I think the confusion that I have here is what lies in what is actually permitted for A and AAAA records, and what we define as a host name. I can't find specific RFCs, but A and AAAA records don't permit underscores.
Aliases are permitted to have anything (such as the underscore), like other domain name records.

That said, we need to carefully define whether we're permitting the request for *hostnames* or *domain names*. Hostnames per RFC are not permitted underscores. Aliases (CNAMEs) are allowed underscores, but are called domain names, not host names, at the most technical DNS level.

Given this, I retract my part about hosts with underscores invalid for NGINX, provided we expand "hostname" and "requested Host" to be different.

I would say we allow domain names that are valid, though we should also imply further restrictions on the allowed location of underscores in the Host request:

(1) A requested host beginning with an underscore (_foobar.baz.net for example) should be invalid - there are some rules in RFCs with regards to single-underscore prepended names.

(2) A requested host should not just end with an underscore at the end or at the end of the domain part (foobar.baz_), similar to how hyphens are involved here.

Both of those are invalid either way, but my opinion now is that we should not just blindly permit all underscores in the request.

Thomas

On 11/17/2016 01:34 PM, Aleksandr Kupriyanov wrote:
> De facto, some "big guys" already use underscores in their host names:
>
> sa...@kernel.home:~$ host cow_fb_cdn0-a.akamaihd.net
> cow_fb_cdn0-a.akamaihd.net is an alias for cow_fb_cdn0-a.akamaihd.net.edgesuite.net.
> cow_fb_cdn0-a.akamaihd.net.edgesuite.net is an alias for a1877.g.akamai.net.
> a1877.g.akamai.net has address 104.73.160.114
> a1877.g.akamai.net has address 104.73.160.64
> sa...@kernel.home:~$
>
> On Thu, Nov 17, 2016 at 12:21 PM, Thomas Ward <tew...@dark-net.net> wrote:
>
>     Correct me if I am wrong but the discussion of underscores in DNS
>     does not apply to hostnames. The discussion referenced states as
>     such, and only touches on underscores as a part of DNS attributes
>     and internals, not as part of hostnames. It even says as such
>     that hostnames are *not permitted* to have underscores.
>
>     By extension of that, should not the Host header be a
>     hostname or a requested hostname and therefore obey the
>     requirements for a Hostname at the bare minimum?
>
>     *Sent from my iPhone. Please excuse any typos, as they are likely
>     to happen by accident.*
>
> > On Nov 17, 2016, at 12:10, Maxim Dounin <mdou...@mdounin.ru> wrote:
> >
> > Hello!
> >
> >> On Wed, Nov 16, 2016 at 06:36:12PM -0600, Aleksandr Kupriyanov wrote:
> >>
> >> # HG changeset patch
> >> # User Aleksandr Kupriyanov <sa...@instartlogic.com>
> >> # Date 1479340749 21600
> >> # Node ID af947b854971993f318417c70c3818147b320a0d
> >> # Parent 6a26016e9a138102798a7ec3e74747fbd6018f82
> >> Add directive to allow underscores in hostnames
> >>
> >> Two equivalent requests generate different responses:
> >>
> >> 1. ---------------
> >> GET http://host_1.home/ HTTP/1.1
> >> Host: host_1.home
> >> ...
> >> HTTP/1.1 400 Bad Request
> >> Server: nginx/1.X.XX
> >> ------------------
> >>
> >> 2. ---------------
> >> GET / HTTP/1.1
> >> Host: host_1.home
> >> ...
> >> HTTP/1.1 200 OK
> >> Server: nginx/1.X.XX
> >> ------------------
> >>
> >> To avoid that a new directive is proposed:
> >>
> >> Syntax: underscores_in_hostname on | off;
> >> Default: underscores_in_headers off;
> >> Context: http, server
> >>
> >> Enables or disables the use of underscores in host names of
> >> client request line.
> >>
> >> See a discussion about underscores in DNS here:
> >> http://domainkeys.sourceforge.net/underscore.html
> >
> > Shouldn't we just allow underscores in
> > ngx_http_parse_request_line() instead? It doesn't look like
> > there are reasons to keep the test that strict.
> >
> > In case of underscores_in_headers there is a clear security reason:
> > headers are exposed via the HTTP_* variables in CGI, and via
> > $http_* variables in nginx itself, and this makes headers with
> > underscores indistinguishable from ones with dash, and creates an
> > attack vector.
> >
> > I don't see such a problem with underscores in hostname when it's
> > passed via the request line - especially keeping in mind that we
> > don't enforce such a limitation via the Host header.
> >
> > --
> > Maxim Dounin
> > http://nginx.org/
> >
> > _______________________________________________
> > nginx-devel mailing list
> > nginx-devel@nginx.org
> > http://mailman.nginx.org/mailman/listinfo/nginx-devel
>
> --
> World's First Endpoint-Aware Application Delivery Solution
>
> *Aleksandr Kupriyanov*
>
> Email: sa...@instartlogic.com
> Instart Logic | 450 Lambert Ave, Palo Alto, CA 94306 | instartlogic.com
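The two placement rules proposed in the message above, written out as a check; this is an added example, not nginx code or code from the thread. The function and result names are hypothetical, and reading rule (2) as "no label may end with an underscore", with hyphens rejected at both label edges, is an assumption.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Result codes are hypothetical names for this example, not nginx's. */
enum host_check {
    HOST_OK = 0,
    HOST_EMPTY_LABEL,         /* "", ".", leading dot or ".." */
    HOST_BAD_CHAR,            /* outside [A-Za-z0-9._-] */
    HOST_LEADING_UNDERSCORE,  /* rule (1): host starts with '_' */
    HOST_LABEL_EDGE           /* rule (2): label ends in '_', or starts/ends in '-' */
};

/* Check a requested host (no port, no IP literal). One trailing root dot
 * is accepted. Underscores elsewhere, as in host_1.home, are allowed. */
enum host_check check_requested_host(const char *host)
{
    size_t len = strlen(host), start = 0, i;

    if (len > 0 && host[len - 1] == '.')
        len--;
    if (len == 0)
        return HOST_EMPTY_LABEL;
    if (host[0] == '_')
        return HOST_LEADING_UNDERSCORE;

    for (i = 0; i <= len; i++) {
        unsigned char c = (i < len) ? (unsigned char)host[i] : '.';
        if (c == '.') {                       /* a label ends here */
            if (i == start)
                return HOST_EMPTY_LABEL;
            if (host[i - 1] == '_' || host[i - 1] == '-' || host[start] == '-')
                return HOST_LABEL_EDGE;
            start = i + 1;
        } else if (!isalnum(c) && c != '-' && c != '_') {
            return HOST_BAD_CHAR;
        }
    }
    return HOST_OK;
}

int main(void)
{
    const char *samples[] = { "host_1.home", "_foobar.baz.net", "foobar.baz_" };
    size_t i;
    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-18s -> %d\n", samples[i], (int)check_requested_host(samples[i]));
    return 0;
}
```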
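The ambiguity Maxim Dounin describes for underscores_in_headers, as an added example that is not nginx code or code from the thread: once header names are mapped to CGI-style HTTP_* variables, a name written with dashes and one written with underscores can no longer be told apart. The function names and the sample header names are hypothetical.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* CGI-style variable name: "HTTP_" + upper-cased header name with '-'
 * replaced by '_'. Returns 0, or -1 if out is too small. */
int cgi_var_name(const char *header, char *out, size_t outlen)
{
    size_t n = strlen(header), i;
    if (outlen < n + sizeof("HTTP_"))         /* sizeof counts the NUL */
        return -1;
    memcpy(out, "HTTP_", 5);
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)header[i];
        out[5 + i] = (c == '-') ? '_' : (char)toupper(c);
    }
    out[5 + n] = '\0';
    return 0;
}

/* Index of the first header that maps to the same variable as an earlier
 * one while differing in '-' versus '_', or -1 if there is none. Names
 * too long for the 128-byte buffers are skipped in this example. */
int first_ambiguous_header(const char *const names[], size_t count)
{
    char a[128], b[128];
    size_t i, j, k;

    for (i = 1; i < count; i++) {
        if (cgi_var_name(names[i], a, sizeof(a)) != 0)
            continue;
        for (j = 0; j < i; j++) {
            if (cgi_var_name(names[j], b, sizeof(b)) != 0 || strcmp(a, b) != 0)
                continue;
            for (k = 0; names[i][k] != '\0'; k++)   /* equal lengths here */
                if ((names[i][k] == '_') != (names[j][k] == '_'))
                    return (int)i;
        }
    }
    return -1;
}

int main(void)
{
    /* Constructed header names; X-Auth-User is hypothetical. */
    const char *const hdrs[] = { "Host", "X-Auth-User", "Accept", "X_Auth_User" };
    printf("ambiguous header index: %d\n", first_ambiguous_header(hdrs, 4));
    return 0;
}
```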