Received: from localhost (daemon@localhost) 
        by CS.UTK.EDU with SMTP (cf v2.9s-UTK)
	id EAA23609; Sun, 9 Aug 1998 04:26:49 -0400 (EDT)
Received: by cs.cs.utk.edu (bulk_mailer v1.10); Sun, 9 Aug 1998 04:26:37 -0400
Received:  
        by CS.UTK.EDU (cf v2.9s-UTK)
	id EAA23571; Sun, 9 Aug 1998 04:26:36 -0400 (EDT)
Received: from munnari.OZ.AU (munnari.OZ.AU [128.250.1.21]) 
        by CS.UTK.EDU with SMTP (cf v2.9s-UTK)
	id EAA23548; Sun, 9 Aug 1998 04:26:26 -0400 (EDT)
Received: from mundamutti.cs.mu.OZ.AU by munnari.OZ.AU with SMTP (5.83--+1.3.1+0.56)
	id IA13071; Sun, 9 Aug 1998 18:26:02 +1000 (from kre@munnari.OZ.AU)
To: "D. J. Bernstein" <djb@cr.yp.to>
Cc: drums@cs.utk.edu
Subject: Re: another unauthorized syntax-check requirement 
In-Reply-To: "D. J. Bernstein"'s message of "09 Aug 1998 04:17:44 +0000."
References: <19980808153359.27971.qmail@cr.yp.to> <19980808222117Z6283-14900+3860@nic.funet.fi>  <19980809041744.3045.qmail@cr.yp.to> 
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Date: Sun, 09 Aug 1998 18:25:59 +1000
Message-Id: <5267.902651159@munnari.OZ.AU>
From: Robert Elz <kre@munnari.oz.au>

    Date:        9 Aug 1998 04:17:44 -0000
    From:        "D. J. Bernstein" <djb@cr.yp.to>
    Message-ID:  <19980809041744.3045.qmail@cr.yp.to>

  | Wrong. By default, BIND allows underscores except in its local
  | configuration files.

Actually, not really, it also doesn't allow them as args to gethostbyname()
(ie: in the resolver).   BIND is both the daemon (named) and the resolver.

With sendmail as the MTA that has the effect of disallowing underscores (and
lots more of course) in the value of an MX record (as sendmail uses 
gethostbyname() to translate the MX record value to an A record).  There is
no standard anywhere which limits the syntax of MX record names (they're not
visible in 821 or 822 anywhere, so they're not subject to any of their rules)
so this is a royal pain.

Of course, sendmail could be using a lower level resolver interface which
doesn't impose that absurd restriction, but I personally prefer to fix my
resolver so it doesn't attempt to syntax check the name that I have asked
it to find - there's no reason for resolvers to do that.

The motivation for this nonsense was a CERT report of course - the problem
was people sticking "weird" things in PTR records, and fooling applications
which blindly accepted the results of gethostbyaddr() - saving all those
dumb applications by imposing some checking on what gethostbyaddr() returns
is defensible (even if fixing the applications would be a far better solution),
but extending that reasoning to also syntax check the args passed to
gethostbyname() is worse than indefensible, it is ludicrous.

kre