On 02/06/2013 11:54 PM, Walter Holm wrote:
That is correct; they are talking about the data content of DNS in general, which
includes the naming and the content, and that section addresses both.
Once an RFC updates another RFC, I would take that to mean there is a change or
clarification of a previous RFC. Hence you have to follow the rabbit hole of
do's/don'ts and may's/shall's of these impossible chains of RFCs, correct? It
is probably useful for pointing to an earlier RFC so the family tree of RFCs
after the fact is properly referenced.
I think what RFC 2181 says by "any binary string" is just too relaxed.
Adding a single "_" might be acceptable.
Anyway, have you filed a bug at bugs.sun.com as suggested by Brad? If not,
I can file one for you.
-Weijun
-Walt
-----Original Message-----
From: Weijun Wang [mailto:[email protected]]
Sent: Wednesday, February 06, 2013 9:15 AM
To: Walter Holm
Cc: OpenJDK
Subject: "_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))
Hi Walt
I'm adding the openjdk security-dev mail list to CC.
At the beginning of RFC 2181 11 we have
Occasionally it is assumed that the Domain Name System serves only
the purpose of mapping Internet host names to data, and mapping
Internet addresses to host names. This is not correct...
In my understanding, this RFC is relaxing the syntax for general DNS names. However, the
dNSName in SAN is just the "only the purpose"
mentioned above, and its syntax is still restricted. In fact, the latest
X.509 cert spec (RFC 5280 4.2.1.6) still references RFC 1034 as the format for
dNSName.
Thanks
Weijun
On 02/06/2013 09:38 PM, Walter Holm wrote:
Hi Weijun,
First, thank you for taking interest in this issue.
Although it is true that this RFC specifies a "should" for domain
names (in "_Preferred_ name syntax") to remove confusion, Section 11
of http://www.ietf.org/rfc/rfc2181.txt (which updates RFC 1034)
clarifies what the name syntax is; in particular, the name syntax is
supposed to be unrestrictive (starting with the second paragraph). As a
side note about the behavior of keytool: when generating a self-signed
cert, if the DN contains an underscore, it succeeds; it's just the SAN
that fails.
Thank you for your time,
Sincerely,
Walter Holm
(Walt)
-----Original Message-----
From: Weijun Wang [mailto:[email protected]]
Sent: Wednesday, February 06, 2013 3:21 AM
To: Walter Holm
Subject: Fwd: [Bug 100298] New: keytool and SANs (DNS types)
Hi Walter
Hostname as specified in
http://tools.ietf.org/html/rfc1034#section-3.5
which says a label can only contain let-dig-hyp
<let-dig-hyp> ::= <let-dig> | "-"
<let-dig> ::= <letter> | <digit>
Is there any other specification that allows the underscore char?
Thanks
Weijun
-------- Original Message --------
Subject: [Bug 100298] New: keytool and SANs (DNS types)
Date: Tue, 5 Feb 2013 12:36:35 -0800 (PST)
From: [email protected]
To: [email protected]
https://bugs.openjdk.java.net/show_bug.cgi?id=100298
Summary: keytool and SANs (DNS types)
Product: security
Version: 7
Platform: all
OS/Version: all
Status: NEW
Severity: normal
Priority: P3
Component: other
AssignedTo: [email protected]
ReportedBy: [email protected]
CC: [email protected]
The SAN for DNS type does not allow _'s (underscores) in the FQDN.
This is of course allowed normally and should be corrected.
Example:
DNS:x_yz.domain.com
will fail
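As an added example, not code from this thread or from OpenJDK's keytool: a small Python checker for the RFC 1034 section 3.5 "preferred name syntax" that Weijun quotes, so the bug report's `DNS:x_yz.domain.com` can be seen failing for the reason keytool rejects it (the `_` is neither a letter, a digit nor a hyphen). The function name `check_dnsname`, the `allow_underscore` flag (modelling the relaxation Walt floats, "adding a single '_' might be acceptable") and the sample names other than `x_yz.domain.com` are my own assumptions. The check follows RFC 1034 literally, so a label must begin with a letter; RFC 1123 later permitted a leading digit, which this strict version does not.

```python
import string

# Added example (not from the thread or OpenJDK). Checks a dNSName against the
# RFC 1034 section 3.5 grammar quoted in the thread:
#
#   <label>       ::= <letter> [ [ <ldh-str> ] <let-dig> ]
#   <ldh-str>     ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
#   <let-dig-hyp> ::= <let-dig> | "-"
#   <let-dig>     ::= <letter> | <digit>
#
# RFC 1034 also caps a label at 63 octets and a whole name at 255 octets.

MAX_LABEL_LEN = 63
MAX_NAME_LEN = 255


def _label_problem(label, allow_underscore):
    """Return None if `label` is a valid RFC 1034 label, else a reason string.

    allow_underscore is a hypothetical relaxation (not RFC 1034, not keytool):
    it treats "_" like a letter anywhere in the label.
    """
    allowed = set(string.ascii_letters + string.digits + "-")
    if allow_underscore:
        allowed.add("_")
    for ch in label:
        if ch not in allowed:
            return "character %r not allowed in label %r" % (ch, label)
    # <label> must start with <letter>; everything in label is ASCII here.
    if not (label[0].isalpha() or (allow_underscore and label[0] == "_")):
        return "label %r must start with a letter" % label
    # The last element is <let-dig>, so a trailing hyphen is not permitted.
    if label[-1] == "-":
        return "label %r must not end with a hyphen" % label
    return None


def check_dnsname(name, allow_underscore=False):
    """Return (ok, reason) for a dNSName candidate.

    ok is True only when every dot-separated label satisfies the RFC 1034
    preferred name syntax (or its underscore relaxation when requested).
    """
    if not name:
        return False, "empty name"
    if len(name) > MAX_NAME_LEN:
        return False, "name longer than %d octets" % MAX_NAME_LEN
    for label in name.split("."):
        if not label:
            return False, "empty label (leading, trailing or doubled '.')"
        if len(label) > MAX_LABEL_LEN:
            return False, "label %r longer than %d octets" % (label, MAX_LABEL_LEN)
        problem = _label_problem(label, allow_underscore)
        if problem:
            return False, problem
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; x_yz.domain.com is the bug report's example.
    samples = [
        "x_yz.domain.com",
        "xyz.domain.com",
        "host-1.example",
        "-bad.example",
        "bad-.example",
        "1abc.example",
    ]
    for s in samples:
        strict = check_dnsname(s)
        relaxed = check_dnsname(s, allow_underscore=True)
        print("%-18s strict=%-5s (%s) | with '_'=%s" % (s, strict[0], strict[1], relaxed[0]))
```

Running it shows the bug report's name rejected by the strict RFC 1034 check and accepted only under the hypothetical underscore relaxation, which is exactly the policy question the thread is arguing over: whether dNSName in a SAN follows the RFC 1034 host-name grammar (as RFC 5280 4.2.1.6 references it) or the looser "any binary string" of RFC 2181.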