Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> My reading of RFC 1035 is that DNS name "compression" via "pointers" is
> restricted to names strictly earlier in the DNS message: [snip]
>
> And yet, here and there I see mention of having to take care to avoid "loops",
> but loops are impossible in a monotone strictly decreasing sequence.

Shane and Joe have answered this, but I just want to say that this is the
FIRST thing I look for in a DNS message parser, because it is such a
common denial of service vulnerability, and it's a good bit of slapstick
fun to find code that repeats this mistake.

There are two basic ways to avoid it:

* Limit the number of pointers you will follow.

* Keep a high-water-mark separate from the current location, and require
  pointers to be strictly less than the HWM. (I prefer this way.)

Note that limiting the overall length of the name isn't enough, because a
pointer can loop without making the name longer.

Tony.
-- 
f.anthony.n.finch  <d...@dotat.at>  http://dotat.at/
Viking: West or northwest, 5 to 7, occasionally gale 8 until later. Rough or
very rough. Rain then showers. Moderate or poor, becoming good.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
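An added example, not part of Tony's message or of any project's code: a Python decoder that applies the high-water-mark rule described above, run against a constructed message in which one name uses a legitimate backward pointer and two names point at each other to form a loop. The zeroed 12-byte header, the offsets and the names are all made up for the demonstration.

```python
import struct

MAX_NAME = 255  # RFC 1035 limit on the wire-format length of a name

def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) DNS name at msg[offset].
    Returns (labels, next_offset); raises ValueError on loops, forward
    pointers, truncated data and oversize names."""
    labels, total = [], 1      # 1 accounts for the terminating root label
    hwm = offset               # high-water mark: every pointer target must be < hwm
    pos, next_offset = offset, None
    while True:
        if pos >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[pos]
        if length & 0xC0 == 0xC0:  # 11xxxxxx: two-byte compression pointer
            if pos + 1 >= len(msg):
                raise ValueError("truncated pointer")
            target = struct.unpack("!H", msg[pos:pos + 2])[0] & 0x3FFF
            if target >= hwm:  # not strictly earlier: forward pointer or loop
                raise ValueError(f"pointer at {pos} -> {target} not below hwm {hwm}")
            if next_offset is None:
                next_offset = pos + 2  # the name's own bytes end at the first pointer
            hwm = pos = target     # hwm strictly decreases, so a loop is impossible
            continue
        if length & 0xC0:          # 01xxxxxx / 10xxxxxx are not valid label types
            raise ValueError("reserved label type")
        pos += 1
        if length == 0:            # root label ends the name
            return labels, (pos if next_offset is None else next_offset)
        total += length + 1
        if total > MAX_NAME or pos + length > len(msg):
            raise ValueError("name too long or label runs past end of message")
        labels.append(msg[pos:pos + length])
        pos += length

def rejected(msg: bytes, offset: int) -> bool:
    try:
        decode_name(msg, offset)
        return False
    except ValueError:
        return True

HEADER = bytes(12)  # constructed message (not a capture): zeroed header, then four names
NAME_WWW = b"\x03www\x07example\x03com\x00"               # offset 12; "example" at 16
NAME_MAIL = b"\x04mail" + struct.pack("!H", 0xC000 | 16)  # offset 29: backward pointer, valid
LOOP_A = struct.pack("!H", 0xC000 | 38)                   # offset 36: forward pointer to LOOP_B
LOOP_B = struct.pack("!H", 0xC000 | 36)                   # offset 38: points back to LOOP_A
MSG = HEADER + NAME_WWW + NAME_MAIL + LOOP_A + LOOP_B
```

Decoding from offset 36 fails immediately (the target is not below the name's own start), and decoding from offset 38 follows one backward pointer and then fails on the second, which is why a name-length limit alone would not have caught it.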
