[Pdns-users] DNS poisoning and spoof-nearmiss-max
J Knight
jknight+pdns at spamshield.org
Tue Jul 29 21:00:34 UTC 2008
What is the Recursor's exact detection method and reaction
in relation to the spoof-nearmiss-max config parameter?
Do internal counters for an outstanding query record
- answers coming back from authoritative (or ANY) servers other
than the one asked?
- any mismatch (not just an "approximate" mismatch, as the "nearmiss"
suggests) of the query-ID?
Shouldn't the default for this parameter be "1" instead of "20"?
How well does the Recursor aggregate/avoid duplicate queries for
the same RR going out, to avoid a birthday attack?
There is a "chain-resends" statistics variable (not documented
in http://doc.powerdns.com/recursor-stats.html, along with
several other variables found in rec_channel_rec.cc: what
are case-mismatches, shunted-queries, noshunt-*, and why
is throttled-outqueries duplicating throttled-out?) suggesting
tracking of this.
What does the Recursor actually do if the counter exceeds the
configured limit?
- abandon the query and return SERVFAIL to all clients?
- abandon the query and return nothing to all clients?
- wait X seconds and retry the outgoing query to the same NS?
or to another NS for the zone?
I am reading through http://www.ietf.org/internet-drafts/draft-ietf-dnsext-forgery-resilience-05.txt
for some interesting ideas...
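To make the questions above concrete, here is a small model written for this thread of what a transaction-ID "near miss" counter and outgoing-query chaining look like, together with the birthday math that makes duplicate in-flight queries dangerous. It is an added illustration, not PowerDNS Recursor code: the matching rules (replies from a server other than the one asked are dropped and not counted), the meaning of the nearmiss_max knob (abandon the query and SERVFAIL every waiting client once the limit is exceeded), the chaining of duplicate queries, and the sample names and addresses are all assumptions of the model, not a description of what the Recursor actually does.

```python
"""Toy model of transaction-ID 'near miss' accounting and the birthday math
behind it.  Added illustration for this discussion, NOT code from PowerDNS:
the matching rules, the semantics of nearmiss_max (abandon + SERVFAIL once
exceeded) and the chaining of duplicate queries are assumptions of the model."""
import secrets
from dataclasses import dataclass, field

ID_SPACE = 1 << 16  # a DNS transaction ID is 16 bits


def hit_probability(outstanding, guesses):
    """Probability that at least one of `guesses` distinct spoofed IDs matches
    one of `outstanding` in-flight queries for the same name/type, each with
    an independent random ID.  Exact form of the birthday bound:
    P = 1 - prod_{i<k} (N - n - i) / (N - i), N = ID_SPACE, n = outstanding."""
    p_miss = 1.0
    for i in range(guesses):
        remaining = ID_SPACE - outstanding - i
        if remaining <= 0:          # attacker has covered the whole ID space
            return 1.0
        p_miss *= remaining / (ID_SPACE - i)
    return 1.0 - p_miss


@dataclass
class Outstanding:
    qname: str
    qtype: str
    ns: str                     # server the query was sent to
    qid: int                    # transaction ID we chose
    clients: list = field(default_factory=list)
    nearmisses: int = 0


class NearMissModel:
    """Outstanding-query table with a per-query near-miss counter (model)."""

    def __init__(self, nearmiss_max=20):
        self.nearmiss_max = nearmiss_max   # hypothetical knob named after the post's parameter
        self.pending = {}                  # (qname, qtype) -> Outstanding

    def send_query(self, client, qname, qtype, ns):
        """Chain a client onto an existing outgoing query for the same
        name/type instead of sending a second one: fewer IDs in flight for
        one question means a smaller birthday target.  Returns (entry, sent)."""
        key = (qname, qtype)
        q = self.pending.get(key)
        if q is not None:
            q.clients.append(client)
            return q, False
        q = Outstanding(qname, qtype, ns, secrets.randbelow(ID_SPACE), [client])
        self.pending[key] = q
        return q, True

    def on_response(self, qname, qtype, src, qid):
        """Classify an incoming reply.  Returns (verdict, clients): clients is
        the list to answer ("accepted") or to SERVFAIL ("abandoned"), else []."""
        key = (qname, qtype)
        q = self.pending.get(key)
        if q is None or src != q.ns:
            return "ignored", []      # assumption: wrong server / nothing pending is dropped, not counted
        if qid == q.qid:
            del self.pending[key]
            return "accepted", q.clients
        # Right question, right server, wrong ID: the signature of someone
        # guessing IDs (or a stale duplicate).  Count it against the query.
        q.nearmisses += 1
        if q.nearmisses > self.nearmiss_max:
            del self.pending[key]
            return "abandoned", q.clients   # model: SERVFAIL everyone waiting
        return "nearmiss", []


def spoof_run(model, attacker_guesses, qname="www.example.org", qtype="A", ns="192.0.2.1"):
    """Drive the model with constructed data: one client query, then
    `attacker_guesses` spoofed replies with distinct wrong IDs, then the
    genuine reply.  Returns the verdict for each reply in order."""
    q, _ = model.send_query("client-1", qname, qtype, ns)
    verdicts = []
    for i in range(attacker_guesses):
        wrong_id = (q.qid + 1 + i) % ID_SPACE   # guaranteed wrong while i < ID_SPACE - 1
        verdicts.append(model.on_response(qname, qtype, ns, wrong_id)[0])
    verdicts.append(model.on_response(qname, qtype, ns, q.qid)[0])  # the real answer
    return verdicts


if __name__ == "__main__":
    for n, k in [(1, 1), (1, 200), (200, 200), (1000, 1000)]:
        print(f"{n:5d} outstanding, {k:5d} guesses: P(hit) = {hit_probability(n, k):.6f}")
    print("nearmiss_max=20, 25 guesses:", spoof_run(NearMissModel(20), 25))
    print("nearmiss_max=1,  25 guesses:", spoof_run(NearMissModel(1), 25))
```

The two halves answer different parts of the post: hit_probability shows why letting n identical queries sit in flight multiplies the attacker's odds roughly n-fold, which is what chaining in send_query avoids; spoof_run shows that, under this model, a near-miss limit of 20 lets an attacker make 20 wrong guesses per outstanding query before it is abandoned, whereas a limit of 1 abandons it on the second wrong-ID reply, at the cost of a SERVFAIL whenever a single stray reply arrives.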