Subject: Re: switching from bind8 to bind9
To: None <tech-net@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 11/19/2002 13:34:10
[ On Tuesday, November 19, 2002 at 06:19:39 (+0100), der Mouse wrote: ]
> Subject: Re: switching from bind8 to bind9
>
> > No, I seemed to remember 2821 deciding that _ would be legal.
> 
> If so, it seems to have been backed out by the time it was frozen.  My
> copy of 2821 says (excerpted, of course):
> 
>       Domain = (sub-domain 1*("." sub-domain)) / address-literal
>       sub-domain = Let-dig [Ldh-str]
>       Let-dig = ALPHA / DIGIT
>       Ldh-str = *( ALPHA / DIGIT / "-" ) Let-dig
> 
> I searched, and the _ character does not appear at all in 2821.

and if you search for the word "underscore" you'll also find at the end
of §4.1.2 (Command Argument Syntax):

   To promote interoperability and consistent with long-standing
   guidance about conservative use of the DNS in naming and applications
   (e.g., see section 2.3.1 of the base DNS document, RFC1035 [22]),
   characters outside the set of alphas, digits, and hyphen MUST NOT
   appear in domain name labels for SMTP clients or servers.  In
   particular, the underscore character is not permitted.  SMTP servers
   that receive a command in which invalid character codes have been
   employed, and for which there are no other reasons for rejection,
   MUST reject that command with a 501 response.

Of course the famed underscore character is merely the tip of this
issue's iceberg.

It's important in the context of this thread to note as well that SMTP
is not the only specification (or software) that falls under the
umbrella of RFC 1035 §2.3.1 -- IIRC even plain old telnet strongly
suggests that hostname labels (i.e. domain names with A RRs) should have
a restricted character set.  To that end it seems quite prudent to have
the DNS software do the checking early and often too, especially on
certain record types, just in case that other software might fall flat
on its face with the likes of a unicode exploit or what have you.

It's one thing to be liberal in what you accept and quite another to
pass on poisoned data.

In my world (i.e. in the places where I manage the DNS) it's quite clear
that until agreement is reached on how to safely internationalize domain
name labels everything which is not "let-dig [ldh-str]" could be poison
to some client, or at least unusable by some client.  I know I have
DNS clients that are vulnerable to the unicode exploits, for example,
and there's nothing I can do to fix them so filtering is my only cure.

-- 
								Greg A. Woods

+1 416 218-0098;            <g.a.woods@ieee.org>;           <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
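A checker for the "let-dig [ldh-str]" grammar quoted in the message, as an added example that is not part of the original post, of BIND, or of the NetBSD tree. It implements the RFC 2821 §4.1.2 Domain rule exactly as excerpted above (two or more dotted labels; the address-literal branch is not handled) and adds the 63-octet label and 255-octet name limits from RFC 1035 §2.3.4, which the message does not cite. The function names and the 250/501 mapping are assumptions of this example.

```python
"""Added example: validate domain names against the RFC 2821 sub-domain grammar.

   sub-domain = Let-dig [Ldh-str]
   Let-dig    = ALPHA / DIGIT
   Ldh-str    = *( ALPHA / DIGIT / "-" ) Let-dig
   Domain     = sub-domain 1*("." sub-domain)   ; address-literal branch omitted
"""

import string
from typing import Optional

LET_DIG = frozenset(string.ascii_letters + string.digits)  # ALPHA / DIGIT
LDH = LET_DIG | {"-"}                                      # ALPHA / DIGIT / "-"

# Size limits taken from RFC 1035 section 2.3.4 (assumption: not in the thread).
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255


def check_label(label: str) -> Optional[str]:
    """Return None if `label` matches sub-domain, otherwise a human-readable reason."""
    if not label:
        return "empty label"
    if len(label.encode("utf-8")) > MAX_LABEL_OCTETS:
        return "label longer than 63 octets"
    # Report every offending character, so underscores and non-ASCII
    # (the "unicode" case from the message) are named explicitly.
    bad = sorted({c for c in label if c not in LDH})
    if bad:
        return "character(s) outside alpha/digit/hyphen: " + ", ".join(repr(c) for c in bad)
    if label[0] not in LET_DIG:
        return "label must start with a letter or digit"
    if label[-1] not in LET_DIG:
        return "label must end with a letter or digit"
    return None


def check_domain(name: str) -> Optional[str]:
    """Return None if `name` matches the quoted Domain rule, otherwise a reason.

    The excerpt requires 1*("." sub-domain), i.e. at least two labels.
    """
    if len(name.encode("utf-8")) > MAX_NAME_OCTETS:
        return "name longer than 255 octets"
    labels = name.split(".")
    if len(labels) < 2:
        return "at least two labels required by the quoted grammar"
    for i, label in enumerate(labels):
        reason = check_label(label)
        if reason is not None:
            return f"label {i} ({label!r}): {reason}"
    return None


def smtp_reply_code(name: str) -> int:
    """Mirror the MUST in RFC 2821 section 4.1.2: 501 for invalid characters, else 250.

    The 250 value is an assumption for the accepting case; the 501 is from the RFC text.
    """
    return 250 if check_domain(name) is None else 501


if __name__ == "__main__":
    # Constructed sample names, not taken from any real zone.
    for sample in ("mail.example.org", "my_host.example.org", "-bad.example.org",
                   "localhost", "caf\u00e9.example.org"):
        print(f"{sample!r:28} -> {smtp_reply_code(sample)} {check_domain(sample) or 'ok'}")
```

Running the block prints one line per constructed sample with the reply code and the reason for rejection; the underscore and the accented character are each reported as characters outside the alpha/digit/hyphen set, and the single-label name is rejected because the quoted grammar demands at least one dot.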