From 27a0168cdc326830440e87fabd60bcdc00dd45c4 Mon Sep 17 00:00:00 2001
From: Fran Bull
Date: Thu, 6 Nov 2025 14:53:22 -0800
Subject: [PATCH] util/dnsname: increase maxNameLength to account for trailing dot
Fixes #17788
Signed-off-by: Fran Bull
---
 util/dnsname/dnsname.go | 2 +-
 util/dnsname/dnsname_test.go | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/util/dnsname/dnsname.go b/util/dnsname/dnsname.go
index 6404a9af1..ef898ebbd 100644
--- a/util/dnsname/dnsname.go
+++ b/util/dnsname/dnsname.go
@@ -14,7 +14,7 @@ const (
 // maxLabelLength is the maximum length of a label permitted by RFC 1035.
 maxLabelLength = 63
 // maxNameLength is the maximum length of a DNS name.
- maxNameLength = 253
+ maxNameLength = 254
 )
 
 // A FQDN is a fully-qualified DNS name or name suffix.
diff --git a/util/dnsname/dnsname_test.go b/util/dnsname/dnsname_test.go
index 719e28be3..49eeaee48 100644
--- a/util/dnsname/dnsname_test.go
+++ b/util/dnsname/dnsname_test.go
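Review bot: The doc comment kept above `maxNameLength` in util/dnsname/dnsname.go still says only "the maximum length of a DNS name" and does not record that 254 counts the trailing dot, which is the reason for the new value. I would reword it to `// maxNameLength is the maximum length of a DNS name in text form, including the trailing dot (RFC 1035 limits the wire encoding to 255 octets).` This constant is an input-validation bound, so every comparison against it needs to measure the name with its trailing dot. The use sites are outside this hunk and worth confirming, since a check made on a dot-less string would now admit a name one byte longer than the wire format allows.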
@@ -59,6 +59,38 @@ func TestFQDN(t *testing.T) {
 }
 }
 
+func TestFQDNTooLong(t *testing.T) {
+ // RFC 1035 says a dns name has a max size of 255 octets, and is represented as labels of len+ASCII chars so
+ // example.com
+ // is represented as
+ // 7example3com0
+ // which is to say that if we have a trailing dot then the dots cancel out all the len bytes except the first and
+ // we can accept 254 chars.
+
+ // This name is max length
+ name := "aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.aaaaaaaaaaaaaaaaaaaaa.example.com."
+ if len(name) != 254 {
+ t.Fatalf("name should be 254 chars including trailing . (len is %d)", len(name))
+ }
+ got, err := ToFQDN(name)
+ if err != nil {
+ t.Fatalf("want: error to end with \"is too long to be a DNS name\", got: %v", err)
+ }
+ if string(got) != name {
+ t.Fatalf("want: %s, got: %s", name, got)
+ }
+
+ // This name is too long
+ name = "x" + name
+ got, err = ToFQDN(name)
+ if got != "" {
+ t.Fatalf("want: \"\", got: %s", got)
+ }
+ if err == nil || !strings.HasSuffix(err.Error(), "is too long to be a DNS name") {
+ t.Fatalf("want: error to end with \"is too long to be a DNS name\", got: %v", err)
+ }
+}
+
 func TestFQDNContains(t *testing.T) {
 tests := []struct {
 a, b string
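Review bot: The failure message in the `if err != nil` branch after the first `ToFQDN(name)` call is copied from the too-long case, so a regression on the 254-character name would report that an error was wanted when the test expects none. It should read something like `t.Fatalf("ToFQDN of max-length name: unexpected error: %v", err)`. Both inputs in TestFQDNTooLong carry a trailing dot, so the test does not pin the dot-less boundary. By the RFC 1035 reasoning in the test's own comment, a 253-character name without the dot should be accepted and a 254-character name without the dot rejected. Adding those two cases would show that raising the constant did not loosen validation for names passed without a trailing dot.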