[10715] in bugtraq
Re: weaknesses in dns label decoding,
daemon@ATHENA.MIT.EDU (marka@ISC.ORG)
Fri Jun 4 13:33:51 1999
Message-Id: <199906032313.JAA02951@bsdi.dv.isc.org>
Date: Fri, 4 Jun 1999 09:13:15 +1000
Reply-To: marka@ISC.ORG
From: marka@ISC.ORG
X-To: Brett Glass <brett@lariat.org>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: Your message of "Thu, 03 Jun 1999 06:20:41 CST."
<4.2.0.56.19990603061749.045ed100@localhost>
> Many sysadmins disable BIND's "check-names" option because
> their less knowledgeable colleagues assign illegal names. In
> particular, many use underscores in system names, even though
> they're verboten.
>
> BIND *should* have a separate option that allows underscores
> in names to accommodate this frequent glitch, but it doesn't.
> So, the checking becomes all-or-nothing.
>
> --Brett
No.
There is a specification about what is legal in a hostname
/ mailname (RHS of @). If an application is expecting a
hostname, it should only be given hostnames. The library
(or server) should filter out non-conformant names.
You do not know what the application is using as a field
separator and "_" is a perfectly valid character to use
to separate a list of hostnames.
Yes I am playing devil's advocate here but you have to do
that at times to knock down silly ideas. You either enforce
the specification or you don't bother at all.
Check-names is on by default for good reason. To force people
to become aware of what they are doing and where they are breaking
a standard.
Underscore is also a silly character to have. How many hostnames
are in the following html fragment when you read it on an ASCII
terminal?
<UL>foobar.au_example.net</UL>
Mark
P.S. There are interpretive languages where "_" is an
assignment operator and where a hostname could be used
as a variable name.
P.P.S. I made this argument long before I worked for ISC
and it is still my view.
>
> At 11:00 PM 6/2/99 +0200, Pavel Kankovsky wrote:
> >On Mon, 31 May 1999, bobk wrote:
> >
> > > Another thing to remember is that it is possible to put ABSOLUTELY
> > > ANYTHING inside a DNS domain name. This includes whitespace, control
> > > characters, and even NULL.
> >
> >Use BIND's check-names option to refuse illegal answers.
> >
> >--Pavel Kankovsky aka Peak [ Boycott Microsoft--http://www.vcnet.com/bms ]
> >"NSA GCHQ KGB CIA nuclear conspiration war weapon spy agent... Hi Echelon!"
>
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
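As an added example, not part of the original post or of BIND: a small Python checker that applies the RFC 952 / RFC 1123 host-name syntax (the rule check-names enforces on host records) to a set of constructed records, rejecting underscores, edge hyphens, control or NUL octets and over-long labels. The function names, reason strings and sample records are assumptions of this example.

```python
import re

# RFC 952 / RFC 1123 host-name syntax: labels of letters, digits and hyphens,
# no leading/trailing hyphen, 1..63 octets each, whole name <= 253 octets.
# A DNS label may hold any octet (RFC 2181); code handing names to
# hostname-expecting applications must apply this stricter check itself.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def hostname_problems(name):
    """Return the reasons `name` is not a valid hostname (empty list = OK)."""
    if name.endswith("."):            # tolerate an absolute (trailing-dot) name
        name = name[:-1]
    if not name:
        return ["empty name"]
    problems = []
    if len(name) > 253:
        problems.append("name longer than 253 octets")
    for label in name.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > 63:
            problems.append("label longer than 63 octets: %r" % label)
        elif "_" in label:
            problems.append("underscore in label: %r" % label)
        elif any(not 0x21 <= ord(c) <= 0x7E for c in label):
            problems.append("whitespace/control/non-ASCII octet in label: %r" % label)
        elif not _LABEL_RE.match(label):
            problems.append("bad character or edge hyphen in label: %r" % label)
    return problems

def is_valid_hostname(name):
    return not hostname_problems(name)

def filter_host_records(records):
    """Split (owner, rdata) pairs the way a check-names style policy would:
    a record whose owner is not a valid hostname is rejected, not served."""
    accepted, rejected = [], []
    for owner, rdata in records:
        reasons = hostname_problems(owner)
        (rejected if reasons else accepted).append((owner, rdata, reasons))
    return accepted, rejected

# Constructed sample records (not from the post), covering the name types the thread discusses.
SAMPLE_RECORDS = [
    ("www.example.net", "192.0.2.1"),
    ("my_host.example.net", "192.0.2.2"),     # underscore: common, not a hostname
    ("-dash.example.net", "192.0.2.3"),       # leading hyphen
    ("ctrl\x00.example.net", "192.0.2.4"),    # NUL octet: legal in DNS, not in a hostname
    ("a" * 64 + ".example.net", "192.0.2.5"), # over-long label
]
```

Running `filter_host_records(SAMPLE_RECORDS)` keeps only `www.example.net` and returns the other four with the reason each was refused.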