[Freeipa-devel] DNS/bind-dyndb-ldap development plans

Simo Sorce simo at redhat.com
Mon Mar 19 16:46:39 UTC 2012


On Mon, 2012-03-19 at 15:28 +0100, Martin Kosek wrote:
> > >> IDN (Internationalized Domain Names) support
> > >> --------------------------------------------
> > >> Non ASCII domain names are encoded to ASCII strings. Theoretically it IS
> > >> supported now in plugin, from plugin point of view it is nothing special.
> > >> Another side is support for encoding/decoding strings in all our 
> > >> utilities, documentation and testing.
> > >>
> > >> Nowadays it's supported in DNS system from top-level and it's usable.
> > >>
> > >> The Question: Is there any user of this? I'm not really sure if somebody
> > >> really uses IDN. But people with non-latin alphabet will probably have
> > >> another opinion :-)
> > >>
> > >> https://fedorahosted.org/bind-dyndb-ldap/ticket/58
> > > Isn't this a matter of just having the UI compute the right value to
> > > store in the plugin ? I do not think we want to do on the fly
> > > conversions within the plugin, would be very inefficient.
> 
> Simo, I suppose you mean that encoding unicode<->punycode in
> bind-dyndb-ldap plugin would be inefficient. I can agree with that. I
> think our DNS plugin (CLI and WebUI) should simply do the
> encoding/decoding from unicode to punycode, bind-dyndb-ldap will then
> just pass the data to bind.

Yes this is what I mean and would like to see.

> > I am not sure this is a priority. Let us wait until asked.
> 
> +1. This may need some designing before we implement it and also we
> would need to define a scope of IDN support in the entire FreeIPA.
> Whether to implement it just for DNS resolution or also for other parts
> where we process hostnames.

Yes we may need this elsewhere, one key place we need to deal with this
is kerberos. Currently it is undefined what the format should be for
fqdns that want to use non ascii characters and largely depends on what
is stored in the kdc, except that we do not know what clients would do.

At the last Kerberos Consortium Conference we also asked Microsoft what
they do, in order to avoid making a non-interoperable choice. MS people
there didn't know for sure but they thought that in their Krb
implementation utf8 names may be used and not punycode.

So before we move forward we need to do comprehensive research and
possibly file bugs against upstream krb5 if it turns out the MIT client
libraries or the MIT KDC need to smarten up somehow to handle IDN names.

W/o making this type of research all we will obtain is broken hosts I
would guess.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
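
Added example, not part of the original message and not FreeIPA code: a sketch of the approach discussed in the thread, where the management layer (CLI/WebUI) converts between Unicode and punycode so that only ASCII names are stored, together with the two candidate Kerberos principal encodings whose format the thread describes as undefined. It uses Python's standard-library `idna` codec (IDNA 2003); the function names, host name and realm are constructed for illustration.

```python
import unicodedata

def _labels(fqdn):
    # Drop one trailing root dot, then reject empty labels such as "a..b".
    name = fqdn[:-1] if fqdn.endswith(".") else fqdn
    labels = name.split(".")
    if not name or any(not label for label in labels):
        raise ValueError("empty label in %r" % fqdn)
    return labels

def to_ascii(fqdn):
    """Unicode FQDN -> lower-case ASCII form ("xn--" labels) for storage."""
    out = []
    for label in _labels(unicodedata.normalize("NFC", fqdn)):
        try:
            # stdlib codec: nameprep + punycode, enforces the 63-octet label limit
            out.append(label.encode("idna").decode("ascii").lower())
        except UnicodeError as exc:
            raise ValueError("cannot encode label %r: %s" % (label, exc))
    name = ".".join(out)
    if len(name) > 253:
        raise ValueError("name too long after encoding")
    return name

def to_unicode(ascii_fqdn):
    """Stored ASCII form -> Unicode, for display only."""
    try:
        return ".".join(label.encode("ascii").decode("idna")
                        for label in _labels(ascii_fqdn))
    except UnicodeError as exc:
        raise ValueError("cannot decode %r: %s" % (ascii_fqdn, exc))

def host_principal_forms(fqdn, realm):
    """Byte strings a KDC lookup would compare, one per candidate format."""
    ascii_name = to_ascii(fqdn)
    return {
        "punycode": ("host/%s@%s" % (ascii_name, realm)).encode("ascii"),
        "utf8": ("host/%s@%s" % (to_unicode(ascii_name), realm)).encode("utf-8"),
    }

if __name__ == "__main__":
    # Constructed sample host and realm.
    forms = host_principal_forms("Bücher.example.com", "EXAMPLE.COM")
    for kind, principal in forms.items():
        print(kind, principal)
```

The two principals differ byte for byte, so a KDC holding one form will not match a client that sends the other.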



