Subject: Re: sendmail 8.7.3, perl 5, bind 4.9.3 glitches
To: None <email@example.com>
From: David <firstname.lastname@example.org>
Date: 01/24/1996 16:54:58
On Tue, 23 Jan 1996, James Graham - Systems Mangler wrote:
> To contribute to the BIND issues, I find some interesting problems with
> -current BIND.
> Say you live in an environment in which machines are of the form
> where foo is the machine. Say you want to get to another machine
> in a parallel subdomain, such as
> Under previous versions of BIND (the one under StunOS comes to mind),
> one can simply, from machine foo(.bar.baz.quux), say:
> # ping bar.foo
> and the resolver will automagically begin adding parts of the domain name
> beyond the unresolved point, i.e.
> TRY bar.foo. ...FAIL
> TRY bar.foo.baz. ...FAIL
> TRY bar.foo.baz.quux. ...OK
> Why is this now broken?
Security reasons.. if you telnet to rxxx.mil and someone at
baz.quux is playing the nasty hacker they can set up a
rxxx.mil.baz.quux which you will connect to - now they can
make that machine connect across to the real rxxx.mil and
capture your entire session.
If you use rxxx.mil. then you are safe - but most of the
godawful broken resolver implementations I have seen under
(for example) Microsoft systems cannot cope with a trailing '.',
and most people do not tend to add the trailing '.' as a
matter of principle...
Also the failure case when your site is cut off from the
net is much less painful...
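The search-list behaviour discussed in this thread, as an added simulation that is not code from the thread or from BIND. It models a resolver that tries a name absolute first and then appends each suffix of the local domain (the TRY ... FAIL/OK order the quoted message shows; real resolvers differ in the exact list and order, so treat this as an assumption). The zone contents, the addresses (RFC 5737 test ranges), the local domain baz.quux and the attacker's look-alike name rxxx.mil.baz.quux are constructed to match the reply above; the "cut off from the net" case at the end of the reply is modelled by making outside names time out, which is when the search list hands the session to the look-alike, while the trailing-dot form fails closed.

```python
"""Added example: simulate a search-list resolver and the look-alike-name
problem described in the thread.  Zone data, addresses and the search-list
order are assumptions for illustration, not BIND's actual code paths."""

# Constructed zone data: the genuine host outside the site, and an attacker's
# look-alike name planted under the local domain.  Addresses are RFC 5737
# documentation ranges, chosen here, not taken from the thread.
ZONE = {
    "rxxx.mil.": "192.0.2.10",              # the genuine host
    "rxxx.mil.baz.quux.": "198.51.100.66",  # attacker's name under baz.quux
    "www.baz.quux.": "203.0.113.5",         # an ordinary local host
}

LOCAL_DOMAIN = "baz.quux"  # assumed: the domain the client sits in


def search_list(local_domain):
    """Search suffixes: the local domain and each of its parents.
    Assumed to model the 'adds parts of the domain name' behaviour the
    quoted message describes.  baz.quux -> ['baz.quux', 'quux']."""
    labels = local_domain.strip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def candidates(name, local_domain):
    """Names the resolver will try, in order.  A trailing dot disables the
    search entirely, which is why 'rxxx.mil.' is the safe spelling."""
    if name.endswith("."):
        return [name]
    cands = [name + "."]  # absolute form first, as in the quoted TRY lines
    for suffix in search_list(local_domain):
        cands.append(f"{name}.{suffix}.")
    return cands


def lookup(fqdn, zone, reachable):
    """One query.  Returns (status, address); 'reachable' decides which
    names the site can still get answers for (e.g. only local ones when
    cut off from the net)."""
    if fqdn not in zone:
        return ("NXDOMAIN", None)
    if not reachable(fqdn):
        return ("TIMEOUT", None)
    return ("OK", zone[fqdn])


def resolve(name, local_domain=LOCAL_DOMAIN, zone=ZONE,
            reachable=lambda fqdn: True):
    """Walk the candidate list.  Returns (address or None, trace), where the
    trace lists every (candidate, status) pair, like the TRY ... lines."""
    trace = []
    for cand in candidates(name, local_domain):
        status, addr = lookup(cand, zone, reachable)
        trace.append((cand, status))
        if addr is not None:
            return addr, trace
    return None, trace


def local_only(fqdn):
    """Reachability when the site is cut off from the outside world:
    only names under the local domain still answer."""
    return fqdn.endswith("." + LOCAL_DOMAIN + ".")


if __name__ == "__main__":
    # Normal case: the absolute name answers first, nobody is fooled.
    print("online, rxxx.mil  ->", resolve("rxxx.mil"))
    # Cut off from the net: the outside lookup times out and the search
    # list silently lands on the attacker's rxxx.mil.baz.quux.
    print("cut off, rxxx.mil ->", resolve("rxxx.mil", reachable=local_only))
    # Trailing dot: no search, so the failure is a clean failure.
    print("cut off, rxxx.mil. ->", resolve("rxxx.mil.", reachable=local_only))
    # The convenience the search list exists for still works for local hosts.
    print("cut off, www      ->", resolve("www", reachable=local_only))
```

Running it shows the trade-off the reply is about: the same suffix-appending that lets a user type "www" instead of "www.baz.quux" is what turns a timed-out outside lookup into a connection to whoever registered the look-alike under the local domain, and only the fully qualified spelling with the trailing dot avoids the search.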