[Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

Alexander Bokovoy abokovoy at redhat.com
Fri Jun 27 10:20:13 UTC 2014


On Fri, 27 Jun 2014, Petr Spacek wrote:
>On 27.6.2014 12:04, Alexander Bokovoy wrote:
>>diff --git a/ipalib/parameters.py b/ipalib/parameters.py
>>index 1dff13c..09fed28 100644
>>--- a/ipalib/parameters.py
>>+++ b/ipalib/parameters.py
>>@@ -1965,12 +1965,15 @@ class DNSNameParam(Param):
>>              #compare if IDN normalized and original domain match
>>              #there is N:1 mapping between unicode and IDNA names
>>              #user should use normalized names to avoid mistakes
>>-            normalized_domain_name = encodings.idna.nameprep(value)
>>-            if value != normalized_domain_name:
>>-                error = _("domain name '%(domain)s' and normalized domain name"
>>-                          " '%(normalized)s' do not match. Please use only"
>>-                          " normalized domains") % {'domain': value,
>>-                          'normalized': normalized_domain_name}
>>+            labels = value.split('.')
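Review bot: The added `labels = value.split('.')` splits on the ASCII dot (U+002E) only, so a name written with one of the other IDNA2003 label separators (U+3002, U+FF0E, U+FF61) is handed on as a single label containing the separator. Split with a helper that recognizes all four separators, or take the labels from an already parsed DNS name object instead of `str.split`, and add a test case that uses a non-ASCII separator. As a minor style point, the context comments above (`#compare if IDN normalized ...`) are missing the space after `#`.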
>
>NACK. This is going to break with IDNA2003 as there are four different 
>dots. The whole DNS refactoring was about eliminating all places where 
>DNS names are treated as strings separated by ASCII dots.
IDNA implementation in FreeIPA git master right now is wrong with
regards to nameprep use -- encodings.idna.nameprep(), as well as other
functions in encodings.idna should be applied to labels, not to the
whole DNS name.

Give me a way to split a name into labels properly and we can work on it.

>
>I would like to hear reasons against fixing ipa-adtrust-install (in 
>the other part of thread).
As I said, 'fixing' ipa-adtrust-install is considered a hack. Current
IDNA support is broken anyway, *it* needs to be fixed, not a long
standing convention to name DNS records in Active Directory
implementations (which Samba AD DC setup shares as well).

-- 
/ Alexander Bokovoy
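
The two points argued in this message, per-label nameprep and the four IDNA2003 dots, shown together as an added example (not code from the patch or from FreeIPA). The names `split_labels` and `non_normalized_labels` and the sample domain names are assumptions made for the illustration.

```python
import re
from encodings import idna

# The four label separators that IDNA2003 (RFC 3490) treats as dots:
# U+002E, U+3002, U+FF0E, U+FF61.
IDNA2003_DOTS = re.compile("[\u002e\u3002\uff0e\uff61]")


def split_labels(name):
    """Split a Unicode DNS name into labels on any IDNA2003 dot (hypothetical helper)."""
    return IDNA2003_DOTS.split(name)


def non_normalized_labels(name):
    """Return (label, nameprep(label)) for each label that nameprep changes.

    A label that nameprep rejects (prohibited character, bidi violation)
    is reported with None as its normalized form.
    """
    mismatches = []
    for label in split_labels(name):
        try:
            normalized = idna.nameprep(label)
        except UnicodeError:
            normalized = None
        if normalized != label:
            mismatches.append((label, normalized))
    return mismatches


# Constructed sample names, not taken from the thread.
ASCII_DOT = "b\u00fccher.example"             # U+002E separator
IDEOGRAPHIC_DOT = "b\u00fccher\u3002example"  # same labels, U+3002 separator
MIXED_CASE = "B\u00fccher.example"            # first label is not normalized

if __name__ == "__main__":
    for sample in (ASCII_DOT, IDEOGRAPHIC_DOT, MIXED_CASE):
        print(repr(sample), split_labels(sample), non_normalized_labels(sample))
    # str.split('.') sees a single label when the separator is U+3002.
    print(IDEOGRAPHIC_DOT.split("."))
```
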



