cpghost wrote:
> Yes indeed. If I understand all this correctly, it's because the transaction ID that has to be sent back is only 2 bytes long,
2 bits, 16 bytes.
> and if the query port doesn't change as well with every query, that can be cracked in milliseconds: sending 65536 DNS queries to a constant port is just way too easy! The namespace is way too small, and there's no way to fix this by switching to, say, 4 bytes or even more for the transaction ID without breaking existing resolvers; actually without breaking the protocol itself.
That's more or less accurate, yes.

Doug

--
This .signature sanitized for your protection
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
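As an added illustration of the point made in this exchange (example code, not from the thread or from any resolver): a toy model of the matching a resolver does before accepting a reply, plus a measurement of how often 65536 blind forged replies get one accepted when the query port is fixed versus randomized. The ephemeral port pool, the question name and the RNG seeds are constructed assumptions.

```python
import random

TXID_SPACE = 1 << 16                  # transaction ID is 16 bits (2 bytes)
FIXED_PORT = 53                       # constructed: resolver that always queries from one port
EPHEMERAL_PORTS = range(1024, 65536)  # assumption: pool a port-randomizing resolver picks from


def blind_guess_space(randomize_port):
    """Number of (txid, port) pairs a forged reply must cover to be accepted."""
    return TXID_SPACE * (len(EPHEMERAL_PORTS) if randomize_port else 1)


class Resolver:
    """Minimal model of the matching a resolver does before accepting a reply."""

    def __init__(self, randomize_port, seed=0):
        self.randomize_port = randomize_port
        self.rng = random.Random(seed)
        self.outstanding = {}  # (txid, port) -> question name

    def send_query(self, qname):
        txid = self.rng.getrandbits(16)
        port = self.rng.choice(EPHEMERAL_PORTS) if self.randomize_port else FIXED_PORT
        self.outstanding[(txid, port)] = qname
        return txid, port

    def receive(self, txid, port, qname):
        """Accept only if txid, destination port and question all match a pending query."""
        if self.outstanding.get((txid, port)) != qname:
            return False
        del self.outstanding[(txid, port)]
        return True


def blind_forgery_hit_rate(randomize_port, trials=30, seed=1):
    """Fraction of trials in which 65536 random forged replies get one accepted."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        r = Resolver(randomize_port, seed=rng.getrandbits(30))
        r.send_query("example.test.")  # constructed question name
        for _ in range(TXID_SPACE):
            port = rng.choice(EPHEMERAL_PORTS) if randomize_port else FIXED_PORT
            if r.receive(rng.getrandbits(16), port, "example.test."):
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    for flag in (False, True):
        print("randomized port" if flag else "fixed port",
              blind_guess_space(flag), blind_forgery_hit_rate(flag))
```

With a fixed port the 16-bit transaction ID is the only secret, so 65536 guesses hit most of the time; randomizing the source port multiplies the search space by the size of the port pool and the same number of guesses almost never succeeds.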