On Thu, 17 Dec 2015 10:48:47 -0700 Thus spake Theo de Raadt <dera...@cvs.openbsd.org>:
> > Serguey Parkhomovsky wrote:
> > > On Wed, Dec 16, 2015 at 06:08:22PM -0500, Ted Unangst wrote:
> > > >
> > > > well, nobody fixed it, so if it's working, it's not using getaddrinfo.
> > > >
> > >
> > > Hmmm... looks like getaddrinfo was using my nameserver to resolve the
> > > decimal IP? I get the same behavior in -current by passing the
> > > AI_NUMERICHOST flag in hints. The following patch should fix this issue:

An IP address can't get "resolved" by a nameserver. It is a nameserver's resolution terminus. But this is weird, so I'm open to suggestions on proper terminology. Converted, perhaps?

> > We're not convinced we want to fix this. The RFC may be mistaken in
> > perpetuating this silliness.
>
> That's my take on this, and why we originally turned the feature off.
>
> There is a long history of security or authentication issues related
> to patterns like A can map to B, B default maps back to C, but A != C.
> This is one of those cases. We turned such a thing off for IP address.
> Notice how long before anyone noticed? Also note it was found with
> code in tor. Doesn't that send shivers down your spine?

Yeah, it's certainly a debatable issue, but I submitted in deference to adherence to order (i.e. POSIX, RFC). I was definitely messing about in ways I probably should not have been when I found this though. And funny you should mention shivers (lol). It took me quite a while to believe it wasn't a bug in Tor. NetBSD & OpenBSD or Tor? Hmm.

In any case, my general philosophy is, make a rule, adhere to the rule, change it when necessary and then adhere to that, but don't break it or it's the thin edge of entropy. You get the point, but I really don't care very much one way or the other.
--Kyle
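The "A maps to B, B maps back to C, but A != C" pattern from the thread, shown for decimal and other legacy IPv4 spellings. This is an added example, not code from the thread or from OpenBSD: it uses `inet_aton()` and `inet_pton()` as stand-ins for the permissive and strict conversions rather than `getaddrinfo()` itself, and the helper names and sample strings are constructed for illustration.

```c
#define _DEFAULT_SOURCE            /* for inet_aton() under strict -std modes */
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Permissive path: inet_aton() accepts 1-4 parts in decimal, octal or hex.
 * On success writes the dotted-quad form (B -> C) to out and returns 1. */
int legacy_to_text(const char *in, char *out, size_t outlen)
{
    struct in_addr a;

    if (inet_aton(in, &a) == 0)
        return 0;
    return inet_ntop(AF_INET, &a, out, (socklen_t)outlen) != NULL;
}

/* Strict path: accept the literal only if parsing it and printing it back
 * yields the same string, so the name that was checked (A) is the name
 * that is used (C). */
int is_canonical_ipv4(const char *in)
{
    struct in_addr a;
    char back[INET_ADDRSTRLEN];

    if (inet_pton(AF_INET, in, &a) != 1)
        return 0;
    if (inet_ntop(AF_INET, &a, back, sizeof back) == NULL)
        return 0;
    return strcmp(in, back) == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "127.0.0.1", "2130706433", "0x7f.1",
                              "017700000001", "example.invalid" };
    char buf[INET_ADDRSTRLEN];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int ok = legacy_to_text(samples[i], buf, sizeof buf);
        printf("%-16s legacy=%-10s canonical=%d\n", samples[i],
               ok ? buf : "(rejected)", is_canonical_ipv4(samples[i]));
    }
    return 0;
}
```

A filter that compares the input string against "127.0.0.1" and then hands the same string to a permissive converter sees different text than the address that ends up in use; comparing only canonical forms closes that gap.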