kcd at daimlerchrysler.com
Tue Nov 16 17:43:20 UTC 1999
Mark_Andrews at iengines.com wrote:
(Re: the security implications of underscores in hostnames)
> I know of interperative languages where underscore is the
> assignment character and where hostnames are good indexes
> into arrays provided you escape the minuses. Suddenly having
> assignments occur while trying to index into an array is
> not a good thing to occur.
Such languages would be pretty obscure, wouldn't they?
Standard security practice is for a program to escape *any* character which might
have a special meaning in the runtime environment, if it is not intended to have
that meaning in a particular context. Since underscores have been in hostnames for
years, I'd say any program which has fails to do this is just plain badly written.
Of course, all of this is rather academic: in my many searches, I've never
uncovered an authoritative reference to any underscore-related vulnerabilities.
> Repeat after me. This is "RFC compliance for SECURITY'S sake."
> As for not being on the Internet, turn the checks off if
> you don't want them.
But then that blinds me to other sorts of name problems, doesn't it? Perhaps a
little more granularity here would be nice.
> But if you ever attach these machines
> to the Internet don't complain when things don't work.
> > > P.S. If you wish to complain go complain to your OS vendor
> > > that your OS allowed you to use hostnames that were not
> > > RFC 952 + RFC 112 compliant in the first place. Your OS
> > > was released after March 1982 (RFC 801 which has the same
> > > name rules as RFC 952, I couldn't find a online copy of 608)
> > > wasn't it?
> > I don't really understand that argument. Hostnames, in an OS context, have no
> > necessary relationship to DNS names, or vice versa. A lot of our underscored
> > DNS names, for instance, are for network-attached printers, where the concept
> > of
> > "configuring a hostname in the OS" has little meaning.
> Network printer names *are* hostnames. Just because you can't log
> into a host does not mean that it is not a host or that it doesn't
> have an operating system.
I still think you're mixing apples and oranges. The "operating system" of such a
device doesn't necessarily have the faintest clue what name you're using to access
it, so how do you expect the OS vendor to enforce RFC compliance? Should it
periodically perform reverse lookups to see if its address maps back to anything
Or are you saying every device in the network which wants to connect *to* that
device should be enforcing RFC compliance for every connection attempt? That would
appear to me to be a function of the resolver library, which is often ported
fairly directly from the BIND distribution. So the OS vendors would most likely
just pass the complaints on to ISC.
More information about the bind-users