On Wed, Oct 23, 2024 at 07:23:23PM -0300, Santiago Ruano Rincón wrote:
> On 22/10/24 at 00:05, Bob Halley wrote:
> > This is a blast from the past; 2008 is a LONG time ago!
>
> Indeed! :-)
>
> > It should be fine, as of 1.7 since the entropy pool added then would help
> > with query id randomness. Newer dnspython releases use the system's
> > randomness source via python APIs instead of the dnspython entropy pool if
> > possible, so should be even better. Also dnspython creates a new socket
> > for every query, so there will be port randomization from the OS most
> > likely as well. Finally, dnspython doesn't cache by default, and even if
> > its optional caching features are enabled, the nature of the way it caches
> > does not leave it susceptible to the Kaminsky style attacks. Also it is
> > probably harder for an attacker to send a giant stream of queries through
> > dnspython than it is to send them to an ISP in most things that use
> > dnspython.
>
> Thanks a lot for your answer.
>
> Given the above, if there are no objections, I would close this bug with
> Version: 1.7.1-.
>
> Dear security team, would you agree with changing this in the security
> tracker?

Looks good.

Cheers,
Moritz
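
Added example, not part of the thread and not dnspython's own code: a standard-library sketch of the stub-resolver properties described in the quoted reply (query ID from the system randomness source, a fresh socket with an OS-chosen source port per query), plus the reply check those values feed into. The function names, the `accept_response` check and the sample address are assumptions made for illustration.

```python
import secrets
import socket
import struct

def encode_name(name):
    """Encode a dotted name as DNS wire-format labels."""
    labels = [l.encode("ascii") for l in name.rstrip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name, qtype=1):
    """Return (txid, wire) for a one-question IN query with an unpredictable ID."""
    txid = secrets.randbelow(1 << 16)  # drawn from the OS CSPRNG
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, QDCOUNT=1
    return txid, header + encode_name(name) + struct.pack("!HH", qtype, 1)

def new_query_socket(bind_addr="0.0.0.0"):
    """Fresh UDP socket per query; port 0 lets the OS pick the source port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_addr, 0))
    return sock

def accept_response(query_wire, txid, server, response, sender):
    """Accept a datagram only if it comes from the queried server and echoes
    our ID and our exact question; anything else is dropped as spoofed/stray."""
    if sender != server or len(response) < len(query_wire):
        return False
    rid, flags, qdcount = struct.unpack("!HHH", response[:6])
    if rid != txid or not flags & 0x8000 or qdcount != 1:  # 0x8000 = QR (response)
        return False
    return response[12:len(query_wire)] == query_wire[12:]

if __name__ == "__main__":
    server = ("192.0.2.53", 53)  # constructed address (TEST-NET-1)
    txid, query = build_query("example.org")
    good = struct.pack("!HHHHHH", txid, 0x8180, 1, 0, 0, 0) + query[12:]
    forged = struct.pack("!H", txid ^ 0x0001) + good[2:]
    print("matching reply accepted:", accept_response(query, txid, server, good, server))
    print("wrong-ID reply accepted:", accept_response(query, txid, server, forged, server))
    with new_query_socket("127.0.0.1") as a, new_query_socket("127.0.0.1") as b:
        print("source ports:", a.getsockname()[1], b.getsockname()[1])
```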