Subject: Re: sendmail 8.7.3, perl 5, bind 4.9.3 glitches
To: None <greywolf@captech.com>
From: David <david@southern.com>
List: current-users
Date: 01/24/1996 16:54:58
On Tue, 23 Jan 1996, James Graham - Systems Mangler wrote:
> To contribute to the BIND issues, I find some interesting problems with
> -current BIND.
>
> Say you live in an environment in which machines are of the form
>
> foo.bar.baz.quux
>
> where foo is the machine. Say you want to get to another machine
> in a parallel subdomain, such as
>
> bar.foo.baz.quux
>
> Under previous versions of BIND (the one under StunOS comes to mind),
> one can simply, from machine foo(.bar.baz.quux), say:
>
> # ping bar.foo
>
> and the resolver will automagically begin adding parts of the domain name
> beyond the unresolved point, i.e.
>
> TRY bar.foo. ...FAIL
> TRY bar.foo.baz. ...FAIL
> TRY bar.foo.baz.quux. ...OK
>
> Why is this now broken?
>
Security reasons. If you telnet to rxxx.mil and someone at
baz.quux is playing the nasty hacker they can set up a
rxxx.mil.baz.quux which you will connect to - now they can
make that machine connect across to the real rxxx.mil and
capture your entire session.
If you use rxxx.mil. then you are safe - but most of the
godawful broken resolver implementations I have seen under
(for example) Microsoft systems cannot cope with a trailing '.',
and most people do not tend to add the trailing '.' as a
matter of principle...
Also the failure case when your site is cut off from the
net is much less painful...
David
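To make the hijack David describes concrete, here is an added model (my own illustration, not BIND's resolver code) of which names a resolver actually sends under the legacy parent-walking search versus the later behaviour (trailing dot honoured, only explicit search domains appended, absolute lookup first for dotted names). The hostnames and the domain bar.baz.quux come from the thread; the helper names and the ndots default of 1 are assumptions.

```python
from typing import List


def parent_domains(local_domain: str) -> List[str]:
    """Legacy walk-up: 'bar.baz.quux' -> ['bar.baz.quux', 'baz.quux', 'quux']."""
    labels = local_domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def legacy_candidates(name: str, local_domain: str) -> List[str]:
    """Old-BIND style (as described in the thread): the name as typed, then the
    name under every parent of the local domain. Walking up to baz.quux is what
    lets a rogue rxxx.mil.baz.quux be tried at all."""
    if name.endswith("."):
        return [name]  # trailing dot means absolute, no expansion
    return [name + "."] + [f"{name}.{d}." for d in parent_domains(local_domain)]


def hardened_candidates(name: str, search_list: List[str], ndots: int = 1) -> List[str]:
    """Later behaviour: trailing dot ends expansion; a name with at least ndots
    dots is tried absolute first; only the explicit search list is appended
    (no automatic walk up to parent domains). ndots=1 is an assumed default."""
    if name.endswith("."):
        return [name]
    absolute = [name + "."]
    expanded = [f"{name}.{d.strip('.')}." for d in search_list]
    return absolute + expanded if name.count(".") >= ndots else expanded + absolute


def risky_expansions(name: str, candidates: List[str], own_zone: str) -> List[str]:
    """Suffix-expanded candidates that land outside the zone we administer, i.e.
    names a party holding a neighbouring subdomain could register. Useful when
    reviewing a resolver configuration for exposure to this kind of shadowing."""
    suffix = "." + own_zone.strip(".") + "."
    as_typed = name.rstrip(".") + "."
    return [c for c in candidates if c != as_typed and not c.endswith(suffix)]


if __name__ == "__main__":
    zone = "bar.baz.quux"  # our machine is foo.bar.baz.quux, per the thread
    for host in ("rxxx.mil", "rxxx.mil.", "bar.foo"):
        old = legacy_candidates(host, zone)
        new = hardened_candidates(host, [zone])
        print(host, "legacy:", old, "risky:", risky_expansions(host, old, zone))
        print(host, "hardened:", new, "risky:", risky_expansions(host, new, zone))
```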