Hi Andreas,

On 17/08/2021 22:09, A. Schulze via Unbound-users wrote:
> there is a rumor about some weakness in dns. Details in this thread:
> https://lists.dns-oarc.net/pipermail/dns-operations/2021-August/021260.html
>
> A test site is available at https://xdi-attack.net/test.html
> The test shows unbound-1.13.2 as green (not vulnerable) but there are some hints
> regarding special character filtering.
> Maybe the unbound developer@nlnetlabs could rate these hints?

We did read the USENIX paper and the email thread on dns-operations. Currently, Unbound is binary clean in hostnames/domainnames, but we could implement options for additional filtering on hostnames. (We do already have options for scrubbing replies in Unbound.)

However, the discussion on the mailing list also makes it clear that there are different ideas about *where* the bad content filtering should take place, in the infrastructure (i.e. the name servers) or at the endpoint (stub resolvers and libraries). We'd love to hear more community consensus to make this architectural decision.

Best,

-- Benno


--
Benno J. Overeinder
NLnet Labs
https://www.nlnetlabs.nl/
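
Endpoint-side filtering, one of the two placements discussed in the reply above, could take the form of a check that a wire-format name follows the letters-digits-hyphen hostname rule before an application uses it. This is an added example, not code from Unbound or from this thread; the function name `wire_name_is_hostname` and the sample byte arrays are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Returns 1 if buf[0..len) is one complete, uncompressed wire-format name
 * whose labels all follow the letters-digits-hyphen (LDH) hostname rule,
 * 0 otherwise. Names with underscore labels (e.g. SRV owner names) are
 * rejected too, so apply this only where a hostname is expected. */
int wire_name_is_hostname(const uint8_t *buf, size_t len)
{
    size_t pos = 0;
    int labels = 0;

    if (buf == NULL || len == 0 || len > 255)   /* a name is at most 255 octets */
        return 0;
    while (pos < len) {
        size_t l = buf[pos++];
        if (l == 0)                             /* root label ends the name */
            return pos == len && labels > 0;
        if (l > 63 || l > len - pos)            /* pointer, bad length, or truncated */
            return 0;
        if (buf[pos] == '-' || buf[pos + l - 1] == '-')
            return 0;
        for (size_t i = 0; i < l; i++) {
            uint8_t c = buf[pos + i];
            int ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                     (c >= '0' && c <= '9') || c == '-';
            if (!ok)                            /* any other octet, incl. '.', NUL */
                return 0;
        }
        pos += l;
        labels++;
    }
    return 0;                                   /* no terminating root label */
}

/* Constructed sample names (not taken from the thread). */
static const uint8_t NAME_OK[]  = {3,'w','w','w',7,'e','x','a','m','p','l','e',3,'c','o','m',0};
static const uint8_t NAME_DOT[] = {3,'a','.','b',3,'c','o','m',0};   /* dot inside one label */
static const uint8_t NAME_NUL[] = {4,'w','w',0,'w',3,'c','o','m',0}; /* NUL inside a label */

int main(void)
{
    printf("ok=%d dot=%d nul=%d\n",
           wire_name_is_hostname(NAME_OK, sizeof NAME_OK),
           wire_name_is_hostname(NAME_DOT, sizeof NAME_DOT),
           wire_name_is_hostname(NAME_NUL, sizeof NAME_NUL));
    return 0;
}
```

The `NAME_DOT` case is a two-label name that prints as `a.b.com` once converted to text without escaping, which is why the check runs on the wire form rather than on the presentation string.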
