net: domain name length checks should use wire format #17549

Closed
gibson042 opened this issue Oct 22, 2016 · 3 comments

@gibson042
Contributor

commented Oct 22, 2016

RFC 1035 specifies a limit on domain names of 255 octets in wire format (a sequence of length-preceded labels ending with the zero-length root label), and even the willful RFC 6762 Multicast DNS tops out at 256 wire-format octets. But Go's IsDomainName allows up to 255 presentation format octets, exceeding both. There is also a separate issue of IsDomainName rejecting wildcard domains, but that's just #1168 and #12421.

### What version of Go are you using (`go version`)?

go1.7.1

### What operating system and processor architecture are you using (`go env`)?

linux/amd64

```
GOARCH="amd64"
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
CC="gcc"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build693750050=/tmp/go-build -gno-record-gcc-switches"
CXX="g++"
CGO_ENABLED="1"
```

### What did you do?

query long domain names

```go
package main

import (
    "fmt"
    "net"
    "strings"
    "time"
)

func main() {
    // Build a 265-octet name from five 50-octet labels under golang.org,
    // then take suffixes of it to hit each length boundary of interest.
    longLabel := strings.Repeat("l", 50)
    longDomain := strings.Repeat(longLabel+".", 5) + "golang.org"
    length := len(longDomain)
    domains := []string{
        // valid domain name, but will be falsely rejected
        "*.golang.org",

        // maximum wire-format length per RFC 1035
        longDomain[length-253:],

        // too long for public Internet, but will issue and time out
        longDomain[length-254:],

        // too long for even RFC 6762 Multicast DNS, but will issue and time out
        longDomain[length-255:],

        // properly rejected as too long
        longDomain[length-256:],
    }
    for _, domain := range domains {
        start := time.Now()
        fmt.Printf("\n%d presentation-format octets: %s\n", len(domain), domain)
        fmt.Println(net.LookupHost(domain))
        fmt.Println(time.Since(start))
    }
}
```

### What did you expect to see?

QNAMEs longer than 255 wire-format bytes rejected

```
12 presentation-format octets: *.golang.org
[173.194.204.141 2607:f8b0:400d:c07::8d] <nil>
~50ms

253 presentation-format octets: llllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[173.194.204.141 2607:f8b0:400d:c07::8d] <nil>
~50ms

254 presentation-format octets: lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
<100µs

255 presentation-format octets: llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
<100µs

256 presentation-format octets: lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
<100µs
```

### What did you see instead?

names longer than 255 wire-format bytes were queried and timed out after 20 seconds

```
12 presentation-format octets: *.golang.org
[] lookup *.golang.org: invalid domain name
99.551µs

253 presentation-format octets: llllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[173.194.204.141 2607:f8b0:400d:c07::8d] <nil>
52.282064ms

254 presentation-format octets: lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org on 8.8.8.8:53: read udp 172.19.129.66:49106->8.8.8.8:53: i/o timeout
20.001165244s

255 presentation-format octets: llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup llllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org on 8.8.8.8:53: read udp 172.19.129.66:51603->8.8.8.8:53: i/o timeout
20.001086372s

256 presentation-format octets: lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org
[] lookup lllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.llllllllllllllllllllllllllllllllllllllllllllllllll.golang.org: invalid domain name
60.555µs
```
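The wire-format encoding the report refers to, with the length check applied to the same 253- to 256-octet names, as an added example (not the `net` package's code nor the reporter's). `WireFormat` and `WireLengthOK` are hypothetical names; the RFC 1035 limits of 63 octets per label and 255 per name are the only constants it relies on.

```go
package main

import (
	"fmt"
	"strings"
)

// RFC 1035 limits: 63 octets per label, 255 per name in wire format.
const (
	maxLabelWire = 63
	maxNameWire  = 255
)

// WireFormat encodes a presentation-format name (with or without a trailing
// dot) as RFC 1035 wire format: a one-octet length before each label, then
// the zero-length root label. Added example, not the net package's own code.
func WireFormat(name string) ([]byte, error) {
	name = strings.TrimSuffix(name, ".") // root label is appended below regardless
	out := make([]byte, 0, len(name)+2)
	if name != "" { // "" or "." is the root itself: no labels before the terminator
		for _, label := range strings.Split(name, ".") {
			if label == "" {
				return nil, fmt.Errorf("empty label in %q", name)
			}
			if len(label) > maxLabelWire {
				return nil, fmt.Errorf("label %q exceeds %d octets", label, maxLabelWire)
			}
			out = append(out, byte(len(label)))
			out = append(out, label...)
		}
	}
	return append(out, 0), nil
}

// WireLengthOK is the check the issue asks for: accept a name only if its
// wire-format encoding fits in 255 octets, not merely its presentation form.
func WireLengthOK(name string) bool {
	b, err := WireFormat(name)
	return err == nil && len(b) <= maxNameWire
}

func main() {
	// Constructed like the report's names: 50-octet labels under golang.org.
	long := strings.Repeat(strings.Repeat("l", 50)+".", 5) + "golang.org"
	for _, n := range []int{253, 254, 255, 256} {
		name := long[len(long)-n:]
		b, _ := WireFormat(name)
		fmt.Printf("%d presentation octets -> %d wire octets, accepted=%v\n", n, len(b), WireLengthOK(name))
	}
}
```

A name without a trailing dot costs two extra octets on the wire (one length byte for the first label and the root terminator), which is why 253 presentation octets is the last accepted size and 254 and 255 are not.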
@gopherbot

commented Oct 22, 2016

CL https://golang.org/cl/31722 mentions this issue.

@gopherbot

commented Feb 7, 2017

CL https://golang.org/cl/36429 mentions this issue.

gopherbot pushed a commit that referenced this issue Feb 7, 2017

crypto/x509: check for new tls-ca-bundle.pem last
We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
to the list in response to #17549 - not being able to find any certs otherwise.

Now we have #18813, where CentOS 6 apparently has both that file
and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while
the former is not.

Moving the new CentOS 7 file to the bottom of the list should fix both
problems: the CentOS 7 system that didn't have any of the other files
in the list will still find the new one, and existing systems will still
keep using what they were using instead of preferring the new path
that may or may not be complete on some systems.

Fixes #18813.

Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba
Reviewed-on: https://go-review.googlesource.com/36429
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
@gopherbot

commented Feb 7, 2017

CL https://golang.org/cl/36530 mentions this issue.

gopherbot pushed a commit that referenced this issue Feb 8, 2017

[release-branch.go1.8] crypto/x509: check for new tls-ca-bundle.pem last
We added CentOS 7's /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
to the list in response to #17549 - not being able to find any certs otherwise.

Now we have #18813, where CentOS 6 apparently has both that file
and /etc/pki/tls/certs/ca-bundle.crt, and the latter is complete while
the former is not.

Moving the new CentOS 7 file to the bottom of the list should fix both
problems: the CentOS 7 system that didn't have any of the other files
in the list will still find the new one, and existing systems will still
keep using what they were using instead of preferring the new path
that may or may not be complete on some systems.

Fixes #18813.

Change-Id: I5275ab67424b95e7210e14938d3e986c8caee0ba
Reviewed-on: https://go-review.googlesource.com/36429
Run-TryBot: Russ Cox <rsc@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
Reviewed-on: https://go-review.googlesource.com/36530
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

@golang golang locked and limited conversation to collaborators Feb 7, 2018
