When enrolling a host, an error was presented:
root : INFO Joining realm failed: RPC failed at server. invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
Where does this error originate from? Is it truly impossible to allow hosts with "_" in their name?
Amos
On Wed, Oct 23, 2019 at 10:31 PM Amos via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
> When enrolling a host, an error was presented:
> root : INFO Joining realm failed: RPC failed at server. invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
> Where does this error originate from? Is it truly impossible to allow hosts with "_" in their name?
The way I read https://tools.ietf.org/html/rfc1035 and https://tools.ietf.org/html/rfc952 makes underscores invalid there.
Esp. from RFC1035: "When creating a new host name, the old rules for HOSTS.TXT should be followed." "The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less."
RFC952 never mentions underscores.
Amos
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Wed, 23 Oct 2019, François Cami via FreeIPA-users wrote:
> On Wed, Oct 23, 2019 at 10:31 PM Amos via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
>> When enrolling a host, an error was presented:
>> root : INFO Joining realm failed: RPC failed at server. invalid 'hostname': invalid domain-name: only letters, numbers, '-' are allowed. DNS label may not start or end with '-'
>> Where does this error originate from? Is it truly impossible to allow hosts with "_" in their name?
> The way I read https://tools.ietf.org/html/rfc1035 and https://tools.ietf.org/html/rfc952 makes underscores invalid there.
> Esp. from RFC1035: "When creating a new host name, the old rules for HOSTS.TXT should be followed." "The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less."
> RFC952 never mentions underscores.
Underscore was banned originally because the keyboard of the Teletype ASR-33 had no underscore key. Since it was a very common terminal at the time RFC606/608 were created, it was impractical to allow underscore in host names.
We need to differentiate between Internet host names and DNS itself. DNS itself is a database for any kind of data, not only Internet host names.
A key RFC here is RFC2181, Clarifications to the DNS specification. It states in section 11 (https://tools.ietf.org/html/rfc2181#section-11):
The DNS itself places only one restriction on the particular labels that can be used to identify resource records. That one restriction relates to the length of the label and the full name. The length of any one label is limited to between 1 and 63 octets. A full domain name is limited to 255 octets (including the separators). The zero length full name is defined as representing the root of the DNS tree, and is typically written and displayed as ".". Those restrictions aside, any binary string whatever can be used as the label of any resource record. Similarly, any binary string can serve as the value of any record that includes a domain name as some or all of its value (SOA, NS, MX, PTR, CNAME, and any others that may be added). Implementations of the DNS protocols must not place any restrictions on the labels that can be used. In particular, DNS servers must not refuse to serve a zone because it contains labels that might not be acceptable to some DNS client programs. A DNS server may be configurable to issue warnings when loading, or even to refuse to load, a primary zone containing labels that might be considered questionable, however this should not happen by default.
Note however, that the various applications that make use of DNS data can have restrictions imposed on what particular values are acceptable in their environment. For example, that any binary label can have an MX record does not imply that any binary name can be used as the host part of an e-mail address. Clients of the DNS can impose whatever restrictions are appropriate to their circumstances on the values they use as keys for DNS lookup requests, and on the values returned by the DNS. If the client has such restrictions, it is solely responsible for validating the data from the DNS to ensure that it conforms before it makes any use of that data.
See also [RFC1123] section 6.1.3.5.
RFC1123 section 6.1.3.5 has this:
The DNS defines domain name syntax very generally -- a string of labels each containing up to 63 8-bit octets, separated by dots, and with a maximum total of 255 octets. Particular applications of the DNS are permitted to further constrain the syntax of the domain names they use, although the DNS deployment has led to some applications allowing more general names. In particular, Section 2.1 of this document liberalizes slightly the syntax of a legal Internet host name that was defined in RFC-952 [DNS:4].
It refers to RFC1123 section 2.1:
The syntax of a legal Internet host name was specified in RFC-952 [DNS:4]. One aspect of host name syntax is hereby changed: the restriction on the first character is relaxed to allow either a letter or a digit. Host software MUST support this more liberal syntax.
Host software MUST handle host names of up to 63 characters and SHOULD handle host names of up to 255 characters.
Whenever a user inputs the identity of an Internet host, it SHOULD be possible to enter either (1) a host domain name or (2) an IP address in dotted-decimal ("#.#.#.#") form. The host SHOULD check the string syntactically for a dotted-decimal number before looking it up in the Domain Name System.
Underscore was never allowed in Internet host names. On the other hand, with Active Directory's use of the DNS system to discover resources, support for underscore in the Microsoft DNS implementation was added to allow integration into existing NT domain environments where NetBIOS names contained underscores. Microsoft then added three types of DNS name checking in the Windows 2000 DNS server. More details are in https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-20...
Other DNS servers today block use of underscore in hostnames of A/AAAA/PTR records but allow its use in SRV and other records. In particular, BIND makes this a requirement, so we don't allow underscores in host names.
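To make the distinction drawn in this thread concrete, here is an added example (not FreeIPA's own validation code) that applies the RFC 952 / RFC 1123 section 2.1 host-name rules to each label of a dotted name, separately from the RFC 2181 section 11 rule that the DNS itself only limits label length. The error strings are constructed to mirror the message Amos quoted; the function names are my own.

```python
import re
from typing import Optional

# RFC 952 as relaxed by RFC 1123 section 2.1: a host name label starts with a
# letter or digit, ends with a letter or digit, and contains only letters,
# digits and '-' in between.  One label is 1..63 characters long.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def validate_host_label(label: str) -> Optional[str]:
    """Return None for a legal Internet host name label, else an error
    message shaped like the one FreeIPA printed in the thread (constructed)."""
    if not 1 <= len(label) <= 63:
        return "DNS label must be between 1 and 63 characters"
    if label[0] == "-" or label[-1] == "-":
        return "DNS label may not start or end with '-'"
    if not _HOST_LABEL.match(label):
        # Underscore and any other byte land here: not a host name character.
        return "only letters, numbers, '-' are allowed"
    return None


def validate_hostname(name: str) -> Optional[str]:
    """Apply the host-name rules to every label of a dotted name.  The 255
    octet limit on the full name comes from RFC 1035 / RFC 2181."""
    stripped = name.rstrip(".")
    if len(stripped) > 255:
        return "invalid domain-name: full name longer than 255 octets"
    for label in stripped.split("."):
        err = validate_host_label(label)
        if err:
            return f"invalid domain-name: {err}"
    return None


def validate_dns_label(label: bytes) -> Optional[str]:
    """RFC 2181 section 11: the DNS itself restricts only the label length
    (1..63 octets); any other octet string, underscore included, is a valid
    label.  Service-discovery names such as _ldap._tcp rely on this."""
    if not 1 <= len(label) <= 63:
        return "DNS label must be between 1 and 63 octets"
    return None
```

A name like `_ldap._tcp.example.com` therefore passes `validate_dns_label` on each label but fails `validate_hostname`, which is the split between "DNS data" and "Internet host name" the reply above describes.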