Clarify that CNAMEs are permissible for server names (#1376)

Fixes https://github.com/matrix-org/matrix-spec/issues/606.
pull/1382/head
Richard van der Hoff 2 years ago committed by GitHub
parent 8a555fb411
commit f386c903c0
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -0,0 +1 @@
Clarify that CNAMEs are permissible for server names.

@ -110,11 +110,14 @@ to send. The process overall is as follows:
given. The target server must present a valid certificate for the IP given. The target server must present a valid certificate for the IP
address. The `Host` header in the request should be set to the address. The `Host` header in the request should be set to the
server name, including the port if the server name included one. server name, including the port if the server name included one.
2. If the hostname is not an IP literal, and the server name includes
an explicit port, resolve the IP address using AAAA or A records. 2. If the hostname is not an IP literal, and the server name includes an
explicit port, resolve the hostname to an IP address using CNAME, AAAA or A
records.
Requests are made to the resolved IP address and given port with a Requests are made to the resolved IP address and given port with a
`Host` header of the original server name (with port). The target `Host` header of the original server name (with port). The target
server must present a valid certificate for the hostname. server must present a valid certificate for the hostname.
3. If the hostname is not an IP literal, a regular HTTPS request is 3. If the hostname is not an IP literal, a regular HTTPS request is
made to `https://<hostname>/.well-known/matrix/server`, expecting made to `https://<hostname>/.well-known/matrix/server`, expecting
the schema defined later in this section. 30x redirects should be the schema defined later in this section. 30x redirects should be
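Review bot: the new step 2 wording "resolve the hostname to an IP address using CNAME, AAAA or A records" reads as if a CNAME record itself yields an address, which it does not; a CNAME is an alias that the resolver follows (in the sense of RFC 1034, as the note added later in this change puts it) before returning AAAA or A data. Suggest phrasing the permission as "resolve the hostname to an IP address using AAAA or A records (following any CNAME aliases)" so that the list of record types stays the list of records that actually carry addresses; the same phrasing would then apply to the other steps changed in the same way below.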
@ -140,7 +143,7 @@ to send. The process overall is as follows:
one was provided. one was provided.
- If `<delegated_hostname>` is not an IP literal, and - If `<delegated_hostname>` is not an IP literal, and
`<delegated_port>` is present, an IP address is discovered by `<delegated_port>` is present, an IP address is discovered by
looking up an AAAA or A record for `<delegated_hostname>`. The looking up CNAME, AAAA or A records for `<delegated_hostname>`. The
resulting IP address is used, alongside the `<delegated_port>`. resulting IP address is used, alongside the `<delegated_port>`.
Requests must be made with a `Host` header of Requests must be made with a `Host` header of
`<delegated_hostname>:<delegated_port>`. The target server must `<delegated_hostname>:<delegated_port>`. The target server must
@ -153,11 +156,12 @@ to send. The process overall is as follows:
a `Host` header containing the `<delegated_hostname>`. The a `Host` header containing the `<delegated_hostname>`. The
target server must present a valid certificate for target server must present a valid certificate for
`<delegated_hostname>`. `<delegated_hostname>`.
- If no SRV record is found, an IP address is resolved using AAAA - If no SRV record is found, an IP address is resolved using CNAME, AAAA
or A records. Requests are then made to the resolve IP address or A records. Requests are then made to the resolve IP address
and a port of 8448, using a `Host` header of and a port of 8448, using a `Host` header of
`<delegated_hostname>`. The target server must present a valid `<delegated_hostname>`. The target server must present a valid
certificate for `<delegated_hostname>`. certificate for `<delegated_hostname>`.
4. If the `/.well-known` request resulted in an error response, a 4. If the `/.well-known` request resulted in an error response, a
server is found by resolving an SRV record for server is found by resolving an SRV record for
`_matrix._tcp.<hostname>`. This may result in a hostname (to be `_matrix._tcp.<hostname>`. This may result in a hostname (to be
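Review bot: the line "or A records. Requests are then made to the resolve IP address" still carries the pre-existing typo "resolve IP address"; since this line is touched by the change anyway, fix it to "resolved IP address", matching the wording used in steps 2, 4 and 5 ("Requests are made to the resolved IP address").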
@ -165,8 +169,9 @@ to send. The process overall is as follows:
resolved IP address and port, using 8448 as a default port, with a resolved IP address and port, using 8448 as a default port, with a
`Host` header of `<hostname>`. The target server must present a `Host` header of `<hostname>`. The target server must present a
valid certificate for `<hostname>`. valid certificate for `<hostname>`.
5. If the `/.well-known` request returned an error response, and the 5. If the `/.well-known` request returned an error response, and the
SRV record was not found, an IP address is resolved using AAAA and A SRV record was not found, an IP address is resolved using CNAME, AAAA and A
records. Requests are made to the resolved IP address using port records. Requests are made to the resolved IP address using port
8448 and a `Host` header containing the `<hostname>`. The target 8448 and a `Host` header containing the `<hostname>`. The target
server must present a valid certificate for `<hostname>`. server must present a valid certificate for `<hostname>`.
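Review bot: this step now reads "CNAME, AAAA and A records" while the equivalent lines changed earlier in the same diff (step 2, the `<delegated_port>` case and the no-SRV case) say "CNAME, AAAA or A records". The "and"/"or" difference predates this change, but the line is being edited here, so align it to "or": a resolver uses whichever of the two address record types exists, and "and" suggests both are required.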
@ -180,6 +185,13 @@ delegation are:
and other applications using SRV records such [XMPP](https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1). and other applications using SRV records such [XMPP](https://datatracker.ietf.org/doc/html/rfc6120#section-13.7.2.1).
{{% /boxes/note %}} {{% /boxes/note %}}
{{% boxes/note %}}
Note that the target of a SRV record may *not* be a CNAME, as
mandated by [RFC2782](https://www.rfc-editor.org/rfc/rfc2782.html):
> the name MUST NOT be an alias (in the sense of RFC 1034 or RFC 2181)
{{% /boxes/note %}}
{{% http-api spec="server-server" api="wellknown" %}} {{% http-api spec="server-server" api="wellknown" %}}
### Server implementation ### Server implementation
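Review bot: the new note says the target of a SRV record "may *not* be a CNAME", which can be read as "might not be" rather than as a prohibition; the RFC 2782 text quoted right after it is normative ("MUST NOT be an alias"), so "must not" (or simply the RFC's own wording) avoids the ambiguity. It would also help to spell out the consequence for the discovery steps above, namely that the hostname obtained from an SRV record is resolved with AAAA or A records only, because those steps were just changed to mention CNAME and a reader may assume the same applies to SRV targets. Minor: "a SRV record" should be "an SRV record", as in steps 3 and 4.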
