On 04/13/2018 04:47 PM, bert hubert wrote:
> 2) Try:
> ping goes-via-embedded-nul.tdns.powerdns.org
> ping goes-via-embedded-space.tdns.powerdns.org.
> ping goes-via-embedded-dot.tdns.powerdns.org.
> None of these resolve when I try them, I wonder if that is because
> implementations want CNAMEs to be 'host names', or if this is a chain of
> bugs. Not practically very relevant, but still.

It is relevant because sometimes * wildcards leak into such CNAME chains:
https://sourceware.org/bugzilla/show_bug.cgi?id=12154
glibc should just filter out such wildcards, and not completely reject
the answer. (I think that stub resolvers should stop processing CNAMEs
completely and use the actual QNAME, after search list processing, as
the canonical name, but that is controversial.)

I'm slightly worried that a naïve implementation of the skipping
introduces a denial-of-service vulnerability because parsing many binary
domain names can be quite costly, requiring millions of cycles and
expanding to 6 MiB in total for a 64 KiB packet.

Thanks,
Florian
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
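
An added example, not part of the message above and not glibc code: one way a stub resolver could expand compressed names while keeping binary labels intact and capping the total work per packet, which is the cost concern raised in the reply. The names `expand_name`, `expand_sample`, `SAMPLE` and the per-packet budget are assumptions of this sketch, and the sample bytes are constructed.

```c
#include <stddef.h>
#include <string.h>

#define MAX_NAME 255   /* RFC 1035 limit on a wire-format name */

/* Expand the name at msg[off] into out (MAX_NAME bytes). Labels are copied as
 * raw bytes, so an embedded NUL, space or dot is kept, not rejected.
 * *budget is a per-packet work allowance (assumption of this sketch): one unit
 * per octet copied and per pointer followed, shared by all names in a packet.
 * Returns the expanded length, or -1 if malformed or over budget. */
int expand_name(const unsigned char *msg, size_t len, size_t off,
                unsigned char *out, long *budget)
{
    size_t seg = off;   /* start of the segment being read */
    int n = 0;

    while (off < len) {
        unsigned c = msg[off];
        if ((c & 0xC0) == 0xC0) {              /* compression pointer */
            if (off + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[off + 1];
            if (target >= seg) return -1;      /* must move strictly backward */
            if (--*budget < 0) return -1;
            seg = off = target;
            continue;
        }
        if (c & 0xC0) return -1;               /* reserved label types */
        if (off + 1 + c > len || n + 1 + (int)c > MAX_NAME) return -1;
        if ((*budget -= 1 + (long)c) < 0) return -1;
        memcpy(out + n, msg + off, 1 + c);
        n += 1 + (int)c;
        if (c == 0) return n;                  /* root label: done */
        off += 1 + c;
    }
    return -1;                                 /* ran off the end */
}

/* Constructed sample: "a\0b.test." at 0, "x"+ptr->0 at 10, "y"+ptr->14 at 14. */
static const unsigned char SAMPLE[] = {
    3, 'a', 0, 'b', 4, 't', 'e', 's', 't', 0,
    1, 'x', 0xC0, 0x00,
    1, 'y', 0xC0, 0x0E,
};
unsigned char sample_out[MAX_NAME];
long sample_budget;

int expand_sample(size_t off, long budget)
{
    sample_budget = budget;
    return expand_name(SAMPLE, sizeof SAMPLE, off, sample_out, &sample_budget);
}
```

Because the budget is passed by pointer, a caller can share one allowance across every name in a response, so a packet made of many short pointers to one long name fails early instead of being expanded name by name.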