From 8c7bc699072c3c3764d37df8666af0d1732b0ae5 Mon Sep 17 00:00:00 2001 From: Iris Date: Thu, 11 Jun 2026 14:31:41 -0700 Subject: [PATCH 1/9] add srvAllowedHostsSuffix --- .../initial-dns-seedlist-discovery.md | 19 +++++++++++++++---- .../srvAllowedHostsSuffix-mismatch.json | 5 +++++ .../srvAllowedHostsSuffix-mismatch.yml | 4 ++++ .../srvAllowedHostsSuffix-with_dot.json | 11 +++++++++++ .../srvAllowedHostsSuffix-with_dot.yml | 7 +++++++ ...rvAllowedHostsSuffix-without_dot_fail.json | 5 +++++ ...srvAllowedHostsSuffix-without_dot_fail.yml | 3 +++ ...rvAllowedHostsSuffix-without_dot_pass.json | 11 +++++++++++ ...srvAllowedHostsSuffix-without_dot_pass.yml | 7 +++++++ source/uri-options/uri-options.md | 7 +++++-- 10 files changed, 73 insertions(+), 6 deletions(-) create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.json create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.json create mode 100644 source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml diff --git a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md index 92d4de9e77..7363034088 100644 --- a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md 
+++ b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md @@ -37,7 +37,8 @@ mongodb+srv://{hostname}/{options} `{options}` refers to the optional elements from the [Connection String](../connection-string/connection-string-spec.md) specification following the `Host Information`. This includes the `Auth database` and `Connection Options`. -For the purposes of this document, `{hostname}` will be divided using the following terminology. If an SRV `{hostname}` +For the purposes of this document, `{hostname}` will be divided using the following terminology. If +`srvAllowedHostsSuffix` has been configured, then that will act as the `{domainname}`. Otherwise, if an SRV `{hostname}` has: 1. Three or more `.` separated parts, then the left-most part is the `{subdomain}` and the remaining portion is the @@ -65,6 +66,14 @@ Only `{domainname}` is used during SRV record verification and `{subdomain}` is ### MongoClient Configuration +#### srvAllowedHostsSuffix + +This option is used to validate hosts. If present, its value MUST be treated as the domain for DNS validation. For +example, `srvAllowedHostsSuffix=.mydomain.net`. If the value does not begin with a `.`, for example, +`srvAllowedHostsSuffix=mydomain.net`, the `.` MUST be automatically prepended prior to validation. If this option is not +present, the domain MUST be inferred from the hostname. This option MUST only be configurable at the level of a +`MongoClient`. + #### srvMaxHosts This option is used to limit the number of mongos connections that may be created for sharded topologies. This option 
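Review bot: The new `srvAllowedHostsSuffix` section places no constraint on the value, so an empty value, a bare `.`, or a single-label suffix such as `.net` would, after the dot-prepend rule, accept practically any host an SRV response returns. That effectively switches off the parent-domain check that this spec's 2024-09-24 ChangeLog entry describes as a security requirement. The text also does not say whether the suffix has to be a parent of `{hostname}` or may name an unrelated domain (the fixtures in this patch only exercise a parent, `.build.10gen.cc` for `test12.test.build.10gen.cc`), nor how comparison treats letter case or a trailing `.`. I would add a sentence such as `The driver MUST report an error if the value is empty or consists only of "."`, state that matching is case-insensitive and on whole labels, and add a short security note that this option widens the set of hosts the driver will trust and should be as specific as possible. Whether to require a minimum number of labels is a design decision for the spec owners; fixtures for the rejected values would pin whichever rule is chosen.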
@@ -84,9 +93,9 @@ requires a string value and defaults to "mongodb". This option MUST only be conf #### URI Validation -The driver MUST report an error if either the `srvServiceName` or `srvMaxHosts` URI options are specified with a non-SRV -URI (i.e. scheme other than `mongodb+srv`). The driver MUST allow specifying the `srvServiceName` and `srvMaxHosts` URI -options with an SRV URI (i.e. `mongodb+srv` scheme). +The driver MUST report an error if any of `srvServiceName`, `srvMaxHosts`, or `srvAllowedHostsSuffix` URI options are +specified with a non-SRV URI (i.e. scheme other than `mongodb+srv`). The driver MUST allow specifying the +`srvServiceName`, `srvMaxHosts`, and `srvAllowedHostsSuffix` URI options with an SRV URI (i.e. `mongodb+srv` scheme). If `srvMaxHosts` is a positive integer, the driver MUST throw an error in the following cases: @@ -283,6 +292,8 @@ In the future we could consider using the priority and weight fields of the SRV ## ChangeLog +- 2026-06-08: Add `srvAllowedHostsSuffix` MongoClient option. + - 2024-09-24: Removed requirement for URI to have three '.' separated parts; these SRVs have stricter parent domain matching requirements for security. Create terminology section. Remove usage of term `{TLD}`. The `{hostname}` now refers to the entire hostname, not just the `{subdomain}`. diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json new file mode 100644 index 0000000000..29506579ea --- /dev/null +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json @@ -0,0 +1,5 @@ +{ + "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=test.build.10gen.cc", + "seeds": [], + "hosts": [] +} 
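Review bot: The URI Validation paragraph now requires an error when `srvAllowedHostsSuffix` appears on a non-SRV URI, but nothing pins that new MUST. The diffstat of this patch adds fixtures only under `tests/replica-set/`, all using the `mongodb+srv` scheme, so a driver that silently ignores the option on a `mongodb://` URI would pass every fixture added here. I would add an error fixture alongside whatever fixtures cover the same rule for `srvServiceName` and `srvMaxHosts` (not visible in this patch), and mirror it in the uri-options tests if that suite checks this rule.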
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml
new file mode 100644
index 0000000000..074b7c1a73
--- /dev/null
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml
@@ -0,0 +1,4 @@
+# DNS record for test12.test.build.10gen.cc returns localhost.build.10gen.cc which would not match test.build.10gen.cc
+uri: "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=test.build.10gen.cc"
+seeds: []
+hosts: []
\ No newline at end of file
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.json b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.json
new file mode 100644
index 0000000000..8ff14a8958
--- /dev/null
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.json
@@ -0,0 +1,11 @@
+{
+ "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=.build.10gen.cc",
+ "seeds": [
+ "localhost.build.10gen.cc:27017"
+ ],
+ "options": {
+ "srvAllowedHostsSuffix": ".build.10gen.cc",
+ "ssl": true
+ },
+ "ping": false
+}
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml
new file mode 100644
index 0000000000..3c0173cc68
--- /dev/null
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml
@@ -0,0 +1,7 @@
+uri: "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=.build.10gen.cc"
+seeds:
+ - localhost.build.10gen.cc:27017
+options:
+ srvAllowedHostsSuffix: .build.10gen.cc
+ ssl: true
+ping: false
\ No newline at end of file
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json
new file mode 100644
index 0000000000..78883916af
--- /dev/null
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json
@@ -0,0 +1,5 @@
+{
+ "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc",
+ "seeds": [],
+ "hosts": []
+}
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml
new file mode 100644
index 0000000000..cf4f5a8fe5
--- /dev/null
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml
@@ -0,0 +1,3 @@
+"uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc"
+seeds: []
+hosts: []
\ No newline at end of file
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.json b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.json
new file mode 100644
index 0000000000..3f4c1f1f71
--- /dev/null
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.json
@@ -0,0 +1,11 @@
+{
+ "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=build.10gen.cc",
+ "seeds": [
+ "localhost.build.10gen.cc:27017"
+ ],
+ "options": {
+ "srvAllowedHostsSuffix": "build.10gen.cc",
+ "ssl": true
+ },
+ "ping": false
+}
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml
new file mode 100644
index 0000000000..79ccddfaf3
--- /dev/null
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml @@ -0,0 +1,7 @@ +uri: mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=build.10gen.cc +seeds: + - localhost.build.10gen.cc:27017 +options: + srvAllowedHostsSuffix: .build.10gen.cc + ssl: true +ping: false \ No newline at end of file diff --git a/source/uri-options/uri-options.md b/source/uri-options/uri-options.md index 85a137671c..5a3d70d054 100644 --- a/source/uri-options/uri-options.md +++ b/source/uri-options/uri-options.md @@ -43,9 +43,9 @@ The driver MUST report an error if the `directConnection=true` URI option is spe The driver MUST report an error if the `directConnection=true` URI option is specified with an SRV URI, because the URI may resolve to multiple hosts. The driver MUST allow specifying `directConnection=false` URI option with an SRV URI. -### srvServiceName and srvMaxHosts URI options +### srvServiceName, srvMaxHosts, and srvAllowedHostsSuffix URI options -For URI option validation pertaining to `srvServiceName` and `srvMaxHosts`, please see the +For URI option validation pertaining to `srvServiceName`, `srvMaxHosts`, and `srvAllowedHostsSuffix`, please see the [Initial DNS Seedlist Discovery spec](../initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md#uri-validation) for details. 
@@ -104,6 +104,7 @@ to URI options apply here. | serverSelectionTimeoutMS | positive integer; a driver may also accept 0 to be used for a special case, provided that it documents the meaning | defined in [server selection spec](../server-selection/server-selection.md#serverselectiontimeoutms) | no | A timeout in milliseconds to block for server selection before raising an error | | serverSelectionTryOnce | "true" or "false" | defined in [server selection spec](../server-selection/server-selection.md#serverselectiontryonce) | required for single-threaded drivers | Scan the topology only once after a server selection failure instead of repeatedly until the server selection times out | | socketTimeoutMS | non-negative integer; 0 means no timeout | no timeout | no | NOTE: This option is deprecated in favor of [timeoutMS](../client-side-operations-timeout/client-side-operations-timeout.md#timeoutms)

Amount of time spent attempting to send or receive on a socket before timing out; note that this only applies to application operations, not SDAM. | +| srvAllowedHostsSuffix | a valid DNS hostname suffix (e.g. ".mydomain.net") | none; domain is inferred from the SRV hostname | no | A hostname suffix used to validate hosts returned via SRV lookup, replacing the domain inferred from the SRV hostname. Defined in the [Initial DNS Seedlist Discovery spec](../initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md#srvallowedhostssuffix). | | srvMaxHosts | non-negative integer; 0 means no maximum | defined in the [Initial DNS Seedlist Discovery spec](../initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md#srvmaxhosts) | no | The maximum number of SRV results to randomly select when initially populating the seedlist or, during SRV polling, adding new hosts to the topology. | | srvServiceName | a valid SRV service name according to [RFC 6335](https://datatracker.ietf.org/doc/html/rfc6335#section-5.1) | "mongodb" | no | the service name to use for SRV lookup in [initial DNS seedlist discovery](../initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md#srvservicename) and [SRV polling](../polling-srv-records-for-mongos-discovery/polling-srv-records-for-mongos-discovery.md) | | ssl | "true" or "false" | same as "tls" | no | alias of "tls"; required to ensure that Atlas connection strings continue to work | @@ -184,6 +185,8 @@ changes. ## Changelog +- 2026-06-08: Add `srvAllowedHostsSuffix` option. + - 2024-05-08: Migrated from reStructuredText to Markdown. - 2023-08-21: Add serverMonitoringMode option. From 790505e9b8c570a6ae193f34b2c7a0fb8762d859 Mon Sep 17 00:00:00 2001 From: Iris Date: Mon, 15 Jun 2026 10:41:54 -0700 Subject: [PATCH 2/9] fix yml test --- .../replica-set/srvAllowedHostsSuffix-without_dot_pass.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml index 79ccddfaf3..ffee59d769 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml @@ -2,6 +2,6 @@ uri: mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=build.10gen seeds: - localhost.build.10gen.cc:27017 options: - srvAllowedHostsSuffix: .build.10gen.cc + srvAllowedHostsSuffix: build.10gen.cc ssl: true ping: false \ No newline at end of file From 914c830db0bffcc9f1567a0c92217a8df1c9a51b Mon Sep 17 00:00:00 2001 From: Iris Date: Mon, 15 Jun 2026 12:57:43 -0700 Subject: [PATCH 3/9] tests should error --- .../tests/replica-set/srvAllowedHostsSuffix-mismatch.json | 3 ++- .../tests/replica-set/srvAllowedHostsSuffix-mismatch.yml | 3 ++- .../replica-set/srvAllowedHostsSuffix-without_dot_fail.json | 3 ++- .../replica-set/srvAllowedHostsSuffix-without_dot_fail.yml | 3 ++- 4 files changed, 8 insertions(+), 4 deletions(-) diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json index 29506579ea..56e26524c4 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.json @@ -1,5 +1,6 @@ { "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=test.build.10gen.cc", "seeds": [], - "hosts": [] + "hosts": [], + "error": true } 
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml index 074b7c1a73..d4d411097e 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml @@ -1,4 +1,5 @@ # DNS record for test12.test.build.10gen.cc returns localhost.build.10gen.cc which would not match test.build.10gen.cc uri: "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=test.build.10gen.cc" seeds: [] -hosts: [] \ No newline at end of file +hosts: [] +error: true \ No newline at end of file diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json index 78883916af..b7544b66f2 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.json @@ -1,5 +1,6 @@ { "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc", "seeds": [], - "hosts": [] + "hosts": [], + "error": true } diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml index cf4f5a8fe5..9864fe3129 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml 
@@ -1,3 +1,4 @@ "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc" seeds: [] -hosts: [] \ No newline at end of file +hosts: [] +error: true \ No newline at end of file From 529ad3be2760dc94d57575f3bc2a280badce2f62 Mon Sep 17 00:00:00 2001 From: Iris <58442094+sleepyStick@users.noreply.github.com> Date: Mon, 22 Jun 2026 11:40:02 -0700 Subject: [PATCH 4/9] Update source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md Co-authored-by: Matt Dale <9760375+matthewdale@users.noreply.github.com> --- .../initial-dns-seedlist-discovery.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md index 7363034088..7d8ed96a67 100644 --- a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md +++ b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md @@ -68,7 +68,7 @@ Only `{domainname}` is used during SRV record verification and `{subdomain}` is #### srvAllowedHostsSuffix -This option is used to validate hosts. If present, its value MUST be treated as the domain for DNS validation. For +This option is used to validate hosts. If present, its value MUST be treated as the `{domainname}` for DNS validation. For example, `srvAllowedHostsSuffix=.mydomain.net`. If the value does not begin with a `.`, for example, `srvAllowedHostsSuffix=mydomain.net`, the `.` MUST be automatically prepended prior to validation. If this option is not present, the domain MUST be inferred from the hostname. This option MUST only be configurable at the level of a From 6556c3054c82d775344498795280c40b3bb8d902 Mon Sep 17 00:00:00 2001 
From: Iris <58442094+sleepyStick@users.noreply.github.com> Date: Mon, 22 Jun 2026 11:40:13 -0700 Subject: [PATCH 5/9] Update source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md Co-authored-by: Matt Dale <9760375+matthewdale@users.noreply.github.com> --- .../initial-dns-seedlist-discovery.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md index 7d8ed96a67..a5b5fb9dbe 100644 --- a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md +++ b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md @@ -71,7 +71,7 @@ Only `{domainname}` is used during SRV record verification and `{subdomain}` is This option is used to validate hosts. If present, its value MUST be treated as the `{domainname}` for DNS validation. For example, `srvAllowedHostsSuffix=.mydomain.net`. If the value does not begin with a `.`, for example, `srvAllowedHostsSuffix=mydomain.net`, the `.` MUST be automatically prepended prior to validation. If this option is not -present, the domain MUST be inferred from the hostname. This option MUST only be configurable at the level of a +present, the`{domainname}` MUST be inferred from the `{hostname}` (as described in [Connection String Format](#connection-string-format)). This option MUST only be configurable at the level of a `MongoClient`. #### srvMaxHosts From 871c812e7812a2364e834e38c8bf19252a0bf695 Mon Sep 17 00:00:00 2001 From: Iris Date: Mon, 22 Jun 2026 11:49:20 -0700 Subject: [PATCH 6/9] address MD feedback --- .../initial-dns-seedlist-discovery.md | 9 +++++---- .../srvAllowedHostsSuffix-without_dot_fail.yml | 1 + 2 files changed, 6 insertions(+), 4 deletions(-) 
diff --git a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md index a5b5fb9dbe..0920fd5711 100644 --- a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md +++ b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md @@ -68,10 +68,11 @@ Only `{domainname}` is used during SRV record verification and `{subdomain}` is #### srvAllowedHostsSuffix -This option is used to validate hosts. If present, its value MUST be treated as the `{domainname}` for DNS validation. For -example, `srvAllowedHostsSuffix=.mydomain.net`. If the value does not begin with a `.`, for example, -`srvAllowedHostsSuffix=mydomain.net`, the `.` MUST be automatically prepended prior to validation. If this option is not -present, the`{domainname}` MUST be inferred from the `{hostname}` (as described in [Connection String Format](#connection-string-format)). This option MUST only be configurable at the level of a +This option is used to validate hosts. If present, its value MUST be treated as the `{domainname}` for +[DNS validation](#querying-dns). For example, `srvAllowedHostsSuffix=.mydomain.net`. If the value does not begin with a +`.`, for example, `srvAllowedHostsSuffix=mydomain.net`, the `.` MUST be automatically prepended prior to validation. If +this option is not present, the`{domainname}` MUST be inferred from the `{hostname}` (as described in +[Connection String Format](#connection-string-format)). This option MUST only be configurable at the level of a `MongoClient`. #### srvMaxHosts diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml index 9864fe3129..7be3101f0a 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml 
+++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml @@ -1,3 +1,4 @@ +# dot should be prepended causing the host to be .uild.10gen.cc "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc" seeds: [] hosts: [] From c3f590c786366a70e91c47b2d0886f5c356c07a1 Mon Sep 17 00:00:00 2001 From: Iris Date: Mon, 22 Jun 2026 11:55:43 -0700 Subject: [PATCH 7/9] edit comment on yml test --- .../replica-set/srvAllowedHostsSuffix-without_dot_fail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml index 7be3101f0a..637a44e917 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml @@ -1,4 +1,4 @@ -# dot should be prepended causing the host to be .uild.10gen.cc +# dot should be prepended to srvAllowedHostsSuffix causing the host to be .uild.10gen.cc which should not match any available DNS records "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc" seeds: [] hosts: [] From 2dd89df8d258e8284e87330093c267fc2cbc1d91 Mon Sep 17 00:00:00 2001 From: Iris Date: Mon, 22 Jun 2026 12:03:51 -0700 Subject: [PATCH 8/9] minor edit to comment again haha --- .../replica-set/srvAllowedHostsSuffix-without_dot_fail.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml index 637a44e917..cd81ca7528 100644 
--- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml @@ -1,4 +1,4 @@ -# dot should be prepended to srvAllowedHostsSuffix causing the host to be .uild.10gen.cc which should not match any available DNS records +# dot should be prepended to `srvAllowedHostsSuffix` causing the host to be .uild.10gen.cc which does not match any available DNS records "uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc" seeds: [] hosts: [] From 86d16333261d13226a210353ee740b64d8b5ecdb Mon Sep 17 00:00:00 2001 From: Iris Date: Wed, 24 Jun 2026 11:24:07 -0700 Subject: [PATCH 9/9] AC feedback --- .../initial-dns-seedlist-discovery.md | 2 +- .../tests/replica-set/srvAllowedHostsSuffix-mismatch.yml | 2 +- .../tests/replica-set/srvAllowedHostsSuffix-with_dot.yml | 2 +- .../replica-set/srvAllowedHostsSuffix-without_dot_fail.yml | 4 ++-- .../replica-set/srvAllowedHostsSuffix-without_dot_pass.yml | 2 +- 5 files changed, 6 insertions(+), 6 deletions(-) diff --git a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md index 0920fd5711..124dc271b3 100644 --- a/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md +++ b/source/initial-dns-seedlist-discovery/initial-dns-seedlist-discovery.md 
@@ -71,7 +71,7 @@ Only `{domainname}` is used during SRV record verification and `{subdomain}` is This option is used to validate hosts. If present, its value MUST be treated as the `{domainname}` for [DNS validation](#querying-dns). For example, `srvAllowedHostsSuffix=.mydomain.net`. If the value does not begin with a `.`, for example, `srvAllowedHostsSuffix=mydomain.net`, the `.` MUST be automatically prepended prior to validation. If -this option is not present, the`{domainname}` MUST be inferred from the `{hostname}` (as described in +this option is not present, the `{domainname}` MUST be inferred from the `{hostname}` (as described in [Connection String Format](#connection-string-format)). This option MUST only be configurable at the level of a `MongoClient`. diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml index d4d411097e..db6ee9811b 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-mismatch.yml @@ -2,4 +2,4 @@ uri: "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=test.build.10gen.cc" seeds: [] hosts: [] -error: true \ No newline at end of file +error: true diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml index 3c0173cc68..69549b1869 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-with_dot.yml @@ -4,4 +4,4 @@ seeds: options: srvAllowedHostsSuffix: .build.10gen.cc ssl: true -ping: false \ No newline at end of file +ping: false 
diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml index cd81ca7528..57fab7a570 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_fail.yml @@ -1,5 +1,5 @@ # dot should be prepended to `srvAllowedHostsSuffix` causing the host to be .uild.10gen.cc which does not match any available DNS records -"uri": "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc" +uri: "mongodb+srv://test12.test.build.10gen.cc/?srvAllowedHostsSuffix=uild.10gen.cc" seeds: [] hosts: [] -error: true \ No newline at end of file +error: true diff --git a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml index ffee59d769..982eec2a36 100644 --- a/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml +++ b/source/initial-dns-seedlist-discovery/tests/replica-set/srvAllowedHostsSuffix-without_dot_pass.yml @@ -4,4 +4,4 @@ seeds: options: srvAllowedHostsSuffix: build.10gen.cc ssl: true -ping: false \ No newline at end of file +ping: false
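Review bot: The comment at the top of `srvAllowedHostsSuffix-without_dot_fail.yml` says the prepended dot causes "the host to be .uild.10gen.cc which does not match any available DNS records", but it is the allowed suffix that becomes `.uild.10gen.cc`. The failure is also a validation failure rather than a missing record: per the comment in `srvAllowedHostsSuffix-mismatch.yml`, the SRV lookup for this hostname returns `localhost.build.10gen.cc`. That host ends with the raw string `uild.10gen.cc`, so this fixture is what catches a driver that compares suffixes as plain strings instead of on a label boundary, and the comment should say so. Suggested wording: `# "." is prepended, so the allowed suffix is ".uild.10gen.cc"; the returned host localhost.build.10gen.cc ends with "uild.10gen.cc" but not on a label boundary and MUST be rejected`.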