On 16 Jun 2018, at 2:14, Shumon Huque wrote:
Yeah, good point about side channels. Let's stick to recommending
randomization!
Unbound has interesting middle ground here:
rrset-roundrobin: <yes or no>
If yes, Unbound rotates RRSet order in response (the
random number is taken from the query ID,
for speed and thread safety). Default is no.
It rotates, but you cannot predict (easily) by how much. It keeps the
implementation simple but mostly avoids (as far as I can judge) the side
channel.
I do want to point out that the default is ‘no’, suggesting it is
getting away with no ‘round robin’ at all in many deployments.
Kind regards,
--
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
