TLSA cert validation #257
Thanks! Against which version of dnsjava did you test this? The changes from #252 (released in v3.5.1) also fixed points 1 and 2. I'm not sure about the third point, max length. Do you see a use case where this is really an issue?
I was on 3.2.2, but I just tested again on 3.5.1. I get a NullPointerException when testing missing cert using rdata "0 0 1".
I don't see any errors for a non-hex char that is not a letter. For example, "3 1 1 0D6FCE13243AA-". Per 182b5a3#diff-f9d43ac9568da097f6fcf1841a792ae3168643498a01ead4a638d4dc5cb65d23R39 it looks like maybe this is by design? If so, why reject non-hex chars when using a letter not in A-F, but not reject other characters? For example, "3 1 1 D6FCE13243AAZ" is rejected. For the last bullet point, I'm not sure. I was thinking that if something was relying on the dnsjava lib validation, this would help prevent storing extremely long strings that would bloat a database. It may help prevent malicious behavior.
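A strict parser for the TLSA presentation-format cases discussed in the comment above ("0 0 1", "3 1 1 0D6FCE13243AA-", "3 1 1 D6FCE13243AAZ"), as an added example that is not part of this thread and not dnsjava's own code. The names TLSARecord, parse_tlsa, check_rdata and the optional max_bytes cap are assumptions; the digest-length checks for matching types 1 and 2 are added strictness based on RFC 6698 defining those types as SHA-256 and SHA-512 hashes.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Digest lengths in bytes for RFC 6698 matching types 1 (SHA-256) and 2 (SHA-512).
# Matching type 0 carries the full certificate or SPKI, whose length is not fixed.
DIGEST_LEN = {1: 32, 2: 64}
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    matching_type: int
    cert_data: bytes


def parse_tlsa(rdata: str, max_bytes: Optional[int] = None) -> TLSARecord:
    """Parse TLSA presentation format strictly; raise ValueError on any defect.
    max_bytes is a hypothetical application-level cap (RFC 6698 sets none)."""
    parts = rdata.split()
    if len(parts) < 4:
        raise ValueError("missing field: need usage, selector, matching type and cert data")
    try:
        usage, selector, mtype = (int(p, 10) for p in parts[:3])
    except ValueError:
        raise ValueError("usage, selector and matching type must be decimal integers") from None
    if not all(0 <= v <= 255 for v in (usage, selector, mtype)):
        raise ValueError("usage, selector and matching type are single octets (0-255)")
    # RFC 6698 allows whitespace inside the hex string, so rejoin the remaining fields.
    hexdata = "".join(parts[3:])
    if not HEX_RE.fullmatch(hexdata):  # rejects '-', 'Z' and any other non-hex character
        raise ValueError("cert data contains a non-hexadecimal character")
    if len(hexdata) % 2:
        raise ValueError("cert data has an odd number of hex digits")
    cert = bytes.fromhex(hexdata)
    expected = DIGEST_LEN.get(mtype)
    if expected is not None and len(cert) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes, got {len(cert)}")
    if max_bytes is not None and len(cert) > max_bytes:
        raise ValueError(f"cert data exceeds cap of {max_bytes} bytes")
    return TLSARecord(usage, selector, mtype, cert)


def check_rdata(rdata: str, max_bytes: Optional[int] = None) -> Optional[str]:
    """Return None if rdata is acceptable, otherwise the reason it was rejected."""
    try:
        parse_tlsa(rdata, max_bytes)
    except ValueError as e:
        return str(e)
    return None
```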
Are you sure you tested this against 3.5.1? Can you please post a complete example? When I try to parse
@ibauersachs I re-tested on 3.5.1 and the missing cert and non-hex char I still think it would be good to protect from maliciously long inputs whenever possible.
I'm closing this. I couldn't find anything in the RFC that limits the association data length. As whitespace is allowed, a text-message of
Some rdata for TLSA records, specifically cert values, are allowed that I believe should be rejected per https://datatracker.ietf.org/doc/html/rfc6698#section-2.1.