On 6/27/22 4:13 PM, Viktor Dukhovni wrote:
> On Mon, Jun 27, 2022 at 02:43:43PM -0600, Peter Saint-Andre wrote:
>> On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
>>> On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
>>>> Yep, we can punt the definition but then we need to address all the
>>>> special cases.
>>>>
>>>> I would prefer to bring back the reference to RFC 1034.
>>>
>>> A DNS FQDN is a sequence of dot-separated labels each of whose wire forms
>>> is at most 63 octets, and where the total wire length including the
>>> final zero length byte (terminating empty root label) is at most 255
>>> bytes. Due to potential characters that need escaping, the presentation
>>> form of such a name can contain labels whose length exceeds 63 bytes,
>>> and the whole name can exceed 255 bytes.
>>>
>>> It is not clear to me that DNS names in certificates are a priori
>>> constrained by the host requirements RFC which constrains hostnames to
>>> LDH label forms, although perhaps the scope of RFC6125bis is exclusively
>>> for certificates that identify end-entities that meet the host
>>> requirements RFC.
>>
>> I'm not necessarily saying that - I'm saying only that Jeff and I tried
>> to find a canonical definition of "fully-qualified domain name" and the
>> best we could do was RFC 1034. Alternative proposals are welcome.
>
> There are only two possible answers:
>
> - All DNS names are valid, so long as they have a wire form that
>   meets the requirements of RFC 1034.
>
> - Only names that comply with section 2.1 of the Host Requirements RFC:
>
>   https://datatracker.ietf.org/doc/html/rfc1123#page-13
>
>   are valid. These are LDH forms, whose labels therefore require no
>   special processing in presentation form, and so the limits are at
>   most 63 octets per label, and at most 254 bytes total (allowing for
>   an extra byte for the final 0 length wire-form label).
>
> In LDH form the hyphens must not be the first or last character of
> any label. Names starting with "xx--" for various values of "xx"
> are special reserved forms with (IIRC) "xn" being the only presently
> defined prefix, but I don't think that it is appropriate for the
> present document to delve into this level of detail.
>
> The host requirements RFC further recommends staying under 63 bytes,
> and though this is somewhat dated, it is nevertheless prudent if
> possible.

RFC 6125 (and now 6125bis) are not documents about the definition or
enforcement of DNS naming rules, only about client-side matching of
service identifiers presented in X.509 certificates against the client's
conception of what the service ought to be (i.e., against a reference
identifier). I see no reason to expand the scope of 6125bis in the
direction you might be proposing. Thus I would favor the first option
above.

Peter
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
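As an added illustration of the two options discussed in the thread (my own code, not anything posted to the list), the following Python checks a presentation-form DNS name first against the RFC 1034 wire-form limits and then against the stricter RFC 1123 LDH form. It assumes the usual master-file escapes (`\.`, `\\`, `\DDD`) and treats a trailing dot as an absolute name; it shows how an escaped label can pass the wire-form check while exceeding 63 characters in presentation form.

```python
import re

MAX_LABEL = 63       # RFC 1034: each wire-form label is at most 63 octets
MAX_WIRE_NAME = 255  # RFC 1034: whole wire form, including the final 0-length root label
# RFC 1123 section 2.1 label: letters, digits, hyphen; hyphen never first or last
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")

def wire_labels(name: str) -> list[bytes]:
    """Presentation form -> wire-form labels, honouring \\. \\\\ and \\DDD escapes.
    A trailing dot (absolute name) is accepted; the empty root label is not returned."""
    labels, cur, i = [], bytearray(), 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            if name[i + 1:i + 4].isdigit():  # \DDD decimal octet, e.g. \032 is a space
                cur.append(int(name[i + 1:i + 4]))  # bytearray rejects values above 255
                i += 4
            elif i + 1 < len(name):  # \. or \\ : take the next character literally
                cur.extend(name[i + 1].encode())
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif c == ".":
            labels.append(bytes(cur))
            cur, i = bytearray(), i + 1
        else:
            cur.extend(c.encode())
            i += 1
    labels.append(bytes(cur))
    if len(labels) > 1 and labels[-1] == b"":  # absolute name: drop the empty root label
        labels.pop()
    return labels

def wire_length(labels: list[bytes]) -> int:
    """One length byte per label plus its octets, then the final zero-length root label."""
    return sum(len(label) + 1 for label in labels) + 1

def valid_rfc1034(name: str) -> bool:
    """Option 1: any name whose wire form fits RFC 1034 (63 per label, 255 in total)."""
    labels = wire_labels(name)
    if any(len(label) == 0 or len(label) > MAX_LABEL for label in labels):
        return False
    return wire_length(labels) <= MAX_WIRE_NAME

def valid_ldh(name: str) -> bool:
    """Option 2: RFC 1123 LDH labels only. Nothing needs escaping, so the
    presentation length is simply the wire length minus two."""
    labels = name[:-1].split(".") if name.endswith(".") else name.split(".")
    if not all(LDH_LABEL.match(label) and len(label) <= MAX_LABEL for label in labels):
        return False
    return wire_length([label.encode() for label in labels]) <= MAX_WIRE_NAME
```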