[Freeipa-devel] [PATCH 0047] Allow underscore in DNAME targets

Petr Viktorin pviktori at redhat.com
Thu Apr 11 14:35:54 UTC 2013


On 04/11/2013 03:59 PM, Simo Sorce wrote:
> On Thu, 2013-04-11 at 14:52 +0200, Petr Viktorin wrote:
>> On 04/11/2013 02:43 PM, Simo Sorce wrote:
>>> On Thu, 2013-04-11 at 14:24 +0200, Petr Viktorin wrote:
>>>> On 04/11/2013 12:05 PM, Tomas Babej wrote:
>>>>> Hi,
>>>>>
>>>>> Makes DNAME target validation less strict and allows underscore.
>>>>> This is a requirement for IPA sites.
>>>>>
>>>>> https://fedorahosted.org/freeipa/ticket/3550
>>>>>
>>>>> Tomas
>>>>
>>>> I checked with Petr², and he said it would make sense to also enable
>>>> underscores for the other record types.
>>>> For records other than TXT, SRV, DNAME, and NSEC we could warn if
>>>> underscores are used, but that's probably not worth the trouble -- just
>>>> allowing underscores everywhere is fine.
>>>>
>>>
>>> Underscores are invalid DNS characters, they should not be allowed for A
>>> records, only for DNAME, and SRV records IMO.
>>
>> Technically, they're invalid *hostname* characters; in DNS itself
>> anything goes.
>>
>> Interestingly, we already allow them for A records:
>> $ ipa dnsrecord-add idm.lab.eng.brq.redhat.com _bogus --a-rec=1.2.3.4
>>     Record name: _bogus
>>     A record: 1.2.3.4
>>
>> But this ticket is not about the record name, it's about record data
>> (i.e. the *target* of the DNAME).
>
> So we are restricting record *data* but *not* record names? That's ...
> odd.

Yes. Apparently we relaxed the name validation because underscores are 
used in AD or other exotic/nonstandard setups, and now we need to relax 
the data validation as well.

I filed a ticket to add warnings for underscores in A records: 
https://fedorahosted.org/freeipa/ticket/3557


-- 
Petr³
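
The distinction drawn in this thread (strict hostname labels versus relaxed DNS names, with a warning rather than an error outside TXT, SRV, DNAME and NSEC), as an added example that is not FreeIPA's validator code. The function names `check_domain_name` and `validate_record` are hypothetical, and any names passed to them are constructed samples.

```python
import re

# Types the thread names as legitimate users of underscores (no warning).
UNDERSCORE_OK_TYPES = {"TXT", "SRV", "DNAME", "NSEC"}

# Hostname rule: letters, digits, hyphen; 1-63 chars; no hyphen at either end.
HOSTNAME_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Relaxed rule: identical, except underscore is accepted in any position.
RELAXED_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")


def check_domain_name(name, allow_underscore=False):
    """Return None if name is acceptable, otherwise a description of the problem."""
    stripped = name[:-1] if name.endswith(".") else name
    if not stripped:
        return "empty name"
    if len(stripped) > 253:
        return "name longer than 253 characters"
    pattern = RELAXED_LABEL if allow_underscore else HOSTNAME_LABEL
    for label in stripped.split("."):
        # fullmatch also rejects empty labels and labels over 63 characters.
        if not pattern.fullmatch(label):
            return "invalid label %r" % label
    return None


def validate_record(rtype, owner, target=None):
    """Check owner name and optional domain-name target; return (errors, warnings)."""
    errors, warnings = [], []
    fields = [("name", owner)]
    if target is not None:
        fields.append(("target", target))
    for field, value in fields:
        # Names and data are both checked with the relaxed rule.
        problem = check_domain_name(value, allow_underscore=True)
        if problem:
            errors.append("%s: %s" % (field, problem))
        elif "_" in value and rtype.upper() not in UNDERSCORE_OK_TYPES:
            # Syntactically fine for DNS, but not a valid hostname: warn only.
            warnings.append("%s %r contains an underscore, which is not valid "
                            "in a hostname" % (field, value))
    return errors, warnings
```
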