On 31 Mar 2007, Paul Vixie wrote:
whoa. this is like deja vu all over again. when barb@CERT asked me to patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host names in order to protect sendmail from a /var/spool/mqueue/qf* formatting vulnerability, i was fresh off the boat and did as i was asked. a dozen years later i find that that bug in sendmail is long gone, but the pain from BIND's "check-names" logic is still with us. i did the wrong thing and i should have said "just fix sendmail, i don't care how much easier it would be to patch libc, that's just wrong."
are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make.
are we really going to stop malware by blackholing its domain names? if so then i've got some phone calls to make.
I don't know about bind, obviously your knowledge over-shadows mine. Changing bind for sendmail was likely silly but it showed some agaility we seem to not have today. If it could have been a temporary dynamic solution (rather than a package change), it's an interesting concept. Back to reality and 2007: In this case, we speak of a problem with DNS, not sendmail, and not bind. As to blacklisting, it's not my favorite solution but rather a limited alternative I also saw you mention on occasion. What alternatives do you offer which we can use today? Gadi.
-- Paul Vixie