kcd at daimlerchrysler.com
Sat Nov 13 05:43:35 UTC 1999
Mark_Andrews at iengines.com wrote:
> the checking is there for security reasons.
> Gethostbyaddr was being used to break into systems by
> returning arbitrary text as the hostname. We needed to
> tighten this and the only guaranteed safe output was to
> enforce RFC 952 + RFC 1123 strictly. The rest is due to
> the principle of least astonishment.
Mark, we've discussed this before, and I appreciate, in general terms,
the motivation behind limiting the character set. I just think the limitations
went too far in excluding underscores. Now, if I could get just
*one* authoritative reference to underscores in DNS names being a security risk
(and believe me, I've looked!), then I could probably convince my management that
we need to eliminate them; "RFC compliance" in and of itself isn't terribly
persuasive, especially since all of our underscored DNS names are internal and
have nothing to do with Internet interoperability. Conversely, if there's no
evidence of underscores being a security risk, then what exactly is the point of
deprecating them? Such arbitrary-seeming restrictions just reinforce the
stereotype of Unix-centric system software being picky and unforgiving, and help
drive away customers to more "warm and fuzzy" offerings from Microsoft et al.
> P.S. If you wish to complain go complain to your OS vendor
> that your OS allowed you to use hostnames that were not
> RFC 952 + RFC 112 compliant in the first place. Your OS
> was released after March 1982 (RFC 801 which has the same
> name rules as RFC 952, I couldn't find an online copy of 608)
> wasn't it?
I don't really understand that argument. Hostnames, in an OS context, have no
necessary relationship to DNS names, or vice versa. A lot of our underscored
DNS names, for instance, are for network-attached printers, where the concept of
"configuring a hostname in the OS" has little meaning.
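As an added example, not part of this thread and not BIND's own code, here is a host-name check of the kind Mark describes: strict RFC 952 + RFC 1123 syntax applied to whatever a reverse lookup hands back, before that string is trusted in a log line, a generated config file, or an access-control decision. The function names and the sample names are mine; the rules are the ones in the RFCs (labels of letters, digits and hyphens, 1 to 63 octets, no leading or trailing hyphen, a leading digit allowed per RFC 1123, whole name at most 253 characters).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not BIND's code. The point of the check: a PTR answer is
 * written by whoever runs the reverse zone for the address, so a caller that
 * splices the result into a command line, a log, or a hosts.allow decision
 * must not assume it looks like a host name. */

#define MAX_LABEL 63   /* RFC 1035 label limit */
#define MAX_NAME  253  /* 255 octets on the wire minus length/terminator */

/* Locale-independent ASCII classes; isalnum() would accept locale extras. */
static bool is_ldh(unsigned char c)
{
    return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
           (c >= '0' && c <= '9') || c == '-';
}

/* One label: 1..63 octets of letters/digits/hyphen, no hyphen at either end. */
static bool valid_label(const char *s, size_t n)
{
    if (n == 0 || n > MAX_LABEL)
        return false;
    if (s[0] == '-' || s[n - 1] == '-')
        return false;
    for (size_t i = 0; i < n; i++) {
        /* underscore, space, ';', '$', '`' and friends all fail here */
        if (!is_ldh((unsigned char)s[i]))
            return false;
    }
    return true;
}

/* Strict RFC 952 + RFC 1123 host-name syntax. A single trailing dot
 * (fully-qualified form) is accepted; anything else unusual is rejected. */
bool valid_hostname(const char *name)
{
    if (name == NULL)
        return false;
    size_t len = strlen(name);
    if (len > 0 && name[len - 1] == '.')
        len--;                      /* strip the FQDN trailing dot */
    if (len == 0 || len > MAX_NAME)
        return false;

    const char *p = name, *end = name + len;
    while (p < end) {
        const char *dot = memchr(p, '.', (size_t)(end - p));
        size_t n = dot ? (size_t)(dot - p) : (size_t)(end - p);
        if (!valid_label(p, n))
            return false;           /* also catches "a..b" (empty label) */
        p += n + 1;                 /* skip label and its dot */
    }
    return true;
}

/* What a cautious resolver wrapper does with a rejected name: fall back to
 * the address text rather than propagating the untrusted string. */
const char *hostname_or_addr(const char *ptr_result, const char *addr_text)
{
    return valid_hostname(ptr_result) ? ptr_result : addr_text;
}

int main(void)
{
    /* Constructed sample PTR results, including the underscored printer
     * names from the thread and one hostile string. */
    static const char *samples[] = {
        "printer-01.example.com", "3com.example.com", "host.example.com.",
        "hp_laser_2.corp.example", "-bad.example.com", "a..b",
        "evil;rm -rf /.example.com", "",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-30s %s\n", samples[i],
               valid_hostname(samples[i]) ? "ok" : "REJECT");
    printf("log entry would show: %s\n",
           hostname_or_addr("hp_laser_2.corp.example", "192.0.2.7"));
    return 0;
}
```

The check expresses host-name syntax, not DNS syntax: RFC 2181 lets a DNS label carry any octet, which is why the underscored printer names resolve perfectly well and still fail here. That gap between "what the DNS will serve" and "what a program may safely treat as a host name" is exactly where the gethostbyaddr problem in the thread lived.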