[Freeipa-devel] [PATCH 0047] Allow underscore in DNAME targets

Martin Kosek mkosek at redhat.com
Thu Apr 25 10:54:24 UTC 2013


On 04/25/2013 12:03 PM, Petr Viktorin wrote:
> On 04/23/2013 02:02 PM, Tomas Babej wrote:
>> On 04/11/2013 04:35 PM, Petr Viktorin wrote:
>>> On 04/11/2013 03:59 PM, Simo Sorce wrote:
>>>> On Thu, 2013-04-11 at 14:52 +0200, Petr Viktorin wrote:
>>>>> On 04/11/2013 02:43 PM, Simo Sorce wrote:
>>>>>> On Thu, 2013-04-11 at 14:24 +0200, Petr Viktorin wrote:
>>>>>>> On 04/11/2013 12:05 PM, Tomas Babej wrote:
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> Makes DNAME target validation less strict and allows underscore.
>>>>>>>> This is a requirement for IPA sites.
>>>>>>>>
>>>>>>>> https://fedorahosted.org/freeipa/ticket/3550
>>>>>>>>
>>>>>>>> Tomas
>>>>>>>
>>>>>>> I checked with Petr², and he said it would make sense to also enable
>>>>>>> underscores for the other record types.
>>>>>>> For records other than TXT, SRV, DNAME, and NSEC we could warn if
>>>>>>> underscores are used, but that's probably not worth the trouble --
>>>>>>> just allowing underscores everywhere is fine.
>>>>>>>
>>>>>>
>>>>>> Underscores are invalid DNS characters, they should not be allowed
>>>>>> for A records, only for DNAME, and SRV records IMO.
>>>>>
>>>>> Technically, they're invalid *hostname* characters; in DNS itself
>>>>> anything goes.
>>>>>
>>>>> Interestingly, we already allow them for A records:
>>>>> $ ipa dnsrecord-add idm.lab.eng.brq.redhat.com _bogus --a-rec=1.2.3.4
>>>>>     Record name: _bogus
>>>>>     A record: 1.2.3.4
>>>>>
>>>>> But this ticket is not about the record name, it's about record data
>>>>> (i.e. the *target* of the DNAME).
>>>>
>>>> So we are restricting record *data* but *not* record names? That's ...
>>>> odd.
>>>
>>> Yes. Apparently we relaxed the name validation because underscores are
>>> used in AD or other exotic/nonstandard setups, and now we need to
>>> relax the data validation as well.
>>>
>>> I filed a ticket to add warnings for underscores in A records:
>>> https://fedorahosted.org/freeipa/ticket/3557
>>>
>>>
>> Sorry for letting this rot on the list, I thought I sent the patch
>> already. Patchwork saved me this time.
>>
>> Here's the updated patch.
>>
>> Tomas
>
> ACK
>

Pushed to master, ipa-3-1 (rebased).

Martin
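
The distinction discussed in this thread (strict hostname rules versus underscore-tolerant DNS names, applied to both record names and record data, with a warning outside TXT, SRV, DNAME and NSEC) as an added example; this is not FreeIPA's code or the patch itself. The function names, the warning policy and the example.com names are assumptions made for illustration.

```python
import re

# Hostname label (RFC 952/1123 "LDH" rule): ASCII letters, digits, hyphen;
# no leading or trailing hyphen. Explicit ASCII classes avoid Unicode
# case-folding surprises.
_LDH = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?")
# Same shape, but underscore is also accepted (relaxed rule assumed here).
_LDH_US = re.compile(r"[A-Za-z0-9_]([A-Za-z0-9_-]*[A-Za-z0-9_])?")

# Assumption for this example: the record types named in the thread as
# ones where underscores are expected and need no warning.
UNDERSCORE_EXPECTED = {"TXT", "SRV", "DNAME", "NSEC"}


def check_domain_name(name, allow_underscore=False):
    """Return a list of problems found in `name`; empty list means valid."""
    stripped = name[:-1] if name.endswith(".") else name  # absolute form
    if not stripped:
        return ["empty name"]
    problems = []
    if len(stripped) > 253:
        problems.append("name longer than 253 characters")
    pattern = _LDH_US if allow_underscore else _LDH
    for label in stripped.split("."):
        if not label:
            problems.append("empty label")
        elif len(label) > 63:
            problems.append("label longer than 63 characters: %r" % label)
        elif not pattern.fullmatch(label):  # fullmatch rejects "host\n"
            problems.append("invalid label: %r" % label)
    return problems


def check_record(rtype, name, target=None):
    """Check owner name and optional domain-name target.

    Returns (errors, warnings). Underscores are accepted everywhere but
    flagged for record types where they are not conventional.
    """
    errors, warnings = [], []
    for value in filter(None, (name, target)):
        errors += check_domain_name(value, allow_underscore=True)
        if "_" in value and rtype.upper() not in UNDERSCORE_EXPECTED:
            warnings.append("underscore in %s record: %r" % (rtype, value))
    return errors, warnings
```
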