Addressable Terminator Case Sensitivity Issue #987

Open
emoscardini opened this issue Sep 23, 2024 · 4 comments
Labels
bug Something isn't working

Comments

@emoscardini

When setting up dial by identity/bind using edge identity, using any uppercase character in the name causes the dial to fail.

Intercept config:

{
    "portRanges": [
      {
        "high": 22,
        "low": 22
      }
    ],
    "addresses": [
      "*.test"
    ],
    "dialOptions": {
      "identity": "$dst_hostname"
    },
    "protocols": [
      "tcp"
    ]
  }

Host config:

{
    "address": "localhost",
    "forwardProtocol": true,
    "forwardPort": true,
    "allowedPortRanges": [
      {
        "high": 22,
        "low": 22
      }
    ],
    "allowedProtocols": [
      "tcp"
    ],
    "httpChecks": [],
    "listenOptions": {
      "bindUsingEdgeIdentity": true
    },
    "portChecks": []
  }

Example:

If the hosting identity is named Host.test (capital H) & attempting to dial

ERROR ziti-sdk:connect.c:1044 connect_reply_cb() conn[4.7/LdZfipfz/Connecting] failed to connect, reason=service TVNkzPdzEVrfHoyV33G9X has no terminators for instanceId host.test

It attempts to dial an all lowercase instance.

The terminator is created with the uppercase character, which is why it doesn't exist as all lower case:

╭───────────────────────┬──────────────────┬───────────────┬─────────┬───────────────────────┬───────────┬──────┬────────────┬──────────────┬───────────╮
│ ID                    │ SERVICE          │ ROUTER        │ BINDING │ ADDRESS               │ INSTANCE  │ COST │ PRECEDENCE │ DYNAMIC COST │ HOST ID   │
├───────────────────────┼──────────────────┼───────────────┼─────────┼───────────────────────┼───────────┼──────┼────────────┼──────────────┼───────────┤
│ ZUwER5yuXnKvRW8KBQsQo │ Addressable-Term │ AWS-us-east-1 │ edge    │ ZUwER5yuXnKvRW8KBQsQo │ Host.test │    0 │ default    │            0 │ 5KwO0mTjT │
╰───────────────────────┴──────────────────┴───────────────┴─────────┴───────────────────────┴───────────┴──────┴────────────┴──────────────┴───────────╯

If you rename the hosting identity (& restart) to all lowercase host.test the dial is successful.

Ziti Version: 1.1.11
Hosting ZET Version 2.0.0-alpha23

@emoscardini emoscardini added the bug Something isn't working label Sep 23, 2024
@scareything
Member

Identity names are case sensitive in ziti.

$ ziti edge create identity Auser
New identity Auser created with id: Mddy6mlIlN
$ ziti edge create identity auser
New identity auser created with id: itbb6mMIlN

As long as this is the case I think the addressable terminator matching should also be case sensitive.

@emoscardini
Author

Not sure I understand the comment. I too think identity names should be case sensitive.

The terminator created by the hosting identity is case sensitive & matches the case of the identity. The dialing identity tries to connect to that same case sensitive hosting identity name & for some reason the current tunnel translates that into all lowercase & therefore fails. Meaning try to dial Host.test & the tunnel reports it errored trying to reach host.test even though there's a terminator for Host.test

@scareything
Member

Thanks for clarifying. zet’s internal dns server down cases any host names that it will answer for, and the lower case name is used as a key in the map of known host names. In the context of dns this is a fine thing to do, since dns host names are not case sensitive and using a map for lookups is much faster than iterating a list.

Without knowing the need behind this issue, I’d be inclined to say that we should update the doc to be clear that identity names should be lower case when $dst_hostname is being used.

Would that suffice?

@emoscardini
Author

Yes, I believe having documentation stating this is a limitation would suffice & be very helpful for others.
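
The limitation discussed in this thread can be audited before deployment. The following is an added example, not code from the issue or from the ziti project; the function names and the sample identity list are constructed. It assumes, as described in the comments above, that the tunneler lowercases the intercepted hostname before substituting it for `$dst_hostname`, while terminator instance matching stays case sensitive.

```python
from fnmatch import fnmatchcase

# Constructed sample data modelled on the names used in this thread.
INTERCEPT_ADDRESSES = ["*.test"]  # "addresses" from the intercept config
HOSTING_IDENTITIES = ["Host.test", "db.test", "Api.test", "api.test", "Auser"]


def dialed_instance(hostname: str) -> str:
    """Assumed tunneler behaviour: the intercepted hostname is lowercased
    before it is used as the dial identity ($dst_hostname)."""
    return hostname.lower()


def is_intercepted(name: str, addresses) -> bool:
    """DNS names are case-insensitive, so compare both sides in lowercase."""
    return any(fnmatchcase(name.lower(), a.lower()) for a in addresses)


def audit(identities, addresses):
    """Return (unreachable, shadowed).

    unreachable: identity names whose terminator instance can never equal
                 the lowercased dial identity.
    shadowed:    {intended name: identity actually reached} where a second,
                 lowercase-named identity would receive the dial instead.
    """
    # With bindUsingEdgeIdentity the terminator instance is the identity
    # name in its exact case.
    instances = set(identities)
    unreachable, shadowed = [], {}
    for name in identities:
        if not is_intercepted(name, addresses):
            continue
        wanted = dialed_instance(name)
        if wanted == name:
            continue  # already lowercase, dial matches the terminator
        if wanted in instances:
            shadowed[name] = wanted
        else:
            unreachable.append(name)
    return unreachable, shadowed


if __name__ == "__main__":
    bad, wrong_target = audit(HOSTING_IDENTITIES, INTERCEPT_ADDRESSES)
    print("no terminator will match:", bad)
    print("dial reaches a different identity:", wrong_target)
```

The second result matters because identity names are case sensitive: if both `Api.test` and `api.test` exist, a dial intended for the first is delivered to the second rather than failing.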
