nanog mailing list archives

Re: looking for terminology recommendations concerning non-rooted FQDNs


From: Jay Ashworth <jra () baylink com>
Date: Fri, 22 Feb 2013 12:41:33 -0500 (EST)

----- Original Message -----
From: "Brian Reichert" <reichert () numachi com>

The core issue I'm trying to resolve surrounds the generation of a
CSR. We're trying to automate this process for a network appliance
my employer sells.

When our appliance generates a CSR for itself, among the steps is
to get a PTR record; by convention (or otherwise) these are rooted
domain names.

When we generate a CSR, we're choosing to include the rooted domain
name, as well as the other form (for now, I guess it should be
called a FQDN, the version without the trailing dot).

The resulting issued certificate has both forms in the SubjectAltName
field, and this allows both hostname forms to be used to establish
an SSL connection to our server. They are considered distinct for
the Subject verification phase.

My snap reaction is to say that nothing should ever be *trying* to
compare a rooted F.Q.D.N. against a certificate; it is, as has been
noted, merely command line/entry field shorthand to tell the local
resolver where to quit; applications should all be stripping that
trailing dot.

Do you have evidence that the extra AltName with the trailing dot
is operationally necessary?

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       jra () baylink com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
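An added illustration of the point under discussion (not code from either poster or from the appliance vendor): a SubjectAltName check that compares names literally treats "host.example.net." and "host.example.net" as distinct, which is why the CSR had to carry both forms, while stripping the resolver-only trailing dot before comparison lets one SAN entry cover both. The SAN lists and hostnames are constructed samples; the matching rules (case-insensitive labels, a wildcard only as the whole left-most label) are assumed for the example.

```python
# Added example, not from the thread. Demonstrates why a rooted name fails a
# literal SAN comparison and how normalizing the presented hostname fixes it.
from __future__ import annotations


def normalize_hostname(name: str) -> str:
    """Lowercase and drop a single trailing dot. The dot is only resolver
    shorthand, so it should not take part in certificate matching."""
    name = name.lower()
    return name[:-1] if name.endswith(".") else name


def dns_name_matches(pattern: str, host: str) -> bool:
    """Match one SAN dNSName against an already-normalized host.
    A wildcard is honoured only as the entire left-most label."""
    pattern = pattern.lower()
    if pattern.startswith("*."):
        p_labels = pattern[2:].split(".")
        h_labels = host.split(".")
        # the wildcard covers exactly one label, never more and never zero
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return pattern == host


def verify_hostname(host: str, san_dns_names: list[str], strip_root: bool = True) -> bool:
    """True if any SAN dNSName matches the host. With strip_root=False the
    rooted and unrooted forms are distinct, as the issued cert in the thread
    treats them; with strip_root=True the trailing dot is removed first."""
    presented = normalize_hostname(host) if strip_root else host.lower()
    return any(dns_name_matches(p, presented) for p in san_dns_names)


# Constructed sample: a certificate carrying only the unrooted name.
SAN_UNROOTED_ONLY = ["appliance.example.net", "*.example.net"]
# Constructed sample: the workaround from the thread, both forms in the SAN.
SAN_BOTH_FORMS = ["appliance.example.net", "appliance.example.net."]

if __name__ == "__main__":
    # Literal comparison: the rooted name only matches if the cert lists it.
    print(verify_hostname("appliance.example.net.", SAN_UNROOTED_ONLY, strip_root=False))  # False
    print(verify_hostname("appliance.example.net.", SAN_BOTH_FORMS, strip_root=False))     # True
    # Strip the trailing dot first and a single SAN entry covers both forms.
    print(verify_hostname("appliance.example.net.", SAN_UNROOTED_ONLY))  # True
```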
