httpd-dev mailing list archives

From dgau...@hotwired.com (Dean Gaudet)
Subject Re: security holes and other fun stuff
Date Tue, 16 Jul 1996 01:15:40 GMT
In article <hot.mailing-lists.new-httpd-199607160042.BAA00790@originat.demon.co.uk>,
>Not true. 

What's not true?  That the API is working?  Gee the IRIX, BSDI, Solaris,
and SunOS4 man pages must all be broken.  The API has no timeout.
It is impossible to implement applications that respect the timeout
using the API.  There's also no mention in the man pages (I'm not about
to go dig any further for RFCs or the posix spec) about the timeout.
Hence applications programmers are doing just what they're supposed to:
calling the routine and using the result.

>This isn't how DNS works at all. An application only has to do a DNS lookup
>once, to map the domain name to an ip address. Once it's opened a connection
>then there's no need to check that the DNS map has changed. 

Ahh so now you're saying that HTTP is the culprit and it's bad and
everything because it opens a new TCP connection for each request.
So your solution to this problem is that a browser should do DNS on
every hit... or they have to write their own resolver routines (which
you've already said netscape shouldn't have done -- but they had to do
it to get multithreaded DNS).

>If you change an ip address on a box then all existing connections will
>drop anyway and at the next DNS lookup the new address will appear, there's
>absolutely no need for any API to pass back timeout values, they're
>not relevant to applications.

No, they won't drop.  Not unless you actually drop the old address.
Generally I do this (IRIX syntax):

    ifconfig ec0 NEW.A.B.C; ifconfig ec0 alias OLD.X.Y.Z

>> A month after renumbering bianca.com I saw 4 requests per day to the old
>
>It just can't happen with working code.

I don't deny that it can't happen with "working" code.  I'm telling you
that working code is an ideal.  We're living in the real world, where
broken code is the norm.

Frankly I don't care about 4 accesses per day 1 month after a renumbering.
But I do care about the one to two week range where I saw hundreds to
thousands of accesses despite the fact that the DNS had fully propagated.

>> The length of that time is what's at issue here.  There's like 0 chance
>> you'll convince J. Random Admin to play with the magic values in their
>> zone's SOA.  The number of people that understand that the 2nd through
>> 4th values refer to the zone as a whole and not the individual records
>> is pretty small.  I know how to play with the values to attempt to renumber
>
>If the admin doesn't have a full understanding of DNS then the whole issue
>is irrelevant.

I wasn't clear enough, sorry.  Here's what I meant to say:

    The length of that time is what's at issue here.  There's like 0
    chance an ISP will convince J. Random Customer to play with the magic
    values in their zone's SOA.  The number of people that understand
    that the 2nd through 4th values refer to the zone as a whole and
    not the individual records is pretty small.  I know how to play with
    the values to attempt to renumber

The ISP clearly has to understand DNS.

This argument is pointless.  I really think there are security flaws with
Apache's advocacy of DNS in configuration files.  If the Apache Group
doesn't care about it (I've not received one response, even privately,
which supports my view) then I'll shut up.  It's not just an Apache
issue -- I'm certain that if we were to investigate Netscape or NCSA or
other servers that allow DNS in their configuration files then we'd find
the same problems.

Dean
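The point about the resolver API above, as an added example (not code from Dean's message, the Apache project, or any resolver library): every DNS answer carries a TTL on the wire, so a client that parses the reply itself can bound how long it keeps an address, whereas gethostbyname() discards the TTL and leaves the application no way to know when a cached mapping has gone stale after a renumbering. The response bytes, the name and the 192.0.2.x address are constructed for the example; the cache takes an injectable clock so expiry can be exercised without waiting.

```python
import struct
import time

def build_response(name, ttl, ipv4, txid=0x1234):  # constructed reply: one A record
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in name.split(".")) + b"\x00"
    header = struct.pack("!6H", txid, 0x8180, 1, 1, 0, 0)  # response, 1 question, 1 answer
    question = qname + struct.pack("!HH", 1, 1)            # QTYPE=A, QCLASS=IN
    rr = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4)  # name ptr->12, A, IN, TTL, RDLENGTH
    return header + question + rr + bytes(int(o) for o in ipv4.split("."))

def read_name(msg, off, hops=0):  # decode a (possibly compressed) name -> (name, next offset)
    labels = []
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                          # compression pointer, RFC 1035 4.1.4
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(read_name(msg, ptr, hops + 1)[0])
            return ".".join(labels), off + 2
        off += 1
        if length == 0:
            return ".".join(labels), off
        labels.append(msg[off:off + length].decode("ascii"))
        off += length

def parse_first_a(msg):  # -> (owner, ttl, dotted quad) of the first A record
    _, _, qdcount, ancount, _, _ = struct.unpack("!6H", msg[:12])
    off = 12
    for _ in range(qdcount):
        off = read_name(msg, off)[1] + 4                   # skip QNAME, QTYPE, QCLASS
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            return owner, ttl, ".".join(str(b) for b in msg[off:off + 4])
        off += rdlen                                       # not an A record (e.g. CNAME): skip it
    raise ValueError("no A record in answer section")

class TtlCache:  # address cache that forgets an entry once its TTL has run out
    def __init__(self, clock=time.monotonic):
        self._clock, self._entries = clock, {}
    def put(self, name, addr, ttl):
        self._entries[name] = (addr, self._clock() + ttl)
    def get(self, name):
        addr, expires = self._entries.get(name, (None, 0.0))
        return addr if self._clock() < expires else None
```

A server that keys access control on a host name would re-resolve once `get()` returns None instead of trusting the address it obtained at startup.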
