Skip site navigation (1)Skip section navigation (2)
Date:      Sat, 16 Feb 2008 15:40:26 -0800
From:      Xin LI <delphij@delphij.net>
To:        "M. Warner Losh" <imp@bsdimp.com>
Cc:        ache@nagual.pp.ru, src-committers@FreeBSD.ORG, delphij@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-src@FreeBSD.ORG
Subject:   Re: cvs commit: src/lib/libc/resolv res_comp.c
Message-ID:  <47B7746A.8080403@delphij.net>
In-Reply-To: <20080215.233427.1598351542.imp@bsdimp.com>
References:  <200802160016.m1G0GnFB046558@repoman.freebsd.org>	<20080216024541.GA31498@nagual.pp.ru> <20080215.233427.1598351542.imp@bsdimp.com>

next in thread | previous in thread | raw e-mail | index | archive | help
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

M. Warner Losh wrote:
> In message: <20080216024541.GA31498@nagual.pp.ru>
>             Andrey Chernov <ache@nagual.pp.ru> writes:
> : On Sat, Feb 16, 2008 at 12:16:49AM +0000, Xin LI wrote:
> : > delphij     2008-02-16 00:16:49 UTC
> : > 
> : >   FreeBSD src repository
> : > 
> : >   Modified files:
> : >     lib/libc/resolv      res_comp.c 
> : >   Log:
> : >   Allow underscore in domain names while resolving.  While having underscore
> : >   is a violation of RFC 1034 [STD 13], it is accepted by certain name servers
> : >   as well as other popular operating systems' resolver library.
> : 
> : Do you mean we'll have now different results from libc and from bind's 
> : resolver for names with underscore? If yes, it sounds worse than RFC 
> : violation committed.
> 
> Plus there was a very long, very heated thread about removing _ as a
> valid name years ago.  Have conditions changed since then?  Frankly,
> I'd like to have seen a change like this discussed more widely.  There
> was much debate before, and there turned out to be good reasons for
> omitting the _.  I just can't recall them now.

If we are pointing the same discussion thread, it finally reached a
point which says that there is security concerns, claiming that
gethostbyname() and friends should do aggressive sanity check for domain
names.

While this might be reasonable at that time of discussion, I would argue
that with the world outside *BSD all accepts _ in host names at the
resolver side, the alleged _ -> - transition never finished as people
expected in the early age of Internet, and so that as applications
ported to these platforms from time to time, they will have to face the
fact that _ is considered as valid by their resolvers.  Moreover, if "_"
is that harmful to any individual applications, I would say that they
should check it at the input stage, which is considered as the attack
surface, not to rely on base services like resolver to do the sanity check.

I don't think it would be the end of world if we allow _ in host names.
All other (lame) OSes allows it, their resolver just accepts this
character and give the answer, actually, I would be very surprised if it
can still cause any real world attack nowadays.

Cheers,
- --
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFHt3Rqi+vbBBjt66ARAlc8AKC3DAuRfzEuIWUicQBDeDLA5aLk/wCfdtNa
qJ/s+THCAGNsF7M47UMXieI=
=LDaK
-----END PGP SIGNATURE-----



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?47B7746A.8080403>