[cabfpub] Underscore Characters in SANs

Erwann Abalea erwann.abalea at keynectis.com
Wed Aug 7 09:22:13 UTC 2013


Taken from X.509: "dNSName is an Internet domain name defined in 
accordance with Internet RFC 1035."

So far, IIRC, the only possible DNS entries that support the underscore 
character are of type TXT and SRV. A, AAAA, CNAME, NS, MX records can't 
use such a character.
Referring to a TXT entry is useless in a SAN, referring to a SRV entry may 
have a meaning (this needs to be discussed). But in that case, the entry 
MUST follow RFC2782 format ("_Service._Proto.Name", for example 
"_xmpp._tcp.godaddy.com").

Even in such a case, you'll have a DNS entry such as this one:
_xmpp._tcp.godaddy.com. IN SRV 0 1 5222 chat.godaddy.com.
and the certificate would certainly be delivered to "chat.godaddy.com".

-- 
Erwann ABALEA

On 07/08/2013 06:47, Wayne Thayer wrote:
> Can anyone tell me if there is a reason not to allow an underscore (_) 
> character in a DNSName SAN field?  From what I can tell, a DNSName can 
> contain this character, and I can do DNS queries that return public 
> FQDNs in the format "a_b.domain.tld".  A _host_ name does not permit 
> this character, so it may not work properly in a browser, but from 
> what I can tell, some other type of service using SSL should be able 
> to leverage an SSL certificate with this character in the SAN.
>
> Thanks,
>
> Wayne

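The distinction drawn in this thread, as an added Python example that is not part of the original messages: it classifies dNSName SAN values into plain host names, RFC 2782 `_Service._Proto.Name` owner names, and other underscore names such as `a_b.domain.tld`. The function names, category labels and sample list are assumptions made for this example.

```python
import re

# LDH label: letters, digits, hyphen; no leading or trailing hyphen
# (RFC 1035 section 2.3.1 preferred syntax, leading digit allowed per RFC 1123).
LDH = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
# Same shape with underscore also accepted; this is not host-name syntax.
LDH_US = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?")

# Constructed sample input, using the names quoted in the thread.
SAMPLE_SANS = ["chat.godaddy.com", "_xmpp._tcp.godaddy.com", "a_b.domain.tld",
               "*.example.com", "-bad.example.com"]


def _all(pattern, labels):
    """True when there is at least one label and every label matches."""
    return bool(labels) and all(pattern.fullmatch(label) for label in labels)


def classify_dnsname(name):
    """Classify one dNSName value (category names are this example's own)."""
    name = name[:-1] if name.endswith(".") else name  # drop the root dot
    labels = name.split(".")
    if not name or len(name) > 253 or any(not 1 <= len(l) <= 63 for l in labels):
        return "invalid"
    if _all(LDH, labels):
        return "hostname"
    if labels[0] == "*" and _all(LDH, labels[1:]):
        return "wildcard"
    # RFC 2782 owner name: _Service._Proto.Name, with Name in host-name syntax.
    if (len(labels) > 2 and labels[0].startswith("_") and labels[1].startswith("_")
            and _all(LDH, [labels[0][1:], labels[1][1:]] + labels[2:])):
        return "srv-owner"
    if _all(LDH_US, labels):
        return "underscore"
    return "invalid"


def lint_sans(names):
    """Return {name: category} for every SAN that is not a host name or wildcard."""
    findings = {}
    for name in names:
        category = classify_dnsname(name)
        if category not in ("hostname", "wildcard"):
            findings[name] = category
    return findings
```
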