subject:"response case in\-sensitivity\?"

Re: response case in-sensitivity?

2015-07-30 Thread Chris Thompson


On Jul 30 2015, Barry Margolin wrote:


In article ,
Mark Andrews  wrote:
[... snip ...] 

Then iOS (or the application) is broken.  Domain names should always
be compared case insensitively.  Please report a bug to the app
vendor and / or Apple.


Isn't this the DNS 0x20 security enhancement? Clients send a random mix 
of case, and check that the response matches, to protect against spoofed 
responses.


https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00


You must distinguish between the copy of the query in the reply packet,
which BIND (like nearly all implementations) does copy exactly from the
query, and the owner field used in the answer section, which recent
versions of BIND make the same as that loaded from zone file (when
authoritative), or as received from an authoritative nameserver (when
from the cache).

--
Chris Thompson
Email: c...@cam.ac.uk



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: response case in-sensitivity?

2015-07-30 Thread Barry Margolin

In article ,
 Mark Andrews  wrote:

> In message <23dee83f-7476-432b-92b9-f8d34d617...@nau.edu>, Mathew Ian Eis 
> writes:
> > Howdy BIND,
> > 
> > Weve been troubleshooting an issue with iOS print discovery using DNS-SD 
> > for the last several weeks. We made a little bit of a breakthrough this 
> > evening when we observed in a packet trace that the response case was 
> > fully lowercase, regardless of the query case. It seems iOS is doing some 
> > kind of case sensitive comparison between the query and the response, 
> > causing DNS-SD to fail when they dont match.
> 
> Then iOS (or the application) is broken.  Domain names should always
> be compared case insensitively.  Please report a bug to the app
> vendor and / or Apple.

Isn't this the DNS 0x20 security enhancement? Clients send a random mix 
of case, and check that the response matches, to protect against spoofed 
responses.

https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00

-- 
Barry Margolin
Arlington, MA
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: response case in-sensitivity?

2015-07-29 Thread Mark Andrews


In message <23dee83f-7476-432b-92b9-f8d34d617...@nau.edu>, Mathew Ian Eis 
writes:
> Howdy BIND,
> 
> Weve been troubleshooting an issue with iOS print discovery using DNS-SD 
> for the last several weeks. We made a little bit of a breakthrough this 
> evening when we observed in a packet trace that the response case was 
> fully lowercase, regardless of the query case. It seems iOS is doing some 
> kind of case sensitive comparison between the query and the response, 
> causing DNS-SD to fail when they dont match.

Then iOS (or the application) is broken.  Domain names should always
be compared case insensitively.  Please report a bug to the app
vendor and / or Apple.

> I noticed change 3645, but my reading of the related article suggests 
> that the change was actually intended to preserve the case in a query 
> response rather than force it to lowercase.

It preserves the case of the of the owner names of the records in
the answers as received.

> My reading of that article suggests the RFC compliant behavior is to 
> preserve the case in the response, is this correct? 
> https://deepthought.isc.org/article/AA-01113/0/Case-Insensitive-Response-C
> ompression-May-Cause-Problems-With-Mixed-Case-Data-and-Non-Conforming-Clie
> nts.html
> 
> Were currently running BIND 9.9.7 (it is likely this issue was introduced 
> when we updated from 9.9.4 a while back), so Im wondering why I am 
> running into this. Is there something that I need to turn on to preserve 
> the case in the response, or, alternatively, is there something that we 
> have have inadvertently changed that would cause BIND to force the 
> response to lowercase?
> 
> Thanks in advance,
> 
> Mathew Eis
> Northern Arizona University
> Information Technology Services
> mathew@nau.edu

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: response case in-sensitivity?

2015-07-29 Thread Hauke Lampe

On 30.07.2015 03:02, Mathew Ian Eis wrote:

> My reading of that article suggests the RFC compliant behavior is to preserve 
> the case in the response, is this correct? 
> https://deepthought.isc.org/article/AA-01113/0/Case-Insensitive-Response-Compression-May-Cause-Problems-With-Mixed-Case-Data-and-Non-Conforming-Clients.html

I never quite understood DNS compression rules but I can confirm what
you see with BIND 9.10.2 and that the ACL mentioned in the comments
changes the behaviour.

The responses matches the case of the cached entry:

SRV? _xmpp-server._TCP.hauke-lampe.de. (61)
1/4/9 _xmpp-server._TCP.hauke-lampe.de. SRV jabber2

SRV? _xMpP-ServeR._tCp.haukE-lampE.de. (61)
1/4/9 _xmpp-server._TCP.hauke-lampe.de. SRV jabber2

with "no-case-compress { any; };":

SRV? _xmpp-server._TCP.hauke-lampe.de. (61)
1/4/9 _xmpp-server._TCP.hauke-lampe.de. SRV jabber2

SRV? _xMpP-ServeR._tCp.haukE-lampE.de. (61)
1/4/9 _xMpP-ServeR._tCp.haukE-lampE.de. SRV jabber2

["This new ACL is going to be available in 9.10.0 (noted already as
being in 9.10.0b1), 9.9.6, and 9.8.8, as well as in subscription
versions of BIND."]

Hauke.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

response case in-sensitivity?

2015-07-29 Thread Mathew Ian Eis

Howdy BIND,

We’ve been troubleshooting an issue with iOS print discovery using DNS-SD for 
the last several weeks. We made a little bit of a breakthrough this evening 
when we observed in a packet trace that the response case was fully lowercase, 
regardless of the query case. It seems iOS is doing some kind of case sensitive 
comparison between the query and the response, causing DNS-SD to fail when they 
don’t match.

I noticed change 3645, but my reading of the related article suggests that the 
change was actually intended to preserve the case in a query response rather 
than force it to lowercase.

My reading of that article suggests the RFC compliant behavior is to preserve 
the case in the response, is this correct? 
https://deepthought.isc.org/article/AA-01113/0/Case-Insensitive-Response-Compression-May-Cause-Problems-With-Mixed-Case-Data-and-Non-Conforming-Clients.html

We’re currently running BIND 9.9.7 (it is likely this issue was introduced when 
we updated from 9.9.4 a while back), so I’m wondering why I am running into 
this. Is there something that I need to turn on to preserve the case in the 
response, or, alternatively, is there something that we have have inadvertently 
changed that would cause BIND to force the response to lowercase?

Thanks in advance,

Mathew Eis
Northern Arizona University
Information Technology Services
mathew@nau.edu
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: response case in-sensitivity?

Re: response case in-sensitivity?

Re: response case in-sensitivity?

Re: response case in-sensitivity?

response case in-sensitivity?

5 matches

Site Navigation

Mail list logo

Footer information