[95548] in North American Network Operators' Group


Re: On-going Internet Emergency and Domain Names

daemon@ATHENA.MIT.EDU (Paul Vixie)
Sat Mar 31 02:13:46 2007

To: nanog@merit.edu
From: Paul Vixie <vixie@vix.com>
Date: 31 Mar 2007 06:09:30 +0000
In-Reply-To: <200703310200.44596.admin@digibase.ca>
Errors-To: owner-nanog@merit.edu


whoa.  this is like deja vu all over again.  when barb@CERT asked me to
patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host
names in order to protect sendmail from a /var/spool/mqueue/qf* formatting
vulnerability, i was fresh off the boat and did as i was asked.  a dozen
years later i find that that bug in sendmail is long gone, but the pain
from BIND's "check-names" logic is still with us.  i did the wrong thing
and i should have said "just fix sendmail, i don't care how much easier
it would be to patch libc, that's just wrong."

are we really going to stop malware by blackholing its domain names?  if
so then i've got some phone calls to make.
-- 
Paul Vixie
