[regression] CNAME with _ is parsed as invalid response #424
Comments
RFC2181 section 11 says not to do any validation, but that applies to servers not clients according to the spec. We had a security report that PR #406 addressed, so we must balance full compliance with security, and in today's world, security MUST win. I will agree however, that this needs to be loosened to include
Thank you for the quick fix and clarification. This poorly defined area of what constitutes a valid or invalid entry in a DNS record is like a minefield.
…tely use them
c-ares 1.17.2 introduced response validation to prevent a security issue, however it did not have (_) listed as a valid character for domain name responses which caused issues when a CNAME referenced a SRV record which contained underscores.
While RFC2181 section 11 does explicitly state not to do validation, that applies to servers not clients.
Fixes: c-ares#424
Fix By: Brad House (@bradh352)
With a CNAME setup test -> _test, ares_parse_a_reply is rejecting the response as invalid. The problem seems to be with PR: #406 where the assumption is made that hostname restrictions apply to domain names. With domain names like _ldap._tcp.<server> this assumption seems to be invalid.
This is already reported in Node: nodejs/node#39780
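The trade-off discussed in this issue, as an added C sketch that is not c-ares's own code and not part of the original report: a client-side allow-list for names taken from a DNS response, with the strict hostname character set next to the relaxed one that also accepts `_`. The enum and function names and the example.com sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Illustrative policy flags (hypothetical names, not c-ares identifiers). */
enum name_policy {
    POLICY_HOSTNAME_ONLY,   /* letters, digits, '-', '.': the strict hostname set */
    POLICY_ALLOW_UNDERSCORE /* same set plus '_', for names like _ldap._tcp.<server> */
};

/* Return 1 if c may appear in a name taken from a DNS response. */
static int name_char_ok(unsigned char c, enum name_policy policy)
{
    if ((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
        (c >= '0' && c <= '9') || c == '-' || c == '.')
        return 1;
    return policy == POLICY_ALLOW_UNDERSCORE && c == '_';
}

/* Validate a name of known length, so an embedded NUL cannot hide
 * trailing bytes from the check. This sketch rejects empty names. */
int response_name_ok(const char *name, size_t len, enum name_policy policy)
{
    size_t i;
    if (len == 0)
        return 0;
    for (i = 0; i < len; i++)
        if (!name_char_ok((unsigned char)name[i], policy))
            return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample names; example.com stands in for <server>. */
    static const char *names[] = {
        "test.example.com", "_test.example.com",
        "_ldap._tcp.example.com", "bad\nname.example.com"
    };
    size_t i;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++)
        printf("name %zu: strict=%d relaxed=%d\n", i,
               response_name_ok(names[i], strlen(names[i]), POLICY_HOSTNAME_ONLY),
               response_name_ok(names[i], strlen(names[i]), POLICY_ALLOW_UNDERSCORE));
    return 0;
}
```

The relaxed policy accepts the underscore names from the report while still rejecting control characters, which is the property the response validation was added to keep.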