On Jan 21, 2018, at 7:20 PM, Paul Wouters <p...@nohats.ca> wrote:

>> - Section 6 says:
>>
>>    The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
>>    passed to another (DNS) program for processing. The content MUST be
>>    verified and sanitized before passing it to other software. For
>>    example, domain names are limited to alphanumeric characters and the
>>    minus ("-") and underscore ("_") symbol and if other characters
>>    are present, the entire payload could be ignored and not passed to
>>    DNS software, or the malicious characters could be filtered out
>>    before passing the payload to DNS software.
>>
>> That is not correct. *Host* names are limited, but domain names are not.
>> Domain names can have any octet in them. This is a common misunderstanding
>> in the DNS; see RFC 7719 for definitions of DNS terms. I suggest that this
>> paragraph be changed to:
>
> That somewhat contradicts 7719 in which document you state:
>
>    Note that any label in a
>    domain name can contain any octet value; hostnames are generally
>    considered to be domain names where every label follows the rules
>    in the "preferred name syntax"

There is no contradiction between what I say above and that.

> So a hostname - if FQDN - could have a leftmost label with other stuff
> in it, but everything to the right of the zone cut would have to be
> compliant to the restrictive set. And we were talking about domain names,
> and not hostnames.

Nonono. Nothing in the definition of domain name or hostname has anything to do with label position.

>>    The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
>>    passed to another (DNS) program for processing. Some DNS programs
>>    only handle domain names in host name format, although many are
>>    inconsistent about this.
>
> I would prefer to keep the focus on the security part. If there are
> weird characters, don't blindly pass those along.

If you're talking about domain names, there are no "weird characters": they are just blobs of octets.

> Whether something
> is a legit hostname or domain name is not very relevant to the IKE
> or IPsec layer. Whoever _receives_ the information can determine
> that part. We are mostly concerned about passing foo`cat /etc/passwd`.com

...which is a valid domain name (assuming an ASCII or UTF-8 encoding for the octets).

> So how about:
>
>    The content of INTERNAL_DNS_DOMAIN and INTERNAL_DNSSEC_TA may be
>    passed to another (DNS) program for processing. The content MUST be
>    verified to not contain any malicious characters, before it is
>    passed to other programs for DNS processing. If it contains malicious
>    characters, the payload should be ignored or sanitized. Whether a
>    specific combination of non-malicious characters constitutes a valid
>    DNS domain name is best left to be decided by the DNS software that
>    receives the contents of these payloads.

Unless you can define "malicious", I would disagree. In fact, unless you can define "character", you will also have a problem (some encodings of characters take up multiple octets).

If you really want to go down this path, you must say something like "domain names where each label consists only of octets which map to the ASCII encoding of the following values: A to Z, a to z, 0 to 9, "-", and "_".

--Paul Hoffman

_______________________________________________
IPsec mailing list
IPsec@ietf.org
https://www.ietf.org/mailman/listinfo/ipsec
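As an added example (not part of this thread, the draft, or any implementation the thread refers to), the Python below separates the two questions the message distinguishes: whether a byte string is structurally a domain name, using the RFC 1035 limits of 1 to 63 octets per label and 255 octets for the whole name in wire format with any octet value allowed, and whether every label also fits the restricted ASCII set spelled out in the last paragraph (A to Z, a to z, 0 to 9, "-", "_"). It assumes the payload is a dotted presentation-form name given as bytes with "." always a label separator (no "\." escaping is handled); the sample payloads are constructed for the example.

```python
"""Two different questions about an INTERNAL_DNS_DOMAIN payload:

  1. Is it structurally a domain name?  (RFC 1035 limits: labels of
     1..63 octets, at most 255 octets on the wire, any octet value.)
  2. Does every label fit the restricted ASCII set from the message
     (A-Z, a-z, 0-9, "-", "_")?

Assumption (added example, not the draft's text): the payload is a dotted
presentation-form name given as bytes, and '.' is always a label separator
(no "\\." escaping is handled).
"""

# Octets permitted by the restricted rule, as integer byte values.
ALLOWED_OCTETS = frozenset(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_"
)

MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255  # wire-format length, including length octets and root


def split_labels(name: bytes) -> list:
    """Split on '.', tolerating one trailing root dot; b"" and b"." are the root."""
    if name.endswith(b"."):
        name = name[:-1]
    return name.split(b".") if name else []


def wire_length(labels) -> int:
    """Octets the name would occupy in RFC 1035 wire format:
    one length octet per label plus the terminating root label."""
    return sum(len(label) + 1 for label in labels) + 1


def is_rfc1035_domain_name(name: bytes) -> bool:
    """Structural check only: any octet value is fine inside a label."""
    labels = split_labels(name)
    if not labels:
        return True  # the root is a valid domain name
    if any(not 1 <= len(label) <= MAX_LABEL_OCTETS for label in labels):
        return False
    return wire_length(labels) <= MAX_NAME_OCTETS


def is_restricted_syntax(name: bytes) -> bool:
    """The stricter rule: structurally valid AND every octet of every label
    is in ALLOWED_OCTETS.  A multi-octet UTF-8 character fails here even
    though each of its octets is a legal domain-name octet, which is the
    "define character" problem raised in the message."""
    labels = split_labels(name)
    if not labels or not is_rfc1035_domain_name(name):
        return False
    return all(all(octet in ALLOWED_OCTETS for octet in label) for label in labels)


def classify(name: bytes) -> str:
    """Summarise both checks for a payload."""
    if not is_rfc1035_domain_name(name):
        return "not a domain name"
    if is_restricted_syntax(name):
        return "domain name, restricted syntax"
    return "domain name, octets outside restricted syntax"


# Constructed sample payloads (not taken from any real IKE exchange).
SAMPLES = [
    b"example.com",
    b"example.com.",                        # trailing root dot
    b"_sip._tcp.example.com",               # underscore labels pass the restricted rule
    b"foo`cat /etc/passwd`.com",            # the thread's example: a valid name, unsafe for a shell
    "b\u00fccher.example".encode("utf-8"),  # U+00FC is two octets in UTF-8
    b"xn--bcher-kva.example",               # the same name as an A-label passes both checks
    b"example.foo bar",                     # the offending label need not be the leftmost one
    b"a" * 64 + b".com",                    # label too long
    b"a..com",                              # empty label
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample!r:45} -> {classify(sample)}")
```

Running it shows the distinction the message draws: the backtick payload and the raw UTF-8 name are structurally valid domain names, so a check for "valid domain name" would let them through, while the restricted-syntax check rejects both regardless of which label carries the offending octets.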