Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Dietmar Maurer]

So we should call it SCOPED_DNS_NAME, and require the underscore at start?

> On 04/28/2021 6:34 PM Thomas Lamprecht <t.lamprecht@proxmox.com> wrote:
> 
>  
> On 28.04.21 18:10, Dietmar Maurer wrote:
> > Seems DNS names in general are totally unrestricted and
> > may contain arbitrary binary data:
> > 
> > https://tools.ietf.org/html/rfc2181#section-11
> > 
> > Only host names and url are restricted.
> > 
> > ?!
> 
> FYI, from a off-list message from Wolfgang:
> 
> >> and why now only allow as first one?
> > mostly because that's what we did in PVE and because using underscores
> > anywhere else is silly ;-)
> > it's used for scoping, there was even an RFC draft but it's expired and only
> > marked as "best current practice" whatever that's worth:
> > https://tools.ietf.org/id/draft-ietf-dnsop-attrleaf-07.html#rfc.section.1.1
> > so basically: we used to not allow underscores, people do use leading
> > underscores for scoping, and we use it particularly for ACME aliases...
> 
> There was some confusion with which ALIAS you meant, as there's a not really
> used DNS record type named "ALIAS" too (which is unrelated to that one here).

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Wolfgang Bumiller]

On Wed, Apr 28, 2021 at 08:18:21PM +0200, Dietmar Maurer wrote:
> So we should call it SCOPED_DNS_NAME, and require the underscore at start?

No, the scoping is optional.

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Wolfgang Bumiller]

On Wed, Apr 28, 2021 at 05:55:27PM +0200, Dietmar Maurer wrote:
> Is this the same syntax used for DNS SRV records?
> 
> https://en.wikipedia.org/wiki/SRV_record

Disclaimer: My main motivation was, I just followed along with what
we're doing in PVE (and did the same in PMG as well).

TBH I don't know if any ACME implementation worries about that at all.
The main idea is this:

  * you want to get a certificate for foo.bar.com
  * giving pbs direct access to managing the `foo.bar.com` or `bar.com`
    zones is inconvenient or impossible
  * you setup a `CNAME` for `_acme-challenge.foo.bar.com` to point to
    X.Y.Z
  * you configure the domain foo.bar.com and set the alias to X.Y.Z, so
    that our DNS plugins will set the TXT entry for X.Y.Z instead of
    `_acme-challenge.foo.bar.comm`
  * the ACME provider's DNS resolver will decide which values for X, Y
    and Z they're willing to accept while resolving the TXT entry.
      Most likely they can be completely arbitrary. We know that due to
    common practice, they'll most likely allow at least hostnames with
    the addition of leading underscores, but as far as formal
    definitions go, the DNS RFC is the only "real source of
    what-should-be-the-truth", while in practice you'll just have to try
    and see if it works...

And sure, *technically* we could just relax the DNS schema in general,
but then user's may run into issues when they configure something that
should be legal as per the DNS RFC but is not accepted by their browsers
or some other tool. Of course we could still relax it and just keep the
"normal" restrictions purely in the GUI... I don't know.

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Thomas Lamprecht]

On 28.04.21 18:10, Dietmar Maurer wrote:
> Seems DNS names in general are totally unrestricted and
> may contain arbitrary binary data:
> 
> https://tools.ietf.org/html/rfc2181#section-11
> 
> Only host names and url are restricted.
> 
> ?!

FYI, from a off-list message from Wolfgang:

>> and why now only allow as first one?
> mostly because that's what we did in PVE and because using underscores
> anywhere else is silly ;-)
> it's used for scoping, there was even an RFC draft but it's expired and only
> marked as "best current practice" whatever that's worth:
> https://tools.ietf.org/id/draft-ietf-dnsop-attrleaf-07.html#rfc.section.1.1
> so basically: we used to not allow underscores, people do use leading
> underscores for scoping, and we use it particularly for ACME aliases...

There was some confusion with which ALIAS you meant, as there's a not really
used DNS record type named "ALIAS" too (which is unrelated to that one here).

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Dietmar Maurer]

Seems DNS names in general are totally unrestricted and
may contain arbitrary binary data:

https://tools.ietf.org/html/rfc2181#section-11

Only host names and url are restricted.

?!

> On 04/28/2021 5:55 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
> 
>  
> Is this the same syntax used for DNS SRV records?
> 
> https://en.wikipedia.org/wiki/SRV_record
> 
> > On 04/28/2021 1:15 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
> > 
> >  
> > > On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> > > 
> > >  
> > > On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > > > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> > > 
> > > One allows underscores at the beginning, the other doesn't, as for
> > 
> > But where is it defined that an ALIAS may contain underscores?
> > Do you have a link to the corresponding RFC?
> > 
> > 
> > _______________________________________________
> > pbs-devel mailing list
> > pbs-devel@lists.proxmox.com
> > https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Dietmar Maurer]

Is this the same syntax used for DNS SRV records?

https://en.wikipedia.org/wiki/SRV_record

> On 04/28/2021 1:15 PM Dietmar Maurer <dietmar@proxmox.com> wrote:
> 
>  
> > On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> > 
> >  
> > On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> > 
> > One allows underscores at the beginning, the other doesn't, as for
> 
> But where is it defined that an ALIAS may contain underscores?
> Do you have a link to the corresponding RFC?
> 
> 
> _______________________________________________
> pbs-devel mailing list
> pbs-devel@lists.proxmox.com
> https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Wolfgang Bumiller]

On Wed, Apr 28, 2021 at 01:15:01PM +0200, Dietmar Maurer wrote:
> 
> > On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> > 
> >  
> > On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> > 
> > One allows underscores at the beginning, the other doesn't, as for
> 
> But where is it defined that an ALIAS may contain underscores?
> Do you have a link to the corresponding RFC?

I suppose it makes more sense to rename it to DNS_ACME_ALIAS...

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Dietmar Maurer]

> On 04/28/2021 1:07 PM Wolfgang Bumiller <w.bumiller@proxmox.com> wrote:
> 
>  
> On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> > Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?
> 
> One allows underscores at the beginning, the other doesn't, as for

But where is it defined that an ALIAS may contain underscores?
Do you have a link to the corresponding RFC?

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Wolfgang Bumiller]

On Wed, Apr 28, 2021 at 12:26:11PM +0200, Dietmar Maurer wrote:
> Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?

One allows underscores at the beginning, the other doesn't, as for
"regular" domains that's not allowed, and the acme challenge domain uses
`_acme_challenge` as a prefix and it makes sense to allow users to use
this in their aliases as well, as that's just the domain where the
challenge data ultimately ends up at.

> 
> 
> On 4/22/21 4:01 PM, Wolfgang Bumiller wrote:
> > Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> > ---
> >   src/api2/types/mod.rs | 10 ++++++++++
> >   1 file changed, 10 insertions(+)
> > 
> > diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs
> > index 9d1bd301..eee91dfd 100644
> > --- a/src/api2/types/mod.rs
> > +++ b/src/api2/types/mod.rs
> > @@ -51,6 +51,11 @@ pub const FILENAME_FORMAT: ApiStringFormat = ApiStringFormat::VerifyFn(|name| {
> >   macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
> >   macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
> > +macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
> > +macro_rules! DNS_ALIAS_NAME {
> > +    () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
> > +}
> > +
> >   macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
> >   macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
> > @@ -87,6 +92,8 @@ const_regex!{
> >       pub DNS_NAME_REGEX =  concat!(r"^", DNS_NAME!(), r"$");
> > +    pub DNS_ALIAS_REGEX =  concat!(r"^", DNS_ALIAS_NAME!(), r"$");
> > +
> >       pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|",  IPRE!(), r")$");
> >       pub BACKUP_REPO_URL_REGEX = concat!(r"^^(?:(?:(", USER_ID_REGEX_STR!(), "|", APITOKEN_ID_REGEX_STR!(), ")@)?(", DNS_NAME!(), "|",  IPRE_BRACKET!() ,"):)?(?:([0-9]{1,5}):)?(", PROXMOX_SAFE_ID_REGEX_STR!(), r")$");
> > @@ -142,6 +149,9 @@ pub const HOSTNAME_FORMAT: ApiStringFormat =
> >   pub const DNS_NAME_FORMAT: ApiStringFormat =
> >       ApiStringFormat::Pattern(&DNS_NAME_REGEX);
> > +pub const DNS_ALIAS_FORMAT: ApiStringFormat =
> > +    ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
> > +
> >   pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
> >       ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);

Re: [pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Dietmar Maurer]

Sorry, I don't get this. Why is DNS_LABEL and DNS_ALIAS_LABEL different?


On 4/22/21 4:01 PM, Wolfgang Bumiller wrote:
> Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
> ---
>   src/api2/types/mod.rs | 10 ++++++++++
>   1 file changed, 10 insertions(+)
>
> diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs
> index 9d1bd301..eee91dfd 100644
> --- a/src/api2/types/mod.rs
> +++ b/src/api2/types/mod.rs
> @@ -51,6 +51,11 @@ pub const FILENAME_FORMAT: ApiStringFormat = ApiStringFormat::VerifyFn(|name| {
>   macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
>   macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
>   
> +macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
> +macro_rules! DNS_ALIAS_NAME {
> +    () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
> +}
> +
>   macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
>   macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
>   
> @@ -87,6 +92,8 @@ const_regex!{
>   
>       pub DNS_NAME_REGEX =  concat!(r"^", DNS_NAME!(), r"$");
>   
> +    pub DNS_ALIAS_REGEX =  concat!(r"^", DNS_ALIAS_NAME!(), r"$");
> +
>       pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|",  IPRE!(), r")$");
>   
>       pub BACKUP_REPO_URL_REGEX = concat!(r"^^(?:(?:(", USER_ID_REGEX_STR!(), "|", APITOKEN_ID_REGEX_STR!(), ")@)?(", DNS_NAME!(), "|",  IPRE_BRACKET!() ,"):)?(?:([0-9]{1,5}):)?(", PROXMOX_SAFE_ID_REGEX_STR!(), r")$");
> @@ -142,6 +149,9 @@ pub const HOSTNAME_FORMAT: ApiStringFormat =
>   pub const DNS_NAME_FORMAT: ApiStringFormat =
>       ApiStringFormat::Pattern(&DNS_NAME_REGEX);
>   
> +pub const DNS_ALIAS_FORMAT: ApiStringFormat =
> +    ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
> +
>   pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
>       ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
>   

[pbs-devel] [PATCH v2 backup 02/27] add dns alias schema

[Wolfgang Bumiller]

Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
---
 src/api2/types/mod.rs | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/api2/types/mod.rs b/src/api2/types/mod.rs
index 9d1bd301..eee91dfd 100644
--- a/src/api2/types/mod.rs
+++ b/src/api2/types/mod.rs
@@ -51,6 +51,11 @@ pub const FILENAME_FORMAT: ApiStringFormat = ApiStringFormat::VerifyFn(|name| {
 macro_rules! DNS_LABEL { () => (r"(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
 macro_rules! DNS_NAME { () => (concat!(r"(?:(?:", DNS_LABEL!() , r"\.)*", DNS_LABEL!(), ")")) }
 
+macro_rules! DNS_ALIAS_LABEL { () => (r"(?:[a-zA-Z0-9_](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?)") }
+macro_rules! DNS_ALIAS_NAME {
+    () => (concat!(r"(?:(?:", DNS_ALIAS_LABEL!() , r"\.)*", DNS_ALIAS_LABEL!(), ")"))
+}
+
 macro_rules! CIDR_V4_REGEX_STR { () => (concat!(r"(?:", IPV4RE!(), r"/\d{1,2})$")) }
 macro_rules! CIDR_V6_REGEX_STR { () => (concat!(r"(?:", IPV6RE!(), r"/\d{1,3})$")) }
 
@@ -87,6 +92,8 @@ const_regex!{
 
     pub DNS_NAME_REGEX =  concat!(r"^", DNS_NAME!(), r"$");
 
+    pub DNS_ALIAS_REGEX =  concat!(r"^", DNS_ALIAS_NAME!(), r"$");
+
     pub DNS_NAME_OR_IP_REGEX = concat!(r"^(?:", DNS_NAME!(), "|",  IPRE!(), r")$");
 
     pub BACKUP_REPO_URL_REGEX = concat!(r"^^(?:(?:(", USER_ID_REGEX_STR!(), "|", APITOKEN_ID_REGEX_STR!(), ")@)?(", DNS_NAME!(), "|",  IPRE_BRACKET!() ,"):)?(?:([0-9]{1,5}):)?(", PROXMOX_SAFE_ID_REGEX_STR!(), r")$");
@@ -142,6 +149,9 @@ pub const HOSTNAME_FORMAT: ApiStringFormat =
 pub const DNS_NAME_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_NAME_REGEX);
 
+pub const DNS_ALIAS_FORMAT: ApiStringFormat =
+    ApiStringFormat::Pattern(&DNS_ALIAS_REGEX);
+
 pub const DNS_NAME_OR_IP_FORMAT: ApiStringFormat =
     ApiStringFormat::Pattern(&DNS_NAME_OR_IP_REGEX);
 
-- 
2.20.1