From owner-freebsd-stable@FreeBSD.ORG Tue Mar 25 23:05:29 2003 Return-Path: Delivered-To: freebsd-stable@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 5538A37B407 for ; Tue, 25 Mar 2003 23:05:29 -0800 (PST) Received: from fe3.cox-internet.com (fe3-cox.cox-internet.com [66.76.2.40]) by mx1.FreeBSD.org (Postfix) with ESMTP id EC83E43FF2 for ; Tue, 25 Mar 2003 23:05:03 -0800 (PST) (envelope-from daved@nostrum.com) Received: from nostrum.com ([208.180.29.144]) by fe3.cox-internet.com 9a2f9096933fa391a6c2fc942f8b01bd) with ESMTP id <20030326070502.YCZO20598.fe3@nostrum.com>; Wed, 26 Mar 2003 01:05:02 -0600 Date: Wed, 26 Mar 2003 01:05:06 -0600 Content-Type: text/plain; charset=US-ASCII; format=flowed Mime-Version: 1.0 (Apple Message framework v551) To: Mark.Andrews@isc.org From: David J Duchscher In-Reply-To: <200303260523.h2Q5NFpE029121@drugs.dv.isc.org> Message-Id: <460D1DA6-5F59-11D7-BFC4-0003930B3DA4@nostrum.com> Content-Transfer-Encoding: 7bit X-Mailer: Apple Mail (2.551) X-Spam-Status: No, hits=-21.6 required=5.0 tests=AWL,EMAIL_ATTRIBUTION,IN_REP_TO,QUOTED_EMAIL_TEXT, REPLY_WITH_QUOTES,USER_AGENT_APPLEMAIL autolearn=ham version=2.50 X-Spam-Level: X-Spam-Checker-Version: SpamAssassin 2.50 (1.173-2003-02-20-exp) cc: stable@freebsd.org cc: Mark_Andrews@isc.org cc: Terry Lambert Subject: Re: Resolver Issues (non valid hostname characters) X-BeenThere: freebsd-stable@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: Production branch of FreeBSD source code List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 26 Mar 2003 07:05:33 -0000 X-List-Received-Date: Wed, 26 Mar 2003 07:05:33 -0000 On Tuesday, March 25, 2003, at 11:23 PM, Mark.Andrews@isc.org wrote: > >> On Tuesday, March 25, 2003, at 09:53 PM, Mark.Andrews@isc.org wrote: >> >>> The current implementation fits this. It handles (accepts) >>> garbage in and only returns (generates) clean respones to >>> the application. >>> >> >> Which I would say it not the intention of what being 'generous on what >> you accept' to mean. IMHO, the maxim is to stop exactly what is >> happening. We are being restrictive on what we return to the >> application so things are breaking. I can't change the remote end so >> communication does not flow. From my perspective, you advocating >> being restrict on what you will accept and what you will send. > > This is a security matter. Sendmail was compromised due to > lack of checking the results returned by gethostbyaddr(). > > get*by*() and get*info() enforce RFC 952 so that every > application written doesn't have to validate the results > returned. Allowing underscore (or IHN) is a API change > and will potentially break applications that correctly > depend upon get*by*() and get*info() filtering out the > garbage. > > If you want to be liberal in what you accept bypass > get*by*() and get*info() and call the resolver directly. Let me see, this is a matter of national security so we can't talk about it. This is very much a straw man argument when it comes to underscore. Bypassing the resolver is also not an option that most users have available to them. This argument also implies that all the other OS mentioned have a security problem because they don't do this type of checking. Not knocking security worries, and of course it should be considered, but from my perspective, this doesn't hold much water. >>> If the resolver died receiving underscore you would something >>> to complain about. Currently it just filters out ALL illegal >>> responses. >> >> I can't talk to some hosts on the internet because FreeBSD will not >> resolve the host name which over 99% of the host on the Internet will. >> I guess that just doesn't matter. > > If the name contains a underscore it is not a hostname by > definition. Nothing stops you talking to the DNS directly > and entering IP literals. CNAME virtual hosts. I have mailed the patch to PR/50299 that makes it an optional behavior. You can also find it here: http://magus.nostrum.com/~daved/resolver_patch.txt I think we have pretty much beat this to death. If the FreeBSD project thinks the latest patch is a useful addition, great. FYI, I will be glad to tune the patch as people see fit. It currently is against the 4 branch but I not going to spend the time if its not going to committed. DaveD