[10703] in bugtraq
Re: weaknesses in dns label decoding,
daemon@ATHENA.MIT.EDU (Brett Glass)
Thu Jun 3 11:40:39 1999
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <4.2.0.56.19990603061749.045ed100@localhost>
Date: Thu, 3 Jun 1999 06:20:41 -0600
Reply-To: Brett Glass <brett@LARIAT.ORG>
From: Brett Glass <brett@LARIAT.ORG>
X-To: Pavel Kankovsky <peak@ARGO.TROJA.MFF.CUNI.CZ>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <19990602225645.4257.0@argo.troja.mff.cuni.cz>
Many sysadmins disable BIND's "check-names" option because
their less knowledgeable colleagues assign illegal names. In
particular, many use underscores in system names, even though
they're verboten.

BIND *should* have a separate option that allows underscores
in names to accommodate this frequent glitch, but it doesn't.
So, the checking becomes all-or-nothing.

--Brett

At 11:00 PM 6/2/99 +0200, Pavel Kankovsky wrote:
>On Mon, 31 May 1999, bobk wrote:
>
> > Another thing to remember is that it is possible to put ABSOLUTELY
> > ANYTHING inside a DNS domain name. This includes whitespace, control
> > characters, and even NULL.
>
>Use BIND's check-names option to refuse illegal answers.
>
>--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
>"NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"
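
The check discussed in this thread, as an added Python example that is not part of either poster's message and is not BIND's code: it decodes a wire-format name into raw labels and applies the letters-digits-hyphen host name rule, with a hypothetical `allow_underscore` switch standing in for the separate option the reply asks for. Function names and the two sample names are constructed for illustration.

```python
# Added example: strict host name check over a wire-format DNS name.
# allow_underscore is a hypothetical switch, not a real BIND option.
import string

LDH = set((string.ascii_letters + string.digits + "-").encode())

def decode_name(wire: bytes) -> list:
    """Split an uncompressed wire-format name into raw label byte strings."""
    labels, pos, total = [], 0, 0
    while True:
        if pos >= len(wire):
            raise ValueError("truncated name: no root label")
        length = wire[pos]
        pos += 1
        if length == 0:                      # root label ends the name
            return labels
        if length > 63:                      # pointer or reserved label type
            raise ValueError("length octet > 63 not accepted here")
        if pos + length > len(wire):
            raise ValueError("label runs past end of buffer")
        total += length + 1
        if total + 1 > 255:                  # +1 for the root octet
            raise ValueError("name longer than 255 octets")
        labels.append(wire[pos:pos + length])
        pos += length

def printable(labels) -> str:
    """Render labels for logs; anything but LDH and '_' becomes a \\DDD escape."""
    return ".".join(
        "".join(chr(b) if b in LDH or b == 0x5F else "\\%03d" % b for b in lab)
        for lab in labels)

def hostname_problems(labels, allow_underscore=False) -> list:
    """Return reasons the name is not a legal host name (empty list = OK)."""
    ok = LDH | ({0x5F} if allow_underscore else set())
    problems = []
    for lab in labels:
        bad = sorted({b for b in lab if b not in ok})
        if bad:
            problems.append("%s: illegal bytes %s"
                            % (printable([lab]), [hex(b) for b in bad]))
        if lab[:1] == b"-" or lab[-1:] == b"-":
            problems.append("%s: leading or trailing hyphen" % printable([lab]))
    return problems

# Constructed sample names (not taken from the thread).
UNDERSCORE = b"\x07my_host\x07example\x03com\x00"
HOSTILE = b"\x07ab\x00\n cd\x07example\x03com\x00"   # NUL, newline, space in a label
```

With the switch on, the underscore name passes while the name carrying NUL, newline and space is still rejected, and `printable` keeps those bytes out of logs and terminals.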