Re: SNI vs Host: and a trailing dot

> On Mar 16, 2016, at 6:02 AM, Willy Tarreau <w@1wt.eu> wrote:
> 
> Hi guys,
> 
> On Thu, Mar 17, 2016 at 01:44:24AM +1300, Amos Jeffries wrote:
>> On 17/03/2016 1:09 a.m., Michael Sweet wrote:
>>> FWIW, CUPS has traditionally stripped the trailing dot from both since most printers (and web sites, for that matter) have difficulty handling "example.com."
>>> 
>> 
>> 
>> FWIW; Squid likewise does that as well.
>> 
>> IIRC we determined that the trailing dot syntax was an outcome of people
>> partially understanding the DNS specifications. Those DNS specs talk
>> about using the trailing dot to terminate the domain labels. But on
>> close inspection it is only supposed to be used in the wire-format for
>> DNS packets. Intermediate representations like HTTP messages or TLS SNI
>> are expected to have no trailing dot for valid FQDN.
> 
> Not exactly because you have the problem when you need to differentiate
> host names that belong to your local domain and other ones. For example
> you could have a host called "www.example.com" on your local domain, and
> if you want to be sure to use the public www.example.com and not
> www.example.com.my.local.domain, the only way is to add the trailing dot.

Yep, that's right.

> I remember having been in this exact situation many years ago by which
> I couldn't connect to my default gateway's web interface until I realized
> that the name "gw" that I was using on my local network was first resolved
> as "gw.work.local" which was my company's groupware server and it couldn't
> be accessed from where I was located (hence my belief that the device did
> not respond). Simply passing "http://gw./" solved the issue for me.

I had the same issue at UCI when the College of Medicine decided to name their
primary gateway "com", as in "{host}.com.uci.edu".  It was a short conversation.
Now we are getting inundated by new ICANN TLDs, so expect more of that soon.
It may become common for some sites to need the trailing dot just to ensure
that HTTP routing works.

> However I have no idea where in the chain this dot needs to be trimmed,
> but it definitely has a use case for the end user and in HTTP URIs (though
> not frequent).

Personally, I never trim the dot outside of DNS itself, since it has to be
presumed that someone added it for a reason (even if that reason is
nefarious -- the distinction cannot be ignored). Since both clients and
proxies are subject to local network aliases, the dot must be retained in
HTTP's authority and Host.

....Roy

Received on Wednesday, 16 March 2016 23:11:10 UTC
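The following is an added example for this thread, not code from any of the
participants or from CUPS, Squid or HAProxy. It follows one hostname through the
three places where the trailing dot matters in the discussion above: stub
resolution against a search list (where "gw" becomes "gw.work.local" but "gw."
does not), the TLS SNI host_name (which RFC 6066 section 3 sends without a
trailing dot), and the HTTP Host field (left exactly as the user wrote it, which
is the position Roy takes). The resolver is a simplified model of the common
ndots/search-list rule; every name, address and vhost table in it is constructed
for illustration.

```python
"""Added example; not code from the thread, CUPS, Squid or HAProxy.

Follows one hostname through the three places the trailing dot matters:
  1. stub resolution with a search list, where the dot changes the answer;
  2. the TLS SNI host_name, which RFC 6066 s.3 sends without a trailing dot;
  3. the HTTP Host field / URI authority, kept as the user wrote it.
The resolver is a simplified model of the usual ndots/search-list rule and
every name and address below is constructed for illustration.
"""
from typing import Optional

# Constructed records: a public name shadowed by a same-named host in the
# local search domain, and the "gw" collision described in the thread.
RECORDS = {
    "www.example.com.": "192.0.2.10",                  # public site
    "www.example.com.my.local.domain.": "10.0.0.10",   # local host, same name
    "gw.work.local.": "10.0.0.5",                      # company groupware server
    "gw.": "192.168.1.1",                              # home gateway, absolute name
}


def lookup(fqdn: str) -> Optional[str]:
    """Exact-match lookup of an absolute (dot-terminated) name."""
    if not fqdn.endswith("."):
        raise ValueError("lookup() expects an absolute name")
    return RECORDS.get(fqdn.lower())


def resolve(name: str, search: list[str], ndots: int = 1) -> tuple[str, Optional[str]]:
    """Stub-resolver model returning (absolute name that answered, address).

    A trailing dot makes the name absolute and bypasses the search list.
    Otherwise the usual ndots rule applies: a name with fewer than `ndots`
    dots is tried under each search domain first and as-is last; a name with
    at least `ndots` dots is tried as-is first. (glibc defaults to ndots:1;
    Kubernetes pods are commonly configured with ndots:5, which is enough to
    make the www.example.com case below flip to the local host.)
    """
    if name.endswith("."):
        return name, lookup(name)
    as_is = [name + "."]
    under_search = [f"{name}.{domain.strip('.')}." for domain in search]
    order = under_search + as_is if name.count(".") < ndots else as_is + under_search
    for candidate in order:
        addr = lookup(candidate)
        if addr is not None:
            return candidate, addr
    return name + ".", None


def sni_host_name(host: str) -> str:
    """RFC 6066 section 3: the SNI host_name carries the FQDN without a trailing dot."""
    return host[:-1] if host.endswith(".") else host


def host_header(host: str, port: Optional[int] = None) -> str:
    """Host is the URI authority as written; the dot is deliberately not trimmed."""
    return host if port is None else f"{host}:{port}"


def select_vhost(host_value: str, vhosts: dict[str, str], strip_dot: bool) -> Optional[str]:
    """Server-side dispatch on the Host field value.

    strip_dot=True is the CUPS/Squid behaviour: 'example.com.' and
    'example.com' reach the same vhost. strip_dot=False keeps them distinct,
    so the dotted spelling must be registered explicitly or it gets no match.
    """
    if host_value.startswith("["):                 # IPv6 literal, e.g. [::1]:8443
        host = host_value[: host_value.index("]") + 1]
    else:
        host = host_value.split(":", 1)[0]
    host = host.lower()
    if strip_dot and host.endswith("."):
        host = host[:-1]
    return vhosts.get(host)


def client_request(url_host: str, search: list[str], ndots: int = 1) -> dict:
    """What a client that does not trim the dot connects to and sends."""
    answered_as, addr = resolve(url_host, search, ndots)
    return {
        "connect_to": addr,
        "resolved_as": answered_as,
        "sni": sni_host_name(url_host),
        "host": host_header(url_host),
    }


if __name__ == "__main__":
    for h in ("gw", "gw."):
        print(h, client_request(h, ["work.local"]))
    for h in ("www.example.com", "www.example.com."):
        print(h, client_request(h, ["my.local.domain"], ndots=5))
```

Run as a script it prints the two collisions from the thread: "gw" lands on the
groupware server while "gw." reaches the gateway, and with a large ndots the
undotted "www.example.com" is captured by the local search domain while the
dotted form is not. The `select_vhost` function shows the flip side on the
server: once the client keeps the dot in Host, an origin or proxy that does not
normalise it must register "www.example.com." as its own name or it will not
match.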