Re: [DNSOP] Clarification question: compression pointers always to names earlier in the packet?

bert hubert <bert.hubert@powerdns.com> Wed, 24 October 2018 09:21 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/05t1SGM9O9jH5EAih0-MVQJgKvQ>

On Wed, Oct 24, 2018 at 05:01:53AM -0400, Viktor Dukhovni wrote:
> And yet, here and there I see mention of having to take care to avoid "loops",
> but loops are impossible in a monotone strictly decreasing sequence.

Yes. This is one of the best ways of preventing such loops. Some libraries
accidentally allowed a jump to the same place though, if I recall correctly.

PowerDNS, for reasons I'm trying to find out, not only checks if a jump went
backwards but also refuses to go backwards more than 100 times. It may be
that someone made a packet that burned a lot of CPU time.

https://github.com/PowerDNS/pdns/commit/9114819cc4c5dad50ba92c8a9ab8d852811db365

> Is there a later RFC that relaxes the constraint and allows pointers to names
> later in the message?  I'm having a bit of trouble finding the later text...

Not that I know of. But it might accidentally work in some places, including
I think old (2.9 era) PowerDNS software. 

> Secondarily, can the pointer point to some odd-ball location earlier in the
> message that is not semantically a label in its original context, but just
> happens to carry data that decodes as the desired label?  Or, are pointers
> only valid to prior locations that are corresponding labels in their original
> context?

I'd say "don't do that". Someone really clever might one day find you can
point back to a location in the middle of a name that so happens to be
parseable as a whole name (remember, there is a length field there). 

It would likely work though in most implementations.

	Bert
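
Added example (not part of the message above and not PowerDNS code): a C name decoder that applies the two checks the message describes, a strictly backward jump and a cap of 100 jumps. The function names, error codes, and sample packets are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_JUMPS 100  /* the figure quoted in the message above */
/* Decode the name at msg[pos] as dotted text (root gives ""). Returns 0, or
 * -1 truncated, -2 pointer not backwards, -3 too many jumps, -4 bad label/no room. */
int dns_read_name(const uint8_t *msg, size_t len, size_t pos, char *out, size_t outlen)
{
    size_t seg_start = pos, o = 0, jumps = 0;  /* seg_start: where this label run began */
    for (;;) {
        if (pos >= len) return -1;
        uint8_t c = msg[pos];
        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;
            size_t target = ((size_t)(c & 0x3F) << 8) | msg[pos + 1];
            if (target >= seg_start) return -2;    /* not "target < pos": see self_msg */
            if (++jumps > MAX_JUMPS) return -3;
            pos = seg_start = target;
            continue;
        }
        if (c & 0xC0) return -4;                   /* reserved label types */
        if (c == 0) break;                         /* root label ends the name */
        if (pos + 1 + c > len) return -1;
        if (o + c + 2 > outlen) return -4;
        memcpy(out + o, msg + pos + 1, c);
        out[o + c] = '.';
        o += (size_t)c + 1;
        pos += (size_t)c + 1;
    }
    if (o >= outlen) return -4;
    out[o] = '\0';
    return 0;
}

/* Constructed samples; 12 zero bytes stand in for the DNS header. */
const uint8_t ok_msg[] = {0,0,0,0,0,0,0,0,0,0,0,0, 7,'e','x','a','m','p','l','e',
    3,'c','o','m', 0, 4,'m','a','i','l', 0xC0, 12};   /* name at 25 points to 12 */
const uint8_t self_msg[] = {0,0,0,0,0,0,0,0,0,0,0,0, 1,'a', 0xC0, 12};  /* 14 -> 12 */
char name_out[64];  /* scratch output buffer for the samples */
/* Constructed: root at offset 0, then n pointers, each aimed at the previous one. */
int decode_chain(int n)
{
    uint8_t m[257] = {0};
    if (n < 1 || n > 128) return -1;
    for (size_t i = 0; i < (size_t)n; i++) {
        m[1 + 2 * i] = 0xC0;
        m[2 + 2 * i] = (uint8_t)(i ? 2 * i - 1 : 0);
    }
    return dns_read_name(m, 1 + 2 * (size_t)n, 2 * (size_t)n - 1, name_out, sizeof name_out);
}
```

In `self_msg` the pointer at offset 14 targets offset 12, which is lower than the pointer's own offset, yet decoding from 12 would come straight back to it; comparing against the start of the current label run rejects it.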