@@ -9,9 +9,9 @@ ______________________________________________________________________
99
1010Presently, seeding a driver with an initial list of ReplicaSet or MongoS addresses is somewhat cumbersome, requiring a
1111comma-delimited list of host names to attempt connections to. A standardized answer to this problem exists in the form
12- of SRV records, which allow administrators to configure a single domain to return a list of host names. Supporting this
13- feature would assist our users by decreasing maintenance load, primarily by removing the need to maintain seed lists at
14- an application level.
12+ of SRV records, which allow administrators to configure a single SRV record to return a list of host names. Supporting
13+ this feature would assist our users by decreasing maintenance load, primarily by removing the need to maintain seed
14+ lists at an application level.
1515
1616This specification builds on the [ Connection String] ( ../connection-string/connection-string-spec.md ) specification. It
1717adds a new protocol scheme and modifies how the
@@ -31,12 +31,38 @@ step before it considers the connection string and SDAM specifications. In this
3131host names is replaced with a single host name. The format is:
3232
3333```
34- mongodb+srv://{hostname}.{domainname} /{options}
34+ mongodb+srv://{hostname}/{options}
3535```
3636
3737` {options} ` refers to the optional elements from the [ Connection String] ( ../connection-string/connection-string-spec.md )
3838specification following the ` Host Information ` . This includes the ` Auth database ` and ` Connection Options ` .
3939
40+ For the purposes of this document, ` {hostname} ` will be divided using the following terminology. If an SRV ` {hostname} `
41+ has:
42+
43+ 1 . Three or more ` . ` separated parts, then the left-most part is the ` {subdomain} ` and the remaining portion is the
44+ ` {domainname} ` .
45+
46+ - Examples:
47+ - ` {hostname} ` = ` cluster_1.tests.mongodb.co.uk `
48+
49+ - ` {subdomain} ` = ` cluster_1 `
50+ - ` {domainname} ` = ` tests.mongodb.co.uk `
51+
52+ - ` {hostname} ` = ` hosts_34.example.com `
53+
54+ - ` {subdomain} ` = ` hosts_34 `
55+ - ` {domainname} ` = ` example.com `
56+
57+ 2 . One or two ` . ` separated part(s), then the ` {hostname} ` is equivalent to the ` {domainname} ` , and there is no
58+ subdomain.
59+
60+ - Examples:
61+ - ` {hostname} ` = ` {domainname} ` = ` localhost `
62+ - ` {hostname} ` = ` {domainname} ` = ` mongodb.local `
63+
64+ Only ` {domainname} ` is used during SRV record verification and ` {subdomain} ` is ignored.
65+
4066### MongoClient Configuration
4167
4268#### srvMaxHosts
@@ -81,30 +107,27 @@ parse error and MUST NOT do DNS resolution or contact hosts.
81107It is an error to specify more than one host name in a connection string with the ` mongodb+srv ` protocol, and the driver
82108MUST raise a parse error and MUST NOT do DNS resolution or contact hosts.
83109
84- A driver MUST verify that in addition to the ` {hostname} ` , the ` {domainname} ` consists of at least two parts: the domain
85- name, and a TLD. Drivers MUST raise an error and MUST NOT contact the DNS server to obtain SRV (or TXT records) if the
86- full URI does not consist of at least three parts.
87-
88110If ` mongodb+srv ` is used, a driver MUST implicitly also enable TLS. Clients can turn this off by passing ` tls=false ` in
89111either the Connection String, or options passed in as parameters in code to the MongoClient constructor (or equivalent
90112API for each driver), but not through a TXT record (discussed in a later section).
91113
92114#### Querying DNS
93115
94- In this preprocessing step, the driver will query the DNS server for SRV records on ` { hostname}.{domainname} ` , prefixed
95- with the SRV service name and protocol. The SRV service name is provided in the ` srvServiceName ` URI option and defaults
96- to ` mongodb ` . The protocol is always ` tcp ` . After prefixing, the URI should look like:
97- ` _{srvServiceName}._tcp.{hostname}.{domainname} ` . This DNS query is expected to respond with one or more SRV records.
116+ In this preprocessing step, the driver will query the DNS server for SRV records on the hostname, prefixed with the SRV
117+ service name and protocol. The SRV service name is provided in the ` srvServiceName ` URI option and defaults to
118+ ` mongodb ` . The protocol is always ` tcp ` . After prefixing, the URI should look like: ` _{srvServiceName}._tcp.{hostname} ` .
119+ This DNS query is expected to respond with one or more SRV records.
98120
99121The priority and weight fields in returned SRV records MUST be ignored.
100122
101123If the DNS result returns no SRV records, or no records at all, or a DNS error happens, an error MUST be raised
102124indicating that the URI could not be used to find hostnames. The error SHALL include the reason why they could not be
103125found.
104126
105- A driver MUST verify that the host names returned through SRV records have the same parent ` {domainname} ` . Drivers MUST
106- raise an error and MUST NOT initiate a connection to any returned host name which does not share the same
107- ` {domainname} ` .
127+ A driver MUST verify that the host names returned through SRV records share the original SRV's ` {domainname} ` . In
128+ addition, SRV records with fewer than three ` . ` separated parts, the returned hostname MUST have at least one more
129+ domain level than the SRV record hostname. Drivers MUST raise an error and MUST NOT initiate a connection to any
130+ returned hostname which does not fulfill these requirements.
108131
109132The driver MUST NOT attempt to connect to any hosts until the DNS query has returned its results.
110133
@@ -118,12 +141,12 @@ randomization.
118141
119142### Default Connection String Options
120143
121- As a second preprocessing step, a Client MUST also query the DNS server for TXT records on ` {hostname}.{domainname} ` . If
122- available, a TXT record provides default connection string options. The maximum length of a TXT record string is 255
123- characters, but there can be multiple strings per TXT record. A Client MUST support multiple TXT record strings and
124- concatenate them as if they were one single string in the order they are defined in each TXT record. The order of
125- multiple character strings in each TXT record is guaranteed. A Client MUST NOT allow multiple TXT records for the same
126- host name and MUST raise an error when multiple TXT records are encountered.
144+ As a second preprocessing step, a Client MUST also query the DNS server for TXT records on ` {hostname} ` . If available, a
145+ TXT record provides default connection string options. The maximum length of a TXT record string is 255 characters, but
146+ there can be multiple strings per TXT record. A Client MUST support multiple TXT record strings and concatenate them as
147+ if they were one single string in the order they are defined in each TXT record. The order of multiple character strings
148+ in each TXT record is guaranteed. A Client MUST NOT allow multiple TXT records for the same host name and MUST raise an
149+ error when multiple TXT records are encountered.
127150
128151Information returned within a TXT record is a simple URI string, just like the ` {options} ` in a connection string.
129152
@@ -148,10 +171,10 @@ the Connection String spec.
148171
149172### CNAME not supported
150173
151- The use of DNS CNAME records is not supported. Clients MUST NOT check for a CNAME record on ` {hostname}.{domainname} ` . A
152- system's DNS resolver could transparently handle CNAME, but because of how clients validate records returned from SRV
153- queries, use of CNAME could break validation. Seedlist discovery therefore does not recommend or support the use of
154- CNAME records in concert with SRV or TXT records.
174+ The use of DNS CNAME records is not supported. Clients MUST NOT check for a CNAME record on ` {hostname} ` . A system's DNS
175+ resolver could transparently handle CNAME, but because of how clients validate records returned from SRV queries, use of
176+ CNAME could break validation. Seedlist discovery therefore does not recommend or support the use of CNAME records in
177+ concert with SRV or TXT records.
155178
156179## Example
157180
@@ -169,7 +192,7 @@ _mongodb._tcp.server.mongodb.com. 86400 IN SRV 0 5 27317 mongodb1.
169192_mongodb._tcp.server.mongodb.com. 86400 IN SRV 0 5 27017 mongodb2.mongodb.com.
170193```
171194
172- The returned host names (` mongodb1.mongodb.com ` and ` mongodb2.mongodb.com ` ) must share the same parent domain name
195+ The returned host names (` mongodb1.mongodb.com ` and ` mongodb2.mongodb.com ` ) must share the same domainname
173196(` mongodb.com ` ) as the provided host name (` server.mongodb.com ` ).
174197
175198The driver also needs to request the DNS server for the TXT records on ` server.mongodb.com ` . This could return:
@@ -200,6 +223,12 @@ mongodb://mongodb1.mongodb.com:27317,mongodb2.mongodb.com:27107/?ssl=true&replic
200223
201224## Test Plan
202225
226+ ### Prose Tests
227+
228+ See README.md in the accompanying [ test directory] ( tests/README.md ) .
229+
230+ ### Spec Tests
231+
203232See README.md in the accompanying [ test directory] ( tests/README.md ) .
204233
205234Additionally, see the ` mongodb+srv ` test ` invalid-uris.yml ` in the
@@ -254,6 +283,10 @@ In the future we could consider using the priority and weight fields of the SRV
254283
255284## ChangeLog
256285
286+ - 2024-09-24: Removed requirement for URI to have three '.' separated parts; these SRVs have stricter parent domain
287+ matching requirements for security. Create terminology section. Remove usage of term ` {TLD} ` . The ` {hostname} ` now
288+ refers to the entire hostname, not just the ` {subdomain} ` .
289+
257290- 2024-03-06: Migrated from reStructuredText to Markdown.
258291
259292- 2022-10-05: Revise spec front matter and reformat changelog.
0 commit comments