Feb 11 2020 01:52 PM
Hi,
Is this an old domain from before Windows 2000???
Are all domains using the same format?
If not, as a workaround, are you able to add credentials from a different domain that does not have a dns part with all numbers, and also has full trust with this domain?
If yes, this should work around the issue until we can research it better.
Feb 11 2020 02:01 PM
Feb 11 2020 02:22 PM
Actually No,
See RFC 1035, section 2.3.1
https://tools.ietf.org/html/rfc1035
The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less.
So you can use numbers in a dns name - yes, but any part in the dns name should *not* contain *just numbers*.
so in the case of child.01.contoso.com
the .01. part is failing the validation.
if it was something like .a01. it would be fine.
Feb 18 2020 05:00 AM
But you allow this for example:
nb.1we2.contoso.org
Why?
If you are not compliant to RFC 1035, why not allow numeric only host/domain name?
Feb 18 2020 06:01 AM
nb.1we2.contoso.org is compatible to the RFC.
Where do you see a DNS Part that is just numbers (which is not allowed) ?
.1we2. is not JUST numbers, it is both numbers and letters, which is OK.
In the previous example, you had .01. which IS JUST numbers, which is not allowed.
Anyway, I raised an issue to product about it, to reconsider the RFC, as if effectively AD allows you to do that (which means AD does not conform to this RFC), we might need to change it to adhere to the same rules that AD use.
Feb 18 2020 06:09 AM
The labels must follow the rules for ARPANET host names. They must start with a letter, end with a letter or digit, and have as interior characters only letters, digits, and hyphen. There are also some restrictions on the length. Labels must be 63 characters or less.
My example did not start with a letter.
Feb 18 2020 06:25 AM
Solution@ipcdollar1 , Taking back what I wrote before, you are correct. While the code declares it enforces the RFC, it's clearly a bug that it allowed first character as digit in the label.
I will add it to the internal ticket. Product will have to decide if they want to continue to stick to the RFC, in which case fix it to not allow, or change the rules to align with AD rules, which might make more sense here.
Thanks for the feedback!
Sep 08 2021 05:29 AM
Sep 09 2021 02:54 AM
Feb 21 2022 05:28 AM
@Eli Ofek So now we are already on sensor version 2.173.14993 and the error still persists (throwing the error "Please enter a single label domain name (e.g., “Domain”)").
Do you have any more info on this issue?
Feb 21 2022 05:35 AM
Aug 26 2022 04:03 AM
Feb 18 2020 06:25 AM
Solution@ipcdollar1 , Taking back what I wrote before, you are correct. While the code declares it enforces the RFC, it's clearly a bug that it allowed first character as digit in the label.
I will add it to the internal ticket. Product will have to decide if they want to continue to stick to the RFC, in which case fix it to not allow, or change the rules to align with AD rules, which might make more sense here.
Thanks for the feedback!