"_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))
Walter Holm
Walter.Holm at crinj.com
Wed Feb 6 15:54:18 UTC 2013
That is correct; they are talking about the data content of DNS in general, which includes the naming and the content, and that section addresses both.
Once an RFC updates another RFC, I would take that to mean there is a change or clarification of a previous RFC. Hence you have to follow the rabbit hole of do's/don'ts and may's/shall's of these impossible chains of RFCs, correct? It is probably useful for pointing to an earlier RFC so the family tree of RFCs after the fact is properly referenced.
-Walt
-----Original Message-----
From: Weijun Wang [mailto:weijun.wang at oracle.com]
Sent: Wednesday, February 06, 2013 9:15 AM
To: Walter Holm
Cc: OpenJDK
Subject: "_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))
Hi Walt
I'm adding the openjdk security-dev mail list to CC.
At the beginning of RFC 2181, section 11, we have
Occasionally it is assumed that the Domain Name System serves only
the purpose of mapping Internet host names to data, and mapping
Internet addresses to host names. This is not correct...
In my understanding, this RFC is relaxing the syntax for general DNS names. However, the dNSName in SAN is just the "only the purpose" mentioned above, and its syntax is still restricted. In fact, the latest X.509 cert spec (RFC 5280 4.2.1.6) still references RFC 1034 as the format for dNSName.
Thanks
Weijun
On 02/06/2013 09:38 PM, Walter Holm wrote:
> Hi Weijun,
>
> First, thank you for taking interest in this issue.
>
> Although it is true that this RFC specifies a "should" for domain
> names (in "_Preferred_ name syntax") to remove confusion, section 11
> of http://www.ietf.org/rfc/rfc2181.txt (which updates RFC 1034)
> clarifies what the name syntax is; in particular, the name syntax is
> supposed to be unrestrictive (starting with the second paragraph). As a
> side note about the behavior of keytool: when generating a self-signed
> cert, if the DN contains an underscore, it is successful; it's just the SAN that fails.
>
> Thank you for your time,
>
> Sincerely,
>
> Walter Holm
>
> (Walt)
>
> -----Original Message-----
> From: Weijun Wang [mailto:weijun.wang at oracle.com]
> Sent: Wednesday, February 06, 2013 3:21 AM
> To: Walter Holm
> Subject: Fwd: [Bug 100298] New: keytool and SANs (DNS types)
>
> Hi Walter
>
> Hostname as specified in
> http://tools.ietf.org/html/rfc1034#section-3.5
>
> which says a label can only contain let-dig-hyp
>
> <let-dig-hyp> ::= <let-dig> | "-"
>
> <let-dig> ::= <letter> | <digit>
>
> Is there any other specification that allows the underscore char?
>
> Thanks
>
> Weijun
>
> -------- Original Message --------
> Subject: [Bug 100298] New: keytool and SANs (DNS types)
> Date: Tue, 5 Feb 2013 12:36:35 -0800 (PST)
> From: bugzilla-daemon at bugs.openjdk.java.net
> To: weijun.wang at oracle.com
>
> https://bugs.openjdk.java.net/show_bug.cgi?id=100298
>
> Summary: keytool and SANs (DNS types)
> Product: security
> Version: 7
> Platform: all
> OS/Version: all
> Status: NEW
> Severity: normal
> Priority: P3
> Component: other
> AssignedTo: watch-security-other at bugs.openjdk.java.net
> ReportedBy: walter.holm at crinj.com
> CC: watch-security-other at bugs.openjdk.java.net
>
> The SAN for DNS type does not allow _'s (underscores) in the FQDN.
> This is of course allowed normally and should be corrected.
>
> Example:
>
> DNS:x_yz.domain.com
>
> will fail
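The two readings argued over in this thread can be made concrete with a small checker. The following is an added example, not code from the thread or from OpenJDK's keytool: it validates a candidate dNSName once against the RFC 1034 section 3.5 "preferred name syntax" quoted above (the grammar RFC 5280 4.2.1.6 points to for the dNSName form of subjectAltName) and once against the relaxed RFC 2181 section 11 rule that a label may be any binary string, with only the 63-octet label and 255-octet wire-length limits enforced. The function names (`is_rfc1034_hostname`, `is_rfc2181_dns_name`, `check_san_dns_name`) and the sample names are assumptions constructed for the example; the bug report's `x_yz.domain.com` is the one name taken from the page.

```python
"""
Check a subjectAltName dNSName against the two grammars discussed in the
thread: the RFC 1034 section 3.5 "preferred name syntax" (what RFC 5280
4.2.1.6 references for dNSName) and the relaxed RFC 2181 section 11 rule
that a DNS label may be any binary string.  Added example, not OpenJDK code.
"""
import re

# RFC 1034 3.5 label grammar as quoted in the thread:
#   <label>       ::= <letter> [ [ <ldh-str> ] <let-dig> ]
#   <let-dig-hyp> ::= <let-dig> | "-"
# i.e. start with a letter, end with a letter or digit, hyphens only inside.
# (RFC 1123 2.1 later allowed a leading digit; the stricter RFC 1034 form is
# used here because it is the one the thread discusses.)
_RFC1034_LABEL = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

MAX_LABEL_OCTETS = 63   # RFC 1034 3.1 / RFC 2181 11
MAX_NAME_OCTETS = 255   # wire-format limit (RFC 1035 2.3.4 / RFC 2181 11)


def _labels(name: str):
    """Split a presentation-form name into labels.  A single trailing dot
    (absolute name) is tolerated; empty labels and empty names are rejected."""
    if name.endswith("."):
        name = name[:-1]
    if not name:
        return None
    labels = name.split(".")
    if any(label == "" for label in labels):
        return None
    return labels


def _wire_length_ok(labels) -> bool:
    # Wire form: one length octet per label, then the terminating zero octet.
    return sum(len(label.encode("utf-8")) + 1 for label in labels) + 1 <= MAX_NAME_OCTETS


def is_rfc1034_hostname(name: str) -> bool:
    """True if every label satisfies the RFC 1034 3.5 let-dig-hyp syntax.
    This is the reading under which 'x_yz.domain.com' is not a valid dNSName."""
    labels = _labels(name)
    if labels is None or not _wire_length_ok(labels):
        return False
    return all(len(label) <= MAX_LABEL_OCTETS and _RFC1034_LABEL.match(label)
               for label in labels)


def is_rfc2181_dns_name(name: str) -> bool:
    """True under RFC 2181 11: any octets are allowed in a label; only the
    label and total lengths are limited."""
    labels = _labels(name)
    if labels is None or not _wire_length_ok(labels):
        return False
    return all(1 <= len(label.encode("utf-8")) <= MAX_LABEL_OCTETS for label in labels)


def check_san_dns_name(name: str) -> dict:
    """Report how a candidate dNSName fares under both readings."""
    return {
        "name": name,
        "rfc1034_preferred_syntax": is_rfc1034_hostname(name),
        "rfc2181_any_binary_label": is_rfc2181_dns_name(name),
    }


if __name__ == "__main__":
    # Constructed sample names: the one from the bug report, a hyphenated
    # counterpart, an SRV-style name (the usual source of underscores in DNS),
    # a label with a leading hyphen, and an over-long label.
    for candidate in ("x_yz.domain.com", "x-yz.domain.com", "_sip._tcp.domain.com",
                      "-bad.domain.com", "a" * 64 + ".domain.com"):
        r = check_san_dns_name(candidate)
        print(f"{r['name']:32} RFC1034={str(r['rfc1034_preferred_syntax']):5} "
              f"RFC2181={r['rfc2181_any_binary_label']}")
```

Run as a script it prints one line per sample name; the underscore names pass the RFC 2181 check and fail the RFC 1034 one, which is exactly the disagreement in the thread. A certificate tool that follows RFC 5280 applies the first checker, so a service reached via an SRV-style name cannot be named in a dNSName and would need a different identifier type or a hyphenated host label.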