On Mon, Jun 27, 2022 at 02:43:43PM -0600, Peter Saint-Andre wrote:

> On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
> > On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
> >
> >>> Yep, we can punt the definition but then we need to address all the
> >>> special cases.
> >>
> >> I would prefer to bring back the reference to RFC 1034.
> >
> > A DNS FQDN is a sequence of dot-separated labels each of whose wire forms
> > is at most 63 octets, and where the total wire length including the
> > final zero-length byte (terminating empty root label) is at most 255
> > bytes. Due to potential characters that need escaping, the presentation
> > form of such a name can contain labels whose length exceeds 63 bytes,
> > and the whole name can exceed 255 bytes.
> >
> > It is not clear to me that DNS names in certificates are a priori
> > constrained by the host requirements RFC which constrains hostnames to
> > LDH label forms, although perhaps the scope of RFC6125bis is exclusively
> > for certificates that identify end-entities that meet the host
> > requirements RFC.
>
> I'm not necessarily saying that - I'm saying only that Jeff and I tried
> to find a canonical definition of "fully-qualified domain name" and the
> best we could do was RFC 1034. Alternative proposals are welcome.
There are only two possible answers:

- All DNS names are valid, so long as they have a wire form that meets
  the requirements of RFC 1034.

- Only names that comply with section 2.1 of the Host Requirements RFC:
  https://datatracker.ietf.org/doc/html/rfc1123#page-13 are valid.

These are LDH forms, whose labels therefore require no special processing
in presentation form, and so the limits are at most 63 octets per label,
and at most 254 bytes total (allowing for an extra byte for the final 0
length wire-form label). In LDH form the hyphens must not be the first or
last character of any label.

Names starting with "xx--" for various values of "xx" are special reserved
forms with (IIRC) "xn" being the only presently defined prefix, but I
don't think that it is appropriate for the present document to delve into
this level of detail.

The host requirements RFC further recommends staying under 63 bytes, and
though this is somewhat dated, it is nevertheless prudent if possible.

-- 
    Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
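As an added illustration of the two readings above (my own code, not from the thread, RFC 6125bis or any IETF tool), a small Python validator that decodes RFC 1035 presentation escapes (`\.` and `\DDD`) to measure the wire form, so it reproduces the point that an escaped presentation form can run past 63 characters per label or 255 in total while the wire form still fits RFC 1034; the function names and the choice to apply the same wire limits to the LDH check are my assumptions.

```python
import re

# Limits quoted in the thread: RFC 1034 wire form; RFC 1123 s2.1 LDH syntax below.
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 255                             # counts the terminating root label byte
_ESC = re.compile(r'\\(?:(\d{3})|(.))', re.S)     # RFC 1035 presentation escapes: \DDD or \X
_LDH = re.compile(r'^(?!-)[A-Za-z0-9-]+(?<!-)$')  # letters, digits, hyphen; no edge hyphen

def wire_labels(name: str) -> list[bytes]:
    """Decode presentation form into wire-form labels (root label excluded).
    Raises ValueError for an empty interior label or a malformed escape."""
    if name == ".":
        return []
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        if name[i] == "\\":
            m = _ESC.match(name, i)
            if not m or (m.group(1) and int(m.group(1)) > 255):
                raise ValueError(f"bad escape at offset {i}")
            cur.extend([int(m.group(1))] if m.group(1) else m.group(2).encode())
            i = m.end()
        elif name[i] == ".":
            labels.append(bytes(cur)); cur = bytearray(); i += 1
        else:
            cur.extend(name[i].encode()); i += 1   # non-ASCII is passed through as UTF-8 octets
    if cur or not name.endswith("."):             # no trailing (unescaped) dot: flush last label
        labels.append(bytes(cur))
    if any(len(l) == 0 for l in labels):
        raise ValueError("empty label")
    return labels

def wire_length(name: str) -> int:
    """Octets the name occupies on the wire: length byte + label data, plus the root byte."""
    return sum(1 + len(l) for l in wire_labels(name)) + 1

def valid_rfc1034(name: str) -> bool:
    """Reading 1: any name whose wire form fits the RFC 1034 limits."""
    try:
        labels = wire_labels(name)
    except ValueError:
        return False
    return all(len(l) <= MAX_LABEL_OCTETS for l in labels) and wire_length(name) <= MAX_NAME_OCTETS

def valid_ldh(name: str) -> bool:
    """Reading 2: RFC 1123 s2.1 LDH labels (no escapes possible) within the same wire limits."""
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    return valid_rfc1034(name) and all(_LDH.match(l) for l in labels)
```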