Message-ID: <87pl3dewuk.fsf@mid.deneb.enyo.de>
Date: Sat, 02 May 2026 15:59:15 +0200
From: Florian Weimer <fw@...eb.enyo.de>
To: Rich Felker <dalias@...c.org>
Cc: musl@...ts.openwall.com
Subject: Re: Re: musl dn_expand issue (CVE-2026-40684 attributed to Exim)

* Rich Felker:

> I'm starting to recall the last time we looked at this, and I think
> one big unanswered question was whether we should emit escaped forms
> at all or just treat labels containing bytes not permitted in DNS as
> malformed and produce an error.

The DNS protocol allows arbitrary bytes in labels. It's largely
binary-transparent, but can perform ASCII case folding in certain
contexts. A low-level function such as dn_expand should not make
assumptions about the contents of labels.

Host names are more restricted, although the RFCs are overly restrictive
in practice because they also disallow _ in host names, which are in use.
Furthermore, * is quite common in CNAME chains due to a misunderstanding
of how DNS wildcards work. Some owner names of PTR records use / in labels
(which is totally fine protocol-wise because those names are not used as
host names) and are reached via CNAMEs. Some stub resolvers reject shell
metacharacters and domain names starting with - (although some of those
are in use), to protect shell scripts.

Not implementing escaping may have unintended effects when coupled with
other DNS software. I can't point to an application that is adversely
impacted by this (except Exim, but I haven't looked at what it is doing
to see if it makes sense).

This also applies to the lookup side: musl does not implement unescaping
of domain names, so it sends queries for different domains compared to
other stub resolvers.
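The escaping question discussed above, as an added example in C (not musl's dn_expand and not code from this thread): a wire-format name expander that preserves arbitrary label bytes by emitting RFC 1035 master-file escapes (\DDD, \. and \\) instead of rejecting them, with the bounds and pointer-loop checks a resolver needs; the sample message, including two deliberately malformed encodings, is constructed here.

```c
#include <stdio.h>
#include <string.h>
/* Expand the wire-format name at msg[off] into presentation form. Label bytes
 * outside 0x21..0x7E become \DDD and '.' / '\' become \. / \\ (RFC 1035 master-
 * file escapes). Pointers are bounds-checked and hop-limited. -1 if malformed. */
int dns_name_to_text(const unsigned char *msg, size_t msglen, size_t off,
                     char *out, size_t outlen)
{
    size_t o = 0;
    int hops = 0, n;
    for (;;) {
        if (off >= msglen) return -1;
        unsigned c = msg[off++];
        if (c == 0) break;                                  /* root label */
        if ((c & 0xC0) == 0xC0) {                           /* compression pointer */
            if (off >= msglen || ++hops > 32) return -1;
            off = ((c & 0x3F) << 8) | msg[off];
            continue;
        }
        if ((c & 0xC0) || off + c > msglen) return -1;      /* 0x40/0x80 or truncated */
        for (unsigned i = 0; i < c; i++, off++) {
            unsigned char b = msg[off];
            if (b < 0x21 || b > 0x7E) n = snprintf(out + o, outlen - o, "\\%03u", (unsigned)b);
            else if (b == '.' || b == '\\') n = snprintf(out + o, outlen - o, "\\%c", b);
            else n = snprintf(out + o, outlen - o, "%c", b);
            if (n < 0 || (size_t)n >= outlen - o) return -1;
            o += (size_t)n;
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = '.';
    }
    if (o == 0) { if (outlen < 2) return -1; out[o++] = '.'; }  /* bare root name */
    out[o] = '\0';
    return (int)o;
}
/* Constructed sample message: two names plus two malformed encodings. */
static const unsigned char sample_msg[] = {
    3,'w','w','w', 7,'e','x','a','m','p','l','e', 3,'c','o','m', 0, /* 0..16 */
    4,'a','.','b',0x01, 0xC0,0x04, /* 17: "a.b\001", then pointer to "example" */
    0xC0,0x18,                     /* 24: pointer to itself (loop) */
    5,'x',                         /* 26: label runs past the end */
};
/* 1 if the name at `off` expands to `expected`, or fails when expected is NULL. */
static int expand_check(size_t off, const char *expected)
{
    char buf[128];
    int n = dns_name_to_text(sample_msg, sizeof sample_msg, off, buf, sizeof buf);
    if (!expected) return n == -1;
    return n >= 0 && (size_t)n == strlen(buf) && strcmp(buf, expected) == 0;
}
```

Note that the '.' inside the second label comes out as `\.`, so a consumer can still tell it apart from a label separator; a resolver that strips or rejects such bytes instead would silently change which name is being looked up.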