diff --git a/CHANGES b/CHANGES
index 647b682a3c..e147f40630 100644
--- a/CHANGES
+++ b/CHANGES
@@ -1,3 +1,10 @@
+5771. [bug] Use idn2 UseSTD3ASCIIRules=false to disable additional
+ unicode validity checks because enabling the additional
+ checks would break valid domain names that contains
+ non-alphanumerical characters such as underscore
+ character (_) or wildcard (*). This reverts change
+ [GL !5738] from the previous release. [GL #1610]
+
 5770. [func] BIND could abort on startup on systems using old OpenSSL versions when 'protocols' option is used inside a 'tls' statement. [GL !5602]
diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 38f8021ad7..35b3d52957 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -4365,9 +4365,7 @@ idn_locale_to_ace(const char *src, char *dst, size_t dstlen) {
 * We trust libidn2 to return an error if 'src' is too large to be a
 * valid domain name.
 */
- res = idn2_to_ascii_lz(src, &ascii_src,
- IDN2_NONTRANSITIONAL |
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_ascii_lz(src, &ascii_src, IDN2_NONTRANSITIONAL);
 if (res != IDN2_OK) {
 fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnin",
 src, idn2_strerror(res));
@@ -4422,7 +4420,7 @@ idn_ace_to_locale(const char *src, char **dst) {
 *
 * First, convert 'src' to UTF-8, ignoring the current locale.
 */
- res = idn2_to_unicode_8z8z(src, &utf8_src, IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_unicode_8z8z(src, &utf8_src, 0);
 if (res != IDN2_OK) {
 fatal("Bad ACE string '%s' (%s), use +noidnout", src,
 idn2_strerror(res));
@@ -4431,9 +4429,7 @@ idn_ace_to_locale(const char *src, char **dst) {
 /*
 * Then, check whether decoded 'src' is a valid IDNA2008 name.
 */
- res = idn2_to_ascii_8z(utf8_src, NULL,
- IDN2_NONTRANSITIONAL |
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL);
 if (res != IDN2_OK) {
 fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout",
 src, idn2_strerror(res));
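Review bot: Nothing at the idn2_to_ascii_lz() call site records why IDN2_USE_STD3_ASCII_RULES is deliberately absent, so a later cleanup can re-add the flag and reintroduce the regression this commit fixes; the same applies to the idn2_to_unicode_8z8z() and idn2_to_ascii_8z() calls in the two hunks that follow. The CHANGES entry gives the reason, but it does not travel with the code. Suggest extending the comment already above the call with `* IDN2_USE_STD3_ASCII_RULES is intentionally not set: it breaks valid` / `* query names containing '_' or '*' (see [GL #1610]).`, with a one-line equivalent at the other two call sites. idn_locale_to_ace() starts before the hunk and continues after it.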
@@ -4443,13 +4439,11 @@ idn_ace_to_locale(const char *src, char **dst) {
 * Finally, try converting the decoded 'src' into the current locale's
 * character encoding.
 */
- res = idn2_to_unicode_8zlz(utf8_src, &local_src,
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_unicode_8zlz(utf8_src, &local_src, 0);
 if (res != IDN2_OK) {
 static bool warned = false;
- res = idn2_to_ascii_8z(utf8_src, &local_src,
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_ascii_8z(utf8_src, &local_src, 0);
 if (res != IDN2_OK) {
 fatal("Cannot represent '%s' "
 "in the current locale nor ascii (%s), "
diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
index e16809f81b..f45930d44d 100644
--- a/bin/tests/system/idna/tests.sh
+++ b/bin/tests/system/idna/tests.sh
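Review bot: The fallback `res = idn2_to_ascii_8z(utf8_src, &local_src, 0);` now passes no flags at all, while the validity check in the preceding hunk validates the same utf8_src with IDN2_NONTRANSITIONAL; if this libidn2 version does not apply non-transitional processing by default, the ASCII form printed here could differ from the one that was just validated. Passing the same flag here, `res = idn2_to_ascii_8z(utf8_src, &local_src, IDN2_NONTRANSITIONAL);`, keeps the two calls in step. The mismatch predates this commit, which only dropped the STD3 flag, so it may be deliberate and deserves at least a comment saying so. The inner if-block and idn_ace_to_locale() continue past the end of the hunk.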
@@ -348,28 +348,23 @@ idna_enabled_test() {
 idna_fail "$text" "+noidnin +idnout" "xn--19g"
 idna_fail "$text" "+idnin +idnout" "xn--19g"
- # Test that the UseSTD3ASCIIRules is being used
- #
- # Note that "+noidnin +idnout" is not tested because libidn2 2.2.0+ parses
- # Punycode more strictly than older versions and thus dig succeeds with that
- # combination of options with libidn2 2.2.0+ but fails with older
- # versions.
- #
- # Note that "+idnin +idnout" is not tested because libidn2 2.2.0+ parses
- # Punycode more strictly than older versions and thus dig fails with that
- # combination of options with libidn2 2.2.0+ but succeeds with older
- # versions.
- #
- # With UseSTD13ASCIIRules=false, '☺' produces 'xn--\032o-oia59s'
- #
- # With UseSTD13ASCIIRules=true, '☺' produces 'xn--o-vfa'
- text="Check that UseSTD3ASCIIRules is being used"
- idna_test "$text" "" "☺" "\195\162\203\156\194\186."
- idna_test "$text" "+noidnin +noidnout" "☺" "\195\162\203\156\194\186."
- # idna_test "$text" "+noidnin +idnout" "☺" "xn--o-vfa."
- idna_test "$text" "+idnin +noidnout" "☺" "xn--o-vfa."
- # idna_fail "$text" "+idnin +idnout" "☺" "âo."
+ # Test that non-letter characters are preserved in the output. When
+ # UseSTD3ASCIIRules are enabled, it would mangle non-letter characters like
+ # `_` (underscore) and `*` (wildcard.
+
+ test="Checking valid non-letter characters"
+ idna_test "$text" "" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com."
+ idna_test "$text" "+idnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+ idna_test "$text" "+idnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com."
+
+ idna_test "$text" "" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com."
+ idna_test "$text" "+idnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+ idna_test "$text" "+idnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com."
 }
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 8932ffcca1..66035404ae 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -43,6 +43,12 @@ Feature Changes
 For example: ``allow-transfer port 853 transport tls { any; };`` :gl:`#2776`
+- `UseSTD3ASCIIRules`_ is now disabled for IDN support. This disables additional
+ validation rules for domain names in dig because applying the rules would
+ silently strip characters not-allowed in hostnames such as underscore (``_``)
+ or wildcard (``*``) characters. This reverts change :gl:`!5738` from the
+ previous release. :gl:`#1610`
+
 Bug Fixes
 ~~~~~~~~~
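Review bot: The new block assigns `test="Checking valid non-letter characters"` but every idna_test call after it reads `"$text"`, so the assigned description is never used and the failure messages for these ten checks carry whatever value `text` last held (the description set for the `xn--19g` checks above, if nothing else assigns it in between). The line should read `text="Checking valid non-letter characters"`. The comment two lines earlier is also missing its closing parenthesis: `# `_` (underscore) and `*` (wildcard).`. idna_enabled_test() starts before the hunk.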