net: domain name length checks should use wire format #17549
CL https://golang.org/cl/31722 mentions this issue.
quentinmit added the NeedsFix label Oct 24, 2016
CL https://golang.org/cl/36429 mentions this issue.
gopherbot pushed a commit that referenced this issue Feb 7, 2017
We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to the list in response to #17549 - not being able to find any certs otherwise.
Now we have #18813, where CentOS 6 apparently has both that file and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while the former is not.
Moving the new CentOS 7 file to the bottom of the list should fix both problems: the CentOS 7 system that didn't have any of the other files in the list will still find the new one, and existing systems will still keep using what they were using instead of preferring the new path that may or may not be complete on some systems.
Fixes #18813.
Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba
Reviewed-on: https://go-review.googlesource.com/36429
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
CL https://golang.org/cl/36530 mentions this issue.
gopherbot pushed a commit that referenced this issue Feb 8, 2017
We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem to the list in response to #17549 - not being able to find any certs otherwise.
Now we have #18813, where CentOS 6 apparently has both that file and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while the former is not.
Moving the new CentOS 7 file to the bottom of the list should fix both problems: the CentOS 7 system that didn't have any of the other files in the list will still find the new one, and existing systems will still keep using what they were using instead of preferring the new path that may or may not be complete on some systems.
Fixes #18813.
Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba
Reviewed-on: https://go-review.googlesource.com/36429
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-on: https://go-review.googlesource.com/36530
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
RFC 1035 specifies a limit on domain names of 255 octets in wire format (a sequence of length-preceded labels ending with the zero-length root label), and even the willful RFC 6762 Multicast DNS tops out at 256 wire-format octets. But Go's IsDomainName allows up to 255 presentation format octets, exceeding both. There is also a separate issue of IsDomainName rejecting wildcard domains, but that's just #1168 and #12421.
What version of Go are you using (go version)?
go1.7.1
What operating system and processor architecture are you using (go env)?
linux/amd64
GOARCH="amd64"
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build693750050=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
query long domain names
QNAMEs longer than 255 wire-format bytes rejected
names longer than 255 wire-format bytes were queried and timed out after 20 seconds
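The difference between the two length measures described in the issue, as an added example (not code from the issue or from Go's net package). WireLength and sample are hypothetical names, the sample names are constructed, and the input is assumed to contain no \. or \DDD escapes.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

const maxWireName, maxLabel = 255, 63 // RFC 1035 limits: whole name (wire octets), single label

var (
	errBadLabel = errors.New("label is empty or longer than 63 octets")
	errLongName = errors.New("name exceeds 255 wire-format octets")
)

// WireLength (hypothetical helper) returns the octets a presentation-format
// name occupies on the wire: a length octet plus the bytes of each label,
// then the zero-length root label. Assumption: no \. or \DDD escapes.
func WireLength(name string) (int, error) {
	name = strings.TrimSuffix(name, ".") // a trailing dot does not change the encoding
	n := 1                               // the root label
	if name == "" {
		return n, nil
	}
	for _, label := range strings.Split(name, ".") {
		if label == "" || len(label) > maxLabel {
			return 0, errBadLabel
		}
		n += 1 + len(label)
	}
	if n > maxWireName {
		return n, errLongName
	}
	return n, nil
}

// sample builds a constructed name: three 63-octet labels plus one of `last`
// octets, so its presentation length is 192+last.
func sample(last int) string {
	l := strings.Repeat("a", maxLabel)
	return l + "." + l + "." + l + "." + strings.Repeat("a", last)
}

func main() {
	for _, last := range []int{61, 62, 63} {
		name := sample(last)
		n, err := WireLength(name)
		fmt.Printf("presentation=%d wire=%d err=%v\n", len(name), n, err)
	}
}
```

A name without a trailing dot always encodes to its presentation length plus two octets, so the longest name that fits the 255-octet wire limit is 253 presentation octets.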