Hi Shane,

> It shouldn't cause any performance issues to do a refresh every few seconds,
> although I would think you'd be better off simply using a larger pool. I haven't
> tested it, but you should be able to set the pool size to 16384 for that magical
> 30 bits of entropy you want (you probably want to set the refresh to a very
> large value in this case).

Does BIND choose those ports in a cryptographically secure way? Can it be configured not to re-use a socket for multiple queries in a row? Not sure what the current algorithms are... please pardon my ignorance. If BIND is reusing bound UDP ports for multiple queries in a row, then that definitely reduces the entropy.

> I'm sorry you're frustrated. There are a lot of ways you can change the
> direction of ISC development. Firstly, you can submit source code - we like that
> one especially. Secondly, you can fund development, and have us develop code
> that you need or want done. Thirdly, you can join the BIND Forum and give us
> recommendations and feedback there. Or fourth, you can simply ask us.

Well, under normal circumstances I might consider contributing code or helping you get your collective security act together. However, other ethically-questionable practices that the ISC engages in pretty much prevent that from ever happening. In particular, your organization charges for early security vulnerability information. I personally feel that creates a huge conflict of interest. You produce a product. If there are vulnerabilities in that product, you boost revenue from your early notification program, since users will be incented to join the members program. Hmm... Sounds like one fine line away from a protection racket. What stops any random "evil hacker" from joining this program as a sponsor and using that information to attack BIND users who aren't in your special club? Nope, sorry, no contributions from me.

The information about using randomized source ports has been around forever in multiple public forums. If the ISC wanted to make a more secure product they would have drawn from these sources long ago.

> Don't worry, I don't take it personally. I've been working in technology enough
> to know that people tend to flame first, and ask questions later. I don't like
> it, and I wish it wasn't part of the techy culture, but there it is.

For the record, I did ask questions first before making wild allegations. ;-)

tim
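The entropy question raised in this exchange, as an added example that is not part of the original thread and not BIND's code: a constructed model of a resolver that draws its source ports from a pool (pool size, refresh interval and ephemeral range are assumptions, not BIND's real algorithm), alongside the measurements a defender could take from a capture of the resolver's outgoing queries to see how many distinct ports are really in use and how often consecutive queries reuse one.

```python
import math
import random

# Ports the modelled resolver may bind; a constructed assumption, not BIND's range.
EPHEMERAL_RANGE = range(1024, 65536)


def identity_bits(pool_size, txid_bits=16):
    """Upper bound on per-query identity entropy: the 16-bit TXID plus log2 of the
    number of distinct source ports in the pool (16384 ports -> 30 bits)."""
    return txid_bits + math.log2(pool_size)


def simulate_queries(pool_size, refresh_every, n_queries, seed=7):
    """Constructed resolver model (hypothetical, not BIND's algorithm): bind
    `pool_size` random ephemeral ports, pick one uniformly per query together
    with a random TXID, and re-draw the whole pool every `refresh_every` queries."""
    rng = random.Random(seed)
    pool, queries = [], []
    for i in range(n_queries):
        if i % refresh_every == 0:
            pool = rng.sample(EPHEMERAL_RANGE, pool_size)
        queries.append((rng.choice(pool), rng.getrandbits(16)))
    return queries


def analyse(queries):
    """What can be measured from captured outgoing queries: the distinct ports
    actually used (a lower bound on port entropy) and the fraction of queries
    sent from the same port as the query immediately before them."""
    ports = [port for port, _txid in queries]
    reused = sum(1 for a, b in zip(ports, ports[1:]) if a == b)
    distinct = len(set(ports))
    return {
        "distinct_ports": distinct,
        "observed_port_bits": round(math.log2(distinct), 2),
        "consecutive_reuse": round(reused / max(len(ports) - 1, 1), 3),
    }


if __name__ == "__main__":
    # A single socket reused within each refresh window versus a 16384-port pool.
    for size in (1, 16384):
        print(size, identity_bits(size), analyse(simulate_queries(size, 1000, 20000)))
```

With a pool of one port the consecutive-reuse fraction is close to 1.0 and the observed port entropy collapses to a few bits from the periodic refresh alone, which is the reduction the message above worries about.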