Should host/domain names travel over the internet with a trailing dot?

Jay Ashworth jra at baylink.com
Mon Feb 25 17:11:48 UTC 2013


----- Original Message -----
> From: "Brian Reichert" <reichert at numachi.com>

> > Right. And I'm asserting that that's wrong: the client side libraries
> > Really Ought To normalize that name before trying to compare it against
> > the retrieved certificate to see if it matches, which would relieve you
> > of having to have the altName with the trailing dot in such a cert.
> 
> I know for internal testing, I've had to introduce unqualified
> hostnames in the CSR as well (e.g. 'testhost', instead of
> 'testhost.example.com'), to handle the case of the client not using
> domain names at all (when framing queries). This illustrates that
> there's not even an effort to synthesize a FQDN.

And there probably shouldn't be, and yes, you will probably have to have
short names in there as altnames; there isn't -- and again, cannot be --
a rule for that; it's implementation dependent.

> Who should implement the normalization logic? Not the SSL library,
> certainly. That sounds like the bailiwick of the resolver library...

No, in fact, I think this is layer... 3 or 4, not 2; this *should* 
be in the SSL library -- *you're not resolving this name*.

> > The controlling standard *appears* to be RFC 2246, TLS v1.0. I'm
> > doing some work this morning, but that's up in a tab for coffee
> > breaks; I'll try to figure out what I think Dierks and Allen thought
> > about this topic, if anything, during the day.
> 
> I look forward to the fruits of your research. :)

Pomegranates.  Martha Stewart taught me over the weekend how to get
the seeds out without ruining them.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra at baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
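As an added illustration of the normalization being argued about above (example code written for this archive page, not code from the thread or from any TLS library): a Python name-matching routine that strips a trailing dot from both the reference name and the certificate's dNSName entries before comparing, so "www.example.com." matches a certificate issued for "www.example.com" without needing a second altName. It deliberately does not synthesize an FQDN, so an unqualified "testhost" only matches a SAN of "testhost". The SAN lists are constructed sample data.

```python
"""Certificate dNSName matching that tolerates a trailing dot.

Normalization: lower-case, strip one trailing dot (absolute-name marker).
Wildcards follow the usual RFC 6125 restrictions: only a leftmost "*"
label, it never matches across a dot, and it needs at least two labels
after it (so "*.com" never matches anything).
"""
from typing import Iterable


def normalize_name(name: str) -> str:
    """Canonical form used on both sides of the comparison."""
    n = name.strip().lower()
    if n.endswith("."):
        n = n[:-1]
    return n


def _match_one(pattern: str, host: str) -> bool:
    pattern = normalize_name(pattern)
    host = normalize_name(host)
    if not pattern or not host:
        return False
    if "*" not in pattern:
        return pattern == host
    labels = pattern.split(".")
    # Reject "a*b.example.com", "*.*.example.com", "*.com" and similar.
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = host.split(".")
    # The "*" covers exactly one label; the rest must match label-by-label.
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def hostname_matches(san_dns_names: Iterable[str], host: str) -> bool:
    """True if any dNSName SAN entry matches the reference identity."""
    return any(_match_one(p, host) for p in san_dns_names)


if __name__ == "__main__":
    # Constructed SAN list, as a certificate for an internal test box might carry.
    sans = ["www.example.com", "*.example.com", "testhost"]
    for ref in ["www.example.com.", "api.example.com.", "testhost", "testhost.example.com"]:
        print(f"{ref!r:28} -> {hostname_matches(sans, ref)}")
```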