
Conversation

@steelman

Optionally resolve hostname via CNAME record to its canonical form (A or AAAA record). Optionally use reverse DNS query.

Such code is necessary on Windows platforms where SSPI (unlike MIT Kerberos[1]) does not implement such an operation and it is applications' responsibility[2] to take care of CNAME resolution. However, the code seems universal enough to put it into the library rather than in every single program using requests_gssapi.

[1] https://github.com/krb5/krb5/blob/ec71ac1cabbb3926f8ffaf71e1ad007e4e56e0e5/src/lib/krb5/os/sn2princ.c#L99
[2] https://learn.microsoft.com/en-us/previous-versions/office/sharepoint-server-2010/gg502606(v=office.14)?redirectedfrom=MSDN#kerberos-authentication-and-dns-cnames

@steelman
Author

steelman commented Apr 3, 2024

Ping?

@simo5
Contributor

simo5 commented Apr 3, 2024

The reason why SSPI does not implement it is that it is unsafe, and can lead to MITM scenarios, especially with protocols like NTLMSSP.

I am not entirely sure we should provide this functionality from request-gssapi, because it is bound to be used without understanding opening up users of the application to bad surprises later.

I think at the very least these should not be common options provided in the function signature, and instead accessors you need to explicitly find and set individually after the HTTPSPNEGOAuth object has been instantiated.

ie:

    >>> import requests
    >>> from requests_gssapi import HTTPSPNEGOAuth
    >>> gssapi_auth = HTTPSPNEGOAuth()
    >>> gssapi_auth.dns_canonicalize_hostname(True)
    >>> gssapi_auth.use_reverse_dns(True)
    >>> r = requests.get("http://example.org", auth=gssapi_auth)

This will discourage casual setting and each of the effects can be documented in a doc string for the accessor.

The doc string MUST contain warnings that describe why these options are BAD ideas, and point to the relevant security sections of the RFC for a full description.
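To make the two switches under discussion concrete, here is an added example (not requests-gssapi's own code) that implements the CNAME canonicalisation and reverse-DNS steps from the PR description behind explicit opt-in accessors of the shape suggested in the comment above. The class name `SPNEGOHostnameOptions`, the resolver hooks `forward`/`reverse`, and the sample zone tables are all assumptions made for the example; the offline `demo()` shows which service principal each option combination ends up requesting a ticket for, which is exactly the value an unauthenticated DNS answer gets to influence once the switches are on.

```python
"""Hostname canonicalisation for Kerberos HTTP service principals.

Illustrative code added to this thread; it is not requests-gssapi's
implementation.  The resolver hooks, the option class and the sample DNS
tables below are constructed for the example.
"""
import socket
from typing import Callable, Dict, Tuple

# forward(host) -> (canonical_name, first_address); reverse(addr) -> name
Forward = Callable[[str], Tuple[str, str]]
Reverse = Callable[[str], str]


def system_forward(host: str) -> Tuple[str, str]:
    """Forward lookup through the OS resolver.  AI_CANONNAME asks
    getaddrinfo to report the name the CNAME chain ends at (the A/AAAA
    owner), which is what MIT krb5 uses when dns_canonicalize_hostname is on."""
    info = socket.getaddrinfo(host, None, flags=socket.AI_CANONNAME)
    canonical = info[0][3] or host
    return canonical, info[0][4][0]


def system_reverse(address: str) -> str:
    """PTR lookup (the rdns step in MIT krb5 terms)."""
    return socket.gethostbyaddr(address)[0]


def canonicalize_hostname(host: str, dns_canonicalize: bool = False,
                          use_reverse_dns: bool = False,
                          forward: Forward = system_forward,
                          reverse: Reverse = system_reverse) -> str:
    """Return the host component of the service principal.

    With both switches off the caller's name is used verbatim (lower-cased,
    trailing dot stripped), the only choice that does not depend on
    unauthenticated DNS answers.  Each enabled switch lets one more DNS
    answer decide which principal a ticket is requested for."""
    name = host.rstrip(".").lower()
    if not dns_canonicalize:
        return name
    canonical, address = forward(name)
    name = canonical.rstrip(".").lower()
    if use_reverse_dns:
        name = reverse(address).rstrip(".").lower()
    return name


def service_principal(host: str, service: str = "HTTP", **opts) -> str:
    """GSSAPI hostbased-service name, e.g. HTTP@web01.example.org."""
    return f"{service}@{canonicalize_hostname(host, **opts)}"


class SPNEGOHostnameOptions:
    """Opt-in switches as explicit accessors rather than constructor kwargs,
    the shape suggested in the review.  Hypothetical class, not the real
    HTTPSPNEGOAuth."""

    def __init__(self) -> None:
        self._dns_canonicalize = False
        self._use_reverse_dns = False

    def dns_canonicalize_hostname(self, enabled: bool) -> None:
        """WARNING: follows CNAME records from plain DNS.  A forged CNAME
        answer redirects the ticket request to a principal of the forger's
        choosing; RFC 4120 section 1.3 forbids insecure DNS for this."""
        self._dns_canonicalize = bool(enabled)

    def use_reverse_dns(self, enabled: bool) -> None:
        """WARNING: additionally trusts the PTR record for the resolved
        address; the PTR zone is controlled by whoever holds the address
        block, not necessarily by the service owner."""
        self._use_reverse_dns = bool(enabled)

    def target_principal(self, host: str, forward: Forward = system_forward,
                         reverse: Reverse = system_reverse) -> str:
        return service_principal(host, dns_canonicalize=self._dns_canonicalize,
                                 use_reverse_dns=self._use_reverse_dns,
                                 forward=forward, reverse=reverse)


# Constructed sample zone so the example runs offline.
SAMPLE_CNAME: Dict[str, Tuple[str, str]] = {
    "www.example.org": ("web01.example.org", "192.0.2.10"),
    "web01.example.org": ("web01.example.org", "192.0.2.10"),
}
SAMPLE_PTR: Dict[str, str] = {"192.0.2.10": "web01-int.example.org"}


def sample_forward(host: str) -> Tuple[str, str]:
    return SAMPLE_CNAME[host]


def sample_reverse(address: str) -> str:
    return SAMPLE_PTR[address]


def demo() -> Dict[str, str]:
    """Principal chosen for www.example.org under each option combination."""
    opts = SPNEGOHostnameOptions()
    out = {"plain": opts.target_principal("www.example.org", sample_forward, sample_reverse)}
    opts.dns_canonicalize_hostname(True)
    out["cname"] = opts.target_principal("www.example.org", sample_forward, sample_reverse)
    opts.use_reverse_dns(True)
    out["cname+rdns"] = opts.target_principal("www.example.org", sample_forward, sample_reverse)
    return out


if __name__ == "__main__":
    for mode, principal in demo().items():
        print(f"{mode:10s} -> {principal}")
```

Running it prints three different principals for the same URL: `HTTP@www.example.org` with both switches off, `HTTP@web01.example.org` after CNAME chasing, and `HTTP@web01-int.example.org` once the PTR answer is trusted as well. Swapping `sample_forward`/`sample_reverse` for the `system_*` defaults performs the real lookups through the OS resolver.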

@steelman steelman force-pushed the dns-canonicalize-hostname branch from 47aee87 to e526fb5 Compare April 12, 2024 09:00
@github-actions

This pull request is stale because it has been open for 4 weeks with no activity. Remove stale label or comment or this will be closed in 2 weeks.

@github-actions github-actions bot added the stale label Oct 17, 2025
@steelman
Author

Ping?

@github-actions github-actions bot removed the stale label Oct 22, 2025
Contributor

@simo5 simo5 left a comment


LGTM now,
if you can rebase on latest main branch I can merge this.

@steelman steelman force-pushed the dns-canonicalize-hostname branch 2 times, most recently from 19ddfc7 to 35cf9e6 Compare October 23, 2025 14:02
Optionally resolve hostname via CNAME record to its canonical form
(A or AAAA record). Optionally use reverse DNS query.

Such code is necessary on Windows platforms where SSPI (unlike MIT
Kerberos[1]) does not implement such an operation and it is applications'
responsibility[2] to take care of CNAME resolution. However, the code
seems universal enough to put it into the library rather than in every
single program using requests_gssapi.

Warning: Usage of insecure DNS queries is explicitly forbidden in
RFC 4120[3] and may result in the risk of man-in-the-middle attack.

[1] https://github.com/krb5/krb5/blob/ec71ac1cabbb3926f8ffaf71e1ad007e4e56e0e5/src/lib/krb5/os/sn2princ.c#L99
[2] https://learn.microsoft.com/en-us/previous-versions/office/sharepoint-server-2010/gg502606(v=office.14)?redirectedfrom=MSDN#kerberos-authentication-and-dns-cnames
[3] https://datatracker.ietf.org/doc/html/rfc4120

Signed-off-by: Łukasz Stelmach <[email protected]>
@steelman steelman force-pushed the dns-canonicalize-hostname branch from 35cf9e6 to 8f9116d Compare October 23, 2025 14:04