Subject: Undeserved Insecure dependency error with named nameservers
I patched die() to confess() to debug this (new since 0.6?):
Error:
======
Insecure dependency while running with -T switch at /usr/lib/perl5/site_perl/5.8.8/i686-linux-thread-multi/Net/DNS/Resolver/Base.pm line 852
Net::DNS::Resolver::Base::send_udp('Net::DNS::Resolver=HASH(0x9df8f9c)', 'Net::DNS::Update=HASH(0x9de5604)', '\x{fd}\x{d9}(\x{0}\x{0}\x{1}\x{0}\x{0}\x{0}\x{1}\x{0}\x{1}\x{5}litts\x{3}net\x{0}\x{0}\x{6}\x{0}\x{1}\x{c0}\x{c}\x{0}\x{10}\x{0}\x{fe}\x{0}\x{0}\x{0}\x{0}\x{0}\x{7}\x{6}gobble\x{11}internal_view_...') called at /usr/lib/perl5/site_perl/5.8.8/i686-linux-thread-multi/Net/DNS/Resolver/Base.pm line 511
Net::DNS::Resolver::Base::send('Net::DNS::Resolver=HASH(0x9df8f9c)', 'Net::DNS::Update=HASH(0x9de5604)') called at {...}dnsupdate.cgi line 2542
main::doUpdate('delete', 'internal', 'litts.net.', '', 600, 'TXT', 'gobble', 1, 1, ...) called at {...}dnsupdate.cgi line 726
main::processPost() called at {...}dnsupdate.cgi line 317
Analysis:
=========
The failure happens if I specify the nameserver as 'ns1.litts.net', but not if I use the IPv4 or IPv6 address associated with that server.
The query being sent happens to be a (TSIG-signed) UPDATE to delete (a non-existent) TXT record.
Obviously, I have IPv6 support.
The root cause is that Socket6::getaddrinfo returns tainted data.
modver Socket6
Socket6 => 0.25
Patch:
======
--- /usr/lib/perl5/site_perl/5.8.8/i686-linux-thread-multi/Net/DNS/Resolver/Base.pm~ 2014-10-24 04:15:16.000000000 -0400
+++ /usr/lib/perl5/site_perl/5.8.8/i686-linux-thread-multi/Net/DNS/Resolver/Base.pm 2014-10-26 08:26:15.000000000 -0400
@@ -772,11 +772,11 @@
if ( scalar(@res) < 5 ) {
die("can't resolve \"$ns_address\" to address");
}
- push @ns, [$ns_address, $dst_sockaddr, $sockfamily];
+ push @ns, [_untaint( $ns_address, $dst_sockaddr, $sockfamily )];
} else {
next NSADDRESS unless ( _ip_is_ipv4($ns_address) );
my $dst_sockaddr = sockaddr_in( $dstport, inet_aton($ns_address) );
push @ns, [$ns_address, $dst_sockaddr, AF_INET];
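Review bot: `_untaint` on the added line `+ push @ns, [_untaint( $ns_address, $dst_sockaddr, $sockfamily )];` is neither defined nor imported anywhere in this hunk, so the patch is incomplete as posted unless Base.pm already provides that helper; please include its definition in the diff, because how it validates the values is the whole point under -T. Blanket-untainting all three values also hides the taint rather than checking it: per the analysis only the result of getaddrinfo is tainted, so it would be tighter to untaint just `$dst_sockaddr` (the value actually passed to the socket call) after the `scalar(@res) < 5` check, and to decide whether the IPv4 branch's `push @ns, [$ns_address, $dst_sockaddr, AF_INET];` needs the same treatment so the two branches follow one policy.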
Host OS is Linux (an old kernel).
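As an added illustration of the analysis above (not code from the report or from Net::DNS), the script below calls Socket6::getaddrinfo under -T, checks the returned sockaddr with Scalar::Util::tainted, and rebuilds a clean sockaddr from a validated textual address instead of untainting blindly. The helper name untaint_sockaddr is my own, and the script assumes a Socket.pm that exports inet_ntop/inet_pton and the sockaddr_in6 helpers (perl 5.14 or a newer Socket from CPAN).

```perl
#!/usr/bin/perl -T
# Added example: taint propagation through Socket6::getaddrinfo and a
# validating untaint of the returned sockaddr. Assumes Socket >= 1.94.
use strict;
use warnings;
use Scalar::Util qw(tainted);
use Socket qw(AF_UNSPEC AF_INET AF_INET6 SOCK_DGRAM sockaddr_family
              unpack_sockaddr_in pack_sockaddr_in
              unpack_sockaddr_in6 pack_sockaddr_in6
              inet_ntop inet_pton);
use Socket6 qw(getaddrinfo);

# Rebuild a sockaddr from its textual form. The regex captures are the only
# untainting step, and they run on text produced by inet_ntop, so nothing but
# an address inet_pton accepts (and a numeric port) can survive.
sub untaint_sockaddr {
    my ($sa) = @_;
    my $family = sockaddr_family($sa);
    my ($port, $packed, $scope) =
        $family == AF_INET6 ? (unpack_sockaddr_in6($sa))[0, 1, 2]
                            : (unpack_sockaddr_in($sa), 0);
    my $text = inet_ntop($family, $packed);
    my ($clean_text) = $text =~ /\A([0-9A-Fa-f:.]+)\z/
        or die "unexpected address text '$text'";
    my ($clean_port) = $port =~ /\A(\d{1,5})\z/
        or die "unexpected port '$port'";
    my $clean_packed = inet_pton($family, $clean_text)
        or die "inet_pton rejected '$clean_text'";
    return $family == AF_INET6
        ? pack_sockaddr_in6($clean_port, $clean_packed, $scope)
        : pack_sockaddr_in($clean_port, $clean_packed);
}

# The nameserver name comes from outside the program (here the command line,
# which is always tainted under -T), just as a resolver config value would.
my $ns_name = shift @ARGV or die "usage: $0 nameserver-name\n";
my @res = getaddrinfo($ns_name, 53, AF_UNSPEC, SOCK_DGRAM);
die "cannot resolve $ns_name\n" if @res < 5;
# Socket6 returns a flat list of 5-tuples; take the first one.
my ($family, $socktype, $proto, $sockaddr, $canon) = splice(@res, 0, 5);

printf "family=%d getaddrinfo sockaddr tainted: %s\n",
    $family, tainted($sockaddr) ? "yes" : "no";
my $clean = untaint_sockaddr($sockaddr);
printf "rebuilt sockaddr tainted: %s, same bytes as original: %s\n",
    tainted($clean) ? "yes" : "no", ($clean eq $sockaddr) ? "yes" : "no";
```

Run it as `perl -T this_script.pl ns1.example.net` with a name of your own; the first line reports the taint the report describes, the second shows that the rebuilt sockaddr is clean and byte-identical whenever getaddrinfo set no flow label.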