public inbox for pbs-devel@lists.proxmox.com
* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
@ 2021-04-28 18:18 Dietmar Maurer
  2021-04-29  6:51 ` Wolfgang Bumiller
  0 siblings, 1 reply; 11+ messages in thread
From: Dietmar Maurer @ 2021-04-28 18:18 UTC (permalink / raw)
  To: Thomas Lamprecht, Proxmox Backup Server development discussion,
	Wolfgang Bumiller

So we should call it SCOPED_DNS_NAME, and require the underscore at start?

> On 04/28/2021 6:34 PM Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> 
>  
> On 28.04.21 18:10, Dietmar Maurer wrote:
> > Seems DNS names in general are totally unrestricted and
> > may contain arbitrary binary data:
> > 
> > https://tools.ietf.org/html/rfc2181#section-11
> > 
> > Only host names and url are restricted.
> > 
> > ?!
> 
> FYI, from an off-list message from Wolfgang:
> 
> >> and why now only allow as first one?
> > mostly because that's what we did in PVE and because using underscores
> > anywhere else is silly ;-)
> > it's used for scoping, there was even an RFC draft but it's expired and only
> > marked as "best current practice" whatever that's worth:
> > https://tools.ietf.org/id/draft-ietf-dnsop-attrleaf-07.html#rfc.section.1.1
> > so basically: we used to not allow underscores, people do use leading
> > underscores for scoping, and we use it particularly for ACME aliases...
> 
> There was some confusion with which ALIAS you meant, as there's a not really
> used DNS record type named "ALIAS" too (which is unrelated to that one here).





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
  2021-04-28 18:18 [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema Dietmar Maurer
@ 2021-04-29  6:51 ` Wolfgang Bumiller
  0 siblings, 0 replies; 11+ messages in thread
From: Wolfgang Bumiller @ 2021-04-29  6:51 UTC (permalink / raw)
  To: Dietmar Maurer
  Cc: Thomas Lamprecht, Proxmox Backup Server development discussion

On Wed, Apr 28, 2021 at 08:18:21PM +0200, Dietmar Maurer wrote:
> So we should call it SCOPED_DNS_NAME, and require the underscore at start?

No, the scoping is optional.





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
  2021-04-28 15:55 Dietmar Maurer
@ 2021-04-29  7:12 ` Wolfgang Bumiller
  0 siblings, 0 replies; 11+ messages in thread
From: Wolfgang Bumiller @ 2021-04-29  7:12 UTC (permalink / raw)
  To: Dietmar Maurer; +Cc: Proxmox Backup Server development discussion

On Wed, Apr 28, 2021 at 05:55:27PM +0200, Dietmar Maurer wrote:
> Is this the same syntax used for DNS SRV records?
> 
> https://en.wikipedia.org/wiki/SRV_record

Disclaimer: My main motivation was that I just followed along with what
we're doing in PVE (and did the same in PMG as well).

TBH I don't know if any ACME implementation worries about that at all.
The main idea is this:

  * you want to get a certificate for foo.bar.com
  * giving pbs direct access to managing the `foo.bar.com` or `bar.com`
    zones is inconvenient or impossible
  * you set up a `CNAME` for `_acme-challenge.foo.bar.com` to point to
    X.Y.Z
  * you configure the domain foo.bar.com and set the alias to X.Y.Z, so
    that our DNS plugins will set the TXT entry for X.Y.Z instead of
    `_acme-challenge.foo.bar.com`
  * the ACME provider's DNS resolver will decide which values for X, Y
    and Z they're willing to accept while resolving the TXT entry.
    Most likely they can be completely arbitrary. We know that due to
    common practice, they'll most likely allow at least hostnames with
    the addition of leading underscores, but as far as formal
    definitions go, the DNS RFC is the only "real source of
    what-should-be-the-truth", while in practice you'll just have to try
    and see if it works...

And sure, *technically* we could just relax the DNS schema in general,
but then users may run into issues when they configure something that
should be legal as per the DNS RFC but is not accepted by their browsers
or some other tool. Of course we could still relax it and just keep the
"normal" restrictions purely in the GUI... I don't know.





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
  2021-04-28 16:10 Dietmar Maurer
@ 2021-04-28 16:34 ` Thomas Lamprecht
  0 siblings, 0 replies; 11+ messages in thread
From: Thomas Lamprecht @ 2021-04-28 16:34 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Dietmar Maurer,
	Wolfgang Bumiller

On 28.04.21 18:10, Dietmar Maurer wrote:
> Seems DNS names in general are totally unrestricted and
> may contain arbitrary binary data:
> 
> https://tools.ietf.org/html/rfc2181#section-11
> 
> Only host names and url are restricted.
> 
> ?!

FYI, from an off-list message from Wolfgang:

>> and why now only allow as first one?
> mostly because that's what we did in PVE and because using underscores
> anywhere else is silly ;-)
> it's used for scoping, there was even an RFC draft but it's expired and only
> marked as "best current practice" whatever that's worth:
> https://tools.ietf.org/id/draft-ietf-dnsop-attrleaf-07.html#rfc.section.1.1
> so basically: we used to not allow underscores, people do use leading
> underscores for scoping, and we use it particularly for ACME aliases...

There was some confusion with which ALIAS you meant, as there's a not really
used DNS record type named "ALIAS" too (which is unrelated to that one here).






* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
@ 2021-04-28 16:10 Dietmar Maurer
  2021-04-28 16:34 ` Thomas Lamprecht
  0 siblings, 1 reply; 11+ messages in thread
From: Dietmar Maurer @ 2021-04-28 16:10 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Wolfgang Bumiller

Seems DNS names in general are totally unrestricted and
may contain arbitrary binary data:

https://tools.ietf.org/html/rfc2181#section-11

Only host names and url are restricted.

?!

> On 04/28/2021 5:55 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
> 
>  
> Is this the same syntax used for DNS SRV records?
> 
> https://en.wikipedia.org/wiki/SRV_record
> 
> > On 04/28/2021 1:15 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
> > 
> >  
> > > On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> > > 
> > >  
> > > On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > > > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> > > 
> > > One allows underscores at the beginning, the other doesn't, as for
> > 
> > But where is it defined that an ALIAS may contain underscores?
> > Do you have a link to the corresponding RFC?
> > 





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
@ 2021-04-28 15:55 Dietmar Maurer
  2021-04-29  7:12 ` Wolfgang Bumiller
  0 siblings, 1 reply; 11+ messages in thread
From: Dietmar Maurer @ 2021-04-28 15:55 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Wolfgang Bumiller

Is this the same syntax used for DNS SRV records?

https://en.wikipedia.org/wiki/SRV_record

> On 04/28/2021 1:15 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
> 
>  
> > On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> > 
> >  
> > On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> > 
> > One allows underscores at the beginning, the other doesn't, as for
> 
> But where is it defined that an ALIAS may contain underscores?
> Do you have a link to the corresponding RFC?
> 





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
  2021-04-28 11:15 Dietmar Maurer
@ 2021-04-28 11:42 ` Wolfgang Bumiller
  0 siblings, 0 replies; 11+ messages in thread
From: Wolfgang Bumiller @ 2021-04-28 11:42 UTC (permalink / raw)
  To: Dietmar Maurer; +Cc: Proxmox Backup Server development discussion

On Wed, Apr 28, 2021 at 01:15:01PM +0200, Dietmar Maurer wrote:
> 
> > On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> > 
> >  
> > On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> > 
> > One allows underscores at the beginning, the other doesn't, as for
> 
> But where is it defined that an ALIAS may contain underscores?
> Do you have a link to the corresponding RFC?

I suppose it makes more sense to rename it to DNS_ACME_ALIAS...





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
@ 2021-04-28 11:15 Dietmar Maurer
  2021-04-28 11:42 ` Wolfgang Bumiller
  0 siblings, 1 reply; 11+ messages in thread
From: Dietmar Maurer @ 2021-04-28 11:15 UTC (permalink / raw)
  To: Wolfgang Bumiller; +Cc: Proxmox Backup Server development discussion


> On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> 
>  
> On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> 
> One allows underscores at the beginning, the other doesn't, as for

But where is it defined that an ALIAS may contain underscores?
Do you have a link to the corresponding RFC?





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
  2021-04-28 10:26   ` Dietmar Maurer
@ 2021-04-28 11:07     ` Wolfgang Bumiller
  0 siblings, 0 replies; 11+ messages in thread
From: Wolfgang Bumiller @ 2021-04-28 11:07 UTC (permalink / raw)
  To: Dietmar Maurer; +Cc: Proxmox Backup Server development discussion

On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?

One allows underscores at the beginning, the other doesn't, as for
"regular" domains that's not allowed, and the acme challenge domain uses
`_acme_challenge` as a prefix and it makes sense to allow users to use
this in their aliases as well, as that's just the domain where the
challenge data ultimately ends up at.

> 
> 
> On 4/22/21 4:01 PM, Wolfgang Bumiller wrote:
> > Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> > ---
> >   src/api2/types/mod.rs | 10 ++++++++++
> >   1 file changed, 10 insertions(+)
> > 
> > diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs
> > index 9d1bd301..eee91dfd 100644
> > --- a/src/api2/types/mod.rs
> > +++ b/src/api2/types/mod.rs
> > @@ -51,6 +51,11 @@ pub const FILENAME_FORMAT: ApiStringFormat = ApiStringFormat::VerifyFn(|name| {
> >   macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
> >   macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
> > +macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
> > +macro_rules! DNS_ALIAS_NAME {
> > +    () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
> > +}
> > +
> >   macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
> >   macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
> > @@ -87,6 +92,8 @@ const_regex!{
> >       pub DNS_NAME_REGEX =  concat!(r"^", DNS_NAME!(), r"$");
> > +    pub DNS_ALIAS_REGEX =  concat!(r"^", DNS_ALIAS_NAME!(), r"$");
> > +
> >       pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|",  IPRE!(), r")$");
> >       pub BACKUP_REPO_URL_REGEX = concat!(r"^^(?:(?:(", USER_ID_REGEX_STR!(), "|", APITOKEN_ID_REGEX_STR!(), ")@)?(", DNS_NAME!(), "|",  IPRE_BRACKET!() ,"):)?(?:([0-9]{1,5}):)?(", PROXMOX_SAFE_ID_REGEX_STR!(), r")$");
> > @@ -142,6 +149,9 @@ pub const HOSTNAME_FORMAT: ApiStringFormat =
> >   pub const DNS_NAME_FORMAT: ApiStringFormat =
> >       ApiStringFormat::Pattern(&DNS_NAME_REGEX);
> > +pub const DNS_ALIAS_FORMAT: ApiStringFormat =
> > +    ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
> > +
> >   pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
> >       ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
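The following is an added worked example, not code from this thread or from the PBS code base. It transcribes the four regex fragments from the patch above into Python's `re` (the syntax used in those Rust raw strings is the same in Python), runs both resulting patterns over a constructed set of names so the one difference between DNS_LABEL and DNS_ALIAS_LABEL (an underscore admitted only as the first character of a label) is visible, and then models the CNAME-alias flow Wolfgang describes in his 07:12 reply: the domain itself is validated against the DNS_NAME schema, the alias against the DNS_ALIAS schema, and the TXT record name is either `_acme-challenge.<domain>` or the alias. The helper `challenge_record_name`, the `classify` wrapper, the sample names and `acme.example.net` are assumptions made for this example only.

```python
import re
from typing import Optional

# Regex fragments transcribed from the patch's Rust macros. Rust raw strings and
# Python raw strings carry the same regex syntax here, so these are exactly the
# patterns DNS_NAME_REGEX / DNS_ALIAS_REGEX are built from.
DNS_LABEL = r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)"
DNS_NAME = r"(?:(?:" + DNS_LABEL + r"\.)*" + DNS_LABEL + ")"
# The only difference: the first character of a label may also be '_'.
DNS_ALIAS_LABEL = r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)"
DNS_ALIAS_NAME = r"(?:(?:" + DNS_ALIAS_LABEL + r"\.)*" + DNS_ALIAS_LABEL + ")"

DNS_NAME_REGEX = re.compile(r"^" + DNS_NAME + r"$")
DNS_ALIAS_REGEX = re.compile(r"^" + DNS_ALIAS_NAME + r"$")


# fullmatch rather than match: in Python '$' also matches just before a trailing
# newline, so match() would accept "foo.bar.com\n"; the Rust regex crate's '$'
# (without multi-line mode) only matches at the very end of the text.
def is_dns_name(value: str) -> bool:
    return DNS_NAME_REGEX.fullmatch(value) is not None


def is_dns_alias(value: str) -> bool:
    return DNS_ALIAS_REGEX.fullmatch(value) is not None


def classify(values):
    """Map each input to (accepted by DNS_NAME_REGEX, accepted by DNS_ALIAS_REGEX)."""
    return {v: (is_dns_name(v), is_dns_alias(v)) for v in values}


# Hypothetical helper (not PBS code): which name the DNS plugin would write the
# challenge TXT record to, following the CNAME-alias flow described in the thread.
ACME_CHALLENGE_PREFIX = "_acme-challenge"


def challenge_record_name(domain: str, alias: Optional[str] = None) -> str:
    if not is_dns_name(domain):
        raise ValueError(f"not a valid domain for the DNS_NAME schema: {domain!r}")
    if alias is None:
        # No alias: the TXT record goes to _acme-challenge.<domain>.
        return f"{ACME_CHALLENGE_PREFIX}.{domain}"
    if not is_dns_alias(alias):
        raise ValueError(f"not a valid alias for the DNS_ALIAS schema: {alias!r}")
    # With an alias the CNAME at _acme-challenge.<domain> points at the alias,
    # so the TXT record is written at the alias name itself.
    return alias


# Constructed sample inputs, chosen to show where the two schemas diverge.
SAMPLES = [
    "foo.bar.com",                  # plain host name: both accept
    "_acme-challenge.foo.bar.com",  # leading underscore: alias only
    "foo._bar.com",                 # underscore starts a middle label: alias only
    "_",                            # a lone underscore label: alias only
    "foo_bar.com",                  # underscore inside a label: both reject
    "-foo.com",                     # leading hyphen: both reject
    "foo-.com",                     # trailing hyphen: both reject
    "foo.bar.com\n",                # trailing newline: both reject (fullmatch)
    "",                             # empty: both reject
]

if __name__ == "__main__":
    for name, (plain, alias_ok) in classify(SAMPLES).items():
        print(f"{name!r:32} DNS_NAME={plain!s:5} DNS_ALIAS={alias_ok}")
    print(challenge_record_name("foo.bar.com"))
    print(challenge_record_name("foo.bar.com", alias="_acme-challenge.acme.example.net"))
```

Two things the table makes concrete: a bare `_` label and `foo._bar.com` pass the alias schema, because the relaxation applies to every label, not only the first; and the domain being configured still has to satisfy the stricter DNS_NAME schema, only the alias target gets the underscore allowance.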





* Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
  2021-04-22 14:01 ` [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema Wolfgang Bumiller
@ 2021-04-28 10:26   ` Dietmar Maurer
  2021-04-28 11:07     ` Wolfgang Bumiller
  0 siblings, 1 reply; 11+ messages in thread
From: Dietmar Maurer @ 2021-04-28 10:26 UTC (permalink / raw)
  To: Proxmox Backup Server development discussion, Wolfgang Bumiller

Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?


On 4/22/21 4:01 PM, Wolfgang Bumiller wrote:
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
>   src/api2/types/mod.rs | 10 ++++++++++
>   1 file changed, 10 insertions(+)
>
> diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs
> index 9d1bd301..eee91dfd 100644
> --- a/src/api2/types/mod.rs
> +++ b/src/api2/types/mod.rs
> @@ -51,6 +51,11 @@ pub const FILENAME_FORMAT: ApiStringFormat = ApiStringFormat::VerifyFn(|name| {
>   macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
>   macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
>   
> +macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
> +macro_rules! DNS_ALIAS_NAME {
> +    () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
> +}
> +
>   macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
>   macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
>   
> @@ -87,6 +92,8 @@ const_regex!{
>   
>       pub DNS_NAME_REGEX =  concat!(r"^", DNS_NAME!(), r"$");
>   
> +    pub DNS_ALIAS_REGEX =  concat!(r"^", DNS_ALIAS_NAME!(), r"$");
> +
>       pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|",  IPRE!(), r")$");
>   
>       pub BACKUP_REPO_URL_REGEX = concat!(r"^^(?:(?:(", USER_ID_REGEX_STR!(), "|", APITOKEN_ID_REGEX_STR!(), ")@)?(", DNS_NAME!(), "|",  IPRE_BRACKET!() ,"):)?(?:([0-9]{1,5}):)?(", PROXMOX_SAFE_ID_REGEX_STR!(), r")$");
> @@ -142,6 +149,9 @@ pub const HOSTNAME_FORMAT: ApiStringFormat =
>   pub const DNS_NAME_FORMAT: ApiStringFormat =
>       ApiStringFormat::Pattern(&DNS_NAME_REGEX);
>   
> +pub const DNS_ALIAS_FORMAT: ApiStringFormat =
> +    ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
> +
>   pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
>       ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
>   





* [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema
  2021-04-22 14:01 [pbs-devel] [PATCH v2 backup 00/27] Implements ACME support for PBS Wolfgang Bumiller
@ 2021-04-22 14:01 ` Wolfgang Bumiller
  2021-04-28 10:26   ` Dietmar Maurer
  0 siblings, 1 reply; 11+ messages in thread
From: Wolfgang Bumiller @ 2021-04-22 14:01 UTC (permalink / raw)
  To: pbs-devel

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/api2/types/mod.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs
index 9d1bd301..eee91dfd 100644
--- a/src/api2/types/mod.rs
+++ b/src/api2/types/mod.rs
@@ -51,6 +51,11 @@ pub const FILENAME_FORMAT: ApiStringFormat = ApiStringFormat::VerifyFn(|name| {
 macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
 macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
 
+macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
+macro_rules! DNS_ALIAS_NAME {
+    () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
+}
+
 macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
 macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
 
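Review bot: DNS_ALIAS_LABEL differs from DNS_LABEL only in the leading character class `[a-zA-Z0-9_]`, so `_acme-challenge` and a bare `_` pass while `foo_bar` still fails; the thread shows this asymmetry is not self-evident from the name (the DNS_LABEL vs DNS_ALIAS_LABEL question), so a one-line comment above the macro stating that the underscore is admitted only as a scoping prefix for the ACME challenge name would save the next reader the same question. Note also that, like DNS_LABEL and DNS_NAME, the new macros put no bound on label or total name length; if the schema is meant to enforce one, it has to come from elsewhere.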
@@ -87,6 +92,8 @@ const_regex!{
 
     pub DNS_NAME_REGEX =  concat!(r"^", DNS_NAME!(), r"$");
 
+    pub DNS_ALIAS_REGEX =  concat!(r"^", DNS_ALIAS_NAME!(), r"$");
+
     pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|",  IPRE!(), r")$");
 
     pub BACKUP_REPO_URL_REGEX = concat!(r"^^(?:(?:(", USER_ID_REGEX_STR!(), "|", APITOKEN_ID_REGEX_STR!(), ")@)?(", DNS_NAME!(), "|",  IPRE_BRACKET!() ,"):)?(?:([0-9]{1,5}):)?(", PROXMOX_SAFE_ID_REGEX_STR!(), r")$");
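Review bot: DNS_ALIAS_REGEX is assembled exactly like DNS_NAME_REGEX, which is fine, but the two now share almost all their text and the single differing character is easy to lose in a later edit; a small test in this module asserting that `_acme-challenge.example.org` matches DNS_ALIAS_REGEX but not DNS_NAME_REGEX, and that `foo_bar.example.org` matches neither, would pin the intended behaviour.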
@@ -142,6 +149,9 @@ pub const HOSTNAME_FORMAT: ApiStringFormat =
 pub const DNS_NAME_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_NAME_REGEX);
 
+pub const DNS_ALIAS_FORMAT: ApiStringFormat =
+    ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
+
 pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
 
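Review bot: DNS_ALIAS_FORMAT lands without a doc comment, and the name does not say what kind of alias it is; given that a DNS record type also called ALIAS exists (as noted later in the thread) and that DNS_ACME_ALIAS was already floated as the clearer name, either rename the format, regex and macros accordingly or at least document that this is the target name of the `_acme-challenge` CNAME used by the DNS challenge plugins.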
-- 
2.20.1




