Subject: Re: switching from bind8 to bind9
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 11/19/2002 15:15:12
[ On Tuesday, November 19, 2002 at 19:43:11 (+0100), der Mouse wrote: ]
> Subject: Re: switching from bind8 to bind9
>
> > [...]. To that end it seems quite prudent to have the DNS software
> > do the checking early and often too, especially on certain record
> > types, just in case that other software might fall flat on its face
> > with the likes of a unicode exploit or what have you.
>
> Perhaps. On the other hand, doing this means that your DNS software
> will then prevent you from doing things like investigating Empire
> Towers spam thoroughly (they tend to use octets in the 0x00-0x1f range
> in DNS labels).
I use the latest version of 'host' for such things and it easily lets me
bypass any of my caching/forwarding servers. :-) (where permitted by
firewall rules, of course, but if I control the DNS then I likely also
control the firewall too! ;-)
> > It's one thing to be liberal in what you accept and quite another to
> > pass on poisoned data.
>
> But you cannot tell what constitutes "poisoned" data to arbitrary other
> pieces of software.
No, of course not -- but I can tell that non-ASCII labels for some types
of records are suspect, and that's all I need to worry about.
The rest of what you say starts to get much further away from the realm
of the practical and into the realm of theory. BIND-8's checks are
practical, and they work, and for the most part they make me happy
enough to use them.
> Surely the right fix is to just not run software that broken?
I agree, but the people who own and operate the DNS clients I serve
don't seem to agree with us.
I suppose I could just let the full fury of the Big Bad Internet strike
them full face. Either way I'm damned by some if I do and damned by
others if I don't. The status quo is at least a stable state.
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>
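The kind of per-record-type hostname check discussed in this thread, as an added example that is not part of the original message or of BIND itself. The record-type table and the problem categories are assumptions modelled loosely on BIND's check-names behaviour; the sample records are constructed.

```python
# Owner-name record types for which a legal-hostname check is enforced.
# This table is an assumption approximating BIND's "check-names" policy.
HOSTNAME_OWNER_TYPES = {"A", "AAAA", "MX"}


def label_problems(label: str) -> list:
    """Return the problems found in one DNS label (empty list if it is
    a legal hostname label per the RFC 952/1123 letter-digit-hyphen rule)."""
    if not label:
        return ["empty label"]
    problems = []
    if len(label) > 63:
        problems.append("label longer than 63 octets")
    for ch in label:
        code = ord(ch)
        if code < 0x20 or code == 0x7F:
            # the 0x00-0x1f range der Mouse mentions lands here
            problems.append("control octet 0x%02x" % code)
        elif code > 0x7E:
            problems.append("non-ASCII octet 0x%02x" % code)
        elif not (ch.isalnum() or ch == "-"):
            problems.append("illegal character %r" % ch)
    if label[0] == "-" or label[-1] == "-":
        problems.append("label begins or ends with a hyphen")
    return problems


def check_name(name: str, rtype: str) -> list:
    """Check an owner name against the policy for its record type.
    Returns (label, problem) tuples; an empty list means the name passes.
    Types outside the table (TXT, SRV, ...) are left alone, since their
    labels legitimately carry characters that are not hostname-legal."""
    if rtype.upper() not in HOSTNAME_OWNER_TYPES:
        return []
    labels = name.rstrip(".").split(".")
    return [(lab, prob) for lab in labels for prob in label_problems(lab)]


# Constructed sample owner names, not taken from any real zone.
SAMPLE_RECORDS = [
    ("www.example.com.", "A"),
    ("mail.example.com.", "MX"),
    ("bad\x1fhost.example.com.", "A"),      # control octet inside a label
    ("caf\u00e9.example.com.", "A"),         # non-ASCII octet
    ("_sip._tcp.example.com.", "SRV"),       # underscores fine; type not checked
    ("-lead.example.com.", "AAAA"),          # leading hyphen
]


def audit(records) -> list:
    """Return only the records that fail, as (name, rtype, problems)."""
    return [(n, t, check_name(n, t)) for n, t in records if check_name(n, t)]


if __name__ == "__main__":
    for name, rtype, problems in audit(SAMPLE_RECORDS):
        print("%-28r %-5s %s" % (name, rtype, "; ".join(p for _, p in problems)))
```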