Go / Unicode folks: any idea what character set the IDNA2008 implementation in Go with StrictDomainName=false actually accepts?
https://github.com/golang/go/issues/76804
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 10:33:00 JST
✧✦Catherine✦✧
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 10:47:03 JST
✧✦Catherine✦✧
so apparently with StrictDomainName=false (which is only documented to accept `_` and some other unspecified characters), Go's IDNA library happily accepts `*.foo.bar` as a valid domain name
what.
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 10:47:11 JST
✧✦Catherine✦✧
this is such a baffling, unexpected design choice coupled with completely unacceptable documentation choices https://go.dev/play/p/lL9qtinh8Qh
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 11:28:11 JST
✧✦Catherine✦✧
upsetting https://codeberg.org/git-pages/git-pages/commit/c88d04c71b4e44d2412d55f98d16abefb05b1977
Rich Felker (dalias@hachyderm.io)'s status on Friday, 12-Dec-2025 11:39:18 JST
Rich Felker
@whitequark Seems like they should have better thought out what usernames to allow if they wanted to use usernames as subdomains...
Glyph (glyph@mastodon.social)'s status on Friday, 12-Dec-2025 11:42:04 JST
Glyph
@whitequark I know enough about this to feel an acute sympathetic pain but not nearly enough to actually answer your question, I'm sorry :(
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 11:43:10 JST
✧✦Catherine✦✧
@glyph yeah this is uh. basically what i'd expect
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 11:43:31 JST
✧✦Catherine✦✧
@dalias forgejo used to allow dots in usernames too (not anymore)
so... yeah
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 11:58:43 JST
✧✦Catherine✦✧
@shironeko don't think so; StrictDomainName=false allows underscores (which is the only documented allowed character), which are _not_ valid in TLS certs
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 11:58:44 JST
✧✦Catherine✦✧
@shironeko i feed it into the "TLS certificate allowed y/n" endpoint, and i was not prepared for *.foo.bar to be accepted
shironeko (shironeko@fedi.tesaguri.club)'s status on Friday, 12-Dec-2025 11:58:44 JST
shironeko
@whitequark StrictDomainName sounds like something you would want for certificates
shironeko (shironeko@fedi.tesaguri.club)'s status on Friday, 12-Dec-2025 11:58:45 JST
shironeko
@whitequark in what scenario would it cause security problems?
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 12:23:04 JST
✧✦Catherine✦✧
@shironeko oh yeah =true is intended for domain registrars, TLS cert issuers and such
you do have to special-case * however, which the Go library doesn't let you do either!
shironeko (shironeko@fedi.tesaguri.club)'s status on Friday, 12-Dec-2025 12:23:05 JST
shironeko
@whitequark yeah I mean =true better safe than sorry right?
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 12:37:47 JST
✧✦Catherine✦✧
@fanf do you have a good way to check the hostname-with-underscore syntax? just a regex?
Tony Finch (fanf@mendeddrum.org)'s status on Friday, 12-Dec-2025 12:37:48 JST
Tony Finch
@whitequark yeah idna is difficult
i think the key sentence is “This option corresponds to the UseSTD3ASCIIRules flag in UTS #46.” and in tr46 that flag basically enables or disables all hostname syntax checks, hence allowing * and everything else i bet
the approach i would take is to do idna conversion with UseSTD3ASCIIRules=false then check that the resulting punycode obeys the relaxed hostname-with-underscore syntax
on the basis that idna is designed so that it works when trad syntax is enforced by various lower layers
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 12:54:54 JST
✧✦Catherine✦✧
@fanf I looked for recommendations and the recommended way to check a hostname was... IDNA
Tony Finch (fanf@mendeddrum.org)'s status on Friday, 12-Dec-2025 12:54:55 JST
Tony Finch
@whitequark good question
i dunno the go libraries well enough, but i’d probably look around to see if there’s an existing hostname checker i could clone and hack
but a regex would do if i didn’t find code i like (i have used them in the past for this, but without _, heh)
one tricky thing is hostnames have per-label length limits which a regex can handle ok, but also an overall length limit which is probably best done as a separate check
oh wait, the tr46 algorithm includes length checks already!
so it might be reasonable to just check [a-z0-9._-]+
(sorry that turned into a ramble)
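The two-step approach Tony Finch sketches above (run the IDNA conversion first, then check that the resulting ASCII name obeys the relaxed hostname-with-underscore syntax) as an added example in Go. This is not code from the thread, from git-pages, or from Go's IDNA package. It assumes the input has already been through an IDNA ToASCII mapping (for instance golang.org/x/net/idna with UseSTD3ASCIIRules disabled; that package is deliberately not imported so the block runs on the standard library alone) and implements only the second step: per-label limit of 63, overall limit of 253 (both from RFC 1035), labels drawn from [a-z0-9_-] with no leading or trailing hyphen. Any other character, `*` included, fails the check, which is the gap the thread is about.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Limits from RFC 1035: 63 octets per label, 253 characters for the
// presentation form of a whole name (255 on the wire, including length bytes).
const (
	maxLabelLen = 63
	maxNameLen  = 253
)

// relaxedLabel is the LDH ("letters, digits, hyphen") label syntax relaxed to
// also permit underscore, as used by labels such as _acme-challenge. A label
// may not begin or end with a hyphen. Anything else, including '*', is outside
// the set and fails the match. (Assumed syntax for this example.)
var relaxedLabel = regexp.MustCompile(`^[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?$`)

// ValidateRelaxedHostname checks a name that has already been converted to its
// ASCII (punycode) form against the relaxed hostname-with-underscore syntax.
// It returns nil when the name is acceptable and an error naming the first
// violation otherwise. Hostnames are case-insensitive, so the input is folded
// to lower case; a single trailing dot (fully-qualified form) is allowed.
func ValidateRelaxedHostname(name string) error {
	name = strings.ToLower(strings.TrimSuffix(name, "."))
	if name == "" {
		return errors.New("empty hostname")
	}
	if len(name) > maxNameLen {
		return fmt.Errorf("hostname is %d characters, limit is %d", len(name), maxNameLen)
	}
	for i, label := range strings.Split(name, ".") {
		switch {
		case label == "":
			return fmt.Errorf("label %d is empty", i)
		case len(label) > maxLabelLen:
			return fmt.Errorf("label %d is %d characters, limit is %d", i, len(label), maxLabelLen)
		case !relaxedLabel.MatchString(label):
			return fmt.Errorf("label %d %q: only [a-z0-9_-] allowed, no leading/trailing hyphen", i, label)
		}
	}
	return nil
}

// IsRelaxedHostname is the boolean form of ValidateRelaxedHostname.
func IsRelaxedHostname(name string) bool {
	return ValidateRelaxedHostname(name) == nil
}

func main() {
	// Constructed sample inputs: the shapes mentioned in the thread plus edge cases.
	for _, name := range []string{
		"foo.bar",
		"_acme-challenge.example.com",
		"xn--nxasmq6b.example.",
		"*.foo.bar",
		"-bad.example",
		"foo..bar",
		strings.Repeat("a", 64) + ".example",
	} {
		if err := ValidateRelaxedHostname(name); err != nil {
			fmt.Printf("reject %q: %v\n", name, err)
		} else {
			fmt.Printf("accept %q\n", name)
		}
	}
}
```

Splitting on dots and matching each label separately is stricter than a single `[a-z0-9._-]+` over the whole name: it also catches empty labels (`foo..bar`), leading or trailing hyphens, and both length limits, so the check does not rely on the IDNA layer having enforced them.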
✧✦Catherine✦✧ (whitequark@mastodon.social)'s status on Friday, 12-Dec-2025 13:04:39 JST
✧✦Catherine✦✧
@fanf Hm I could use that
Tony Finch (fanf@mendeddrum.org)'s status on Friday, 12-Dec-2025 13:04:40 JST
Tony Finch
@whitequark oh dear lolsob
https://go.googlesource.com/go/+/refs/heads/master/src/net/dnsclient.go#75