Hi,

On Tue, Aug 17, 2021 at 09:17:24PM +0100, Tony Finch wrote:

> common cause of security problems: when it isn't clear whose responsibility it is to enforce an important restriction, in this case, hostname syntax vs. DNS name (lack of) syntax. And different implementers have made different choices, for instance whether the libc stub resolver enforces hostname syntax or not.
This has been a source of trouble essentially forever. But "fixing" it in the resolver itself is, I'd suggest, a bad idea unless one creates different calls to the resolver. There's an argument to be made for that, of course. As I recall things, the getdnsapi effort was an attempt among other things to provide the calls necessary to ask for various kinds of raw or pre-baked responses, and this would be in line with that sort of thing. I have long believed that a huge part of the problem is the deficiency of the standard library, and if we could find a way to make an extended library more attractive to application programmers it'd be IMO great.
> if an application needs something more fancy than getaddrinfo(), it has to contend with the low-level resolver API which is just about better than nothing for parsing DNS packets, but certainly won't help you handle names that ought to have restricted syntax (service names, mail domains, etc...)
Hence https://getdnsapi.net/

Best regards,

A

-- 
Andrew Sullivan
a...@anvilwalrusden.com

_______________________________________________
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
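One way to draw the distinction the thread is about in application code, as an added example that is not part of the original messages: it separates "syntactically valid DNS name" (any octets, label and name length limits only) from "syntactically valid hostname" (RFC 952/1123 letter-digit-hyphen rule), so the application enforces the stricter syntax itself before handing a name to the stub resolver. The injectable `resolver` parameter is an assumption introduced so the check can be exercised offline.

```python
import re
import socket

# Added example, not code from the thread. RFC 1123 "LDH" hostname label:
# letters, digits and hyphen, no leading or trailing hyphen, 1..63 characters.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _labels(name: str) -> list:
    """Split a presentation-format name into labels, dropping one trailing dot."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def is_valid_dns_name(name: str) -> bool:
    """Wire-format syntax only: each label 1..63 octets, whole name <= 253.
    The DNS itself permits any octet in a label, so '_sip._tcp.example.com'
    and '-x.example.com' both pass here."""
    if not name or len(name.rstrip(".")) > 253:
        return False
    return all(1 <= len(label.encode("utf-8")) <= 63 for label in _labels(name))


def is_valid_hostname(name: str) -> bool:
    """Stricter hostname syntax (RFC 952 / RFC 1123): every label is LDH."""
    return is_valid_dns_name(name) and all(_LDH_LABEL.match(l) for l in _labels(name))


def classify(name: str) -> str:
    """'hostname' | 'dns-name' (valid DNS name, not a hostname) | 'invalid'."""
    if is_valid_hostname(name):
        return "hostname"
    if is_valid_dns_name(name):
        return "dns-name"
    return "invalid"


def resolve_hostname(name: str, resolver=None):
    """Application-side enforcement: refuse to pass anything that is not a
    hostname to the stub resolver rather than relying on libc to reject it.
    `resolver` (hypothetical hook) lets the check be tested without network I/O."""
    if not is_valid_hostname(name):
        raise ValueError(f"not a hostname: {name!r}")
    if resolver is None:
        return socket.getaddrinfo(name, None)
    return resolver(name)
```

A service name such as `_sip._tcp.example.com` is a perfectly good DNS name for an SRV lookup, which is exactly why a resolver that rejected it would break other callers; the restriction belongs to the caller that knows it wants a hostname.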