[Freeipa-devel] [PATCH 0029-0046, 0047] Internationalized domain names in DNS plugin

Jan Cholasta jcholast at redhat.com
Tue Jun 3 06:24:30 UTC 2014


On 2.6.2014 17:29, Martin Basti wrote:
> On Mon, 2014-06-02 at 17:09 +0200, Martin Basti wrote:
>> On Mon, 2014-06-02 at 16:21 +0200, Jan Cholasta wrote:
>>> On 2.6.2014 13:50, Martin Basti wrote:
>>>> Rebased patches attached
>>>>
>>>
>>> I got this test failure:
>>>
>>> ======================================================================
>>> ERROR: test suite for <class
>>> 'ipatests.test_xmlrpc.test_dns_plugin.test_dns'>
>>> ----------------------------------------------------------------------
>>> Traceback (most recent call last):
>>>     File "/usr/lib/python2.7/site-packages/nose/suite.py", line 208, in run
>>>       self.setUp()
>>>     File "/usr/lib/python2.7/site-packages/nose/suite.py", line 291, in setUp
>>>       self.setupContext(ancestor)
>>>     File "/usr/lib/python2.7/site-packages/nose/suite.py", line 314, in
>>> setupContext
>>>       try_run(context, names)
>>>     File "/usr/lib/python2.7/site-packages/nose/util.py", line 469, in
>>> try_run
>>>       return func()
>>>     File
>>> "/usr/lib/python2.7/site-packages/ipatests/test_xmlrpc/test_dns_plugin.py",
>>> line 214, in setUpClass
>>>       force = True,
>>>     File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 436,
>>> in __call__
>>>       ret = self.run(*args, **options)
>>>     File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 758,
>>> in run
>>>       return self.forward(*args, **options)
>>>     File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 779,
>>> in forward
>>>       return self.Backend.rpcclient.forward(self.name, *args, **kw)
>>>     File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 876, in
>>> forward
>>>       return self._call_command(command, params)
>>>     File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 853, in
>>> _call_command
>>>       return command(*params)
>>>     File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 993, in _call
>>>       return self.__request(name, args)
>>>     File "/usr/lib/python2.7/site-packages/ipalib/rpc.py", line 987, in
>>> __request
>>>       raise error_class(message=error['message'])
>>> DNSDataMismatch: DNS check failed: Expected {_kerberos.dnszone.test.
>>> 86400 IN TXT "IDM.LAB.BOS.REDHAT.COM"} got {None}
>> This is caused by the wait_for_dns option. Try setting a larger time
>> limit, at least 10sec.

Oh, OK, thanks.

>>
>>>
>>> Patch 31:
>>>
>>> +            #compare if IDN normalized and original domain match
>>> +            #there is N:1 mapping between unicode and IDNA names
>>> +            #user should use normalized names to avoid mistakes
>>> +            normalized_domain_name = encodings.idna.nameprep(value)
>>> +            if value != normalized_domain_name:
>>> +                error = _("domain name '%(domain)s' and normalized
>>> domain name"
>>> +                          " '%(normalized)s' do not match. Please use only"
>>> +                          " normalized domains") % {'domain': value,
>>> +                          'normalized': normalized_domain_name}
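
Review bot: `encodings.idna.nameprep(value)` is called on the whole domain name, but nameprep is defined on a single label, so its bidi check spans every label at once and a right-to-left label followed by an ASCII label fails the check. The call also raises UnicodeError for prohibited code points, and nothing in the visible lines catches it, so that input would not reach the translated message built below. Suggest splitting `value` on '.', running nameprep on each label, and turning UnicodeError into the same kind of validation error. Style: the three comment lines want a space after `#`.
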
>>>
>>> I thought we decided to drop this check, because of IDNA 2008?
>> We decided not to change IDNA2003 to 2008, because registrars are
>> stricter than both of the RFC standards, and this is part of 2003 which
>> makes it safer, and in some way more compatible with 2008 (like only
>> small caps, etc)
>>
>> But the German registrar allows only IDNA2008, Switzerland allows only
>> IDNA2003, so we have a problem with the 'ß' character, because it is
>> encoded differently.
>>
>> For IDNA2008, we need an extra library outside the standard Python libs.
>>
>> So we should support both, or use the pure punycode algorithm to
>> encode/decode, because it has no limitations, unlike the IDNA standard.
>> I propose to file a new ticket.
>>
> And also AD supports IDNA2003. So we are compatible.

What I mean is that with the check, we support only IDNA2003 and without 
it, we support both IDNA2003 and IDNA2008, so it might be better just to 
remove it. Yes, users can enter invalid names without the check, but 
there is only so much babysitting we should do.

Maybe we can do a compromise and make it a warning instead?

>
>
>>>
>>> Patch 38:
>>>
>>> It seems you left out the normalize_zonemgr and normalize_zone
>>> modifications I have suggested. Is there a reason for this?
>>>
>> I left the original code there, which works with strings.
>>
>> I don't use normalize_zone in the DNS plugin anymore. So it would be
>> better to work only with strings, with no conversion from string to
>> object and back to string.
>>
>> Should I modify normalize_zonemgr then? The old version works well, and
>> the code will be a little longer than your example.

Yes please, just to be safe ;-)

-- 
Jan Cholasta
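
The 'ß' discrepancy and the "warning instead of error" compromise discussed in this thread, as an added example in Python 3 that is not code from the patch set or from FreeIPA. All function names are hypothetical; it uses only the standard library's `encodings.idna` (IDNA2003) and `punycode` codecs, and applies nameprep per label.

```python
import encodings.idna


def nameprep_labels(name):
    """Apply IDNA2003 nameprep to each label of a dotted domain name."""
    return ".".join(encodings.idna.nameprep(label) if label else label
                    for label in name.split("."))


def to_ascii_idna2003(name):
    """IDNA2003 ToASCII via the stdlib codec (nameprep, then punycode)."""
    return name.encode("idna").decode("ascii")


def to_ascii_raw_punycode(name):
    """Punycode each non-ASCII label exactly as typed, with no nameprep mapping."""
    out = []
    for label in name.split("."):
        if label.isascii():
            out.append(label)
        else:
            out.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def check_domain(name):
    """Return (name, warning). Warn, rather than reject, when nameprep alters the name."""
    try:
        normalized = nameprep_labels(name)
    except UnicodeError as exc:  # prohibited code point or bidi violation
        raise ValueError("invalid domain name %r: %s" % (name, exc))
    if normalized != name:
        return name, ("domain name %r differs from its IDNA2003-normalized "
                      "form %r" % (name, normalized))
    return name, None


if __name__ == "__main__":
    sample = "straße.test"  # constructed sample name
    print(to_ascii_idna2003(sample))      # IDNA2003 maps 'ß' to 'ss'
    print(to_ascii_raw_punycode(sample))  # 'ß' preserved and punycoded
    print(check_domain(sample)[1])        # warning text
    print(check_domain("strasse.test")[1])
```

The two encodings of the same typed name resolve to different DNS names, which is why silently accepting either form without at least a warning can leave a zone created under a name the user did not expect.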