"_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))

Weijun Wang weijun.wang at oracle.com
Wed Feb 6 14:14:44 UTC 2013


Hi Walt

I'm adding the openjdk security-dev mail list to CC.

At the beginning of RFC 2181 11 we have

    Occasionally it is assumed that the Domain Name System serves only
    the purpose of mapping Internet host names to data, and mapping
    Internet addresses to host names.  This is not correct...

In my understanding, this RFC is relaxing the syntax for general DNS 
names. However, the dNSName in SAN is just the "only the purpose" 
mentioned above, and its syntax is still restricted. In fact, the latest 
X.509 cert spec (RFC 5280 4.2.1.6) still references RFC 1034 as the 
format for dNSName.

Thanks
Weijun

On 02/06/2013 09:38 PM, Walter Holm wrote:
> Hi Weijun,
>
> First, thank you for taking interest in this issue.
>
> Although it is true that this RFC specifies a "should" for domain names
> (in "_Preferred_ name syntax") to remove confusion.  Section 11 of
> http://www.ietf.org/rfc/rfc2181.txt (which updates RFC 1034) clarifies
> what the name syntax is…in particular the name syntax is supposed to be
> unrestrictive (starts with the second paragraph).  In a side note about
> the behavior of keytool, when generating a self-signed cert, if the DN
> contains an underscore, it is successful, it's just the SAN that fails.
>
> Thank you for your time,
>
> Sincerely,
>
> Walter Holm
>
> (Walt)
>
> -----Original Message-----
> From: Weijun Wang [mailto:weijun.wang at oracle.com]
> Sent: Wednesday, February 06, 2013 3:21 AM
> To: Walter Holm
> Subject: Fwd: [Bug 100298] New: keytool and SANs (DNS types)
>
> Hi Walter
>
> Hostname as specified in http://tools.ietf.org/html/rfc1034#section-3.5
>
> which says a label can only contain let-dig-hyp
>
>     <let-dig-hyp> ::= <let-dig> | "-"
>
>     <let-dig> ::= <letter> | <digit>
>
> Is there any other specification that allows the underscore char?
>
> Thanks
>
> Weijun
>
> -------- Original Message --------
> Subject: [Bug 100298] New: keytool and SANs (DNS types)
> Date: Tue,  5 Feb 2013 12:36:35 -0800 (PST)
> From: bugzilla-daemon at bugs.openjdk.java.net
> To: weijun.wang at oracle.com
>
> https://bugs.openjdk.java.net/show_bug.cgi?id=100298
>
>              Summary: keytool and SANs (DNS types)
>              Product: security
>              Version: 7
>             Platform: all
>           OS/Version: all
>               Status: NEW
>             Severity: normal
>             Priority: P3
>            Component: other
>           AssignedTo: watch-security-other at bugs.openjdk.java.net
>           ReportedBy: walter.holm at crinj.com
>                   CC: watch-security-other at bugs.openjdk.java.net
>
> The SAN for DNS type does not allow _'s (underscores) in the FQDN.  This
> is of course allowed normally and should be corrected.
>
> Example:
>
> DNS:x_yz.domain.com
>
> will fail
>
> --
> Configure bugmail: https://bugs.openjdk.java.net/userprefs.cgi?tab=email
> ------- You are receiving this mail because: -------
> You are watching the assignee of the bug.
> You are watching someone on the CC list of the bug.
>
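The grammar quoted above is small enough to check mechanically. The following Python is an added example, not code from this thread or from OpenJDK's keytool: it validates a candidate dNSName value against the RFC 1034 section 3.5 "preferred name syntax" (label starts with a letter, ends with a letter or digit, only letters, digits and hyphens in between, at most 63 octets per label), with a switch for the RFC 1123 section 2.1 relaxation that also permits a leading digit, which RFC 5280 section 4.2.1.6 references together with RFC 1034 for dNSName. The function names, the 253-octet textual length cap and the sample names are this example's own choices; the `x_yz.domain.com` value is the one from the bug report.

```python
import re

# RFC 1034 §3.5 "preferred name syntax" for one label:
#   <label>       ::= <letter> [ [ <ldh-str> ] <let-dig> ]
#   <ldh-str>     ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
#   <let-dig-hyp> ::= <let-dig> | "-"
#   <let-dig>     ::= <letter> | <digit>
# i.e. a letter, optionally followed by letters/digits/hyphens and ending in a
# letter or digit. "_" is not in <let-dig-hyp>, so it can never appear.
_LABEL_RFC1034 = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# RFC 1123 §2.1 relaxes the first character to also allow a digit; RFC 5280
# §4.2.1.6 points at RFC 1034 "as modified by" RFC 1123 for dNSName values.
_LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Example's own cap: 255 octets in wire form including length bytes works out
# to 253 characters of presentation-format name without a trailing dot.
MAX_NAME_OCTETS = 253


def check_dnsname(name: str, allow_leading_digit: bool = True) -> tuple[bool, str]:
    """Return (ok, reason) for a candidate dNSName value.

    allow_leading_digit=True applies the RFC 1123 relaxation that RFC 5280
    references; False applies the original RFC 1034 grammar only.
    """
    if not name:
        return False, "empty name"
    if len(name) > MAX_NAME_OCTETS:
        return False, f"name longer than {MAX_NAME_OCTETS} octets"

    label_re = _LABEL_RFC1123 if allow_leading_digit else _LABEL_RFC1034
    for label in name.split("."):
        if not label:
            # A leading, trailing or doubled dot produces an empty label.
            return False, "empty label (leading, trailing or doubled dot)"
        if len(label) > 63:
            return False, f"label {label!r} longer than 63 octets"
        if label_re.match(label):
            continue
        # Distinguish "wrong character set" from "wrong first/last character"
        # so the rejection message names the actual problem (e.g. the "_").
        bad = sorted({c for c in label
                      if not (c.isascii() and (c.isalnum() or c == "-"))})
        if bad:
            return False, f"label {label!r} contains characters outside let-dig-hyp: {bad}"
        first = "a letter or digit" if allow_leading_digit else "a letter"
        return False, f"label {label!r} must start with {first} and end with a letter or digit"
    return True, "ok"


def triage_san_entries(entries: list[str]) -> dict[str, tuple[bool, str]]:
    """Classify a list of proposed DNS SAN values (strict RFC 5280 reading)."""
    return {name: check_dnsname(name) for name in entries}


if __name__ == "__main__":
    # Constructed sample SAN values; the first is the one from the bug report.
    for name, (ok, reason) in triage_san_entries([
        "x_yz.domain.com",
        "xyz.domain.com",
        "3com.example",
        "-bad.example.com",
        "host.example.com.",
    ]).items():
        print(f"{'OK  ' if ok else 'FAIL'} {name}: {reason}")
```

Run as a script it prints one line per name; `x_yz.domain.com` is rejected because `_` lies outside `<let-dig-hyp>`, while `3com.example` passes only under the RFC 1123 relaxation and fails when `allow_leading_digit=False` selects the bare RFC 1034 grammar.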


