[Freeipa-devel] [PATCH 0047] Allow underscore in DNAME targets

Petr Viktorin pviktori at redhat.com
Thu Apr 25 10:03:17 UTC 2013


On 04/23/2013 02:02 PM, Tomas Babej wrote:
> On 04/11/2013 04:35 PM, Petr Viktorin wrote:
>> On 04/11/2013 03:59 PM, Simo Sorce wrote:
>>> On Thu, 2013-04-11 at 14:52 +0200, Petr Viktorin wrote:
>>>> On 04/11/2013 02:43 PM, Simo Sorce wrote:
>>>>> On Thu, 2013-04-11 at 14:24 +0200, Petr Viktorin wrote:
>>>>>> On 04/11/2013 12:05 PM, Tomas Babej wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> Makes DNAME target validation less strict and allows underscore.
>>>>>>> This is a requirement for IPA sites.
>>>>>>>
>>>>>>> https://fedorahosted.org/freeipa/ticket/3550
>>>>>>>
>>>>>>> Tomas
>>>>>>
>>>>>> I checked with Petr², and he said it would make sense to also enable
>>>>>> underscores for the other record types.
>>>>>> For records other than TXT, SRV, DNAME, and NSEC we could warn if
>>>>>> underscores are used, but that's probably not worth the trouble --
>>>>>> just allowing underscores everywhere is fine.
>>>>>>
>>>>>
>>>>> Underscores are invalid DNS characters, they should not be allowed
>>>>> for A records, only for DNAME, and SRV records IMO.
>>>>
>>>> Technically, they're invalid *hostname* characters; in DNS itself
>>>> anything goes.
>>>>
>>>> Interestingly, we already allow them for A records:
>>>> $ ipa dnsrecord-add idm.lab.eng.brq.redhat.com _bogus --a-rec=1.2.3.4
>>>>     Record name: _bogus
>>>>     A record: 1.2.3.4
>>>>
>>>> But this ticket is not about the record name, it's about record data
>>>> (i.e. the *target* of the DNAME).
>>>
>>> So we are restricting record *data* but *not* record names? That's ...
>>> odd.
>>
>> Yes. Apparently we relaxed the name validation because underscores are
>> used in AD or other exotic/nonstandard setups, and now we need to
>> relax the data validation as well.
>>
>> I filed a ticket to add warnings for underscores in A records:
>> https://fedorahosted.org/freeipa/ticket/3557
>>
>>
> Sorry for letting this rot on the list, I thought I sent the patch
> already. Patchwork saved me this time.
>
> Here's the updated patch.
>
> Tomas

ACK

-- 
Petr³
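
The distinction drawn in the thread (underscores are invalid in hostnames but legal in DNS names, with a possible warning outside TXT, SRV, DNAME and NSEC), as an added example that is not part of the original messages and is not FreeIPA's validation code. The function name `check_dns_name`, the warning text, the 253-character limit and the sample names are assumptions made for illustration.

```python
import re

# Strict hostname label (letters, digits, hyphen; no leading/trailing hyphen).
_HOST_LABEL = re.compile(r"[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?", re.I)
# Relaxed label: the same rule with underscore also accepted (e.g. _tcp, _msdcs).
_DNS_LABEL = re.compile(r"[a-z0-9_]([a-z0-9_-]{0,61}[a-z0-9_])?", re.I)

# Record types where underscores are expected and draw no warning
# (the list given in the thread).
UNDERSCORE_EXPECTED = {"TXT", "SRV", "DNAME", "NSEC"}


def check_dns_name(name, rtype):
    """Check a record name or target. Returns (ok, warnings).

    Hypothetical helper: relaxed validation for every type, plus a
    warning when an underscore label appears outside UNDERSCORE_EXPECTED.
    """
    text = name[:-1] if name.endswith(".") else name  # drop root dot
    labels = text.split(".")
    if not text or len(text) > 253:
        return False, []
    # fullmatch, not match with "$": "$" would accept a trailing newline.
    if not all(_DNS_LABEL.fullmatch(label) for label in labels):
        return False, []
    warnings = []
    if rtype.upper() not in UNDERSCORE_EXPECTED:
        odd = [l for l in labels if not _HOST_LABEL.fullmatch(l)]
        if odd:
            warnings.append(
                "%s: label(s) %s are not valid hostname labels"
                % (rtype.upper(), ", ".join(odd)))
    return True, warnings


if __name__ == "__main__":
    # Constructed sample inputs, not taken from a real zone.
    for name, rtype in [("_msdcs.example.com.", "DNAME"),
                        ("_bogus", "A"),
                        ("host.example.com\n", "A"),
                        ("-lead.example.com", "SRV")]:
        print(repr(name), rtype, check_dns_name(name, rtype))
```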



