North American Network Operators Group
Re: On-going Internet Emergency and Domain Names
On 31 Mar 2007, Paul Vixie wrote:

> whoa. this is like deja vu all over again. when [email protected] asked me to
> patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host
> names in order to protect sendmail from a /var/spool/mqueue/qf* formatting
> vulnerability, i was fresh off the boat and did as i was asked. a dozen
> years later i find that that bug in sendmail is long gone, but the pain
> from BIND's "check-names" logic is still with us. i did the wrong thing
> and i should have said "just fix sendmail, i don't care how much easier
> it would be to patch libc, that's just wrong."
>
> are we really going to stop malware by blackholing its domain names? if
> so then i've got some phone calls to make.

> are we really going to stop malware by blackholing its domain names? if
> so then i've got some phone calls to make.

I don't know about bind, obviously your knowledge over-shadows mine. Changing bind for sendmail was likely silly but it showed some agility we seem to not have today. If it could have been a temporary dynamic solution (rather than a package change), it's an interesting concept.

Back to reality and 2007:

In this case, we speak of a problem with DNS, not sendmail, and not bind.

As to blacklisting, it's not my favorite solution but rather a limited alternative I also saw you mention on occasion.

What alternatives do you offer which we can use today?

Gadi.

> --
> Paul Vixie