Hello,
I’m trying to create DNS records for DNS-SD (RFC 6763), but at least when I’m trying to do it at desec.io on the web, it’s overly stringent and prohibits me from making subnames with uppercase characters, for example. See Section 4.1.1. and especially Appendix E of that RFC for details, but in general almost all UTF-8 characters are permitted. These names used for service enumeration are not host names, and are not bound by the limitations of host names, but deSEC.io seems to be treating this as such.
For those not familiar with DNS-SD, an example will probably help. Fortunately there is an example domain, aptly named ‘dns-sd.org’. To discover all of the different kinds of services that may be associated with dns-sd.org, we perform a PTR query for the magic name used for this purpose, such as with dig:
$ dig -t PTR -q _services._dns-sd._udp.dns-sd.org +noall +answer
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _ftp._tcp.dns-sd.org.
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _ipp._tcp.dns-sd.org.
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _ssh._tcp.dns-sd.org.
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _http._tcp.dns-sd.org.
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _printer._tcp.dns-sd.org.
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _afpovertcp._tcp.dns-sd.org.
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _pdl-datastream._tcp.dns-sd.org.
_services._dns-sd._udp.dns-sd.org. 60 IN PTR _nq._tcp.dns-sd.org.
Now I can see that the domain has IPP services for printing. Next I can do another PTR query specifically for IPP service instances to see, in human-friendly form, what kinds of printers might be available.
$ dig -t PTR -q _ipp._tcp.dns-sd.org +noall +answer
_ipp._tcp.dns-sd.org. 21 IN PTR Stuart\226\128\153s\032Remote\032AirPrint\032Printer._ipp._tcp.dns-sd.org.
_ipp._tcp.dns-sd.org. 21 IN PTR Sales._ipp._tcp.dns-sd.org.
_ipp._tcp.dns-sd.org. 21 IN PTR Engineering._ipp._tcp.dns-sd.org.
_ipp._tcp.dns-sd.org. 21 IN PTR 3rd\.\032Floor\032Copy\032Room._ipp._tcp.dns-sd.org.
_ipp._tcp.dns-sd.org. 21 IN PTR Marketing._ipp._tcp.dns-sd.org.
The last column is what you should find interesting here: all of those human-readable names contain uppercase characters, and the applicable standards actually allow this. Choosing service instance names with correct case and punctuation is strongly advised.
It seems like this has been overlooked. When I try to create such a PTR subname, I’m unable to set it to something like “Engineering”, because it says Allowed characters: a-z, 0-9, and -_. May start with “." or just be "”.
When creating that record, it also asks for the “target hostname” that the PTR record should point at. Again, there is no actual, technical obligation that the target be a hostname, and the targets of the _services._dns-sd._udp.dns-sd.org PTR records most certainly are not.
In fact, DNS has a lot in common with a generic directory service like LDAP when one comes to think of it: except for particular record types where it wouldn’t make sense, the protocol is designed to be agnostic with respect to its application, and can legitimately be used to store information about things that aren’t machines at all.
I am not sure if using deSEC’s API would allow one to work around this. It seems that deSEC’s limitations on such names are artificial and self-imposed, and probably by mistake, so I would appreciate seeing them lifted so I can use meaningful names in DNS-SD.
