On 04.04.2018 16:30, Tim Düsterhus wrote:
> Dale,
> Am 03.04.2018 um 16:17 schrieb Dale Smith:
>> I'm trying to understand what system is at fault here; the DNS server for
>> not responding with the same case as the query, or HAProxy which should be
>> performing a case insensitive match.
> This is left unspecified in the standards, but on the other hand there
> is this Internet Draft:
> https://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 which wants to
> mandate case preserval to make DNS spoofing harder by introducing more
> entropy in the DNS request.
> I recommend fixing your internal DNS server, because case preserving
> behaviour seems to be somewhat expected according to a quick Google search.

There is this:

Domain Name System (DNS) Case Insensitivity Clarification:

In section 3 it says this:

3.  Name Lookup, Label Types, and CLASS

   According to the original DNS design decision, comparisons on name
   lookup for DNS queries should be case insensitive [STD13].  That is
   to say, a lookup string octet with a value in the inclusive range
   from 0x41 to 0x5A, the uppercase ASCII letters, MUST match the
   identical value and also match the corresponding value in the
   inclusive range from 0x61 to 0x7A, the lowercase ASCII letters.  A
   lookup string octet with a lowercase ASCII letter value MUST
   similarly match the identical value and also match the corresponding
   value in the uppercase ASCII letter range.

   (Historical note: The terms "uppercase" and "lowercase" were invented
   after movable type.  The terms originally referred to the two font
   trays for storing, in partitioned areas, the different physical type
   elements.  Before movable type, the nearest equivalent terms were
   "majuscule" and "minuscule".)

This reads to me like HAProxy should match characters in the ranges 0x41
to 0x5A and 0x61 to 0x7A insensitively as long as the label type is ASCII.

Section 4.1 "DNS Output Case Preservation" mentions this: "No "case
conversion" or "case folding" is done during such output operations,
thus "preserving" case."


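Added example, not part of the original messages and not HAProxy's code: a C comparison of a query name against the name echoed in a response, once with the case-insensitive lookup semantics of the quoted section 3 and once octet-for-octet, as a resolver relying on the 0x20 draft's case preservation would check it. The names `fold_ascii`, `dns_name_equal`, `q_sent` and `q_echo` are hypothetical, the sample names are constructed, and names are assumed to be uncompressed wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Fold only 0x41..0x5A onto 0x61..0x7A; every other octet is left as-is. */
static uint8_t fold_ascii(uint8_t c)
{
    return (c >= 0x41 && c <= 0x5A) ? (uint8_t)(c + 0x20) : c;
}

/*
 * Compare two uncompressed wire-format names (length-prefixed labels
 * ending in a zero-length root label).
 * exact == 0: case-insensitive match, as in the quoted section 3.
 * exact != 0: octet-for-octet match (case must have been preserved).
 * Returns 1 on match, 0 on mismatch or malformed input.
 */
int dns_name_equal(const uint8_t *a, size_t alen,
                   const uint8_t *b, size_t blen, int exact)
{
    size_t i = 0;
    for (;;) {
        if (i >= alen || i >= blen)
            return 0;                    /* ran off a buffer */
        uint8_t len = a[i];
        if (len != b[i] || len > 63)
            return 0;                    /* lengths differ, or not a plain label */
        i++;
        if (len == 0)
            return 1;                    /* root label reached on both sides */
        if (len > alen - i || len > blen - i)
            return 0;                    /* label overruns a buffer */
        for (uint8_t k = 0; k < len; k++, i++) {
            uint8_t x = a[i], y = b[i];
            if (exact ? (x != y) : (fold_ascii(x) != fold_ascii(y)))
                return 0;
        }
    }
}

/* Constructed sample: name as sent (mixed case) and as echoed back lowercased. */
static const uint8_t q_sent[] = "\x03" "wWw" "\x07" "ExAmPlE" "\x03" "cOm";
static const uint8_t q_echo[] = "\x03" "www" "\x07" "example" "\x03" "com";

int main(void)
{
    printf("insensitive: %d\n", dns_name_equal(q_sent, sizeof q_sent, q_echo, sizeof q_echo, 0));
    printf("exact:       %d\n", dns_name_equal(q_sent, sizeof q_sent, q_echo, sizeof q_echo, 1));
    return 0;
}
```

A server that lowercases the echoed name passes the first check and fails the second, which is the mismatch described in this thread.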