Date:      Tue, 25 Mar 2003 17:27:04 -0500 (EST)
From:      Geoffrey <geoffrey@reptiles.org>
Cc:        stable@freebsd.org
Subject:   Re: Resolver Issues (non valid hostname characters) 
Message-ID:  <20030325171417.E81110-100000@iguana.reptiles.org>
In-Reply-To: <20030325204423.1EEAA5D07@ptavv.es.net>

On Tue, 25 Mar 2003, Kevin Oberman wrote:

> It should be noted that this limitation was in RFC952 which is not a DNS
> specification. See RFC2181. I think our implementation is simply
> broken.
>
>    The DNS itself places only one restriction on the particular labels
>    that can be used to identify resource records.  That one restriction
>    relates to the length of the label and the full name.
>    [...]
>    Those restrictions
>    aside, any binary string whatever can be used as the label of any
>    resource record.  Similarly, any binary string can serve as the value
>    of any record that includes a domain name as some or all of its value
>    (SOA, NS, MX, PTR, CNAME, and any others that may be added).
>    Implementations of the DNS protocols must not place any restrictions
>    on the labels that can be used.  In particular, DNS servers must not
>    refuse to serve a zone because it contains labels that might not be
>    acceptable to some DNS client programs.  A DNS server may be
>    configurable to issue warnings when loading, or even to refuse to
>    load, a primary zone containing labels that might be considered
>    questionable, however this should not happen by default.
>
	Before anyone considers removing restrictions, I hope
consideration is given to the very real probability of vulnerabilities in
bind which may have much more interesting implications as a result of the
same.
	Test, test, fix, probe, fix and test some more before considering
this please.  At least then when the vulns happen (and they will), there
will at least be a starting point to implement a fix.

"You cannot deftly manipulate the control stick if you are suffering
from diarrhoea"-
[from a manual for Japanese Kamikaze pilots]
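
Added example (not part of the original message and not FreeBSD's resolver code): the distinction the quoted RFC 2181 text draws, written as a check a client can apply to names it gets back from the DNS before using them as host names. `classify_name` and the `name_class` values are hypothetical names; the 63- and 255-octet limits are those of RFC 1035, and the host name rule is RFC 952 as relaxed by RFC 1123.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_LABEL 63   /* octets per label (RFC 1035) */
#define MAX_NAME  255  /* octets for the whole name in wire form */

enum name_class { NAME_INVALID, NAME_DNS_ONLY, NAME_HOSTNAME };

/* Letters, digits, hyphen: the host name alphabet of RFC 952 / RFC 1123. */
static int is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* Classify raw bytes with '.' between labels (no escapes; one optional
 * trailing dot). DNS_ONLY = legal DNS data that is not a host name. */
enum name_class classify_name(const unsigned char *name, size_t len)
{
    size_t i, llen, start = 0, wire = 1;  /* 1 = root label's length octet */
    int hostname_ok = 1;

    if (len > 0 && name[len - 1] == '.')
        len--;                            /* drop the trailing root dot */
    if (len == 0)
        return NAME_INVALID;              /* empty or root name: rejected here */
    for (i = 0; i <= len; i++) {
        if (i < len && name[i] != '.') {
            if (!is_ldh(name[i]))
                hostname_ok = 0;          /* any other byte: DNS data only */
            continue;
        }
        llen = i - start;                 /* label is name[start..i) */
        if (llen == 0 || llen > MAX_LABEL)
            return NAME_INVALID;
        wire += 1 + llen;                 /* length octet plus label bytes */
        if (wire > MAX_NAME)
            return NAME_INVALID;
        if (name[start] == '-' || name[i - 1] == '-')
            hostname_ok = 0;              /* no leading or trailing hyphen */
        start = i + 1;
    }
    return hostname_ok ? NAME_HOSTNAME : NAME_DNS_ONLY;
}

int main(void)
{
    const unsigned char s[] = "my_host.example.org";  /* constructed sample */
    printf("%d\n", classify_name(s, sizeof s - 1));   /* prints 1 (NAME_DNS_ONLY) */
    return 0;
}
```

A name classified `NAME_DNS_ONLY` is valid DNS data under RFC 2181, so the check belongs at the point where the name is used as a host name, not in the code that serves or parses the record.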

