"_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))

Weijun Wang weijun.wang at oracle.com
Thu Feb 7 01:02:35 UTC 2013


On 02/06/2013 11:54 PM, Walter Holm wrote:
> That is correct; they are talking about the data content of DNS in general, which includes the naming and the content, and that section addresses
> both.
>
> Once an RFC updates another RFC, I would take that to mean there is a change or clarification of a previous RFC.  Hence you have to follow the rabbit hole of do's/don'ts and may's/shall's of these impossible chains of RFCs, correct?  It is probably useful for pointing to an earlier RFC so the family tree of RFCs after the fact are properly referenced.

I think what RFC 2181 says by "any binary string" is just too relaxed. 
Adding a single "_" might be acceptable.

Anyway, have you filed a bug at bugs.sun.com as suggested by Brad? If not, 
I can file one for you.

-Weijun

>
> -Walt
>
> -----Original Message-----
> From: Weijun Wang [mailto:weijun.wang at oracle.com]
> Sent: Wednesday, February 06, 2013 9:15 AM
> To: Walter Holm
> Cc: OpenJDK
> Subject: "_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))
>
> Hi Walt
>
> I'm adding the openjdk security-dev mail list to CC.
>
> At the beginning of RFC 2181 11 we have
>
>      Occasionally it is assumed that the Domain Name System serves only
>      the purpose of mapping Internet host names to data, and mapping
>      Internet addresses to host names.  This is not correct...
>
> In my understanding, this RFC is relaxing the syntax for general DNS names. However, the dNSName in SAN is just the "only the purpose"
> mentioned above, and its syntax is still restricted. In fact, the latest
> X.509 cert spec (RFC 5280 4.2.1.6) still references RFC 1034 as the format for dNSName.
>
> Thanks
> Weijun
>
> On 02/06/2013 09:38 PM, Walter Holm wrote:
>> Hi Weijun,
>>
>> First, thank you for taking interest in this issue.
>>
>> Although it is true that this RFC specifies a "should" for domain
>> names (in "_Preferred_ name syntax") to remove confusion.  Section 11
>> of http://www.ietf.org/rfc/rfc2181.txt (which updates RFC 1034)
>> clarifies what the name syntax is…in particular the name syntax is
>> supposed to be unrestrictive (starts with the second paragraph).  In a
>> side note about the behavior of keytool, when generating a self-signed
>> cert, if the DN contains an underscore, it is successful, it's just the SAN that fails.
>>
>> Thank you for your time,
>>
>> Sincerely,
>>
>> Walter Holm
>>
>> (Walt)
>>
>> -----Original Message-----
>> From: Weijun Wang [mailto:weijun.wang at oracle.com]
>> Sent: Wednesday, February 06, 2013 3:21 AM
>> To: Walter Holm
>> Subject: Fwd: [Bug 100298] New: keytool and SANs (DNS types)
>>
>> Hi Walter
>>
>> Hostname as specified in
>> http://tools.ietf.org/html/rfc1034#section-3.5
>>
>> which says a label can only contain let-dig-hyp
>>
>>      <let-dig-hyp> ::= <let-dig> | "-"
>>
>>      <let-dig> ::= <letter> | <digit>
>>
>> Is there any other specification that allows the underscore char?
>>
>> Thanks
>>
>> Weijun
>>
>> -------- Original Message --------
>> Subject: [Bug 100298] New: keytool and SANs (DNS types)
>> Date: Tue,  5 Feb 2013 12:36:35 -0800 (PST)
>> From: bugzilla-daemon at bugs.openjdk.java.net
>> To: weijun.wang at oracle.com
>>
>> https://bugs.openjdk.java.net/show_bug.cgi?id=100298
>>
>>    Summary: keytool and SANs (DNS types)
>>    Product: security
>>    Version: 7
>>   Platform: all
>> OS/Version: all
>>     Status: NEW
>>   Severity: normal
>>   Priority: P3
>>  Component: other
>> AssignedTo: watch-security-other at bugs.openjdk.java.net
>> ReportedBy: walter.holm at crinj.com
>>         CC: watch-security-other at bugs.openjdk.java.net
>>
>> The SAN for DNS type does not allow _'s (underscores) in the FQDN.
>> This is of course allowed normally and should be corrected.
>>
>> Example:
>>
>> DNS:x_yz.domain.com
>>
>> will fail
>>
>> --
>> Configure bugmail: https://bugs.openjdk.java.net/userprefs.cgi?tab=email
>> ------- You are receiving this mail because: -------
>> You are watching the assignee of the bug.
>> You are watching someone on the CC list of the bug.
>>
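As an added example (not code from this thread or from OpenJDK's keytool), the following Python script checks a candidate SAN dNSName against the RFC 1034 3.5 let-dig-hyp syntax that RFC 5280 4.2.1.6 references (with the RFC 1123 2.1 relaxation that lets a label start with a digit), and beside it the far looser RFC 2181 section 11 reading the bug report relies on, so the two positions argued above can be compared on the reported name `x_yz.domain.com`. The function names and the sample names other than the bug report's are constructed for the example.

```python
import re

# Constructed example; not code from the thread or from OpenJDK.
# RFC 1034 3.5 "preferred name syntax", with the RFC 1123 2.1 relaxation
# that allows a label to begin with a digit:
#   <label>       ::= <let-dig> [ [ <ldh-str> ] <let-dig> ]
#   <let-dig-hyp> ::= <let-dig> | "-"
#   <let-dig>     ::= <letter> | <digit>
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_LABEL_OCTETS = 63          # RFC 1034 3.1 / RFC 2181 11
MAX_NAME_OCTETS = 255          # wire-format limit for a full name
MAX_PRESENTATION_LEN = 253     # 255 minus the leading length byte and the root label


def check_dnsname_san(name):
    """Check a SAN dNSName value the way RFC 5280 4.2.1.6 requires, i.e.
    against the RFC 1034 hostname syntax keytool enforces.
    Returns (ok, reason)."""
    if not name:
        return False, "empty name"
    if name.endswith("."):
        return False, "trailing dot is not allowed in a dNSName"
    if len(name) > MAX_PRESENTATION_LEN:
        return False, "name longer than %d characters" % MAX_PRESENTATION_LEN
    for label in name.split("."):
        if not label:
            return False, "empty label in %r" % name
        if len(label) > MAX_LABEL_OCTETS:
            return False, "label %r exceeds %d octets" % (label, MAX_LABEL_OCTETS)
        if not LDH_LABEL.match(label):
            # Report the offending characters (e.g. "_") when that is the cause,
            # otherwise it is a leading/trailing hyphen problem.
            bad = sorted({c for c in label if not re.fullmatch(r"[A-Za-z0-9-]", c)})
            if bad:
                return False, "label %r has characters outside let-dig-hyp: %s" % (
                    label, "".join(bad))
            return False, "label %r must start and end with a letter or digit" % label
    return True, "ok"


def is_rfc2181_dns_name(name):
    """The much looser RFC 2181 section 11 rule: any octets in a label; only the
    63-octet label and 255-octet name limits apply. Presentation form only
    (an escaped '.' inside a label is not handled)."""
    if not name:
        return False
    stripped = name.rstrip(".")
    if len(stripped.encode("utf-8")) + 2 > MAX_NAME_OCTETS:
        return False
    return all(0 < len(lbl.encode("utf-8")) <= MAX_LABEL_OCTETS
               for lbl in stripped.split("."))


def classify(name):
    """Compare both readings for one name."""
    ok, reason = check_dnsname_san(name)
    return {"name": name, "rfc5280_dnsname": ok, "reason": reason,
            "rfc2181_label": is_rfc2181_dns_name(name)}


if __name__ == "__main__":
    # Constructed sample names; the first is the one from the bug report.
    for n in ["x_yz.domain.com", "x-yz.domain.com", "_sip._tcp.example.com",
              "-bad.example.com", "3com.example.com", "a" * 64 + ".example.com"]:
        print(classify(n))
```

The underscore name is accepted under the RFC 2181 reading and rejected under the RFC 1034/RFC 5280 reading, which is exactly the split in the discussion: a name may be a perfectly valid DNS owner name (service-record labels such as `_sip._tcp` are the common case) and still not be a valid certificate dNSName.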