I have not yet, I would appreciate it, thank you.

Sent from Windows Surface
From: Weijun Wang
Sent: February 6, 2013 8:02 PM
To: Walter Holm
CC: OpenJDK
Subject: Re: "_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))

On 02/06/2013 11:54 PM, Walter Holm wrote:
> That is correct they are talking about the data content of DNS in general
> which includes the naming and the content and that section addresses
> both.
>
> Once an RFC updates another RFC, I would take that to mean there is a change
> or clarification of a previous RFC. Hence you have to follow the rabbit hole
> of do's/don'ts and may's/shall's of these impossible chains of RFCs, correct?
> It is probably useful for pointing to an earlier RFC so the family tree of
> RFCs after the fact is properly referenced.

I think what RFC 2181 says by "any binary string" is just too relaxed. Adding a single "_" might be acceptable.

Anyway, have you filed a bug at bugs.sun.com as suggested by Brad? If not, I can file one for you.

-Weijun

>
> -Walt
>
> -----Original Message-----
> From: Weijun Wang [mailto:weijun.w...@oracle.com]
> Sent: Wednesday, February 06, 2013 9:15 AM
> To: Walter Holm
> Cc: OpenJDK
> Subject: "_" in dNSName? (was Re: [Bug 100298] New: keytool and SANs (DNS types))
>
> Hi Walt
>
> I'm adding the openjdk security-dev mail list to CC.
>
> At the beginning of RFC 2181 11 we have
>
>     Occasionally it is assumed that the Domain Name System serves only
>     the purpose of mapping Internet host names to data, and mapping
>     Internet addresses to host names. This is not correct...
>
> In my understanding, this RFC is relaxing the syntax for general DNS names.
> However, the dNSName in SAN is just the "only the purpose" mentioned above,
> and its syntax is still restricted. In fact, the latest X.509 cert spec
> (RFC 5280 4.2.1.6) still references RFC 1034 as the format for dNSName.
>
> Thanks
> Weijun
>
> On 02/06/2013 09:38 PM, Walter Holm wrote:
>> Hi Weijun,
>>
>> First, thank you for taking interest in this issue.
>>
>> Although it is true that this RFC specifies a "should" for domain
>> names (in "_Preferred_ name syntax") to remove confusion, Section 11
>> of http://www.ietf.org/rfc/rfc2181.txt (which updates RFC 1034)
>> clarifies what the name syntax is... in particular the name syntax is
>> supposed to be unrestrictive (starts with the second paragraph). In a
>> side note about the behavior of keytool, when generating a self-signed
>> cert, if the DN contains an underscore, it is successful; it's just the SAN
>> that fails.
>>
>> Thank you for your time,
>>
>> Sincerely,
>>
>> Walter Holm
>>
>> (Walt)
>>
>> -----Original Message-----
>> From: Weijun Wang [mailto:weijun.w...@oracle.com]
>> Sent: Wednesday, February 06, 2013 3:21 AM
>> To: Walter Holm
>> Subject: Fwd: [Bug 100298] New: keytool and SANs (DNS types)
>>
>> Hi Walter
>>
>> Hostname as specified in
>> http://tools.ietf.org/html/rfc1034#section-3.5
>>
>> which says a label can only contain let-dig-hyp
>>
>>     <let-dig-hyp> ::= <let-dig> | "-"
>>
>>     <let-dig> ::= <letter> | <digit>
>>
>> Is there any other specification that allows the underscore char?
>>
>> Thanks
>>
>> Weijun
>>
>> -------- Original Message --------
>> Subject: [Bug 100298] New: keytool and SANs (DNS types)
>> Date: Tue, 5 Feb 2013 12:36:35 -0800 (PST)
>> From: bugzilla-dae...@bugs.openjdk.java.net
>> To: weijun.w...@oracle.com
>>
>> https://bugs.openjdk.java.net/show_bug.cgi?id=100298
>>
>>            Summary: keytool and SANs (DNS types)
>>            Product: security
>>            Version: 7
>>           Platform: all
>>         OS/Version: all
>>             Status: NEW
>>           Severity: normal
>>           Priority: P3
>>          Component: other
>>         AssignedTo: watch-security-ot...@bugs.openjdk.java.net
>>         ReportedBy: walter.h...@crinj.com
>>                 CC: watch-security-ot...@bugs.openjdk.java.net
>>
>> The SAN for DNS type does not allow _'s (underscores) in the FQDN.
>> This is of course allowed normally and should be corrected.
>>
>> Example:
>>
>> DNS:x_yz.domain.com
>>
>> will fail
>>
>> --
>> Configure bugmail: https://bugs.openjdk.java.net/userprefs.cgi?tab=email
>> ------- You are receiving this mail because: -------
>> You are watching the assignee of the bug.
>> You are watching someone on the CC list of the bug.
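The two readings argued over in this thread, implemented side by side as an added example (my own code, not keytool's or OpenJDK's): the RFC 1034 section 3.5 preferred name syntax that RFC 5280 points at for dNSName, and the RFC 2181 section 11 reading under which a label is any 1..63 octets. Function names are my own; `www.domain.com` is a constructed valid name and `x_yz.domain.com` is the one from the bug report.

```python
import re

# RFC 1034 section 3.5 "preferred name syntax", the grammar quoted in the
# thread: a label starts with a letter, may contain letters, digits and
# hyphens, and must not end with a hyphen.
#   <label>       ::= <letter> [ [ <ldh-str> ] <let-dig> ]
#   <let-dig-hyp> ::= <let-dig> | "-"
#   <let-dig>     ::= <letter> | <digit>
LABEL_RFC1034 = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
MAX_LABEL_OCTETS = 63   # label length limit (RFC 1034 3.1, RFC 2181 11)
MAX_NAME_OCTETS = 255   # whole-name wire-format limit (RFC 2181 11)

def split_labels(name: str) -> list:
    """Split a presentation-form name, tolerating one trailing root dot."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")

def wire_length(labels: list) -> int:
    """Octets on the wire: one length byte per label, plus the root label."""
    return sum(1 + len(lbl.encode("utf-8")) for lbl in labels) + 1

def rfc2181_label_ok(label: str) -> bool:
    """RFC 2181 section 11: any binary string of 1..63 octets is a label."""
    return 1 <= len(label.encode("utf-8")) <= MAX_LABEL_OCTETS

def rfc2181_name_ok(name: str) -> bool:
    labels = split_labels(name)
    return all(rfc2181_label_ok(l) for l in labels) and wire_length(labels) <= MAX_NAME_OCTETS

def rfc1034_label_ok(label: str) -> bool:
    """Preferred name syntax layered on the generic length limits."""
    return rfc2181_label_ok(label) and LABEL_RFC1034.match(label) is not None

def rfc1034_hostname_ok(name: str) -> bool:
    """The strict check a dNSName SAN is held to when RFC 1034 is the reference."""
    labels = split_labels(name)
    return all(rfc1034_label_ok(l) for l in labels) and wire_length(labels) <= MAX_NAME_OCTETS

def offending_labels(name: str) -> list:
    """Labels RFC 2181 accepts but the preferred name syntax rejects."""
    return [l for l in split_labels(name) if rfc2181_label_ok(l) and not rfc1034_label_ok(l)]

if __name__ == "__main__":
    for n in ("www.domain.com", "x_yz.domain.com"):
        print(f"{n:18} RFC1034={rfc1034_hostname_ok(n)!s:5} "
              f"RFC2181={rfc2181_name_ok(n)!s:5} offending={offending_labels(n)}")
```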