On-going Internet Emergency and Domain Names
vixie at vix.com
Sat Mar 31 06:09:30 UTC 2007
whoa. this is like deja vu all over again. when barb at CERT asked me to
patch BIND gethostbyaddr() back in 1994 or so to disallow non-ascii host
names in order to protect sendmail from a /var/spool/mqueue/qf* formatting
vulnerability, i was fresh off the boat and did as i was asked. a dozen
years later i find that that bug in sendmail is long gone, but the pain
from BIND's "check-names" logic is still with us. i did the wrong thing
and i should have said "just fix sendmail, i don't care how much easier
it would be to patch libc, that's just wrong."
are we really going to stop malware by blackholing its domain names? if
so then i've got some phone calls to make.
More information about the NANOG