On Mon, 10 May 2021, Joe Abley wrote:

>    $ORIGIN example.com
>    @   SVCB   1 foo key6="\032\001\013\184\000\000\000\000\000\000\000\000\\\\,\000"
>    ; a.k.a.   ipv6hint=2001:db8::5c5c:2c00
>
> A zone owner/editor would never even think of typing in IP addresses
> like that.

Right, but an attacker who wants to take advantage of the impact of that 
observation in the construction of some parser might, which is why it's a 
security concern.

Some DN / RDN / CN parsing tools have this issue too and some allow a
comma with an additional masking comma, e.g. OU=testing,,security, O=Mayhem

Then other code can just never ever allow masking, double masking,
backslashing, single or double quotes or what not.

Paul

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
