Request to path returning 404 for trailing dot domain

[saley89]

What steps did you take and what happened:

Configured an HttpProxy resource for a domain with a path. This was registered correctly and DNS working as expected for both my-example-domain.com and my-example-domain.com..

When issuing a curl request to a path on my domain it returns successfully, however when using the trailing dot domain it returns a 404 as presumably it is including it as part the route/path lookup.

Working:

curl https://my-example-domain.com/some-path
...
< HTTP/2 200
< server: envoy

Broken:

curl https://my-example-domain.com./some-path
...
< HTTP/2 404
< vary: Accept-Encoding
< date: Wed, 10 Apr 2024 13:56:12 GMT
< server: envoy

What did you expect to happen:

In other ingress controllers we have used this worked successfully in both scenarios.

We believe you should be able to make requests against a trailing dot domain such as this to use and resolve the domain without recursive lookups.

Anything else you would like to add:

RFC documentation on the subject:

Such a name consists of a sequence of domain labels separated by ".",
   each domain label starting and ending with an alphanumeric character
   and possibly also containing "-" characters.  The rightmost domain
   label of a fully qualified domain name in DNS may be followed by a
   single "." and should be if it is necessary to distinguish between
   the complete domain name and some local domain.

Envoy mentions this configuration in it's documentation:

strip_trailing_host_dot
(bool) Determines if trailing dot of the host should be removed from host/authority header before any processing of request by HTTP filters or routing. This affects the upstream host header. Without setting this option, incoming requests with host example.com. will not match against route with domains match set to example.com. Defaults to false. When the incoming request contains a host/authority header that includes a port number, setting this option will strip a trailing dot, if present, from the host section, leaving the port as is (e.g. host value example.com.:443 will be updated to example.com:443).

However I can see no way to set this configuration up in our Contour/Envoy deployment via the helm charts.

Environment:

• Contour version: contour:1.27.1 & envoy:1.27.3
• Kubernetes version: (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"25", GitVersion:"v1.25.4", 
Server Version: version.Info{Major:"1", Minor:"24", GitVersion:"v1.24.17", 

• Cloud provider or hardware configuration: AWS
• OS (e.g. from /etc/os-release): Debian

[github-actions]

Hey @saley89! Thanks for opening your first issue. We appreciate your contribution and welcome you to our community! We are glad to have you here and to have your input on Contour. You can also join us on our mailing list and in our channel in the Kubernetes Slack Workspace

[tsaarni]

Hi @saley89, I haven't formed an opinion yet, but found that Daniel Stenberg (of curl fame) has recorded some details about trailing dot vs HTTP here https://daniel.haxx.se/blog/2022/05/12/a-tale-of-a-trailing-dot/. Interesting read! :)

[saley89]

@tsaarni sure but just to be clear curl was used merely to illustrate the point above. We are seeing this failure from other clients too of course.

[tsaarni]

Sure 👍 I also did not mean it was related to curl, just that there were surprising complications. It wonder if those have been reason why Envoy defaults to distinguishing between the two.