Brian Candler wrote:
But I don't really see the point. Why not simply proxy it to the authoritative server, and let that server reply that it's invalid? Why distribute policy about which realms may (or may not) be valid all over the place? Such policy, if it is ever wrong, is likely to lead to difficult-to-debug problems.
As Alan && Stefan pointed out, that's a bad idea. When problems are created at the edge of the network, it's best to stop them there. Sending them to the core makes it harder for everyone.
For an example of how this breaks things, look at all those websites which validate domains to only .com, .net, .org and so on. Now that hundreds of new TLDs are coming along, those sites will all erroneously reject perfectly valid domains. The DNS is a database, so you may as well just query it, and get the additional benefit of rejecting specific non-existent domains.
The same argument applies to RADIUS proxying IMO.
Except the regexes that Alan posted don't verify domain *names*. They verify realm *format*. It's like looking for non-ASCII in DNS packets. If you see it, it's definitively wrong. The protocol specifically forbids it. In RADIUS proxying, the realm format is largely email addresses. Most other formats have disappeared. So checking for that, and discarding *known bad* formats is a good idea. Alan DeKok.