Bugtraq mailing list archives

Buglet in Bind 4.9.5. [SUMMARY]


From: alan () MANAWATU GEN NZ (Alan Brown)
Date: Fri, 11 Apr 1997 02:12:51 +1200


Lots of followups to this one. So far the response count is over 100
with no sign of a letup.

Firstly, by my (and several other people's) interpretation, this IS a bug
in Bind, not a feature - no matter how many programmers would like to argue
otherwise.

RFC 1035 is quite explicit that the dotted quad format is in DECIMAL.
(RFC 1035, section 3.4.1).

This RFC is obsoleted by RFC 2065, but that RFC makes no mention of A
records at all, concentrating more on security aspects of DNS.

If RFC 1035 holds, then either the specification of an A field needs to
be updated or Bind does. If not, then RFC 2065 needs revising to specify
all the items covered in the RFC it obsoletes.

Regardless of that, the unholy terror of allowing mixed base in the
A record has tripped up a _lot_ of people. Over 1/3 of the people who
replied to me have been caught by this and IMO that's way too high.

Even seasoned admins have admitted to having been tripped by this problem
in DNS and other areas such as ethernet MAC assignments, with comments
that inserting submitted lists without combing them for zero padding has
caused trouble even after the cause of the problem is known and has been
fixed once already.

Bind is a program written by programmers who assume that the end users are
programmers, when in fact the configuration files are mostly handled by
non-programmers. Most people are aware of notation for hexadecimal, but
octal representation isn't used much these days outside programming
circles.


Regarding the security risks mentioned, false alarms are as bad, if not
worse than not alarming, because high levels of falsing cause any alarm to
be written off as Yet Another False, masking the genuine ones.

AB
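Added example, not code from the original post and not BIND's source: a strict RFC 1035 section 3.4.1 decimal dotted-quad parser beside a "mixed base" parser that imitates C/inet_aton octet rules (leading 0 is octal, 0x is hex), plus the zero-padding check the post says people skip when pasting in submitted address lists. How BIND 4.9.5 actually parsed the field is an assumption here, modelled on inet_aton; the sample addresses are constructed.

```c
/* Added example: compares a strict RFC 1035 decimal reading of a dotted
 * quad with a mixed-base reading (inet_aton-style: leading 0 = octal,
 * 0x = hex).  The mixed-base parser is an assumption about BIND's
 * behaviour modelled on inet_aton, not a copy of BIND's code. */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <ctype.h>

/* Parse one octet in the given base (10, 8 or 16).  Returns 1 and sets
 * *out and *end (first char after the digits) on success, 0 on error. */
static int parse_octet_base(const char *s, int base, const char **end,
                            unsigned long *out)
{
    unsigned long v = 0;
    int ndig = 0;
    for (; *s; s++, ndig++) {
        int d;
        if (isdigit((unsigned char)*s))
            d = *s - '0';
        else if (base == 16 && isxdigit((unsigned char)*s))
            d = tolower((unsigned char)*s) - 'a' + 10;
        else
            break;
        if (d >= base) return 0;        /* e.g. "08" in octal */
        v = v * base + d;
        if (v > 255) return 0;          /* octet out of range */
    }
    if (ndig == 0) return 0;
    *end = s;
    *out = v;
    return 1;
}

/* Strict RFC 1035 3.4.1 reading: four decimal octets, nothing else. */
int parse_strict_decimal(const char *s, uint8_t ip[4])
{
    for (int i = 0; i < 4; i++) {
        unsigned long v; const char *end;
        if (!parse_octet_base(s, 10, &end, &v)) return 0;
        ip[i] = (uint8_t)v;
        s = end;
        if (i < 3) { if (*s != '.') return 0; s++; }
    }
    return *s == '\0';
}

/* Mixed-base reading: "0x" prefix is hex, a leading "0" followed by a
 * digit is octal, otherwise decimal (the C convention inet_aton uses). */
int parse_mixed_base(const char *s, uint8_t ip[4])
{
    for (int i = 0; i < 4; i++) {
        unsigned long v; const char *end; int base = 10;
        if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X')) { base = 16; s += 2; }
        else if (s[0] == '0' && isdigit((unsigned char)s[1])) { base = 8; s += 1; }
        if (!parse_octet_base(s, base, &end, &v)) return 0;
        ip[i] = (uint8_t)v;
        s = end;
        if (i < 3) { if (*s != '.') return 0; s++; }
    }
    return *s == '\0';
}

/* The "comb for zero padding" check: count octets that start with '0'
 * and are longer than one character ("010", "00", "0x7f"). 0 means safe. */
int count_zero_padded_octets(const char *s)
{
    int n = 0;
    while (*s) {
        const char *start = s;
        while (*s && *s != '.') s++;
        if (s - start > 1 && start[0] == '0') n++;
        if (*s == '.') s++;
    }
    return n;
}

/* Octet i of s under each parser, or -1 if that parser rejects s. */
int strict_octet(const char *s, int i)
{ uint8_t ip[4]; return parse_strict_decimal(s, ip) ? ip[i] : -1; }
int mixed_octet(const char *s, int i)
{ uint8_t ip[4]; return parse_mixed_base(s, ip) ? ip[i] : -1; }

/* 1 if both parsers accept s and agree on the address, else 0. */
int parsers_agree(const char *s)
{
    uint8_t a[4], b[4];
    if (!parse_strict_decimal(s, a) || !parse_mixed_base(s, b)) return 0;
    return memcmp(a, b, 4) == 0;
}

int main(void)
{
    /* Constructed sample zone data, not addresses from the post. */
    const char *samples[] = { "192.168.1.5", "192.168.010.5",
                              "10.0.0.017", "0x7f.0.0.1" };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++) {
        printf("%-14s strict %3d.%3d.%3d.%3d  mixed %3d.%3d.%3d.%3d  "
               "zero-padded octets: %d\n", samples[i],
               strict_octet(samples[i], 0), strict_octet(samples[i], 1),
               strict_octet(samples[i], 2), strict_octet(samples[i], 3),
               mixed_octet(samples[i], 0), mixed_octet(samples[i], 1),
               mixed_octet(samples[i], 2), mixed_octet(samples[i], 3),
               count_zero_padded_octets(samples[i]));
    }
    return 0;
}
```

"192.168.010.5" is the case the thread is about: the strict reading gives host 10, the mixed-base reading silently gives host 8, and neither parser reports an error, which is why the count_zero_padded_octets pass over a submitted list is the only place the problem can be caught before the zone is loaded. "0x7f.0.0.1" shows the other direction: the RFC 1035 reading rejects it outright while the mixed-base reading accepts it as 127.0.0.1.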


