Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:

> If applications make unwarranted assumptions about the syntax of
> DNS replies, that's surely an application bug, rather than an issue
> in DNS.

I particularly liked this paper because it's a really good example of a common cause of security problems: when it isn't clear whose responsibility it is to enforce an important restriction, in this case, hostname syntax vs. DNS name (lack of) syntax. And different implementers have made different choices, for instance whether the libc stub resolver enforces hostname syntax or not.

And another classic vulnerability generator: standard APIs that make it easy for non-specialists to step on every rake in the grass. In this case, if an application needs something more fancy than getaddrinfo(), it has to contend with the low-level resolver API, which is just about better than nothing for parsing DNS packets, but certainly won't help you handle names that ought to have restricted syntax (service names, mail domains, etc.)

So I don't think the problems can be dismissed as simply application bugs: the problems come from mismatches in expectations at the boundary between the DNS and the applications. And the DNS is notorious (the subject of memes!) for being far too difficult to use correctly.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Selsey Bill to Lyme Regis: West or northwest 3 to 5. Smooth or slight, occasionally moderate in east. Showers later. Mainly good.

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
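The boundary the message describes, between what the DNS wire format permits in a name and what hostname syntax (RFC 952/1123 letter-digit-hyphen labels) permits, can be made concrete with a small check. The following is an added example, not code from the thread or from any resolver library: a wire-format name decoder that deliberately passes every byte through unchanged (as a low-level resolver API does), a presentation-format renderer that escapes anything unusual so it cannot hide, and a separate hostname validator that an application would run on, say, an MX or SRV target before using it. The sample wire-format names are constructed for the example.

```python
import re
import struct

# Constructed DNS wire-format names (not from the message). A name is a sequence
# of <length><bytes> labels ending in a zero-length label. DNS itself permits any
# byte value inside a label; only hostname rules (RFC 952/1123) restrict it.
WIRE_OK = b"\x03www\x07example\x03com\x00"
WIRE_SPACE = b"\x09mail host\x07example\x03com\x00"      # space inside a label
WIRE_HYPHEN = b"\x04-bad\x07example\x03com\x00"          # label starts with '-'
WIRE_BINARY = b"\x03\x00\x01\x02\x07example\x03com\x00"  # raw control bytes


def decode_wire_name(data: bytes, offset: int = 0):
    """Decode one DNS name from wire format, returning (labels, end_offset).

    Labels come back as raw bytes: the decoder makes no syntax judgement, which
    is exactly what a low-level resolver API gives an application. Compression
    pointers (RFC 1035 section 4.1.4) are followed, with a hop limit so a
    pointer loop in a hostile packet cannot spin forever."""
    labels = []
    jumped = False
    end = None
    hops = 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # two-octet compression pointer
            if not jumped:
                end = offset + 2  # the name's bytes end after the pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            offset = pointer
            jumped = True
            hops += 1
            if hops > 63:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        if length > 63:
            raise ValueError("label longer than 63 octets")
        labels.append(data[offset:offset + length])
        offset += length
    if end is None:
        end = offset
    return labels, end


def to_presentation(labels):
    """Render labels in master-file presentation form, escaping every byte that
    is not printable ASCII, plus '.' and '\\', as \\DDD so nothing is hidden."""
    out = []
    for label in labels:
        text = ""
        for b in label:
            if 0x21 <= b <= 0x7E and b not in (0x2E, 0x5C):
                text += chr(b)
            else:
                text += "\\%03d" % b
        out.append(text)
    return ".".join(out) + "."


# RFC 1123 label: letters, digits and hyphen; 1..63 octets; no leading or
# trailing hyphen.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(labels):
    """Hostname syntax check: every label is LDH, and the dotted name fits in
    253 octets. This is the restriction DNS does not enforce for you."""
    if not labels:
        return False
    dotted_len = sum(len(label) for label in labels) + len(labels) - 1
    if dotted_len > 253:
        return False
    for label in labels:
        try:
            text = label.decode("ascii")
        except UnicodeDecodeError:
            return False
        if not _LDH_LABEL.match(text):
            return False
    return True


def check_wire_name(data: bytes):
    """Return (presentation_name, hostname_ok) for a wire-format name: the
    boundary check an application should apply before treating a DNS name
    (an MX or SRV target, a CNAME) as a hostname."""
    labels, _ = decode_wire_name(data)
    return to_presentation(labels), is_valid_hostname(labels)


if __name__ == "__main__":
    for wire in (WIRE_OK, WIRE_SPACE, WIRE_HYPHEN, WIRE_BINARY):
        name, ok = check_wire_name(wire)
        print("%-32s hostname syntax: %s" % (name, "ok" if ok else "REJECT"))
```

The split into a permissive decoder and a strict validator is the point: the decoder mirrors what the DNS guarantees (almost nothing about label contents), and the validator is the application's own decision about which syntax it is prepared to accept, made explicitly rather than assumed.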