On the "randomness" of DNS

Bill Stewart bill.stewart at pobox.com
Wed Jul 30 19:48:14 EDT 2008


Ben wrote:
> > But just how GREAT is that, really? Well, we don't know. Why? Because
> > there isn't actually a way to test for randomness. Your DNS resolver could
> > be using some easily predicted random number generator like, say, a linear
> > congruential one, as is common in the rand() library function, but
> > DNS-OARC would still say it was GREAT.

At 11:57 AM 7/30/2008, Pierre-Evariste Dagand wrote:
>Well, there are some tests to judge the "quality" of a random number
>generator. The best known being the Diehard tests:

Random number quality is contextual.
In this case, for 95-99% of the market, the real test is between
         "Patched" "Badly Broken Not patched yet" "Didn't need patching",
and if you'd prefer the term "Best we can do until DNSSEC"
instead of "GREAT" I won't be the one to argue with you.

There are some other possible conditions, like
         "Rolled their own with open source, badly"
or      "Maliciously subtle malware DNS resolver".
The latter is way too much work compared to cruder approaches
(like targeting queries directly to your evil DNS server).
The former is not too common, though it probably exists,
but once most systems get patched,
it may not be a big enough target to interest crackers.
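An added illustration of Ben's point above, not part of the original thread: a tester that only sees how spread out a resolver's source ports are cannot tell a 16-bit linear congruential generator from OS-level randomness, while a structural check (fitting the sample to the LCG recurrence) exposes the weak generator at once. The LCG constants, the sample size and the "GREAT" threshold are constructed for this example and are not DNS-OARC's actual criteria.

```python
"""Spread-only vs. structural checks on DNS source-port samples (constructed example)."""
import os
import statistics

PORT_SPACE = 2**16   # UDP source ports are 16-bit values
SAMPLE = 26          # constructed: number of queries a tester observes


def lcg_ports(seed, n, a=20077, c=12345, m=PORT_SPACE):
    """Constructed 16-bit LCG whose whole state leaks as the port number.
    a odd, c odd, (a-1) divisible by 4 => full period, so no port repeats."""
    ports, x = [], seed % m
    for _ in range(n):
        x = (a * x + c) % m
        ports.append(x)
    return ports


def csprng_ports(n):
    """Ports drawn from the OS CSPRNG, what a patched resolver should resemble."""
    return [int.from_bytes(os.urandom(2), "big") for _ in range(n)]


def spread_report(ports):
    """The only things a spread-based tester can observe: reuse and dispersion."""
    return {"distinct": len(set(ports)), "stdev": round(statistics.pstdev(ports))}


def spread_verdict(ports):
    """Constructed rating: 'GREAT' whenever no port was reused in the sample.
    Both generators above earn it, which is exactly the problem."""
    return "GREAT" if spread_report(ports)["distinct"] == len(ports) else "POOR"


def fit_lcg(ports, m=PORT_SPACE):
    """Try to explain the sample as x[i+1] = a*x[i] + c (mod m), with a and c
    unknown: brute-force a over the port space, derive c from the first pair,
    and accept only if every observed transition fits. Returns (a, c) or None."""
    x0, x1 = ports[0], ports[1]
    for a in range(m):
        c = (x1 - a * x0) % m
        if all((a * ports[i] + c) % m == ports[i + 1] for i in range(len(ports) - 1)):
            return a, c
    return None


if __name__ == "__main__":
    for name, sample in (("lcg", lcg_ports(1, SAMPLE)), ("csprng", csprng_ports(SAMPLE))):
        print(name, spread_report(sample), spread_verdict(sample), "lcg fit:", fit_lcg(sample))
```

Both samples come back "GREAT" from the spread check alone, but only the LCG sample is fully explained by the recurrence, which is the distinction a port tester cannot draw from spread statistics.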



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com