> Serguey Parkhomovsky wrote:
> > On Wed, Dec 16, 2015 at 06:08:22PM -0500, Ted Unangst wrote:
> > >
> > > well, nobody fixed it, so if it's working, it's not using getaddrinfo.
> > >
> >
> > Hmmm... looks like getaddrinfo was using my nameserver to resolve the
> > decimal IP? I get the same behavior in -current by passing the
> > AI_NUMERICHOST flag in hints. The following patch should fix this issue:
>
> We're not convinced we want to fix this. The RFC may be mistaken in
> perpetuating this silliness.

That's my take on this, and why we originally turned the feature off. There is a long history of security or authentication issues related to patterns like A can map to B, B default maps back to C, but A != C. This is one of those cases. We turned such a thing off for IP address. Notice how long before anyone noticed? Also note it was found with code in tor. Doesn't that send shivers down your spine?
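
An added illustration of the "A maps to B, B maps back to C, A != C" pattern from the message above; it is not part of the original thread or of any project's code. It uses the lenient `inet_aton()` parser as a stand-in for a resolver that accepts decimal IPs, and the function names `canonical_form`, `roundtrips` and `strict_ok` are hypothetical.

```c
#define _DEFAULT_SOURCE          /* expose inet_aton() under strict -std modes */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* A -> B -> C: lenient parse of `name`, then print the address back in
 * dotted-quad form. Returns 0 on success, -1 if `name` is not numeric. */
int canonical_form(const char *name, char *out, size_t outlen)
{
    struct in_addr a;
    if (inet_aton(name, &a) == 0)
        return -1;
    return inet_ntop(AF_INET, &a, out, (socklen_t)outlen) ? 0 : -1;
}

/* 1 if the name is already its own canonical spelling (A == C),
 * 0 if it parses but prints back differently (A != C),
 * -1 if it is not a numeric address at all. */
int roundtrips(const char *name)
{
    char canon[INET_ADDRSTRLEN];
    if (canonical_form(name, canon, sizeof(canon)) != 0)
        return -1;
    return strcmp(name, canon) == 0;
}

/* Strict alternative: inet_pton() accepts only dotted-decimal a.b.c.d. */
int strict_ok(const char *name)
{
    struct in_addr a;
    return inet_pton(AF_INET, name, &a) == 1;
}

int main(void)
{
    /* Constructed sample inputs, not taken from the thread. */
    const char *samples[] = { "127.0.0.1", "2130706433", "0x7f.1",
                              "example.invalid" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        char canon[INET_ADDRSTRLEN] = "-";
        canonical_form(samples[i], canon, sizeof(canon));
        printf("%-16s canonical=%-10s roundtrips=%2d strict=%d\n",
               samples[i], canon, roundtrips(samples[i]),
               strict_ok(samples[i]));
    }
    return 0;
}
```

Any check that compares the name a caller supplied against an allow or deny list sees A, while the connection goes to B; rejecting names where `roundtrips()` returns 0 closes that gap.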
