Dot should not be an allowed domain name character

[akhmerov]

Bug description

If a username contains a period and subdomains are enabled, they will get a sub-subdomain now because this code doesn't mind sub-subdomains:

jupyterhub/jupyterhub/user.py

Lines 58 to 60 in 49c5189

	# set of chars that are safe in dns labels
	# (allow '.' because we don't mind multiple levels of subdomains)
	_dns_safe = set(string.ascii_letters + string.digits + '-.')

I believe, however, that this doesn't match a common use case. For example, wildcard certificates don't support multilevel nesting, if I understand correctly.

Expected behaviour

Dot isn't considered a _dns_safe character.

[minrk]

Interesting! It definitely is valid sometimes, so I guess it needs to be configurable? But you're right that 'regular' wildcard SSL won't be sufficient (nested subdomains can be added via SAN, but I imagine that's pretty unusual).

[akhmerov]

Would it perhaps be a reasonable idea to consider other pathways for providing a more complex subdomain structure than accidentally via the username? Deeper nested domains are a reasonable niche application, but arbitrary level nesting based on a username seems too weird. Plus I'm not even sure if one...two.example.com is a legitimate domain name.

[minrk]

Would it perhaps be a reasonable idea to consider other pathways for providing a more complex subdomain structure than accidentally via the username?

I definitely think a custom hook to totally override domain-for-user makes sense.

Plus I'm not even sure if one...two.example.com is a legitimate domain name.

I'm pretty sure it's not.

There's a comment that we should really be using idna encoding for full DNS-safe labels. There's a package for that, but it doesn't handle the ASCII part of it (escape ., can't start or end with -, etc.).