certtools / intelmq

IntelMQ is a solution for IT security teams for collecting and processing security feeds using a message queuing protocol.
https://docs.intelmq.org/latest/
GNU Affero General Public License v3.0

FQDN with trailing dot or not? #369

Closed sebix closed 9 years ago

sebix commented 9 years ago

The current implementation allows both variants, with and without the trailing dot for the root zone. Sanitize does not add or remove it.

>>> intelmq.lib.harmonization.FQDN.is_valid(u'foobar.example.')
True
>>> intelmq.lib.harmonization.FQDN.is_valid(u'foobar.example')
True
>>> intelmq.lib.harmonization.FQDN.sanitize(u'foobar.example')
u'foobar.example'
>>> intelmq.lib.harmonization.FQDN.sanitize(u'foobar.example.')
u'foobar.example.'

This can potentially lead to duplicates.

Which variant do you prefer?

SYNchroACK commented 9 years ago

'foobar.example'

robcza commented 9 years ago

Talking of indicators of compromise, I think foobar.example and foobar.example. carry exactly the same information. As I would expect the output of IntelMQ to be normalized, I prefer the variant where sanitization always produces an FQDN without a trailing dot.

sebix commented 9 years ago

@aaronkaplan What do you think here?

aaronkaplan commented 9 years ago

On 20 Oct 2015, at 17:12, Sebastian notifications@github.com wrote:

@aaronkaplan What do you think here?

Robert’s proposal is fine for me. It’s easy to rtrim(‘.’) at the end.

sebix commented 9 years ago

Ok, we have a consensus here. Trailing dot is not allowed and will be removed in sanitation.

aaronkaplan commented 9 years ago

On 20 Oct 2015, at 17:18, Sebastian notifications@github.com wrote:

Ok, we have a consensus here. Trailing dot is not allowed and will be removed in sanitation.

Yes
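
The behaviour agreed in this thread (trailing dot removed by sanitization, rejected by validation), as an added sketch that is not IntelMQ's own code. The function names, the letters-digits-hyphen label rule and the sample values are assumptions made for illustration.

```python
import re

# Hypothetical helpers; this is not intelmq.lib.harmonization.FQDN.
# Assumed label rule: 1-63 letters/digits/hyphens, no leading or trailing hyphen.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")


def is_valid_fqdn(value):
    """Accept only the normalized form: no trailing dot, no empty labels."""
    if not value or len(value) > 253 or value.endswith("."):
        return False
    return all(_LABEL.fullmatch(label) for label in value.split("."))


def sanitize_fqdn(value):
    """Return the name without the root-zone dot, or None if it is unusable."""
    value = value.strip()
    # Remove exactly one trailing dot: 'foobar.example..' contains an empty
    # label and stays invalid instead of being silently repaired.
    if value.endswith("."):
        value = value[:-1]
    return value if is_valid_fqdn(value) else None


def deduplicate(values):
    """Sanitize each value and keep the first occurrence of every name."""
    seen, result = set(), []
    for raw in values:
        name = sanitize_fqdn(raw)
        if name is not None and name not in seen:
            seen.add(name)
            result.append(name)
    return result


# Constructed sample values, not taken from a real feed.
SAMPLE = ["foobar.example.", "foobar.example", "foobar.example..", ".", "other.example"]

if __name__ == "__main__":
    # Both spellings of foobar.example collapse into a single entry.
    print(deduplicate(SAMPLE))
```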