Hi Walt

I'm adding the openjdk security-dev mail list to CC.

At the beginning of RFC 2181 section 11 we have

   Occasionally it is assumed that the Domain Name System serves only
   the purpose of mapping Internet host names to data, and mapping
   Internet addresses to host names.  This is not correct...

In my understanding, this RFC is relaxing the syntax for general DNS names. However, the dNSName in SAN is just the "only the purpose" mentioned above, and its syntax is still restricted. In fact, the latest X.509 cert spec (RFC 5280 4.2.1.6) still references RFC 1034 as the format for dNSName.

Thanks
Weijun

On 02/06/2013 09:38 PM, Walter Holm wrote:
Hi Weijun,

First, thank you for taking interest in this issue.

Although it is true that this RFC specifies a "should" for domain names
(in "_Preferred_ name syntax") to remove confusion, Section 11 of
http://www.ietf.org/rfc/rfc2181.txt (which updates RFC 1034) clarifies
what the name syntax is; in particular, the name syntax is supposed to be
unrestrictive (starting with the second paragraph).  As a side note about
the behavior of keytool: when generating a self-signed cert, if the DN
contains an underscore it succeeds; it's just the SAN that fails.

Thank you for your time,

Sincerely,

Walter Holm

(Walt)

-----Original Message-----
From: Weijun Wang [mailto:[email protected]]
Sent: Wednesday, February 06, 2013 3:21 AM
To: Walter Holm
Subject: Fwd: [Bug 100298] New: keytool and SANs (DNS types)

Hi Walter

Hostname as specified in http://tools.ietf.org/html/rfc1034#section-3.5,
which says a label can only contain let-dig-hyp:

    <let-dig-hyp> ::= <let-dig> | "-"

    <let-dig> ::= <letter> | <digit>

Is there any other specification that allows the underscore char?

Thanks

Weijun

-------- Original Message --------

Subject: [Bug 100298] New: keytool and SANs (DNS types)

Date: Tue,  5 Feb 2013 12:36:35 -0800 (PST)

From: [email protected]

To: [email protected]

https://bugs.openjdk.java.net/show_bug.cgi?id=100298

             Summary: keytool and SANs (DNS types)
             Product: security
             Version: 7
            Platform: all
          OS/Version: all
              Status: NEW
            Severity: normal
            Priority: P3
           Component: other
          AssignedTo: [email protected]
          ReportedBy: [email protected]
                  CC: [email protected]

The SAN for DNS type does not allow _'s (underscores) in the FQDN.  This
is of course allowed normally and should be corrected.

Example:

DNS:x_yz.domain.com

will fail

--

Configure bugmail: https://bugs.openjdk.java.net/userprefs.cgi?tab=email

------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
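For anyone who wants to see the two readings in the thread side by side, here is an added example (my own code, not keytool's implementation and not anything from the bug report) that checks a name against the RFC 1034 section 3.5 grammar quoted above and, separately, against the length-only rules of RFC 2181 section 11. It assumes ASCII presentation-form names, applies the RFC 1123 leading-digit relaxation by default (switchable off to get the literal RFC 1034 grammar), and the candidate names at the bottom are constructed for illustration.

```python
"""Two readings of "valid DNS name" from the keytool SAN thread:
RFC 1034 section 3.5 "preferred name syntax" (what a dNSName must meet)
versus RFC 2181 section 11 (any octet, only length limits)."""
import re

# RFC 1034 section 3.5 grammar for one label, as quoted in the thread:
#   <label>       ::= <letter> [ [ <ldh-str> ] <let-dig> ]
#   <ldh-str>     ::= <let-dig-hyp> | <let-dig-hyp> <ldh-str>
#   <let-dig-hyp> ::= <let-dig> | "-"
#   <let-dig>     ::= <letter> | <digit>
# RFC 1123 section 2.1 later allowed the first character to be a digit.
_LABEL_RFC1034 = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
_LABEL_RFC1123 = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")

MAX_LABEL_OCTETS = 63   # RFC 1034 section 3.1, restated in RFC 2181 section 11
MAX_NAME_OCTETS = 255   # full wire-format name, RFC 1034 section 3.1


def split_labels(name):
    """Split a presentation-form name into labels, tolerating one trailing dot."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def check_lengths(name):
    """Length rules shared by both readings. Returns None if OK, else a reason.
    Per RFC 2181 section 11 these are the ONLY syntax rules a general DNS
    name has to meet; any octet is legal inside a label."""
    labels = split_labels(name)
    if any(len(label) == 0 for label in labels):
        return "empty label"
    for label in labels:
        if len(label.encode("utf-8")) > MAX_LABEL_OCTETS:
            return "label longer than 63 octets: %r" % label
    # Wire form: one length octet per label plus the root's terminating zero octet.
    wire_len = sum(len(label.encode("utf-8")) + 1 for label in labels) + 1
    if wire_len > MAX_NAME_OCTETS:
        return "name longer than 255 octets on the wire"
    return None


def check_rfc2181(name):
    """RFC 2181 reading: accept anything that fits the length limits."""
    return check_lengths(name)


def check_hostname(name, allow_leading_digit=True):
    """RFC 1034 section 3.5 preferred name syntax, the rule RFC 5280
    section 4.2.1.6 points to for a dNSName SubjectAltName. Returns None
    if OK, else a reason. allow_leading_digit=False gives the literal
    RFC 1034 grammar (letter first); True adds the RFC 1123 relaxation."""
    err = check_lengths(name)
    if err:
        return err
    pattern = _LABEL_RFC1123 if allow_leading_digit else _LABEL_RFC1034
    for label in split_labels(name):
        if not pattern.match(label):
            return "label %r is not let-dig-hyp syntax" % label
    return None


if __name__ == "__main__":
    # Constructed inputs: the name from the bug report plus a few edge cases.
    for candidate in ["x_yz.domain.com", "x-yz.domain.com", "3com.example",
                      "-bad.example", "bad-.example", "a" * 64 + ".example"]:
        print("%-22s RFC 1034: %-45s RFC 2181: %s" % (
            candidate, check_hostname(candidate) or "ok",
            check_rfc2181(candidate) or "ok"))
```

Running it shows the disagreement in the thread directly: the bug report's name x_yz.domain.com fails the RFC 1034 check (the underscore is not let-dig-hyp) but passes the RFC 2181 length-only check, while x-yz.domain.com passes both and an over-long label fails both.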
