Date: Tue, 25 Mar 2003 17:27:04 -0500 (EST)
From: Geoffrey
Cc: stable@freebsd.org
Subject: Re: Resolver Issues (non valid hostname characters)
In-Reply-To: <20030325204423.1EEAA5D07@ptavv.es.net>
Message-ID: <20030325171417.E81110-100000@iguana.reptiles.org>

On Tue, 25 Mar 2003, Kevin Oberman wrote:

> It should be noted that this limitation was in RFC952 which is not a DNS
> specification. See RFC2181. I think our implementation is simply
> broken.
>
> The DNS itself places only one restriction on the particular labels
> that can be used to identify resource records. That one restriction
> relates to the length of the label and the full name.
> [...]
> Those restrictions
> aside, any binary string whatever can be used as the label of any
> resource record. Similarly, any binary string can serve as the value
> of any record that includes a domain name as some or all of its value
> (SOA, NS, MX, PTR, CNAME, and any others that may be added).
> Implementations of the DNS protocols must not place any restrictions
> on the labels that can be used. In particular, DNS servers must not
> refuse to serve a zone because it contains labels that might not be
> acceptable to some DNS client programs. A DNS server may be
> configurable to issue warnings when loading, or even to refuse to
> load, a primary zone containing labels that might be considered
> questionable, however this should not happen by default.

Before anyone considers removing restrictions, I hope consideration is given to the very real probability of vulnerabilities in bind which may have much more interesting implications as a result of the same. Test, test, fix, probe, fix and test some more before considering this please. At least then when the vulns happen (and they will), there will at least be a starting point to implement a fix.

"You cannot deftly manipulate the control stick if you are suffering from diarrhoea" - [from a manual for Japanese Kamikaze pilots]
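The two notions of "valid name" at issue in this thread, side by side, as an added C example that is not code from the thread, from BIND or from the FreeBSD resolver: hostname_ok() applies the RFC 952 / RFC 1123 hostname syntax that a resolver's hostname check enforces, and dns_lengths_ok() applies only the label and name length limits that RFC 2181 section 11 describes. Both function names and the sample names are the example's own; presentation-format escapes (\ddd) are deliberately not handled, so every '.' is treated as a label separator.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MAX_LABEL 63   /* RFC 2181 s.11: label length limit in octets */
#define MAX_NAME  255  /* RFC 2181 s.11: whole name, wire form, in octets */

/* Strip one trailing dot ("example.org." -> "example.org") and return the
 * remaining length. Presentation-format escapes (\ddd) are not handled;
 * every '.' is taken as a label separator (simplification for the example). */
static size_t trimmed_len(const char *name)
{
    size_t len = strlen(name);
    if (len > 1 && name[len - 1] == '.')
        len--;
    return len;
}

/* Hostname syntax in the RFC 952 / RFC 1123 sense, the rule a resolver's
 * hostname check applies: labels made of letters, digits and '-', with no
 * label empty or starting or ending in '-'. Rejects '_' and non-ASCII bytes. */
static bool hostname_ok(const char *name)
{
    size_t len = trimmed_len(name);
    size_t label_start = 0;

    if (len == 0)
        return false;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || name[i] == '.') {
            if (i == label_start)                        /* empty label */
                return false;
            if (name[label_start] == '-' || name[i - 1] == '-')
                return false;
            label_start = i + 1;
            continue;
        }
        unsigned char c = (unsigned char)name[i];
        if (!isalnum(c) && c != '-')
            return false;
    }
    return true;
}

/* The only limits RFC 2181 s.11 imposes: each label at most 63 octets and
 * the wire-form name (one length octet per label, plus the root label) at
 * most 255 octets. Any byte other than the separator is accepted as content. */
static bool dns_lengths_ok(const char *name)
{
    size_t len = trimmed_len(name);
    size_t label_start = 0;
    size_t wire = 1;                                     /* root label */

    if (strcmp(name, ".") == 0)
        return true;                                     /* the root itself */
    if (len == 0)
        return false;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || name[i] == '.') {
            size_t label_len = i - label_start;
            if (label_len == 0 || label_len > MAX_LABEL)
                return false;
            wire += 1 + label_len;
            label_start = i + 1;
        }
    }
    return wire <= MAX_NAME;
}

int main(void)
{
    /* Constructed sample names for the example, not taken from the thread. */
    const char *samples[] = {
        "www.example.org",
        "_ldap._tcp.example.org",   /* valid DNS name, not a valid hostname */
        "-bad.example.org",
        "a..b",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-26s hostname_ok=%d dns_lengths_ok=%d\n", samples[i],
               hostname_ok(samples[i]), dns_lengths_ok(samples[i]));
    return 0;
}
```

The gap between the two checks is where the caution in the reply applies: a name such as `_ldap._tcp.example.org` or one containing a non-ASCII byte passes the length-only rule, so a resolver that drops its hostname check hands such strings on to every caller that assumed hostname syntax, and those callers become the place to look for parsing and buffer-handling defects.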