djbdns

Re: djbdns-1.05-epoll + speedup patch

To: djbdns Mailing List <dns@list.cr.yp.to>
Subject: Re: djbdns-1.05-epoll + speedup patch
From: Charles Cazabon <dns@discworld.dyndns.org>
Date: Wed, 7 Mar 2007 09:57:55 -0600
In-reply-to: <20070307153920.e4674dxjvrwf6nm4@m.safari.iki.fi>
Mail-followup-to: djbdns Mailing List <dns@list.cr.yp.to>
Mailing-list: contact dns-help@list.cr.yp.to; run by ezmlm
References: <20070116171333.GA5674@m.safari.iki.fi> <20070222122129.GE3982@m.safari.iki.fi> <20070222162522.GG3982@m.safari.iki.fi> <20070304161657.qrytvzoi37inmj45@m.safari.iki.fi> <20070307143501.GA19509@codeblau.de> <20070307153920.e4674dxjvrwf6nm4@m.safari.iki.fi>
User-agent: Mutt/1.5.11
Sami Farin <safari-dns@safari.iki.fi> wrote:
> > 
> > surf is there for security reasons.  It is MEANT to take some time.
> > That's where its security comes from.
> 
> Well BIND seems to do better, according to this.
> http://www.lurhq.com/cachepoisoning.html

Eh?  Are you referring to that analysis of the PRNG in dnscache?

  The calprob output shows the randomness is still not perfect (in fact, it is
  slightly worse than BIND 9; 30% probability of a successful guess with a
  spoofing set size of 5000):
  [...]
  This is however offset by the fact that djbdns also generates random
  numbers for the source port of each query,
  [...]
  This forces the attacker to guess transaction ID and source port
  simultaneously. It is immensely difficult to succeed at such an attack,

dnscache is harder to poison than BIND 8 or BIND 9.

Charles
-- 
-----------------------------------------------------------------------
Charles Cazabon                              <dns@discworld.dyndns.org>
GPL'ed software available at:               http://pyropus.ca/software/
-----------------------------------------------------------------------

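The argument in this reply is arithmetic: an off-path attacker has to land a forged reply whose transaction ID (and, for dnscache, source port) matches what the resolver is waiting for, so the success rate for a given "spoofing set size" is set size divided by the size of the space being searched. The script below is an added illustration and is not code from the thread, from the linked analysis or from djbdns. It assumes a 16-bit transaction ID, a distinct-guess attacker whose forgeries all arrive before the genuine reply, uniform randomness, and, purely for illustration, a resolver that binds each query to one of 64510 random ports above 1024 (substitute the real range if you know it). The 30%-at-5000 figure from the quoted analysis is used only as an input to show what it implies under that model.

```python
"""Spoofing-success odds for a DNS resolver as a function of how many bits
an off-path attacker must guess.  Added example with constructed inputs;
the quoted 30% / 5000 numbers are inputs here, not something this code
derives."""

import math

TXID_SPACE = 1 << 16   # 16-bit DNS transaction ID

# Assumption for illustration only: each outgoing query gets a random
# source port drawn from 64510 values above 1024.  Replace with the real
# port range of the resolver you are assessing.
PORT_SPACE = 64510


def success_probability(set_size, id_space=TXID_SPACE, port_space=1):
    """Chance that `set_size` distinct forged replies, fired at one outstanding
    query, include the (ID, port) pair the resolver expects.  Assumes both are
    uniform and that the forgeries beat the genuine answer; with distinct
    guesses the probability is simply set_size / space (capped at 1)."""
    space = id_space * port_space
    return min(1.0, set_size / space)


def success_probability_random_guesses(set_size, id_space=TXID_SPACE, port_space=1):
    """Same attack when guesses are drawn with replacement (no bookkeeping).
    Slightly lower than the distinct-guess case because of repeats."""
    space = id_space * port_space
    return 1.0 - (1.0 - 1.0 / space) ** set_size


def effective_space(set_size, observed_probability):
    """Invert the distinct-guess model: given a measured hit rate for a given
    spoofing set size, how large a space was the attacker really searching?
    A result well below the nominal space indicates a biased generator."""
    return set_size / observed_probability


def effective_bits(set_size, observed_probability):
    """Effective entropy (in bits) implied by a measured hit rate."""
    return math.log2(effective_space(set_size, observed_probability))


def guesses_for_target(target, id_space=TXID_SPACE, port_space=1):
    """Distinct forged replies needed for a `target` success chance against a
    single outstanding query (distinct-guess model)."""
    return math.ceil(target * id_space * port_space)


if __name__ == "__main__":
    print(f"ID only, uniform, 5000 guesses:       {success_probability(5000):.3%}")
    print(f"effective ID bits implied by 30%/5000: {effective_bits(5000, 0.30):.2f}")
    print(f"ID + random port, 5000 guesses:       "
          f"{success_probability(5000, port_space=PORT_SPACE):.2e}")
    print(f"guesses for 30% with ID + port:       "
          f"{guesses_for_target(0.30, port_space=PORT_SPACE):,}")
```

Under these assumptions a perfectly uniform 16-bit ID gives about 7.6% at a set size of 5000, so the 30% the quoted analysis reports for the ID alone corresponds to an effective ID space of roughly 2^14. Adding a random source port from the assumed range multiplies the space by about 64,500, pushing the same 5000 forgeries to roughly one chance in a million and the set size needed for 30% to over a billion packets per query, which is the quantitative content of the reply above. The model ignores the race against the genuine answer and the fact that a cached answer blocks further attempts until its TTL expires; both only make the attacker's job harder.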