Return-Path: X-Original-To: dnsop@ietfa.amsl.com Delivered-To: dnsop@ietfa.amsl.com Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21FE2C1CAE88 for ; Thu, 25 Jul 2024 05:11:45 -0700 (PDT) X-Virus-Scanned: amavisd-new at amsl.com X-Spam-Flag: NO X-Spam-Score: -6.907 X-Spam-Level: X-Spam-Status: No, score=-6.907 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id NKG9AxsIihUY for ; Thu, 25 Jul 2024 05:11:44 -0700 (PDT) Received: from stereo.hq.phicoh.net (stereo.hq.phicoh.net [IPv6:2a10:3781:2413:1:2a0:c9ff:fe9f:17a9]) (using TLSv1.2 with cipher ECDHE-RSA-CHACHA20-POLY1305 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0CD3CC1CAE7B for ; Thu, 25 Jul 2024 05:11:43 -0700 (PDT) Received: from stereo.hq.phicoh.net (localhost [::ffff:127.0.0.1]) by stereo.hq.phicoh.net with esmtp (TLS version=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305) (Smail #158) id m1sWxJi-0000MEC; Thu, 25 Jul 2024 14:11:30 +0200 Message-Id: To: dnsop@ietf.org From: Philip Homburg Sender: pch-b538D2F77@u-1.phicoh.com References: <1070949df20a6ac1f9c2c2dd401d5953bb362bf2.camel@aisec.fraunhofer.de> In-reply-to: Your message of "Wed, 24 Jul 2024 16:20:09 +0000 ." Date: Thu, 25 Jul 2024 14:11:27 +0200 Message-ID-Hash: DQX4G63SIT2WNAQSPYOPEU5B53DJRZDC X-Message-ID-Hash: DQX4G63SIT2WNAQSPYOPEU5B53DJRZDC X-MailFrom: pch-b538D2F77@u-1.phicoh.com X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-dnsop.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header CC: Martin Schanzenbach X-Mailman-Version: 3.3.9rc4 Precedence: list Subject: =?utf-8?q?=5BDNSOP=5D_Re=3A_Potentially_interesting_DNSSEC_library_CVE_?= List-Id: IETF DNSOP WG mailing list Archived-At: List-Archive: List-Help: List-Owner: List-Post: List-Subscribe: List-Unsubscribe: > I think this is the core issue behind the CVE and the filed bug. > Who is the "ultimate user"? And where is this expectation formulated > exactly? I would believe that most applications using DNS libraries > such as dnsjava do not expect that they have to sift through CNAMEs > in the replies and filter according to their initial query. So is > dnsjava in your opinion the "ultimate user" that is expected to > filter? If yes, "ultimate user" is an odd description because > dnsjava is a resolver implementation, whereas "ultimate user" to > me means application using a resolver (library/implementation). The typical model is that of a library that implements a DNS stub resolver function. This library is expected to offer a function that takes a QNAME, QCLASS, and QTYPE as arguments and returns a set of resource records or an error. If dnsjava implements the function of a stub resolver, then yes, dnsjava would be expected to sift through the CNAMEs. A stub resolvers speaks the DNS protocol and this is just how the protocol works. Obviously, you are free to define a new protocol that runs between a stub resolver and a recursive resolver. However, just compaining about the current situation is not going to change much.