<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I think the confusion that I have here lies in what is
actually permitted for A and AAAA records, and what we define as a
host name. I can't find specific RFCs, but A and AAAA records don't
permit underscores.<br>
<br>
Aliases are permitted to have anything (such as the underscore),
like other domain name records. That said, we need to carefully
define whether we're permitting the request for *hostnames* or
*domain names*. Hostnames per RFC are not permitted underscores.
Aliases (CNAMEs) are allowed underscores, but are called domain
names, not host names, at the most technical DNS level.<br>
<br>
Given this, I retract my part about hosts with underscores being invalid
for NGINX, provided we expand "hostname" and "requested Host" to be
different. I would say we allow domain names that are valid, though
we should also imply further restrictions on the allowed location of
underscores in the Host request:<br>
<br>
(1) A requested host beginning with an underscore (_foobar.baz.net
for example) should be invalid - there are some rules in RFCs with
regard to single-underscore prepended names.<br>
(2) A requested host should not just end with an underscore at the
end or at the end of the domain part (foobar.baz_), similar to how
hyphens are involved here.<br>
<br>
Both of those are invalid either way, but my opinion now is that we
should not just blindly permit all underscores in the request.<br>
<br>
<br>
Thomas<br>
<br>
<br>
<div class="moz-cite-prefix">On 11/17/2016 01:34 PM, Aleksandr
Kupriyanov wrote:<br>
</div>
<blockquote
cite="mid:CACqW075vS+Lr8M072nm67BAirucRmXQcGdsbjXX=WL+aa5uuKw@mail.gmail.com"
type="cite">
<div dir="ltr">De facto, some "big guys" already use underscores
in their host names:<br>
<br>
sasha@kernel.home:~$ host cow_fb_cdn0-a.akamaihd.net<br>
cow_fb_cdn0-a.akamaihd.net is an alias for cow_fb_cdn0-a.akamaihd.net.edgesuite.net.<br>
cow_fb_cdn0-a.akamaihd.net.edgesuite.net is an alias for a1877.g.akamai.net.<br>
a1877.g.akamai.net has address 104.73.160.114<br>
a1877.g.akamai.net has address 104.73.160.64<br>
sasha@kernel.home:~$<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Thu, Nov 17, 2016 at 12:21 PM,
Thomas Ward <span dir="ltr">&lt;<a moz-do-not-send="true"
href="mailto:teward@dark-net.net" target="_blank">teward@dark-net.net</a>&gt;</span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">Correct me
if I am wrong but the discussion of underscores in DNS does
not apply to hostnames. The discussion referenced states as
such, and only touches on underscores as a part of DNS
attributes and internals, not as part of hostnames. It even
says as such that hostnames are *not permitted* to have
underscores.<br>
<br>
By extension of that, should not the Host header be a
hostname or a requested hostname and therefore obey the
requirements for a Hostname at the bare minimum?<br>
<br>
<br>
<div class="HOEnZb">
<div class="h5"><br>
> On Nov 17, 2016, at 12:10, Maxim Dounin &lt;<a
moz-do-not-send="true"
href="mailto:mdounin@mdounin.ru">mdounin@mdounin.ru</a>&gt;
wrote:<br>
><br>
> Hello!<br>
><br>
>> On Wed, Nov 16, 2016 at 06:36:12PM -0600,
Aleksandr Kupriyanov wrote:<br>
>><br>
>> # HG changeset patch<br>
>> # User Aleksandr Kupriyanov &lt;<a
moz-do-not-send="true"
href="mailto:sasha@instartlogic.com">sasha@instartlogic.com</a>&gt;<br>
>> # Date 1479340749 21600<br>
>> # Node ID af947b854971993f318417c70c3818147b320a0d<br>
>> # Parent 6a26016e9a138102798a7ec3e74747fbd6018f82<br>
>> Add directive to allow underscores in hostnames<br>
>><br>
>> Two equivalent requests generate different
responses:<br>
>><br>
>> 1. ---------------<br>
>> GET <a moz-do-not-send="true"
href="http://host_1.home/" rel="noreferrer"
target="_blank">http://host_1.home/</a> HTTP/1.1<br>
>> Host: host_1.home<br>
>> ...<br>
>> HTTP/1.1 400 Bad Request<br>
>> Server: nginx/1.X.XX<br>
>> ------------------<br>
>><br>
>> 2. ---------------<br>
>> GET / HTTP/1.1<br>
>> Host: host_1.home<br>
>> ...<br>
>> HTTP/1.1 200 OK<br>
>> Server: nginx/1.X.XX<br>
>> ------------------<br>
>><br>
>> To avoid that a new directive is proposed:<br>
>><br>
>> Syntax: underscores_in_hostname on | off;<br>
>> Default: underscores_in_headers off;<br>
>> Context: http, server<br>
>><br>
>> Enables or disables the use of underscores in
host names of<br>
>> client request line.<br>
>><br>
>> See a discussion about underscores in DNS here:<br>
>> <a moz-do-not-send="true"
href="http://domainkeys.sourceforge.net/underscore.html"
rel="noreferrer" target="_blank">http://domainkeys.sourceforge.<wbr>net/underscore.html</a><br>
><br>
> Shouldn't we just allow underscores in<br>
> ngx_http_parse_request_line() instead? It doesn't
look like<br>
> there are reasons to keep the test that strict.<br>
><br>
> In case of underscores_in_headers there is a clear
security reason:<br>
> headers are exposed via the HTTP_* variables in
CGI, and via<br>
> $http_* variables in nginx itself, and this makes
headers with<br>
> underscores indistinguishable from ones with dash,
and creates an<br>
> attack vector.<br>
><br>
> I don't see such a problem with underscores in
hostname when it's<br>
> passed via the request line - especially keeping in
mind that we<br>
> don't enforce such a limitation via the Host
header.<br>
><br>
> --<br>
> Maxim Dounin<br>
> <a moz-do-not-send="true" href="http://nginx.org/"
rel="noreferrer" target="_blank">http://nginx.org/</a><br>
><br>
> ______________________________<wbr>_________________<br>
> nginx-devel mailing list<br>
> <a moz-do-not-send="true"
href="mailto:nginx-devel@nginx.org">nginx-devel@nginx.org</a><br>
> <a moz-do-not-send="true"
href="http://mailman.nginx.org/mailman/listinfo/nginx-devel"
rel="noreferrer" target="_blank">http://mailman.nginx.org/<wbr>mailman/listinfo/nginx-devel</a><br>
<br>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<br>
-- <br>
Aleksandr Kupriyanov<br>
Email: <a moz-do-not-send="true"
href="mailto:sasha@instartlogic.com"
target="_blank">sasha@instartlogic.com</a><br>
</div>
<br>
</blockquote>
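<br>
The collision Maxim describes for underscores_in_headers, shown as an added example that is not part of the thread and is not nginx code: under the CGI naming rule a header spelled with underscores and one spelled with dashes end up in the same HTTP_* variable. The function names and the sample header list are hypothetical.<br>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* CGI name of a header (RFC 3875, 4.1.18): "HTTP_" + upper-case, '-' -> '_'. */
int cgi_env_name(const char *hdr, char *out, size_t outlen)
{
    size_t n = strlen(hdr);
    if (outlen < n + 6) return -1;              /* "HTTP_" + name + NUL */
    memcpy(out, "HTTP_", 5);
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char) hdr[i];
        out[5 + i] = (c == '-') ? '_' : (char) toupper(c);
    }
    out[5 + n] = '\0';
    return 0;
}

/* Header names are case-insensitive: "Host" and "host" are the same field. */
static int same_field(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b)) return 0;
    return *a == *b;
}

/* Index of the first header that differs from an earlier field yet shares its CGI name; -1 if none. */
int first_collision(const char *const *hdrs, size_t count)
{
    char a[128], b[128];
    for (size_t i = 1; i < count; i++) {
        if (cgi_env_name(hdrs[i], a, sizeof(a)) != 0) continue;
        for (size_t j = 0; j < i; j++)
            if (cgi_env_name(hdrs[j], b, sizeof(b)) == 0 && strcmp(a, b) == 0
                && !same_field(hdrs[i], hdrs[j])) return (int) i;
    }
    return -1;
}

/* Conservative policy: a header name containing '_' is treated as invalid. */
int header_name_allowed(const char *hdr) { return strchr(hdr, '_') == NULL; }

int main(void)
{
    const char *const hdrs[] = { "Host", "X-Forwarded-For", "X_Forwarded_For" }; /* constructed */
    int i = first_collision(hdrs, 3);
    printf("collision at index %d, allowed=%d\n", i, i < 0 ? 1 : header_name_allowed(hdrs[i]));
    return 0;
}
```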
<br>
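Thomas's two proposed restrictions, written out as a check (an added example, not code from the thread or from nginx): underscores are accepted inside a label but not at its first or last position, mirroring the hyphen rule. The function and enum names are hypothetical, and applying both rules to every dot-separated label, the length limits and the accepted trailing dot are assumptions of this sketch.<br>

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum host_verdict { HOST_OK, HOST_EMPTY_LABEL, HOST_TOO_LONG,
                    HOST_BAD_CHAR, HOST_EDGE_UNDERSCORE, HOST_EDGE_HYPHEN };

/* One label: 1..63 bytes of [A-Za-z0-9_-], with no '_' or '-' at either edge. */
static enum host_verdict check_label(const char *s, size_t len)
{
    if (len == 0) return HOST_EMPTY_LABEL;
    if (len > 63) return HOST_TOO_LONG;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char) s[i];
        if (!isalnum(c) && c != '-' && c != '_') return HOST_BAD_CHAR;
    }
    if (s[0] == '_' || s[len - 1] == '_') return HOST_EDGE_UNDERSCORE;
    if (s[0] == '-' || s[len - 1] == '-') return HOST_EDGE_HYPHEN;
    return HOST_OK;
}

/* Requested host without port or IP literal; one trailing dot is accepted. */
enum host_verdict check_requested_host(const char *host)
{
    size_t len = strlen(host), start = 0;
    if (len > 0 && host[len - 1] == '.') len--;
    if (len == 0) return HOST_EMPTY_LABEL;
    if (len > 253) return HOST_TOO_LONG;
    for (size_t i = 0; i <= len; i++) {
        if (i == len || host[i] == '.') {
            enum host_verdict v = check_label(host + start, i - start);
            if (v != HOST_OK) return v;
            start = i + 1;
        }
    }
    return HOST_OK;
}

int main(void)
{
    /* Names taken from the thread, plus one hyphen case (constructed). */
    const char *samples[] = { "host_1.home", "cow_fb_cdn0-a.akamaihd.net",
                              "_foobar.baz.net", "foobar.baz_", "foo-.example" };
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%-28s -> %d\n", samples[i], (int) check_requested_host(samples[i]));
    return 0;
}
```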
</body>
</html>