fix(xds): Allow and normalize trailing dot (FQDN) in matchHostName #12644
+176
−105
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
Please sign the EasyCLA to be able to contribute to the repo. |
PetitBaguette
force-pushed
the
fix/xds_fqdn
branch
from
1470dd2 to
4adb94d
Compare
Contributor
Author
|
@kannanjgithub Thank you for the instructions. I have signed the CLA. |
| @@ -354,15 +354,24 @@ private void updateResolutionResult(XdsConfig xdsConfig) { | |||
| */ | |||
| @VisibleForTesting | |||
| static boolean matchHostName(String hostName, String pattern) { | |||
Contributor
There was a problem hiding this comment.
This method is actually unused now for some time. Can you remove it and its calling tests? Instead make unit tests for RoutingUtils which is the actively used code.
Contributor
Author
There was a problem hiding this comment.
I have applied the requested changes.
All CI checks have passed, with the exception of grpc-java-testing-pr (grpc-testing), which indicates that it needs a /gcbrun command from a collaborator.
Please let me know if there are any other points I should address.
kannanjgithub
added
the
kokoro:run
grpc-kokoro
removed
the
kokoro:run
kannanjgithub
approved these changes
Feb 5, 2026
kannanjgithub
added
the
kokoro:run
Contributor
|
/gcb |
grpc-kokoro
removed
the
kokoro:run
Contributor
|
/gcbrun |
Contributor
Author
|
@kannanjgithub Thank you for running the command. I noticed that all CI checks have passed now. Is there anything else I need to do to get this merged? |
jdcormie
pushed a commit
to jdcormie/grpc-java
that referenced
this pull request
Feb 11, 2026
…rpc#12644) ## Summary `matchHostName` in `RoutingUtils` and `XdsNameResolver` currently rejects hostnames and patterns with a trailing dot (`.`) via `checkArgument`. A trailing dot denotes a **Fully Qualified Domain Name (FQDN)** as defined in [RFC 1034 Section 3.1](https://www.rfc-editor.org/rfc/rfc1034#section-3.1), and is a valid, well-defined representation of an absolute domain name. Rejecting it is inconsistent with the RFC. This change removes the trailing-dot rejection and adds normalization to strip the trailing dot before matching, making `example.com.` and `example.com` match equivalently. ## Background Per [RFC 1034 Section 3.1](https://www.rfc-editor.org/rfc/rfc1034#section-3.1): > "If the name ends with a dot, it is an absolute name ... For example, `poneria.ISI.EDU.`" A trailing dot simply indicates that the name is rooted at the DNS root and is semantically equivalent to the same name without the trailing dot. Treating it as invalid prevents legitimate FQDNs from being used as hostnames or virtual host domain patterns in xDS routing configuration. ## Motivation This was discovered when using gRPC Proxyless Service Mesh on a Kubernetes cluster with Istio. The issue surfaced after upgrading Istio from 1.26.8 to 1.28.3. The Istio change [istio/istio#56008](istio/istio#56008) began sending FQDN-style domain names (with trailing dots) in xDS route configuration, which caused grpc-java to throw an `IllegalArgumentException` in `matchHostName`: ```text java.lang.IllegalArgumentException: Invalid pattern/domain name at com.google.common.base.Preconditions.checkArgument(Preconditions.java:143) ``` The root cause is that grpc-java's `matchHostName` was not RFC-compliant in rejecting trailing dots — the Istio upgrade merely made it visible. The fix here is to bring grpc-java into compliance with RFC 1034, independent of any specific Istio version. ## Changes - `xds/src/main/java/io/grpc/xds/RoutingUtils.java`: Removed trailing-dot rejection and added FQDN normalization in `matchHostName`. - `xds/src/main/java/io/grpc/xds/XdsNameResolver.java`: Same as above. - `xds/src/test/java/io/grpc/xds/XdsNameResolverTest.java`: Added `matchHostName_trailingDot` test covering exact match, prefix wildcard, and suffix wildcard with trailing dot combinations. ## References - [RFC 1034 – Domain Names: Concepts and Facilities](https://www.rfc-editor.org/rfc/rfc1034) - [RFC 1035 – Domain Names: Implementation and Specification](https://www.rfc-editor.org/rfc/rfc1035) - [istio/istio#56008](istio/istio#56008) – Istio change that began sending FQDN domain names in xDS configuration
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
matchHostNameinRoutingUtilsandXdsNameResolvercurrently rejects hostnames and patternswith a trailing dot (
.) viacheckArgument. A trailing dot denotes aFully Qualified Domain Name (FQDN) as defined in
RFC 1034 Section 3.1, and is a valid,
well-defined representation of an absolute domain name. Rejecting it is inconsistent with the RFC.
This change removes the trailing-dot rejection and adds normalization to strip the trailing dot
before matching, making
example.com.andexample.commatch equivalently.Background
Per RFC 1034 Section 3.1:
A trailing dot simply indicates that the name is rooted at the DNS root and is semantically
equivalent to the same name without the trailing dot. Treating it as invalid prevents legitimate
FQDNs from being used as hostnames or virtual host domain patterns in xDS routing configuration.
Motivation
This was discovered when using gRPC Proxyless Service Mesh on a Kubernetes cluster with Istio.
The issue surfaced after upgrading Istio from 1.26.8 to 1.28.3. The Istio change
istio/istio#56008 began sending FQDN-style domain
names (with trailing dots) in xDS route configuration, which caused grpc-java to throw an
IllegalArgumentExceptioninmatchHostName:The root cause is that grpc-java's
matchHostNamewas not RFC-compliant in rejecting trailing dots — the Istio upgrade merely made it visible. The fix here is to bring grpc-java into compliance with RFC 1034, independent of any specific Istio version.Changes
xds/src/main/java/io/grpc/xds/RoutingUtils.java: Removed trailing-dot rejection and addedFQDN normalization in
matchHostName.xds/src/main/java/io/grpc/xds/XdsNameResolver.java: Same as above.xds/src/test/java/io/grpc/xds/XdsNameResolverTest.java: AddedmatchHostName_trailingDottest covering exact match, prefix wildcard, and suffix wildcard with trailing dot combinations.
References