[95554] in North American Network Operators' Group


Re: On-going Internet Emergency and Domain Names

daemon@ATHENA.MIT.EDU (Gadi Evron)
Sat Mar 31 06:34:29 2007

Date: Sat, 31 Mar 2007 05:32:43 -0500 (CDT)
From: Gadi Evron <ge@linuxbox.org>
To: Paul Vixie <vixie@vix.com>
Cc: nanog@merit.edu
In-Reply-To: <g3ps6qlzad.fsf@sa.vix.com>
Errors-To: owner-nanog@merit.edu


On 31 Mar 2007, Paul Vixie wrote:
> 
> whoa.  this is like deja vu all over again.  when barb@CERT asked me to
> patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host
> names in order to protect sendmail from a /var/spool/mqueue/qf* formatting
> vulnerability, i was fresh off the boat and did as i was asked.  a dozen
> years later i find that that bug in sendmail is long gone, but the pain
> from BIND's "check-names" logic is still with us.  i did the wrong thing
> and i should have said "just fix sendmail, i don't care how much easier
> it would be to patch libc, that's just wrong."
> 
> are we really going to stop malware by blackholing its domain names?  if
> so then i've got some phone calls to make.

I don't know about BIND; obviously your knowledge overshadows mine.
Changing BIND for sendmail was likely silly, but it showed some agility we
seem to not have today.
If it could have been a temporary dynamic solution (rather than a
package change), it's an interesting concept.

Back to reality and 2007:
In this case, we speak of a problem with DNS, not sendmail, and not BIND.

As to blacklisting, it's not my favorite solution but rather a limited
alternative I also saw you mention on occasion. What alternatives do
you offer which we can use today?

        Gadi.

> -- 
> Paul Vixie
> 
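The thread argues about blackholing malware domain names at the resolver without spelling out what that does. The following is an added illustration, not code from this thread or from BIND: a toy resolver-side blackhole policy that matches queried names against a blocklist (a blocked zone apex covers every name beneath it, as a zone-level blackhole does), answers matching A queries with a sinkhole address, forwards everything else, and records each hit so the querying client can be found and cleaned. The domain names, client addresses and the sinkhole address (from the RFC 5737 TEST-NET-1 range) are constructed for the example.

```python
"""Toy DNS blackhole ("sinkhole") policy, written from the resolver operator's side.

This is an added example for the discussion above; it is not BIND code and the
blocklist entries, client addresses and answers below are all constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed sinkhole target from the RFC 5737 TEST-NET-1 documentation range.
SINKHOLE_A = "192.0.2.1"


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot; DNS names are case-insensitive."""
    return name.strip().rstrip(".").lower()


@dataclass
class Blackhole:
    blocked: Set[str] = field(default_factory=set)
    # One record per blocked lookup: (client address, queried name, blocklist entry that matched)
    hits: List[Tuple[str, str, str]] = field(default_factory=list)

    def add(self, name: str) -> None:
        """Add a domain or zone apex to the blocklist."""
        self.blocked.add(normalize(name))

    def match(self, qname: str) -> Optional[str]:
        """Return the blocklist entry covering qname, or None.

        Walks from the full name up to the TLD so that blocking "malware.example"
        also catches "www.malware.example" and "cc.dl.malware.example".
        """
        labels = normalize(qname).split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate in self.blocked:
                return candidate
        return None

    def resolve(self, client: str, qname: str, qtype: str,
                upstream: Callable[[str, str], str]) -> Dict[str, str]:
        """Decide how one query is answered and log blocked lookups."""
        matched = self.match(qname)
        if matched is None:
            # Not on the list: hand the query to normal resolution.
            return {"action": "forward", "answer": upstream(qname, qtype)}
        self.hits.append((client, normalize(qname), matched))
        if qtype == "A":
            # Point the infected host at the sinkhole instead of the real controller.
            return {"action": "sinkhole", "answer": SINKHOLE_A}
        # Other record types for a blackholed name get an empty (NODATA) answer.
        return {"action": "sinkhole", "answer": "NODATA"}

    def infected_clients(self) -> Dict[str, Set[str]]:
        """Summarise the hit log: which client asked for which blocked entry."""
        summary: Dict[str, Set[str]] = {}
        for client, _qname, matched in self.hits:
            summary.setdefault(client, set()).add(matched)
        return summary


def constructed_upstream(qname: str, qtype: str) -> str:
    """Stand-in for real recursion: a fixed table of constructed answers."""
    table = {("www.example.net", "A"): "198.51.100.7"}
    return table.get((normalize(qname), qtype), "NXDOMAIN")


def demo() -> Tuple[Dict[str, str], Dict[str, str], Dict[str, str], Dict[str, Set[str]]]:
    """Run a few constructed queries through the policy and return the outcomes."""
    bh = Blackhole()
    bh.add("malware.example")        # blocked zone apex (constructed)
    bh.add("Update.Badsite.Example.")  # mixed case and trailing dot are normalised
    clean = bh.resolve("10.0.0.5", "www.example.net", "A", constructed_upstream)
    hit_sub = bh.resolve("10.0.0.9", "CC.dl.MALWARE.example.", "A", constructed_upstream)
    hit_mx = bh.resolve("10.0.0.9", "update.badsite.example", "MX", constructed_upstream)
    return clean, hit_sub, hit_mx, bh.infected_clients()


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The walk up the label hierarchy is what makes a zone-level blackhole cheap to maintain: one entry covers the whole zone, so the operator does not have to chase every throwaway hostname the malware generates. The hit log is the part that turns a blackhole from a band-aid into a detection source, since each record names a client that tried to reach a blocked zone.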

