From owner-cvs-all@FreeBSD.ORG Sat Feb 16 23:40:38 2008
Return-Path:
Delivered-To: cvs-all@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 2B7FF16A417;
	Sat, 16 Feb 2008 23:40:38 +0000 (UTC)
	(envelope-from delphij@delphij.net)
Received: from tarsier.delphij.net (delphij-pt.tunnel.tserv2.fmt.ipv6.he.net [IPv6:2001:470:1f03:2c9::2])
	by mx1.freebsd.org (Postfix) with ESMTP id 9D34913C4E5;
	Sat, 16 Feb 2008 23:40:37 +0000 (UTC)
	(envelope-from delphij@delphij.net)
Received: from tarsier.geekcn.org (unknown [202.108.54.204])
	(using TLSv1 with cipher ADH-CAMELLIA256-SHA (256/256 bits))
	(No client certificate requested)
	by tarsier.delphij.net (Postfix) with ESMTP id 84E9B28448;
	Sun, 17 Feb 2008 07:40:36 +0800 (CST)
Received: from localhost (unknown [202.108.54.204])
	by tarsier.geekcn.org (Postfix) with ESMTP id 327E5EB4E06;
	Sun, 17 Feb 2008 07:40:36 +0800 (CST)
X-Virus-Scanned: amavisd-new at geekcn.org
Received: from tarsier.geekcn.org ([202.108.54.204])
	by localhost (mail.geekcn.org [202.108.54.204]) (amavisd-new, port 10024)
	with ESMTP id HiifIALVafDp; Sun, 17 Feb 2008 07:40:31 +0800 (CST)
Received: from charlie.delphij.net (c-67-161-39-180.hsd1.ca.comcast.net [67.161.39.180])
	(using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
	(No client certificate requested)
	by tarsier.geekcn.org (Postfix) with ESMTP id 20467EB4DF7;
	Sun, 17 Feb 2008 07:40:28 +0800 (CST)
DomainKey-Signature: a=rsa-sha1; s=default; d=delphij.net; c=nofws; q=dns;
	h=message-id:date:from:reply-to:organization:user-agent:
	mime-version:to:cc:subject:references:in-reply-to:
	x-enigmail-version:openpgp:content-type:content-transfer-encoding;
	b=NeaPRgblWmRbfXLeoUpxzZN9Sa+YYMwKrijH7y7odqM7qj0drDOaXxA6YMvUBtwTi
	cz7ssHDy/+gw5+V32vVVw==
Message-ID: <47B7746A.8080403@delphij.net>
Date: Sat, 16 Feb 2008 15:40:26 -0800
From: Xin LI
Organization: The FreeBSD Project
User-Agent: Thunderbird 2.0.0.9 (X11/20080122)
MIME-Version: 1.0
To: "M. Warner Losh"
References: <200802160016.m1G0GnFB046558@repoman.freebsd.org>
	<20080216024541.GA31498@nagual.pp.ru>
	<20080215.233427.1598351542.imp@bsdimp.com>
In-Reply-To: <20080215.233427.1598351542.imp@bsdimp.com>
X-Enigmail-Version: 0.95.5
OpenPGP: id=18EDEBA0; url=http://www.delphij.net/delphij.asc
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: ache@nagual.pp.ru, src-committers@FreeBSD.ORG, delphij@FreeBSD.ORG,
	cvs-all@FreeBSD.ORG, cvs-src@FreeBSD.ORG
Subject: Re: cvs commit: src/lib/libc/resolv res_comp.c
X-BeenThere: cvs-all@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: d@delphij.net
List-Id: CVS commit messages for the entire tree
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Sat, 16 Feb 2008 23:40:38 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

M. Warner Losh wrote:
> In message: <20080216024541.GA31498@nagual.pp.ru>
>             Andrey Chernov writes:
> : On Sat, Feb 16, 2008 at 12:16:49AM +0000, Xin LI wrote:
> : > delphij     2008-02-16 00:16:49 UTC
> : >
> : >   FreeBSD src repository
> : >
> : >   Modified files:
> : >     lib/libc/resolv      res_comp.c
> : >   Log:
> : >   Allow underscore in domain names while resolving.  While having underscore
> : >   is a violation of RFC 1034 [STD 13], it is accepted by certain name servers
> : >   as well as other popular operating systems' resolver library.
> :
> : Do you mean we'll have now different results from libc and from bind's
> : resolver for names with underscore? If yes, it sounds worse than RFC
> : violation committed.
>
> Plus there was a very long, very heated thread about removing _ as a
> valid name years ago.  Have conditions changed since then?  Frankly,
> I'd like to have seen a change like this discussed more widely.  There
> was much debate before, and there turned out to be good reasons for
> omitting the _.  I just can't recall them now.

If we are pointing at the same discussion thread, it finally reached a
point which says that there are security concerns, claiming that
gethostbyname() and friends should do aggressive sanity checks for
domain names.  While this might be reasonable at the time of the
discussion, I would argue that, with the world outside *BSD all
accepting _ in host names at the resolver side, the alleged _ -> -
transition never finished as people expected in the early age of the
Internet, and so as applications are ported to these platforms from
time to time, they will have to face the fact that _ is considered
valid by their resolvers.  Moreover, if "_" is that harmful to any
individual applications, I would say that they should check it at the
input stage, which is considered the attack surface, and not rely on
base services like the resolver to do the sanity check.

I don't think it would be the end of the world if we allow _ in host
names.  All other (lame) OSes allow it, their resolvers just accept
this character and give the answer; actually, I would be very
surprised if it can still cause any real world attack nowadays.

Cheers,
- --
Xin LI	http://www.delphij.net/
FreeBSD - The Power to Serve!
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4 (FreeBSD)

iD8DBQFHt3Rqi+vbBBjt66ARAlc8AKC3DAuRfzEuIWUicQBDeDLA5aLk/wCfdtNa
qJ/s+THCAGNsF7M47UMXieI=
=LDaK
-----END PGP SIGNATURE-----
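
The input-stage check argued for in the message above, as an added example that is not part of the original message or of FreeBSD's libc: an application validates an untrusted host name itself before handing it to the resolver. The names `hostname_ok` and `is_alnum_ascii` are hypothetical, and accepting `_` only inside a label in relaxed mode is an assumption of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical helper: ASCII letters and digits only. Avoids <ctype.h>
 * so the result never depends on the process locale. */
static bool is_alnum_ascii(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9');
}

/*
 * Validate untrusted input as a host name before it reaches the resolver.
 * Strict mode (allow_underscore == false) enforces letter-digit-hyphen
 * syntax; relaxed mode also accepts '_' inside a label (an assumption of
 * this example), for callers that must interoperate with lenient peers.
 */
bool hostname_ok(const char *name, bool allow_underscore)
{
    size_t len = strlen(name);
    size_t label_len = 0;

    if (len > 0 && name[len - 1] == '.')    /* one trailing root dot is fine */
        len--;
    if (len == 0 || len > 253)              /* overall presentation limit */
        return false;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        bool at_end = (i + 1 == len) || (name[i + 1] == '.');

        if (c == '.') {
            if (label_len == 0)             /* empty label: "a..b", ".a" */
                return false;
            label_len = 0;
            continue;
        }
        if (++label_len > 63)               /* per-label limit */
            return false;
        if (is_alnum_ascii(c))
            continue;
        /* '-' and (optionally) '_' may not start or end a label. */
        if ((c == '-' || (c == '_' && allow_underscore)) &&
            label_len > 1 && !at_end)
            continue;
        return false;                       /* space, ';', '/', 8-bit, ... */
    }
    return label_len > 0;                   /* reject a dangling empty label */
}
```

With a check like this at the input boundary, the application's policy on `_` no longer depends on which resolver library it is linked against.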