On 8/17/21, Viktor Dukhovni <[email protected]> wrote:
>> On 17 Aug 2021, at 1:17 pm, Lee <[email protected]> wrote:
>>
>> If you have a system that uses systemd-resolved or dnsmasq you can test
>> them at
>>   https://xdi-attack.net/test.html
>>
>> For whatever it's worth, I get 'Your resolver is not vulnerable ...'
>> for each test if I have
>>   check-names response fail;
>> in my bind named.conf
>> But every single 'Special character filtering' test comes back 'was
>> not filtered by your resolver' if I remove check-names :(
>
> I am far from convinced that it is the resolver's job to enforce RDATA
> syntax restrictions beyond what is required for a valid wire form.
>
> If applications make unwarranted assumptions about the syntax of
> DNS replies, that's surely an application bug, rather than an issue
> in DNS.

I disagree. Programmers f**k up _all the time_
  https://www.microsoft.com/en-us/securityengineering/sdl/about
"In January 2002, Microsoft launched its Trustworthy Computing
initiative to help ensure Microsoft products and services were built
inherently highly secure, available, reliable..."
M$ is still shipping buggy software; blaming programmers hasn't helped.

Regards,
Lee
