Or maybe it could lead to some security issues?

// Resource Header
msg = append(msg, nameIN...)
msg = binary.BigEndian.AppendUint16(msg, uint16(dnsmessage.TypeCNAME))
msg = binary.BigEndian.AppendUint16(msg, uint16(dnsmessage.ClassINET))
msg = binary.BigEndian.AppendUint32(msg, 1)

nameCNAME := []byte{12, 's', 't', 'h', '.', 'i', 'n', 't', 'e', 'r', 'n', 'a', 'l', 2, 'g', 'o', 3, 'd', 'e', 'v', 0} // valid RFC 1035 name
msg = binary.BigEndian.AppendUint16(msg, uint16(len(nameCNAME)))
msg = append(msg, nameCNAME...)

_, err := parser.Start(msg)
if err != nil {
	panic(err)
}

err = parser.SkipAllQuestions()
if err != nil {
	panic(err)
}

_, err = parser.AnswerHeader()
if err != nil {
	panic(err)
}

cname, err := parser.CNAMEResource()
if err != nil {
	panic(err)
}

fmt.Println(cname.CNAME.Data[:cname.CNAME.Length])
fmt.Println(cname) 

[115 116 104 46 105 110 116 101 114 110 97 108 46 103 111 46 100 101 118 46]
{sth.internal.go.dev.}

[]byte{12, 's', 't', 'h', '.', 'i', 'n', 't', 'e', 'r', 'n', 'a', 'l', 2, 'g', 'o', 3, 'd', 'e', 'v', 0} (subdomain of go.dev. was interpreted as subdomain of internal.go.dev.).

Having two different interpretations in never good in terms of security.

Change https://go.dev/cl/443215 mentions this issue: dns/dnsmessage: reject names with dots inside label

We might also try to add \. escape as defined in RFC 1035 (and probably \DDD Edit: \\). But the array inside the Name struct would not be able to hold all possible names.

@neild, can you give this a look?

Hey @mateusz834 I'd like to try to get this fixed for 1.20, but I think we should be implementing the full 1034 escaping behavior (similar to what miekg/dns does), rather than just hard failing on this one specific. I'm happy to review if you'd like to update your CL to implement this, but we have a hard freeze at the end of next week before which we need to land the change. If you're short on time I'm also happy to take over and implement this behavior if you don't think you can get to it before then.

Edit: I also found a discussion about the same issue here: #10631 (but marked as net).

@rolandshoemaker I can try to implement this, give me few days.

full 1034 escaping behavior

You mean RFC 1035? Only these two?

\X              where X is any character other than a digit (0-9), is
                used to quote that character so that its special meaning
                does not apply.  For example, "\." can be used to place
                a dot character in a label.

\DDD            where each D is a digit is the octet corresponding to
                the decimal number described by DDD.  The resulting
                octet is assumed to be text and is not checked for
                special meaning.

How to handle case in which we have to unpack a 255B (dns encoded name) that requires one character to be encoded as \DDD. (It will not fit inside the Name struct, it will take 257B) Should we just return an error?

Oh bah, I missed we use a sized byte slice to avoid allocations, this ends up being more complicated than I anticipated. Perhaps just failing out here is the lowest impact fix we can reasonably apply in the short term. That said I think we should be failing on all non-LDH characters though, since otherwise we'll still be mis-parsing other special characters.

@rolandshoemaker Note that the net package always checks for invalid hostnames:

Edit:

That said I think we should be failing on all non-LDH characters though, since otherwise we'll still be mis-parsing other special characters.

If we really need something like that we probably should reject dots and ASCII characters: char < ' ' || char > '~'. Rejecting non-LDH characters can break backwards compatibility.

Do we want to do something with this for go 1.21?

ping @rolandshoemaker