Re: SNI vs Host: and a trailing dot

Hi guys,

On Thu, Mar 17, 2016 at 01:44:24AM +1300, Amos Jeffries wrote:
> On 17/03/2016 1:09 a.m., Michael Sweet wrote:
> > FWIW, CUPS has traditionally stripped the trailing dot from both since most printers (and web sites, for that matter) have difficulty handling "example.com."
> > 
> 
> 
> FWIW; Squid likewise does that as well.
> 
> IIRC we determined that the trailing dot syntax was an outcome of people
> partially understanding the DNS specifications. Those DNS specs talk
> about using the trailing dot to terminate the domain labels. But on
> close inspection it is only supposed to be used in the wire-format for
> DNS packets. Intermediate representations like HTTP messages or TLS SNI
> are expected to have no trailing dot for valid FQDN.

Not exactly because you have the problem when you need to differentiate
host names that belong to your local domain and other ones. For example
you could have a host called "www.example.com" on your local domain, and
if you want to be sure to use the public www.example.com and not
www.example.com.my.local.domain, the only way is to add the trailing dot.

I remember having been in this exact situation many years ago by which
I couldn't connect to my default gateway's web interface until I realized
that the name "gw" that I was using on my local network was first resolved
as "gw.work.local" which was my company's groupware server and it couldn't
be accessed from where I was located (hence my belief that the device did
not respond). Simply passing "http://gw./" solved the issue for me.

However I have no idea where in the chain this dot needs to be trimmed,
but it definitely has a use case for the end user and in HTTP URIs (though
not frequent).

Cheers,
Willy

Received on Wednesday, 16 March 2016 13:02:48 UTC
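As an added illustration (not code from Willy's message or from the thread), a Python sketch of the two points made above: a toy resolver whose search list makes a relative name land on the wrong host unless a trailing dot marks it absolute, and a Host/SNI normalizer that strips the dot the way CUPS and Squid do, so that "gw." in the URI and "gw" in the TLS SNI select the same virtual host. `StubResolver`, `normalize_host` and `hosts_match` are hypothetical names; the zone data, search domains and addresses are constructed.

```python
# Added example, not code from the thread: a toy resolver search list and a
# Host/SNI normalizer. Zone data, search domains and addresses are constructed.
from dataclasses import dataclass, field

@dataclass
class StubResolver:
    records: dict                       # absolute name (no trailing dot) -> address
    search: list = field(default_factory=list)

    def candidates(self, name: str) -> list:
        """Names tried in order. A trailing dot marks the name absolute, so the
        search list is skipped (real resolvers add an ndots rule, omitted here)."""
        if name.endswith("."):
            return [name.rstrip(".")]
        return [f"{name}.{d}" for d in self.search] + [name]

    def resolve(self, name: str):
        """Return (matched_name, address) for the first candidate that exists."""
        for cand in self.candidates(name):
            if cand in self.records:
                return cand, self.records[cand]
        return None

def normalize_host(host: str) -> str:
    """Canonical form for comparing HTTP Host and TLS SNI: drop any port,
    lower-case, and strip one trailing dot (as CUPS and Squid do)."""
    host = host.strip()
    if host.startswith("["):             # IPv6 literal such as [::1]:443
        host = host.split("]", 1)[0] + "]"
    else:
        host = host.split(":", 1)[0]
    host = host.lower()
    return host[:-1] if host.endswith(".") else host

def hosts_match(http_host: str, sni: str) -> bool:
    """True when Host and SNI select the same virtual host after normalization,
    so "gw." in the URL and "gw" in SNI are not treated as two different sites."""
    return normalize_host(http_host) == normalize_host(sni)

# Constructed data mirroring the anecdote: "gw" is the local gateway, but the
# search list makes a bare "gw" resolve to the company groupware server first.
RESOLVER = StubResolver(
    records={"gw": "192.168.0.1", "gw.work.local": "10.1.1.5",
             "www.example.com": "198.51.100.10",
             "www.example.com.my.local.domain": "10.0.0.7"},
    search=["work.local", "my.local.domain"],
)
```

Whichever hop strips the dot, both sides of a virtual-host comparison must apply the same normalization, otherwise "example.com." and "example.com" silently map to different sites or certificates.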