<!-- 
RSS generated by JIRA (9.7.1#970001-sha1:2222b88b221c4928ef0de3161136cc90c8356a66) at Thu Feb 08 08:24:37 UTC 2024

It is possible to restrict the fields that are returned in this document by specifying the 'field' parameter in your request.
For example, to request only the issue key and summary append 'field=key&field=summary' to the URL of your request.
-->
<rss version="0.92" >
<channel>
    <title>MongoDB Jira</title>
    <link>https://jira.mongodb.org</link>
    <description>This file is an XML representation of an issue</description>
    <language>en-us</language>    <build-info>
        <version>9.7.1</version>
        <build-number>970001</build-number>
        <build-date>13-04-2023</build-date>
    </build-info>


<item>
            <title>[DRIVERS-2057] Determine how drivers should handle trailing dots in SRV results</title>
                <link>https://jira.mongodb.org/browse/DRIVERS-2057</link>
                <project id="10980" key="DRIVERS">Drivers</project>
                    <description>&lt;p&gt;Per &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-2087&quot; title=&quot;Test parsing of hosts with trailing dots&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-2087&quot;&gt;SPEC-1264&lt;/a&gt;, drivers will test that trailing dots are permitted in host names. As this relates to initial DNS seedlist discovery, we should permit trailing dots in SRV results but must also decide how, if at all, trailing dots factor into matching domain suffixes between the original service (host in URI string) and SRV results.&lt;/p&gt;

&lt;p&gt;In &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-31965&quot; title=&quot;Mongo Shell does not handle FQDN from SRV target values correctly&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-31965&quot;&gt;&lt;del&gt;SERVER-31965&lt;/del&gt;&lt;/a&gt;, a fix for the &lt;tt&gt;mongo&lt;/tt&gt; shell&apos;s validation of certificates entailed stripping trailing dots from SRV results; however, I&apos;m not sure if that&apos;s relevant to domain suffix matching for drivers.&lt;/p&gt;</description>
                <environment></environment>
        <key id="724098">DRIVERS-2057</key>
            <summary>Determine how drivers should handle trailing dots in SRV results</summary>
                <type id="14901" iconUrl="https://jira.mongodb.org/secure/viewavatar?size=xsmall&amp;avatarId=14700&amp;avatarType=issuetype">Spec Change</type>
                                            <priority id="3" iconUrl="https://jira.mongodb.org/images/icons/priorities/major.svg">Major - P3</priority>
                        <status id="10038" iconUrl="https://jira.mongodb.org/images/icons/subtask.gif" description="">Backlog</status>
                    <statusCategory id="2" key="new" colorName="default"/>
                                    <resolution id="-1">Unresolved</resolution>
                                        <assignee username="-1">Unassigned</assignee>
                                    <reporter username="jmikola@mongodb.com">Jeremy Mikola</reporter>
                        <labels>
                    </labels>
                <created>Wed, 27 Mar 2019 19:07:19 +0000</created>
                <updated>Thu, 31 Mar 2022 14:17:22 +0000</updated>
                                                                <component>Initial DNS Seedlist Discovery</component>
                                        <votes>0</votes>
                                    <watches>4</watches>
                                                                                                                <comments>
                            <comment id="2195262" author="adam.martin" created="Thu, 28 Mar 2019 21:16:02 +0000"  >&lt;p&gt;Spencer&apos;s assessment appears to be correct.&lt;/p&gt;</comment>
                            <comment id="2194915" author="spencer.jackson@10gen.com" created="Thu, 28 Mar 2019 17:35:35 +0000"  >&lt;p&gt;1) All SRV results are fully qualified. SRV results &lt;b&gt;implicitly&lt;/b&gt; have a dot at the end. Drivers probably should be able to accept dots at the end of connection string hosts.&lt;br/&gt;
2) Yes, but this is less scary than it sounds. CAs sign certificates for names that they observe within some namespace. Clients opening connections to some name will observe a certificate. If the client&apos;s original DNS lookup obtains a name from the global namespace, there&apos;s no problem with the CA having issued a certificate for a global name without a dot. If the client&apos;s DNS lookup obtains a name from a non-global scope, then for the certificate to be valid, the client and the CA have to have been using names from the same scope.&lt;br/&gt;
If the client intended to connect to a global name, but due to a lack of qualification actually wound up connecting to a name from a scope, AND was given a valid certificate, then the CA colluded with the DNS operator and the host. But, CAs are by definition trusted.&lt;br/&gt;
3a) In your example, I believe that if you perform an SRV lookup on &amp;lt;&lt;tt&gt;foo.example.com.&lt;/tt&gt;&amp;gt;, the result &amp;lt;&lt;tt&gt;a.example.com&lt;/tt&gt;&amp;gt; should match, because all SRV results are fully qualified.&lt;br/&gt;
3b) In the case where you perform a lookup on an unqualified name, I believe it is fine to accept the results in either case, because the results are always qualified. You are relying on your CA&apos;s view of the DNS topology to enforce that both names are in the same namespace.&lt;/p&gt;

&lt;p&gt;CC &lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=adam.martin&quot; class=&quot;user-hover&quot; rel=&quot;adam.martin&quot;&gt;adam.martin&lt;/a&gt; who implemented this in the shell, and has feelings about DNS RFCs. Does this response sound right?&lt;/p&gt;</comment>
                            <comment id="2194750" author="jmikola@gmail.com" created="Thu, 28 Mar 2019 15:57:28 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=oleg.pudeyev&quot; class=&quot;user-hover&quot; rel=&quot;oleg.pudeyev&quot;&gt;oleg.pudeyev&lt;/a&gt;: Thanks for the link. This definitely seems related to this issue, as well as &lt;a href=&quot;https://jira.mongodb.org/browse/DRIVERS-2087&quot; title=&quot;Test parsing of hosts with trailing dots&quot; class=&quot;issue-link&quot; data-issue-key=&quot;DRIVERS-2087&quot;&gt;SPEC-1264&lt;/a&gt; (for general connection string parsing).&lt;/p&gt;

&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=spencer.jackson&quot; class=&quot;user-hover&quot; rel=&quot;spencer.jackson&quot;&gt;spencer.jackson&lt;/a&gt;: Can you chime in on this issue and answer a few outstanding questions?&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Would drivers do well to accept trailing dots in connection string hosts and SRV results (assuming they do not today)?&lt;/li&gt;
	&lt;li&gt;Assuming drivers do accept trailing dots, would they need a similar solution as &lt;a href=&quot;https://jira.mongodb.org/browse/SERVER-31965&quot; title=&quot;Mongo Shell does not handle FQDN from SRV target values correctly&quot; class=&quot;issue-link&quot; data-issue-key=&quot;SERVER-31965&quot;&gt;&lt;del&gt;SERVER-31965&lt;/del&gt;&lt;/a&gt; as it relates to certificate validation?&lt;/li&gt;
	&lt;li&gt;Are the comparison examples and reasoning in my &lt;a href=&quot;https://jira.mongodb.org/browse/SPEC-1265?focusedCommentId=2194693&amp;amp;page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-2194693&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;previous comment&lt;/a&gt; sound?&lt;/li&gt;
	&lt;li&gt;Are there any other security concerns we may be missing in this conversation? I don&apos;t want to run afoul of SECURITY-488.&lt;/li&gt;
&lt;/ul&gt;
</comment>
                            <comment id="2194742" author="oleg.pudeyev" created="Thu, 28 Mar 2019 15:51:17 +0000"  >&lt;p&gt;&lt;a href=&quot;https://jira.mongodb.org/secure/ViewProfile.jspa?name=jmikola&quot; class=&quot;user-hover&quot; rel=&quot;jmikola&quot;&gt;jmikola&lt;/a&gt; There is also &lt;a href=&quot;https://jira.mongodb.org/browse/SPEC-1228?filter=25987&quot; class=&quot;external-link&quot; rel=&quot;nofollow&quot;&gt;https://jira.mongodb.org/browse/SPEC-1228?filter=25987&lt;/a&gt; which may be relevant to the work here.&lt;/p&gt;</comment>
                            <comment id="2194693" author="jmikola@gmail.com" created="Thu, 28 Mar 2019 15:41:28 +0000"  >&lt;p&gt;If we ensure that drivers allow a trailing dot in host names, this &lt;em&gt;will&lt;/em&gt; likely require some changes to the current logic for enforcing a common suffix between the service host name and SRV results. In the case of libmongoc, which doesn&apos;t yet permit trailing dots (&lt;a href=&quot;https://jira.mongodb.org/browse/CDRIVER-3043&quot; title=&quot;valid_hostname() should not rejects strings with trailing dots&quot; class=&quot;issue-link&quot; data-issue-key=&quot;CDRIVER-3043&quot;&gt;&lt;del&gt;CDRIVER-3043&lt;/del&gt;&lt;/a&gt;), a suffix is extracted from the service as the substring following the second-to-last dot through the end of the string. If libmongoc were to start allowing trailing dots, this could lead to &lt;tt&gt;.com.&lt;/tt&gt; being parsed as the suffix for &lt;tt&gt;foo.example.com.&lt;/tt&gt; when we would actually want to use &lt;tt&gt;.example.com.&lt;/tt&gt;.&lt;/p&gt;

&lt;p&gt;Therefore, drivers may need to alter their suffix extraction logic to account for the optional trailing dot. With that addressed, I think the following logic would apply:&lt;/p&gt;

&lt;ul&gt;
	&lt;li&gt;Service with trailing dot: &lt;tt&gt;foo.example.com.&lt;/tt&gt;
	&lt;ul&gt;
		&lt;li&gt;SRV result &lt;tt&gt;a.example.com&lt;/tt&gt; does not match (without trailing dot, resolution may add a suffix from the DNS searchlist)&lt;/li&gt;
		&lt;li&gt;SRV result &lt;tt&gt;a.example.com.&lt;/tt&gt; does match&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
	&lt;li&gt;Service without trailing dot: &lt;tt&gt;foo.example.com&lt;/tt&gt;
	&lt;ul&gt;
		&lt;li&gt;SRV result &lt;tt&gt;a.example.com&lt;/tt&gt; does match. While unlikely, we can&apos;t be certain if resolution will add a suffix from the DNS searchlist to either the service or SRV result. We also can&apos;t be sure that the same suffix will be used for both hosts. That said, this is the most common case and we should attempt to match as-is.&lt;/li&gt;
		&lt;li&gt;SRV result &lt;tt&gt;a.example.com.&lt;/tt&gt; does not match&lt;/li&gt;
	&lt;/ul&gt;
	&lt;/li&gt;
&lt;/ul&gt;
</comment>
                    </comments>
                <issuelinks>
                            <issuelinktype id="10011">
                    <name>Depends</name>
                                                                <inwardlinks description="is depended on by">
                                                        </inwardlinks>
                                    </issuelinktype>
                            <issuelinktype id="10012">
                    <name>Related</name>
                                            <outwardlinks description="related to">
                                        <issuelink>
            <issuekey id="705355">DRIVERS-2058</issuekey>
        </issuelink>
                            </outwardlinks>
                                                                <inwardlinks description="is related to">
                                        <issuelink>
            <issuekey id="458414">SERVER-31965</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="723626">CDRIVER-3043</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="724094">DRIVERS-2087</issuekey>
        </issuelink>
            <issuelink>
            <issuekey id="723463">DRIVERS-2123</issuekey>
        </issuelink>
                            </inwardlinks>
                                    </issuelinktype>
                    </issuelinks>
                <attachments>
                    </attachments>
                <subtasks>
                    </subtasks>
                <customfields>
                                                                                                                                                                                                                                                                                                            <customfield id="customfield_15850" key="com.atlassian.jira.plugins.jira-development-integration-plugin:devsummary">
                        <customfieldname>Development</customfieldname>
                        <customfieldvalues>
                            
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                    <customfield id="customfield_10951" key="com.atlassian.jira.plugin.system.customfieldtypes:radiobuttons">
                        <customfieldname>Driver Changes</customfieldname>
                        <customfieldvalues>
                                <customfieldvalue key="10748"><![CDATA[Needed]]></customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        <customfield id="customfield_12550" key="com.pyxis.greenhopper.jira:gh-lexo-rank">
                        <customfieldname>Rank</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>2|huhmkv:</customfieldvalue>

                        </customfieldvalues>
                    </customfield>
                                                                <customfield id="customfield_10558" key="com.pyxis.greenhopper.jira:gh-global-rank">
                        <customfieldname>Rank (Obsolete)</customfieldname>
                        <customfieldvalues>
                            <customfieldvalue>9223372036854775807</customfieldvalue>
                        </customfieldvalues>
                    </customfield>
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        </customfields>
    </item>
</channel>
</rss>