
Question about BadDer(DNS name) #265

Open
3pointer opened this issue Nov 13, 2022 · 2 comments

Comments

@3pointer

Hi, I got a BadDER error when using rustls to build a non-web TLS application.
After investigation, I found the cause of BadDER is that the DNS name *.b is not valid.

I've tried some formats.

a.b -> legal
*.b  -> BadDER
*b -> BadDER
*.b.b -> legal

After checking the code, I found it was intentional.

webpki/src/name/dns_name.rs

Lines 568 to 572 in b481381

```rust
// Like NSS, require at least two labels to follow the wildcard label.
// TODO: Allow the TrustDomain to control this on a per-eTLD+1 basis,
// similar to Chromium. Even then, it might be better to still enforce
// that there are at least two labels after the wildcard.
if label_count < 3 {
```

May I know why it has this check, or which specification it is based on?

Because I'm not the one who generated this certificate. If the DNS name is illegal or it has a security issue, I think I need some evidence to convince others.

Thanks
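To make the rule quoted above concrete, here is an added example (not webpki's code; the function `check_wildcard_name` and the `NameError` variants are names assumed for illustration) that applies the same "at least two labels after the wildcard label" requirement to the four names tried in this issue, plus a non-leftmost wildcard case that the same rule family rejects:

```rust
// Added example: a simplified wildcard-name check modelled on the rule quoted
// from webpki (at least two labels must follow the wildcard label).
// It is not webpki's code; the names below are assumed for this example.

#[derive(Debug, PartialEq)]
pub enum NameError {
    Empty,
    EmptyLabel,           // "a..b"
    BadChar,              // anything outside [A-Za-z0-9-]
    PartialWildcard,      // "*b" or "f*o": a wildcard must be a whole label
    WildcardNotLeftmost,  // "a.*.b"
    TooFewLabels,         // "*.b": fewer than two labels follow the "*"
}

/// Returns Ok(true) for a valid wildcard name, Ok(false) for a valid plain
/// name, and Err for names that would be rejected (where webpki reports BadDER).
pub fn check_wildcard_name(name: &str) -> Result<bool, NameError> {
    if name.is_empty() {
        return Err(NameError::Empty);
    }
    let labels: Vec<&str> = name.split('.').collect();
    let mut is_wildcard = false;
    for (i, label) in labels.iter().enumerate() {
        if label.is_empty() {
            return Err(NameError::EmptyLabel);
        }
        if *label == "*" {
            if i != 0 {
                return Err(NameError::WildcardNotLeftmost);
            }
            is_wildcard = true;
            continue;
        }
        if label.contains('*') {
            return Err(NameError::PartialWildcard);
        }
        if !label.bytes().all(|b| b.is_ascii_alphanumeric() || b == b'-') {
            return Err(NameError::BadChar);
        }
    }
    // Like NSS/webpki: the "*" label must be followed by at least two labels,
    // so "*.b" (two labels in total) is rejected while "*.b.b" is accepted.
    if is_wildcard && labels.len() < 3 {
        return Err(NameError::TooFewLabels);
    }
    Ok(is_wildcard)
}

fn main() {
    for n in ["a.b", "*.b", "*b", "*.b.b", "a.*.b"].iter() {
        println!("{:<8} -> {:?}", n, check_wildcard_name(n));
    }
}
```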

@3pointer
Author

3pointer commented Nov 14, 2022

And it seems a little strange.
When I put the illegal DNS name after the legal DNS name in my test env, it works, but it doesn't work if I change the order.

For example, it works:

```ini
[alt_names]
DNS.1 = localhost
DNS.2 = *.b
IP.1 = 127.0.0.1
```

Doesn't work:

```ini
[alt_names]
DNS.1 = *.b
DNS.2 = localhost
IP.1 = 127.0.0.1
```

@3pointer
Author

3pointer commented Nov 14, 2022

So I guess maybe returning Some(false) is better than returning None? @briansmith could you help confirm this?

return None;
