Re: [DNSOP] Clarification question: compression pointers always to names earlier in the packet?

Tony Finch <dot@dotat.at> Wed, 24 October 2018 10:45 UTC

Return-Path: <dot@dotat.at>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D68381286D9 for <dnsop@ietfa.amsl.com>; Wed, 24 Oct 2018 03:45:55 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.2
X-Spam-Level:
X-Spam-Status: No, score=-4.2 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_MED=-2.3] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id SD0P8tiOFp4M for <dnsop@ietfa.amsl.com>; Wed, 24 Oct 2018 03:45:53 -0700 (PDT)
Received: from ppsw-33.csi.cam.ac.uk (ppsw-33.csi.cam.ac.uk [131.111.8.133]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 91E801286E3 for <dnsop@ietf.org>; Wed, 24 Oct 2018 03:45:53 -0700 (PDT)
X-Cam-AntiVirus: no malware found
X-Cam-ScannerInfo: http://help.uis.cam.ac.uk/email-scanner-virus
Received: from grey.csi.cam.ac.uk ([131.111.57.57]:47402) by ppsw-33.csi.cam.ac.uk (ppsw.cam.ac.uk [131.111.8.139]:25) with esmtps (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1gFGff-000Abj-gF (Exim 4.91) for dnsop@ietf.org (return-path <dot@dotat.at>); Wed, 24 Oct 2018 11:45:51 +0100
Date: Wed, 24 Oct 2018 11:45:51 +0100
From: Tony Finch <dot@dotat.at>
To: dnsop <dnsop@ietf.org>
In-Reply-To: <BC2CDF40-4FF0-4111-88B7-04969491D2E0@dukhovni.org>
Message-ID: <alpine.DEB.2.20.1810241135130.24450@grey.csi.cam.ac.uk>
References: <BC2CDF40-4FF0-4111-88B7-04969491D2E0@dukhovni.org>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/5oujIg6Y8Tu2ietnedX5neklYy8>
Subject: Re: [DNSOP] Clarification question: compression pointers always to names earlier in the packet?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Oct 2018 10:45:56 -0000

Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
>
> My reading of RFC 1035 is that DNS name "compression" via "pointers" is
> restricted to name strictly earlier in the DNS message: [snip]
>
> And yet, here and there I see mention of having to take care to avoid "loops",
> but loops are impossible in a monotone strictly decreasing sequence.

Shane and Joe have answered this, but I just want to say that this is the
FIRST thing I look for in a DNS message parser, because it is such a
common denial of service vulnerability, and it's a good bit of slapstick
fun to find code that repeats this mistake.

There are two basic ways to avoid it:

* Limit the number of pointers you will follow.

* Keep a high-water-mark separate from the current location, and require
  pointers to be strictly less than the HWM. (I prefer this way.)

Note that limiting the overall length of the name isn't enough, because a
pointer can loop without making the name longer.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Viking: West or northwest, 5 to 7, occasionally gale 8 until later. Rough or
very rough. Rain then showers. Moderate or poor, becoming good.