Skip site navigation (1)Skip section navigation (2)
Date:      Sun, 30 Mar 2003 11:36:24 -0500
From:      "Louis A. Mamakos" <louie@TransSys.COM>
To:        Terry Lambert <tlambert2@mindspring.com>
Cc:        Dag-Erling =?iso-8859-1?Q?Sm=F8rgrav?= <des@ofug.org>
Subject:   Re: Allow underscores in DNS names 
Message-ID:  <200303301636.h2UGaODN042934@whizzo.transsys.com>
In-Reply-To: Your message of "Sat, 29 Mar 2003 18:18:18 PST." <3E8653EA.BAF9D765@mindspring.com> 
References:  <xzpu1dm2k2h.fsf@flood.ping.uio.no> <3E864AD1.6C1C3656@mindspring.com> <200303300205.h2U25vDN037209@whizzo.transsys.com> <3E8653EA.BAF9D765@mindspring.com> 

next in thread | previous in thread | raw e-mail | index | archive | help
> "Louis A. Mamakos" wrote:
> > > There was a better patch that made it an option in resolv.conf,
> > > rather than turning it on all the time.
> > 
> > This is great, except that you'd don't need to have a resolv.conf
> > on your system at all; the resolver will default to using a local
> > caching nameserver.
> 
> By this argument, it should do that anyway, if the only option
> is this one.
> 
> My own argument is that there should be an "allow_chars" option
> in the resolv.conf, so that the Tuesday after this is committed,
> and someone now wants "#" in domain names to support their idea
> of mapping phone numbers to domain names, we don't have to go
> through this whole dumb "let's violate RFC-952, just this once!"
> argument yet againt.

Sure, fine.  Note that RFC-952 was written in a time where most
host names were looked up in a file that was periodically FTP'ed
from SRI-NIC.

> 
> > > FreeBSD should be standards compliant, by default, and take work
> > > to make it possible to give bogus data to other hosts on the
> > > Internet who can not handle "_" or other characters because they
> > > *are* standars compliant.
> > 
> > Since this is a resolver option, you're not handing out names to
> > other hosts using the DNS infrastructure.
> 
> You are if you are a caching DNS server, which uses the resolver
> code to look up data on the global DNS, caches it, and returns
> it to local DNS querants.

No, I don't think so, otherwise you break the DNS's ability to to
have any strings of octets be DNS labels.  A caching DNS server
does not do gethostbyname(), nor does it use a stub resolver to
resolve queries.

[...]

> 
> > > "Be conservative in what you send."
> > 
> > And liberal in what you receive, which is exactly what modifing
> > the resolver to not cause gethostbyname() and it's ilk to barf
> > on these types of names.
> 
> And liberal in what you resend?

As I mentioned above, this discussion is irrelevant when it comes
to "resending" anything within the context of the DNS.  It's a policy
decision on the part of the stub resolver that back-ends gethostby*().


> Reading the 1998 discussion, as was previously suggested, is a
> good idea.
> 
> 
> > There are lots of things in ancient RFCs which probably do not
> > make as much sense these days as they once did.
> 
> There is a fix for that: join an IETF group, and create a
> "supercedes" RFC.

Having served as the first chair of the DNS working group in the
IETF more than a decade ago, I'm somewhat familiar with the
process and the DNS, thanks.

> The standards are the standards, as they are.

Let's just review the first few paragraphs of this "standard:"
    
    STATUS OF THIS MEMO
    
       This RFC is the official specification of the format of the Internet
       Host Table.  This edition of the specification includes minor
       revisions to RFC-810 which brings it up to date. Distribution of this
       memo is unlimited.
    
    INTRODUCTION
    
       The DoD Host Table is utilized by the DoD Hostname Server maintained
       by the DDN Network Information Center (NIC) on behalf of the Defense
       Communications Agency (DCA) [See RFC-953].
    
    LOCATION OF THE STANDARD DOD ONLINE HOST TABLE
    
       A machine-translatable ASCII text version of the DoD Host Table is
       online in the file NETINFO:HOSTS.TXT on the SRI-NIC host.  It can be
       obtained via FTP from your local host by connecting to host
       SRI-NIC.ARPA (26.0.0.73 or 10.0.0.51), logging in as user =
       ANONYMOUS, password = GUEST, and retrieving the file
       "NETINFO:HOSTS.TXT".  The same table may also be obtained via the NIC
       Hostname Server, as described in RFC-953.  The latter method is
       faster and easier, but requires a user program to make the necessary
       connection to the Name Server.

Everyone that's still usign the DOD ONLINE HOST TABLE, please raise
your hand?  Thanks.

> 
> > If there is a security issue in applications, they should get
> > fixed regardless.
> 
> OK.
> 
> So you are advocating getting rid of the stupid "This program
> uses gets(), which is unsafe" messages, right?

I dunno, do the program do DNS queries?  

> Because the programs where the API that is being used lead to a
> security isseu in applications, when people do not know how to
> use the API properly.

These programs are still broken and code in the stub resolver won't
protect them from bogus names in /etc/hosts or NIS, so don't sleep
too soundly at night, thinking you're safe from the evil underscores.

> 
> > All this heartburn over what the gethostbyname() library function
> > chooses to believe from the DNS still doesn't address getting
> > hostnames out of NIS or /etc/hosts.
> 
> NIS and /etc/hosts should *NEVER* contain a host name with an
> "_".  *NEVER*.

Really.  Using the awesome power of emacs, I caused this to happen on
my system.  Further, please do a 'man hosts' and see the last 
sentence of the DESCRIPTION section:

 	Host names may contain any printable character other
	than a field delimiter, newline, or comment character.

louie



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200303301636.h2UGaODN042934>