resolved: implement RFC5452

This improves the resilience against cache poisoning by being stricter about only accepting responses that match precisely the requst they are in reply to. It should be noted that we still only use one port (which is picked at random), rather than one port for each transaction. Port randomization would improve things further, but is not required by the RFC.
author: Tom Gundersen <teg@jklm.no> 2015-07-09 02:58:15 +0200
committer: Tom Gundersen <teg@jklm.no> 2015-07-14 18:50:57 +0200
commit: 29815b6c608b836cada5e349d06a96b63eaa65f3 (patch)
tree: 7be9d6fd1f0b2a4017d245b2836b17d97a50e5b6 /TODO
parent: 8300ba218e3cf5049496937be8bce10f22d09bbc (diff)
1 files changed, 0 insertions, 1 deletions
diff --git a/TODO b/TODO
index 2904e2b445..c1b57beeb9 100644
--- a/TODO
+++ b/TODO
@@ -354,7 +354,6 @@ Features:
   - dname
   - cname on PTR (?)
   - maybe randomize DNS UDP source ports
-  - maybe compare query section of DNS replies
 
 * Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely
author	Tom Gundersen <teg@jklm.no>	2015-07-09 02:58:15 +0200
committer	Tom Gundersen <teg@jklm.no>	2015-07-14 18:50:57 +0200
commit	29815b6c608b836cada5e349d06a96b63eaa65f3 (patch)
tree	7be9d6fd1f0b2a4017d245b2836b17d97a50e5b6 /TODO
parent	8300ba218e3cf5049496937be8bce10f22d09bbc (diff)