On Sun, 21 Jan 2018, Paul Hoffman wrote:
So how about:
The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA
may be
passed to another (DNS) program for processing. The content MUST be
verified to not contain any malicious characters, before it is
passed to other programs for DNS processing. If it contains malicious
characters, the payload should be ignored or sanitized. Whether a
specific combination of non-malicious characters constitute a valid
DNS domain name is best left to be decided by the DNS software that
receives the contents of these payloads.
Unless you can define "malicious", I would disagree. In fact, unless you can
define "character", you will also have a problem (some encodings of characters
take up multiple octets).
If you really want to go down this path, you must say something like "domain
names where each label consist only of octets which map to the ASCII encoding
of the following values: A to Z, a to z, 0 to 9, "-", and "_".
I'm trying not to define any DNS terms in this document and stay out of
any character/domain/hostname discussion. How about:
The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be passed
to another (DNS) program for processing. As with any network input, the
content should be considered untrusted and handled accordingly.
Paul
_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec