Use SHA-256 to provide security against DNS cache poisoning.

Use the SHA-256 hash function to verify that DNS answers
received are for the questions originally asked. This replaces
the slightly insecure SHA-1 (when compiled with DNSSEC) or
the very insecure CRC32 (otherwise). Refer: CERT VU#434904.

diff --git a/CHANGELOG b/CHANGELOG
index 2be1842..3e0d9eb 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -11,6 +11,11 @@
in the {query-ID, random-port} tuple as possible, help defeat
cache poisoning attacks. Refer: CERT VU#434904.
+ Use the SHA-256 hash function to verify that DNS answers
+ received are for the questions originally asked. This replaces
+ the slightly insecure SHA-1 (when compiled with DNSSEC) or
+ the very insecure CRC32 (otherwise). Refer: CERT VU#434904.
+
version 2.82
Improve behaviour in the face of network interfaces which come
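Review bot: The added CHANGELOG paragraph never says outright that SHA-256 is now used in every build, with or without DNSSEC compiled in; the reader has to infer it from "replaces the slightly insecure SHA-1 (when compiled with DNSSEC) or the very insecure CRC32 (otherwise)". Suggest stating that directly, and replacing "slightly insecure" and "very insecure" with the reason each is dropped (CRC32 is a checksum, not a cryptographic hash), since users reading the changelog get no basis for the ranking as written. The paragraph also repeats "Refer: CERT VU#434904" from the context paragraph directly above it, so a single reference covering both paragraphs would read more cleanly.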