[Freeipa-devel] [PATCH 0070] Normalization check only for IDNA domains

Martin Basti mbasti at redhat.com
Mon Jun 30 07:17:13 UTC 2014


On Fri, 2014-06-27 at 12:21 +0200, Petr Spacek wrote:
> On 27.6.2014 12:20, Alexander Bokovoy wrote:
> > On Fri, 27 Jun 2014, Petr Spacek wrote:
> >> On 27.6.2014 12:04, Alexander Bokovoy wrote:
> >>> diff --git a/ipalib/parameters.py b/ipalib/parameters.py
> >>> index 1dff13c..09fed28 100644
> >>> --- a/ipalib/parameters.py
> >>> +++ b/ipalib/parameters.py
> >>> @@ -1965,12 +1965,15 @@ class DNSNameParam(Param):
> >>>              #compare if IDN normalized and original domain match
> >>>              #there is N:1 mapping between unicode and IDNA names
> >>>              #user should use normalized names to avoid mistakes
> >>> -            normalized_domain_name = encodings.idna.nameprep(value)
> >>> -            if value != normalized_domain_name:
> >>> -                error = _("domain name '%(domain)s' and normalized domain
> >>> name"
> >>> -                          " '%(normalized)s' do not match. Please use only"
> >>> -                          " normalized domains") % {'domain': value,
> >>> -                          'normalized': normalized_domain_name}
> >>> +            labels = value.split('.')
> >>
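Review bot: `value.split('.')` only recognizes U+002E as a label separator, but IDNA2003 (RFC 3490, section 3.1) also treats U+3002, U+FF0E and U+FF61 as dots, so a name entered with an ideographic full stop would reach nameprep as a single label and pass the check with the non-ASCII separator still in it. The removed lines ran `encodings.idna.nameprep(value)` on the whole name, which the comment above correctly says should happen per label, so the direction is right; split on all four separators (or let the DNS name type hand back its labels) rather than on the ASCII dot. The replacement error message and the loop body are not in the visible part of the hunk, so that tail cannot be reviewed here.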
> >> NACK. This is going to break with IDNA2003 as there are four different dots.
> >> The whole DNS refactoring was about eliminating all places where DNS names
> >> are treated as strings separated by ASCII dots.
> > IDNA implementation in FreeIPA git master right now is wrong with
> > regards to nameprep use -- encodings.idna.nameprep(), as well as other
> > functions in encodings.idna should be applied to labels, not to the
> > whole DNS name.
> >
> > Give me a way to split a name into labels properly and we can work on it.
> >
> >>
> >> I would like to hear reasons against fixing ipa-adtrust-install (in the
> >> other part of thread).
> > As I said, 'fixing' ipa-adtrust-install is considered a hack. Current
> > IDNA support is broken anyway, *it* needs to be fixed, not a long
> > standing convention to name DNS records in Active Directory
> > implementations (which Samba AD DC setup shares as well).
> 
> Let me add that the DNS protocol is case-insensitive, so it doesn't matter. Let's 
> wait for mbasti's opinion.
> 

Yes, DNS is, but IDNA is case-sensitive. We need to allow the use of upper case
for non-IDNA domains, because they may already be stored in LDAP, and
after an upgrade these domains would raise an error.
-- 
Martin^2 Basti
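To make the three points of this exchange concrete (labels must be split on all four IDNA2003 separators, nameprep is applied per label, and pure-ASCII labels are left alone so upper-case names already in LDAP keep working), here is a small stand-alone check written for this summary. It is not FreeIPA code and not the patch under review; the function and variable names are invented, the name samples are constructed, and only the `encodings.idna.nameprep` call from the Python standard library is shared with the hunk above.

```python
import encodings.idna

# Label separators recognized by IDNA2003 (RFC 3490, section 3.1):
# U+002E FULL STOP, U+3002 IDEOGRAPHIC FULL STOP,
# U+FF0E FULLWIDTH FULL STOP, U+FF61 HALFWIDTH IDEOGRAPHIC FULL STOP.
IDNA2003_DOTS = "\u002e\u3002\uff0e\uff61"


def split_labels(name):
    """Split a DNS name into labels on any of the four IDNA2003 dot variants.

    A single trailing separator (absolute name) is tolerated and dropped.
    Hypothetical helper, not part of any project API.
    """
    labels = []
    current = []
    for ch in name:
        if ch in IDNA2003_DOTS:
            labels.append("".join(current))
            current = []
        else:
            current.append(ch)
    labels.append("".join(current))
    if len(labels) > 1 and labels[-1] == "":
        labels.pop()  # trailing dot: absolute name, no empty root label kept
    return labels


def is_idn_label(label):
    """True if the label contains anything outside ASCII and so needs nameprep."""
    return any(ord(ch) > 0x7F for ch in label)


def check_normalized(name):
    """Return (ok, normalized_name, message).

    Each label is handled on its own. ASCII-only labels are accepted as
    stored (DNS is case-insensitive, and upper-case records may already
    exist in LDAP). Non-ASCII labels must equal their nameprep form, since
    several Unicode spellings map to one IDNA name and the canonical one is
    the only form that will round-trip. The normalized name is rebuilt with
    ASCII dots regardless of which separator the user typed.
    """
    labels = split_labels(name)
    normalized = []
    for label in labels:
        if not is_idn_label(label):
            normalized.append(label)
            continue
        try:
            normalized.append(encodings.idna.nameprep(label))
        except UnicodeError as exc:
            return (False, None,
                    "label %r is not a valid IDN label: %s" % (label, exc))
    normalized_name = ".".join(normalized)
    if normalized != labels:
        return (False, normalized_name,
                "domain name %r and normalized domain name %r do not match. "
                "Please use only normalized domains" % (name, normalized_name))
    return (True, normalized_name, None)


if __name__ == "__main__":
    # Constructed samples: ASCII upper case, a canonical IDN, an upper-case
    # IDN, a decomposed spelling (r + combining caron), an ideographic dot,
    # and a label with a prohibited character (U+2028 LINE SEPARATOR).
    for sample in ("Example.COM",
                   "p\u0159\u00edklad.cz",
                   "P\u0159\u00edklad.cz",
                   "pr\u030c\u00edklad.cz",
                   "Example\u3002com\uff0e",
                   "p\u0159\u00edklad\u2028.cz"):
        print(repr(sample), "->", check_normalized(sample))
```

The check refuses the decomposed spelling even though it renders identically, which is the N:1 mapping the hunk's comment warns about; a user who stored that form would never match a lookup for the composed name.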
