Underscore Character

Mark_Andrews at iengines.com Mark_Andrews at iengines.com
Sat Nov 13 20:44:35 UTC 1999 

> Mark_Andrews at iengines.com wrote:
> 
> >         Kevin,
> >                the checking is there for security reasons.
> >         Gethostbyaddr was being used to break into systems by
> >         returning arbitary text as the hostname.  We needed to
> >         tighten this and the only guaranteed safe output was to
> >         enforce RFC 952 + RFC 1123 strictly.  The rest is due to
> >         the principle of least astonishment.
> 
> Mark,          We've discussed this before, and I appreciate, in general term
> s,
> the motivation behind limiting the character set. I just think the limitation
> s
> went too far in excluding underscores. Now, if I could get just
> *one* authoritative reference to underscores in  DNS names being a security r
> isk
> (and believe me, I've looked!), then I could probably convince my management 
> that
> we need to eliminate them; "RFC compliance" in and of itself isn't terribly
> persuasive, especially since all of our underscored DNS names are internal an
> d
> have nothing to do with Internet interoperability. Conversely, if there's no
> evidence of underscores being a security risk, then what exactly is the point
>  of
> deprecating them? Such arbitrary-seeming restrictions just reinforce the
> stereotype of Unix-centric system software being picky and unforgiving, and h
> elps
> drive away customers to more "warm and fuzzy" offerings from Microsoft et al.

	The problem with security is that you don't always know
	where the problem lies, you only know what is legal to be
	returned.  When you step outside that envelope you step
	into the unknown.  While underscores may be ok in 99% of
	cases you just don't know about that last 1% and because
	of that we have to err on the side of caution.

	I know of interperative languages where underscore is the
	assignment character and where hostnames are good indexes
	into arrays provided you escape the minuses.  Suddenly having
	assignments occur while trying to index into an array is
	not a good thing to occur.

	Repeat after me.  This is "RFC compliance for SECURITY'S sake."

	As for not being on the Internet, turn the checks off if
	you don't want them.  But if you ever attach these machines
	to the Internet don't complain when things don't work.

> 
> >         P.S. If you wish to complain go complain to your OS vendor
> >         that your OS allowed you to use hostnames that were not
> >         RFC 952 + RFC 112 compliant in the first place.  Your OS
> >         was released after March 1982 (RFC 801 which has the same
> >         name rules as RFC 952, I couldn't find a online copy of 608)
> > wasn't it?
> 
> I don't really understand that argument. Hostnames, in an OS context, have no
> necessary relationship to DNS names, or vice versa. A lot of our underscored
> DNS names, for instance, are for network-attached printers, where the concept
>  of
> "configuring a hostname in the OS" has little meaning.

	Network printer names *are* hostnames.  Just because you can't log
	into a host does not mean that it is not a host or that it doesn't
	have an operating system.

	Mark
> 
> 
> - Kevin
> 
> 
--
Mark Andrews, Internet Engines Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at iengines.com

More information about the bind-users mailing list