
net: domain name length checks should use wire format #17549

Closed
gibson042 opened this issue Oct 22, 2016 · 3 comments
Labels: FrozenDueToAge, NeedsFix (the path to resolution is known, but the work has not been done)

@gibson042 (Contributor)

RFC 1035 specifies a limit on domain names of 255 octets in wire format (a sequence of length-preceded labels ending with the zero-length root label), and even the willful RFC 6762 Multicast DNS tops out at 256 wire-format octets. But Go's IsDomainName allows up to 255 presentation format octets, exceeding both. There is also a separate issue of IsDomainName rejecting wildcard domains, but that's just #1168 and #12421.

### What version of Go are you using (go version)?

go1.7.1

### What operating system and processor architecture are you using (go env)?

linux/amd64

GOARCH="amd64"
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build693750050=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"

### What did you do?

query long domain names

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"time"
)

func main() {
	// Five 50-octet labels plus "golang.org" gives a 265-octet name;
	// the slices below take its trailing 253..256 presentation octets.
	longLabel := strings.Repeat("l", 50)
	longDomain := strings.Repeat(longLabel+".", 5) + "golang.org"
	length := len(longDomain)
	domains := []string{
		// valid domain name, but will be falsely rejected
		"*.golang.org",

		// maximum wire-format length per RFC 1035 (253 presentation octets = 255 wire octets)
		longDomain[length-253:],

		// too long for public Internet, but will issue and time out
		longDomain[length-254:],

		// too long for even RFC 6762 Multicast DNS, but will issue and time out
		longDomain[length-255:],

		// properly rejected as too long
		longDomain[length-256:],
	}
	for _, domain := range domains {
		start := time.Now()
		fmt.Printf("\n%d presentation-format octets: %s\n", len(domain), domain)
		fmt.Println(net.LookupHost(domain))
		fmt.Println(time.Since(start))
	}
}
```

### What did you expect to see?

QNAMEs longer than 255 wire-format bytes rejected

```
12 presentation-format octets: *.golang.org
[173.194.204.141 2607:f8b0:400d:c07::8d] <nil>
~50ms

253 presentation-format octets: llllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[173.194.204.141 2607:f8b0:400d:c07::8d] <nil>
~50ms

254 presentation-format octets: lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
<100µs

255 presentation-format octets: llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
<100µs

256 presentation-format octets: lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
<100µs
```

### What did you see instead?

names longer than 255 wire-format bytes were queried and timed out after 20 seconds

```
12 presentation-format octets: *.golang.org
[] lookup *.golang.org: invalid domain name
99.551µs

253 presentation-format octets: llllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[173.194.204.141 2607:f8b0:400d:c07::8d] <nil>
52.282064ms

254 presentation-format octets: lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org on 8.8.8.8:53: read udp 172.19.129.66:49106->8.8.8.8:53: i/o timeout
20.001165244s

255 presentation-format octets: llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org on 8.8.8.8:53: read udp 172.19.129.66:51603->8.8.8.8:53: i/o timeout
20.001086372s

256 presentation-format octets: lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
60.555µs
```

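The report's point is that the 255-octet limit in RFC 1035 is a wire-format limit: every label costs one extra length octet and the whole name ends in a one-octet root label, so a name with N labels and no trailing dot costs N + 1 octets more than its presentation form, and a presentation-format check against 255 lets through names that cannot be encoded. The following is an added example (not code from the Go standard library or from the issue's author) of the accounting a validator should do. It assumes plain ASCII presentation-format names with no `\.` escapes, and the names `wireLength` and `checkDomainName` are hypothetical; the limits are the RFC 1035 and RFC 6762 figures quoted in the report.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Limits from RFC 1035 section 2.3.4: a label is at most 63 octets and a
// complete name is at most 255 octets in wire format. RFC 6762 (Multicast
// DNS) permits 256; pass that as the limit for mDNS names.
const (
	maxLabelLength    = 63
	maxWireLength     = 255
	maxMDNSWireLength = 256
)

// wireLength returns the octet count of name in DNS wire format: one
// length octet per label, the label octets themselves, and the single zero
// octet for the root label that terminates every name. Assumption: name is
// plain ASCII presentation format with no "\." escapes.
func wireLength(name string) (int, error) {
	if name == "" {
		return 0, errors.New("empty name")
	}
	if name == "." {
		return 1, nil // only the root label
	}
	name = strings.TrimSuffix(name, ".") // trailing dot is the root, counted once below
	n := 1                               // root label terminator
	for _, label := range strings.Split(name, ".") {
		l := len(label)
		switch {
		case l == 0:
			return 0, errors.New("empty label")
		case l > maxLabelLength:
			return 0, fmt.Errorf("label %q is %d octets, max %d", label, l, maxLabelLength)
		}
		n += 1 + l // length octet plus the label
	}
	return n, nil
}

// checkDomainName rejects names whose wire-format length exceeds limit,
// which is the check the report argues should replace comparing the
// presentation-format length against 255.
func checkDomainName(name string, limit int) error {
	n, err := wireLength(name)
	if err != nil {
		return err
	}
	if n > limit {
		return fmt.Errorf("%d wire-format octets, max %d", n, limit)
	}
	return nil
}

func main() {
	// Constructed names, built the same way as the report's reproducer.
	longDomain := strings.Repeat(strings.Repeat("l", 50)+".", 5) + "golang.org"
	for _, name := range []string{
		"golang.org",
		longDomain[len(longDomain)-253:], // 255 wire octets: the RFC 1035 maximum
		longDomain[len(longDomain)-254:], // 256 wire octets: mDNS only
		longDomain[len(longDomain)-255:], // 257 wire octets: never encodable
	} {
		n, _ := wireLength(name)
		fmt.Printf("%3d presentation octets = %3d wire octets; RFC 1035: %v; mDNS: %v\n",
			len(name), n, checkDomainName(name, maxWireLength), checkDomainName(name, maxMDNSWireLength))
	}
}
```

Note that the 254- and 255-octet names that the report shows timing out against 8.8.8.8 both fail `checkDomainName` with the RFC 1035 limit without any query being sent, and only the 254-octet one passes under the mDNS limit.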
@gopherbot

CL https://golang.org/cl/31722 mentions this issue.

@mikioh mikioh added this to the Go1.8 milestone Oct 22, 2016
@quentinmit quentinmit added the NeedsFix The path to resolution is known, but the work has not been done. label Oct 24, 2016
@gopherbot

CL https://golang.org/cl/36429 mentions this issue.

gopherbot pushed a commit that referenced this issue Feb 7, 2017
We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
to the list in response to #17549 - not being able to find any certs otherwise.

Now we have #18813, where CentOS 6 apparently has both that file
and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while
the former is not.

Moving the new CentOS 7 file to the bottom of the list should fix both
problems: the CentOS 7 system that didn't have any of the other files
in the list will still find the new one, and existing systems will still
keep using what they were using instead of preferring the new path
that may or may not be complete on some systems.

Fixes #18813.

Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba
Reviewed-on: https://go-review.googlesource.com/36429
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
@gopherbot

CL https://golang.org/cl/36530 mentions this issue.

gopherbot pushed a commit that referenced this issue Feb 8, 2017
We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
to the list in response to #17549 - not being able to find any certs otherwise.

Now we have #18813, where CentOS 6 apparently has both that file
and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while
the former is not.

Moving the new CentOS 7 file to the bottom of the list should fix both
problems: the CentOS 7 system that didn't have any of the other files
in the list will still find the new one, and existing systems will still
keep using what they were using instead of preferring the new path
that may or may not be complete on some systems.

Fixes #18813.

Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba
Reviewed-on: https://go-review.googlesource.com/36429
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-on: https://go-review.googlesource.com/36530
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
@golang golang locked and limited conversation to collaborators Feb 7, 2018