From 69cfc07d006405fd171c3c9014ed873e00a9478e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 30 Nov 2021 15:18:40 +0100
Subject: [PATCH 1/4] Disable IDN2_USE_STD3_ASCII_RULES to idn2 conversion functions

Disable IDN2_USE_STD3_ASCII_RULES to the libidn2 conversion because it broke encoding some non-letter but valid domain names like _tcp or *.

This reverts commit ef8aa91740592a78c9162f3f7109167f2c9297a5.
---
 bin/dig/dighost.c | 16 +++++-----------
 1 file changed, 5 insertions(+), 11 deletions(-)

diff --git a/bin/dig/dighost.c b/bin/dig/dighost.c
index 38f8021ad7..35b3d52957 100644
--- a/bin/dig/dighost.c
+++ b/bin/dig/dighost.c
@@ -4365,9 +4365,7 @@ idn_locale_to_ace(const char *src, char *dst, size_t dstlen) {
 * We trust libidn2 to return an error if 'src' is too large to be a
 * valid domain name.
 */
- res = idn2_to_ascii_lz(src, &ascii_src,
- IDN2_NONTRANSITIONAL |
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_ascii_lz(src, &ascii_src, IDN2_NONTRANSITIONAL);
 if (res != IDN2_OK) {
 fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnin",
 src, idn2_strerror(res));
@@ -4422,7 +4420,7 @@ idn_ace_to_locale(const char *src, char **dst) {
 *
 * First, convert 'src' to UTF-8, ignoring the current locale.
 */
- res = idn2_to_unicode_8z8z(src, &utf8_src, IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_unicode_8z8z(src, &utf8_src, 0);
 if (res != IDN2_OK) {
 fatal("Bad ACE string '%s' (%s), use +noidnout", src,
 idn2_strerror(res));
@@ -4431,9 +4429,7 @@ idn_ace_to_locale(const char *src, char **dst) {
 /*
 * Then, check whether decoded 'src' is a valid IDNA2008 name.
 */
- res = idn2_to_ascii_8z(utf8_src, NULL,
- IDN2_NONTRANSITIONAL |
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_ascii_8z(utf8_src, NULL, IDN2_NONTRANSITIONAL);
 if (res != IDN2_OK) {
 fatal("'%s' is not a legal IDNA2008 name (%s), use +noidnout",
 src, idn2_strerror(res));
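Review bot: The new `res = idn2_to_ascii_lz(src, &ascii_src, IDN2_NONTRANSITIONAL);` in idn_locale_to_ace carries no comment saying why IDN2_USE_STD3_ASCII_RULES is deliberately absent, and the commit message shows the flag has already been added (ef8aa917) and reverted once, so a later "tighten validation" cleanup could easily reintroduce it. I would add directly above the call: `/* Deliberately no IDN2_USE_STD3_ASCII_RULES: with it libidn2 rejects or mangles valid non-LDH labels such as _tcp and the * wildcard (GL #1610). */`. Without the STD3 check, ASCII labels containing characters outside letters/digits/hyphen are presumably passed through to libidn2 and onto the wire unchanged, which is what a diagnostic tool like dig wants but is worth stating in the same comment. idn_locale_to_ace begins before this hunk and its remainder lies outside it.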
@@ -4443,13 +4439,11 @@ idn_ace_to_locale(const char *src, char **dst) {
 * Finally, try converting the decoded 'src' into the current locale's
 * character encoding.
 */
- res = idn2_to_unicode_8zlz(utf8_src, &local_src,
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_unicode_8zlz(utf8_src, &local_src, 0);
 if (res != IDN2_OK) {
 static bool warned = false;
 
- res = idn2_to_ascii_8z(utf8_src, &local_src,
- IDN2_USE_STD3_ASCII_RULES);
+ res = idn2_to_ascii_8z(utf8_src, &local_src, 0);
 if (res != IDN2_OK) {
 fatal("Cannot represent '%s' "
 "in the current locale nor ascii (%s), "

From 70d8395ca33d5306b27200b215bcef33ef85f93f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 30 Nov 2021 15:20:07 +0100
Subject: [PATCH 2/4] Remove idna test for UseSTD3ASCIIRules=true

We had to disable UseSTD3ASCIIRules=true because it broke non-letter domain names like _tcp or *. Disable the idna test too.
---
 bin/tests/system/idna/tests.sh | 23 -----------------------
 1 file changed, 23 deletions(-)

diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
index e16809f81b..d7da8e3427 100644
--- a/bin/tests/system/idna/tests.sh
+++ b/bin/tests/system/idna/tests.sh
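Review bot: The fallback `res = idn2_to_ascii_8z(utf8_src, &local_src, 0);` passes flags 0, while the validity check earlier in the same function (the hunk at 4431) encodes the same utf8_src with IDN2_NONTRANSITIONAL; the commit rewrites this line but keeps that mismatch. If libidn2 applies its TR46 mapping only when a transitional/non-transitional flag is given, a name that just passed the check could be encoded differently or rejected here, and the failure would then surface as "Cannot represent ... in the current locale nor ascii" rather than as an invalid name. I would make the two calls agree, `res = idn2_to_ascii_8z(utf8_src, &local_src, IDN2_NONTRANSITIONAL);`, or add a one-line comment stating why the fallback intentionally uses different flags. idn_ace_to_locale starts before this hunk and continues after it.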
@@ -347,29 +347,6 @@ idna_enabled_test() {
 idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g."
 idna_fail "$text" "+noidnin +idnout" "xn--19g"
 idna_fail "$text" "+idnin +idnout" "xn--19g"
-
- # Test that the UseSTD3ASCIIRules is being used
- #
- # Note that "+noidnin +idnout" is not tested because libidn2 2.2.0+ parses
- # Punycode more strictly than older versions and thus dig succeeds with that
- # combination of options with libidn2 2.2.0+ but fails with older
- # versions.
- #
- # Note that "+idnin +idnout" is not tested because libidn2 2.2.0+ parses
- # Punycode more strictly than older versions and thus dig fails with that
- # combination of options with libidn2 2.2.0+ but succeeds with older
- # versions.
- #
- # With UseSTD13ASCIIRules=false, '☺' produces 'xn--\032o-oia59s'
- #
- # With UseSTD13ASCIIRules=true, '☺' produces 'xn--o-vfa'
-
- text="Check that UseSTD3ASCIIRules is being used"
- idna_test "$text" "" "☺" "\195\162\203\156\194\186."
- idna_test "$text" "+noidnin +noidnout" "☺" "\195\162\203\156\194\186."
- # idna_test "$text" "+noidnin +idnout" "☺" "xn--o-vfa."
- idna_test "$text" "+idnin +noidnout" "☺" "xn--o-vfa."
- # idna_fail "$text" "+idnin +idnout" "☺" "âo."
 }

From ce1256c0665dcbec31b92fa86d773a55f51d661c Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Wed, 1 Dec 2021 10:20:31 +0100
Subject: [PATCH 3/4] Add an idna test that _ and * characters are preserved

Add a idna that checks whether non-character letters like _ and * are preserved when IDN is enabled. This wasn't the case when UseSTD3ASCIIRules were enabled, f.e. _ from _tcp would get mangled to tcp.
---
 bin/tests/system/idna/tests.sh | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/bin/tests/system/idna/tests.sh b/bin/tests/system/idna/tests.sh
index d7da8e3427..f45930d44d 100644
--- a/bin/tests/system/idna/tests.sh
+++ b/bin/tests/system/idna/tests.sh
@@ -347,6 +347,24 @@ idna_enabled_test() {
 idna_test "$text" "+noidnin +noidnout" "xn--19g" "xn--19g."
 idna_fail "$text" "+noidnin +idnout" "xn--19g"
 idna_fail "$text" "+idnin +idnout" "xn--19g"
+
+
+ # Test that non-letter characters are preserved in the output. When
+ # UseSTD3ASCIIRules are enabled, it would mangle non-letter characters like
+ # `_` (underscore) and `*` (wildcard.
+
+ test="Checking valid non-letter characters"
+ idna_test "$text" "" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com."
+ idna_test "$text" "+idnin +noidnout" "*.xn--nxasmq6b.com" "*.xn--nxasmq6b.com."
+ idna_test "$text" "+idnin +idnout" "*.xn--nxasmq6b.com" "*.βόλοσ.com."
+
+ idna_test "$text" "" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+ idna_test "$text" "+noidnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com."
+ idna_test "$text" "+idnin +noidnout" "_tcp.xn--nxasmq6b.com" "_tcp.xn--nxasmq6b.com."
+ idna_test "$text" "+idnin +idnout" "_tcp.xn--nxasmq6b.com" "_tcp.βόλοσ.com."
 }

From 1d42178c4679a03b92a3c46d54fd341c7d492081 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Ond=C5=99ej=20Sur=C3=BD?=
Date: Tue, 30 Nov 2021 15:25:22 +0100
Subject: [PATCH 4/4] Add CHANGES and release note for [GL #1610]

---
 CHANGES | 7 +++++++
 doc/notes/notes-current.rst | 6 ++++++
 2 files changed, 13 insertions(+)

diff --git a/CHANGES b/CHANGES
index 647b682a3c..e147f40630 100644
--- a/CHANGES
+++ b/CHANGES
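Review bot: The added block assigns `test="Checking valid non-letter characters"` but all ten new idna_test calls still pass `"$text"`, so they run under whatever label text held from the preceding group and a failure would be reported against the wrong check; the assignment should read `text="Checking valid non-letter characters"`. The comment above it also has an unclosed parenthesis in `` `*` (wildcard. `` and should say "when UseSTD3ASCIIRules is enabled" rather than "are enabled". idna_enabled_test begins before this hunk.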
@@ -1,3 +1,10 @@
+5771. [bug] Use idn2 UseSTD3ASCIIRules=false to disable additional
+ unicode validity checks because enabling the additional
+ checks would break valid domain names that contains
+ non-alphanumerical characters such as underscore
+ character (_) or wildcard (*). This reverts change
+ [GL !5738] from the previous release. [GL #1610]
+
 5770. [func] BIND could abort on startup on systems using old OpenSSL versions when 'protocols' option is used inside a 'tls' statement. [GL !5602]
diff --git a/doc/notes/notes-current.rst b/doc/notes/notes-current.rst
index 8932ffcca1..66035404ae 100644
--- a/doc/notes/notes-current.rst
+++ b/doc/notes/notes-current.rst
@@ -43,6 +43,12 @@ Feature Changes
 For example: ``allow-transfer port 853 transport tls { any; };`` :gl:`#2776`
+- `UseSTD3ASCIIRules`_ is now disabled for IDN support. This disables additional
+ validation rules for domain names in dig because applying the rules would
+ silently strip characters not-allowed in hostnames such as underscore (``_``)
+ or wildcard (``*``) characters. This reverts change :gl:`!5738` from the
+ previous release. :gl:`#1610`
+
 Bug Fixes
 ~~~~~~~~~