Don Hackett: [BIND-BUGS #1090] [bind bug] leading zero's give bad address
Tom Limoncelli
tal at research.bell-labs.com
Tue Sep 5 19:18:46 UTC 2000
Mark.Andrews at nominum.com wrote:
>
> > i need help with this. it seems like octal interpretation is counterintuitive
> > but i thought it was the standard long before i came on the scene. if decimal
> > is how BSD inet_addr() classically behaved, and i broke it, then i'll change
> > it to decimal.
> >
> From memory BSD 4.2 interpreted leading zeros as octal. You could
> even enter the addresses as hexadecimal. i.e. it was bad to name
> a host deadbeef. This was mentioned in the 4.2 documentation.

I've always considered this a bug. It is counter-intuitive to the
average user, which violates most user-interface guidelines. The
user-representation of IPv4 addresses is decimal. I haven't checked the
RFCs to back this up, but if they do support octal notation I would be
surprised. This has always seemed to be a side-effect of using the
wrong libc function to do the conversion rather than a documented
feature.

Don't ask me, ask my users. From an operational point of view I can say
that about once a year I get a "bug report" from a user that discovers
this behavior. When I explain that this is octal conversion they
understand (if they are technical), but many have requested that it be
reported to the vendor as a bug to be fixed. This has been my average
at all the companies I've worked, not just Lucent/Bell Labs. I bring
this up to introduce "hard historical data" that this tradition is
confusing to users and thus should be fixed. I'm sure I could survey
SAGE members to collect data if that would convince people.

I'm surprised that nobody has come up with a security hole based on
this. I guess we're lucky that octal always converts to fewer number of
digits or someone would find some kind of buffer overrun problem.
However, I do notice that http://216.254.0135.10 confuses Apache's
name-based virtual web server. On the PC (I haven't tried others)
Netscape and MS-IE both have this octal-tradition carried forward.

It's just embarrassing that we who consider ourselves so high-tech and
better than everyone else are afraid to fix bugs that have lasted for
more than a couple years.

This should either be fixed, or we should make it part of the standard.
If we make it a standard, we should also permit roman numerals, binary,
and morse code.

--tal

...and before someone asks, I also think it's silly that in post-CIDR
days "8" becomes "0.0.0.8" and "8.9" becomes "8.0.0.9". At least
"10.256.1.1" doesn't become "11.0.1.1" on most systems.
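
The parsing behaviour discussed in this thread, as an added example that is not part of the original message and is not BIND or libc code: `parse_classic` reimplements the legacy `inet_addr()`-style rules (octal, hex, short forms), and `parse_strict` accepts only canonical dotted-decimal so that ambiguous input can be rejected before it reaches a host name or access-list comparison. The function names are hypothetical, chosen for this illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Legacy rules from the thread, reimplemented for illustration (not libc's code):
 * base-0 parts (0x = hex, leading 0 = octal), 1-4 parts, last fills the rest. */
int parse_classic(const char *s, uint32_t *out) {
    uint64_t parts[4], addr = 0, n = 0;
    for (;; s++) {
        char *end;
        if (n == 4 || !isdigit((unsigned char)*s)) return -1;
        parts[n++] = strtoull(s, &end, 0);
        s = end;
        if (*s == '\0') break;
        if (*s != '.') return -1;
    }
    for (uint64_t i = 0; i + 1 < n; i++) {
        if (parts[i] > 255) return -1;
        addr |= parts[i] << (24 - 8 * i);
    }
    if (parts[n - 1] >> (8 * (5 - n))) return -1; /* last part too wide */
    *out = (uint32_t)(addr | parts[n - 1]);
    return 0;
}

/* Strict form: exactly four decimal parts, 0-255, no leading zeros, no hex. */
int parse_strict(const char *s, uint32_t *out) {
    uint32_t addr = 0;
    for (int i = 0; i < 4; i++) {
        unsigned v = 0, digits = 0;
        if (s[0] == '0' && isdigit((unsigned char)s[1])) return -1;
        for (; digits < 3 && isdigit((unsigned char)*s); digits++)
            v = v * 10 + (unsigned)(*s++ - '0');
        if (!digits || v > 255 || *s++ != (i < 3 ? '.' : '\0')) return -1;
        addr = (addr << 8) | v;
    }
    *out = addr;
    return 0;
}

int main(void) { /* inputs quoted in the message, plus one canonical address */
    const char *in[] = {"216.254.0135.10", "8", "8.9", "10.256.1.1", "216.254.93.10"};
    for (int i = 0; i < 5; i++) {
        uint32_t a = 0, b = 0;
        int l = parse_classic(in[i], &a), t = parse_strict(in[i], &b);
        printf("%-16s legacy rc=%d addr=%08x strict rc=%d\n", in[i], l, (unsigned)a, t);
    }
    return 0;
}
```

Any input where the legacy parser succeeds and the strict one fails is a non-canonical spelling of an address and is the case worth rejecting or logging.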