[regression] CNAME with _ is parsed as invalid response #424
Comments
|
rfc2181 section 11 says not to do any validation, but that applies to servers not clients according to the spec. We had a security report that PR #406 addressed, so we must balance full compliance with security, and in today's world, security MUST win. I will agree however, that this needs to be loosened to include |
|
Thank you for the quick fix and clarification. This poorly defined area of what constitutes a valid or invalid entry in a DNS record is like a minefield. |
sergepetrenko
pushed a commit
to tarantool/c-ares
that referenced
this issue
Jul 29, 2022
…tely use them c-ares 1.17.2 introduced response validation to prevent a security issue, however it did not have (_) listed as a valid character for domain name responses which caused issues when a CNAME referenced a SRV record which contained underscores. While RFC2181 section 11 does explicitly state not to do validation, that applies to servers not clients. Fixes: c-ares#424 Fix By: Brad House (@bradh352)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
With a CNAME setup
test->_test,ares_parse_a_replyis rejecting the response as invalid. The problem seems to be with PR: #406 where the assumption is made that hostname restrictions apply to domain names. With domain names like_ldap._tcp.<server>this assumption seems to be invalid.
This is already reported in Node
nodejs/node#39780
The text was updated successfully, but these errors were encountered: