On Fri, 2014-06-27 at 12:21 +0200, Petr Spacek wrote: > On 27.6.2014 12:20, Alexander Bokovoy wrote: > > On Fri, 27 Jun 2014, Petr Spacek wrote: > >> On 27.6.2014 12:04, Alexander Bokovoy wrote: > >>> diff --git a/ipalib/parameters.py b/ipalib/parameters.py > >>> index 1dff13c..09fed28 100644 > >>> --- a/ipalib/parameters.py > >>> +++ b/ipalib/parameters.py 
> >>> @@ -1965,12 +1965,15 @@ class DNSNameParam(Param): > >>> #compare if IDN normalized and original domain match > >>> #there is N:1 mapping between unicode and IDNA names > >>> #user should use normalized names to avoid mistakes > >>> - normalized_domain_name = encodings.idna.nameprep(value) > >>> - if value != normalized_domain_name: > >>> - error = _("domain name '%(domain)s' and normalized domain > >>> name" > >>> - " '%(normalized)s' do not match. Please use > >>> only" > >>> - " normalized domains") % {'domain': value, > >>> - 'normalized': normalized_domain_name} > >>> + labels = value.split('.') > >> > >> NACK. This is going to break with IDNA2003 as there are four different > >> dots. > >> The whole DNS refactoring was about eliminating all places where DNS names > >> are threaded as strings separated by ASCII dots. > > IDNA implementation in FreeIPA git master right now is wrong with > > regards to nameprep use -- encodings.idna.nameprep(), as well as other > > functions in encodings.idna should be applied to labels, not to the > > whole DNS name. > > > > Give me a way to split a name to labels properly and we can work on. > > > >> > >> I would like to hear reasons against fixing ipa-adtrust-install (in the > >> other part of thread). > > As I said, 'fixing' ipa-adtrust-install is considered a hack. Current > > IDNA support is broken anyway, *it* needs to be fixed, not a long > > standing convention to name DNS records in Active Directory > > implementations (which Samba AD DC setup shares as well). > > Let me add that DNS protocol is case insensitive so it doesn't matter. Let's > wait for mbasti's opinion. >
Yes, DNS is, but IDNA is case sensitive. We need to allow the use of upper case for non-IDNA domains, because they can already be stored in LDAP, and after an upgrade these domains will raise an error.

-- 
Martin^2 Basti
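
Review bot: `labels = value.split('.')` on the added line splits only on U+002E, while IDNA2003 (RFC 3490, section 3.1) also defines U+3002, U+FF0E and U+FF61 as label separators, so a name written with any of those would be handed on as one label spanning several. Split on all four separators, or take the labels from an already parsed DNS name object rather than from the string. The remainder of the hunk is cut off in the quote, so it is also worth confirming that the code after the split copes with the empty final label that a trailing dot produces.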
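
The label handling discussed in this thread, as an added Python example that is not part of the original messages and is not FreeIPA code: it splits on all four IDNA2003 separators and applies `encodings.idna.nameprep()` per label. The function names, the sample names and the policy of exempting ASCII-only labels from the comparison are assumptions made for illustration.

```python
import re
from encodings.idna import nameprep

# The four IDNA2003 label separators (RFC 3490, section 3.1).
IDNA2003_DOTS = re.compile("[\u002e\u3002\uff0e\uff61]")


def split_labels(name):
    """Split a textual DNS name into labels on any IDNA2003 separator."""
    labels = IDNA2003_DOTS.split(name)
    if len(labels) > 1 and labels[-1] == "":
        labels.pop()  # a trailing separator marks an absolute name
    return labels


def non_normalized_labels(name):
    """Return (label, expected) pairs for labels that fail the check.

    Assumed policy (hypothetical, not FreeIPA's): ASCII-only labels are
    accepted in any case because DNS matching is case insensitive; labels
    containing non-ASCII characters must already equal their nameprep form.
    An empty label inside the name is reported with expected=None.
    """
    problems = []
    for label in split_labels(name):
        if label == "":
            problems.append((label, None))
        elif any(ord(c) > 127 for c in label):
            expected = nameprep(label)  # case-folds and NFKC-normalizes
            if label != expected:
                problems.append((label, expected))
    return problems


# Constructed sample names, not taken from the thread.
SAMPLES = [
    "_msdcs.EXAMPLE.COM",           # upper-case ASCII, as may exist in LDAP
    "b\u00fccher\u3002example.com.",  # ideographic full stop as separator
    "B\u00dcCHER.example",          # non-ASCII label that is not normalized
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), split_labels(sample), non_normalized_labels(sample))
```
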