Date: Sat, 16 Feb 2008 15:40:26 -0800
From: Xin LI <delphij@delphij.net>
To: "M. Warner Losh" <imp@bsdimp.com>
Cc: ache@nagual.pp.ru, src-committers@FreeBSD.ORG, delphij@FreeBSD.ORG, cvs-all@FreeBSD.ORG, cvs-src@FreeBSD.ORG
Subject: Re: cvs commit: src/lib/libc/resolv res_comp.c
Message-ID: <47B7746A.8080403@delphij.net>
In-Reply-To: <20080215.233427.1598351542.imp@bsdimp.com>
References: <200802160016.m1G0GnFB046558@repoman.freebsd.org> <20080216024541.GA31498@nagual.pp.ru> <20080215.233427.1598351542.imp@bsdimp.com>

M. Warner Losh wrote:
> In message: <20080216024541.GA31498@nagual.pp.ru>
>             Andrey Chernov <ache@nagual.pp.ru> writes:
> : On Sat, Feb 16, 2008 at 12:16:49AM +0000, Xin LI wrote:
> : > delphij     2008-02-16 00:16:49 UTC
> : >
> : >   FreeBSD src repository
> : >
> : >   Modified files:
> : >     lib/libc/resolv      res_comp.c
> : >   Log:
> : >   Allow underscore in domain names while resolving.  While having underscore
> : >   is a violation of RFC 1034 [STD 13], it is accepted by certain name servers
> : >   as well as other popular operating systems' resolver library.
> :
> : Do you mean we'll have now different results from libc and from bind's
> : resolver for names with underscore? If yes, it sounds worse than RFC
> : violation committed.
>
> Plus there was a very long, very heated thread about removing _ as a
> valid name years ago.  Have conditions changed since then?  Frankly,
> I'd like to have seen a change like this discussed more widely.  There
> was much debate before, and there turned out to be good reasons for
> omitting the _.  I just can't recall them now.

If we are pointing at the same discussion thread, it finally reached a
point which says that there are security concerns, claiming that
gethostbyname() and friends should do aggressive sanity checks for domain
names. While this might have been reasonable at the time of that
discussion, I would argue that with the world outside *BSD all accepting
_ in host names at the resolver side, the alleged _ -> - transition never
finished as people expected in the early age of the Internet, and so, as
applications are ported to these platforms from time to time, they will
have to face the fact that _ is considered valid by their resolvers.
Moreover, if "_" is that harmful to any individual application, I would
say that they should check it at the input stage, which is considered the
attack surface, and not rely on base services like the resolver to do the
sanity check.

I don't think it would be the end of the world if we allow _ in host
names. All other (lame) OSes allow it, their resolver just accepts this
character and gives the answer; actually, I would be very surprised if it
can still cause any real-world attack nowadays.

Cheers,
-- 
Xin LI <delphij@delphij.net>	http://www.delphij.net/
FreeBSD - The Power to Serve!
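
[Added example, not part of the original message and not code from FreeBSD's res_comp.c: one way an application could do the input-stage check the message argues for, before a name ever reaches gethostbyname(). The function names hostname_ok() and label_char_ok() and the allow_underscore flag are hypothetical; the length limits (63 per label, 253 total) and the letter/digit/hyphen rule follow the usual RFC 1034/1123 reading.]

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical application-side check for untrusted host names.
 * allow_underscore = false: strict letter/digit/hyphen labels.
 * allow_underscore = true : additionally tolerate '_' in labels,
 *                           matching a resolver that accepts it. */
static bool label_char_ok(unsigned char c, bool allow_underscore)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || c == '-')
        return true;
    return allow_underscore && c == '_';
}

bool hostname_ok(const char *name, bool allow_underscore)
{
    size_t len = strlen(name);
    size_t label_len = 0;

    if (len > 0 && name[len - 1] == '.')   /* one trailing root dot is fine */
        len--;
    if (len == 0 || len > 253)
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];

        if (c == '.') {
            /* reject an empty label or a label ending in '-' */
            if (label_len == 0 || name[i - 1] == '-')
                return false;
            label_len = 0;
            continue;
        }
        if (!label_char_ok(c, allow_underscore))
            return false;                   /* shell/HTML metacharacters, spaces, ... */
        if (label_len == 0 && c == '-')     /* label starting with '-' */
            return false;
        if (++label_len > 63)
            return false;
    }
    /* last label must be non-empty and must not end in '-' */
    return label_len > 0 && name[len - 1] != '-';
}
```

[With the flag off, a name such as foo_bar.example.org is rejected by the application even when the resolver underneath would accept it; with the flag on, only the underscore is let through and every other check still applies.]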