Allow underscores in DNS names
Louis A. Mamakos
louie at TransSys.COM
Sun Mar 30 08:36:27 PST 2003
> "Louis A. Mamakos" wrote:
> > > There was a better patch that made it an option in resolv.conf,
> > > rather than turning it on all the time.
> >
> > This is great, except that you'd don't need to have a resolv.conf
> > on your system at all; the resolver will default to using a local
> > caching nameserver.
>
> By this argument, it should do that anyway, if the only option
> is this one.
>
> My own argument is that there should be an "allow_chars" option
> in the resolv.conf, so that the Tuesday after this is committed,
> and someone now wants "#" in domain names to support their idea
> of mapping phone numbers to domain names, we don't have to go
> through this whole dumb "let's violate RFC-952, just this once!"
> argument yet againt.
Sure, fine. Note that RFC-952 was written in a time where most
host names were looked up in a file that was periodically FTP'ed
from SRI-NIC.
>
> > > FreeBSD should be standards compliant, by default, and take work
> > > to make it possible to give bogus data to other hosts on the
> > > Internet who can not handle "_" or other characters because they
> > > *are* standars compliant.
> >
> > Since this is a resolver option, you're not handing out names to
> > other hosts using the DNS infrastructure.
>
> You are if you are a caching DNS server, which uses the resolver
> code to look up data on the global DNS, caches it, and returns
> it to local DNS querants.
No, I don't think so, otherwise you break the DNS's ability to to
have any strings of octets be DNS labels. A caching DNS server
does not do gethostbyname(), nor does it use a stub resolver to
resolve queries.
[...]
>
> > > "Be conservative in what you send."
> >
> > And liberal in what you receive, which is exactly what modifing
> > the resolver to not cause gethostbyname() and it's ilk to barf
> > on these types of names.
>
> And liberal in what you resend?
As I mentioned above, this discussion is irrelevant when it comes
to "resending" anything within the context of the DNS. It's a policy
decision on the part of the stub resolver that back-ends gethostby*().
> Reading the 1998 discussion, as was previously suggested, is a
> good idea.
>
>
> > There are lots of things in ancient RFCs which probably do not
> > make as much sense these days as they once did.
>
> There is a fix for that: join an IETF group, and create a
> "supercedes" RFC.
Having served as the first chair of the DNS working group in the
IETF more than a decade ago, I'm somewhat familiar with the
process and the DNS, thanks.
> The standards are the standards, as they are.
Let's just review the first few paragraphs of this "standard:"
STATUS OF THIS MEMO
This RFC is the official specification of the format of the Internet
Host Table. This edition of the specification includes minor
revisions to RFC-810 which brings it up to date. Distribution of this
memo is unlimited.
INTRODUCTION
The DoD Host Table is utilized by the DoD Hostname Server maintained
by the DDN Network Information Center (NIC) on behalf of the Defense
Communications Agency (DCA) [See RFC-953].
LOCATION OF THE STANDARD DOD ONLINE HOST TABLE
A machine-translatable ASCII text version of the DoD Host Table is
online in the file NETINFO:HOSTS.TXT on the SRI-NIC host. It can be
obtained via FTP from your local host by connecting to host
SRI-NIC.ARPA (26.0.0.73 or 10.0.0.51), logging in as user =
ANONYMOUS, password = GUEST, and retrieving the file
"NETINFO:HOSTS.TXT". The same table may also be obtained via the NIC
Hostname Server, as described in RFC-953. The latter method is
faster and easier, but requires a user program to make the necessary
connection to the Name Server.
Everyone that's still usign the DOD ONLINE HOST TABLE, please raise
your hand? Thanks.
>
> > If there is a security issue in applications, they should get
> > fixed regardless.
>
> OK.
>
> So you are advocating getting rid of the stupid "This program
> uses gets(), which is unsafe" messages, right?
I dunno, do the program do DNS queries?
> Because the programs where the API that is being used lead to a
> security isseu in applications, when people do not know how to
> use the API properly.
These programs are still broken and code in the stub resolver won't
protect them from bogus names in /etc/hosts or NIS, so don't sleep
too soundly at night, thinking you're safe from the evil underscores.
>
> > All this heartburn over what the gethostbyname() library function
> > chooses to believe from the DNS still doesn't address getting
> > hostnames out of NIS or /etc/hosts.
>
> NIS and /etc/hosts should *NEVER* contain a host name with an
> "_". *NEVER*.
Really. Using the awesome power of emacs, I caused this to happen on
my system. Further, please do a 'man hosts' and see the last
sentence of the DESCRIPTION section:
Host names may contain any printable character other
than a field delimiter, newline, or comment character.
louie
More information about the freebsd-arch
mailing list