Mark_Andrews at iengines.com
Mark_Andrews at iengines.com
Sat Nov 13 20:44:35 UTC 1999
> Mark_Andrews at iengines.com wrote:
> > Kevin,
> > the checking is there for security reasons.
> > Gethostbyaddr was being used to break into systems by
> > returning arbitary text as the hostname. We needed to
> > tighten this and the only guaranteed safe output was to
> > enforce RFC 952 + RFC 1123 strictly. The rest is due to
> > the principle of least astonishment.
> Mark, We've discussed this before, and I appreciate, in general term
> the motivation behind limiting the character set. I just think the limitation
> went too far in excluding underscores. Now, if I could get just
> *one* authoritative reference to underscores in DNS names being a security r
> (and believe me, I've looked!), then I could probably convince my management
> we need to eliminate them; "RFC compliance" in and of itself isn't terribly
> persuasive, especially since all of our underscored DNS names are internal an
> have nothing to do with Internet interoperability. Conversely, if there's no
> evidence of underscores being a security risk, then what exactly is the point
> deprecating them? Such arbitrary-seeming restrictions just reinforce the
> stereotype of Unix-centric system software being picky and unforgiving, and h
> drive away customers to more "warm and fuzzy" offerings from Microsoft et al.
The problem with security is that you don't always know
where the problem lies, you only know what is legal to be
returned. When you step outside that envelope you step
into the unknown. While underscores may be ok in 99% of
cases you just don't know about that last 1% and because
of that we have to err on the side of caution.
I know of interperative languages where underscore is the
assignment character and where hostnames are good indexes
into arrays provided you escape the minuses. Suddenly having
assignments occur while trying to index into an array is
not a good thing to occur.
Repeat after me. This is "RFC compliance for SECURITY'S sake."
As for not being on the Internet, turn the checks off if
you don't want them. But if you ever attach these machines
to the Internet don't complain when things don't work.
> > P.S. If you wish to complain go complain to your OS vendor
> > that your OS allowed you to use hostnames that were not
> > RFC 952 + RFC 112 compliant in the first place. Your OS
> > was released after March 1982 (RFC 801 which has the same
> > name rules as RFC 952, I couldn't find a online copy of 608)
> > wasn't it?
> I don't really understand that argument. Hostnames, in an OS context, have no
> necessary relationship to DNS names, or vice versa. A lot of our underscored
> DNS names, for instance, are for network-attached printers, where the concept
> "configuring a hostname in the OS" has little meaning.
Network printer names *are* hostnames. Just because you can't log
into a host does not mean that it is not a host or that it doesn't
have an operating system.
> - Kevin
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at iengines.com
More information about the bind-users