idnits 2.17.1
draft-ietf-idn-idna-13.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** Looks like you're using RFC 2026 boilerplate. This must be updated to
follow RFC 3978/3979, as updated by RFC 4748.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
** Missing expiration date. The document expiration date should appear on
the first and last page.
** The document is more than 15 pages and seems to lack a Table of Contents.
== No 'Intended status' indicated for this document; assuming Proposed
Standard
== The page length should not exceed 58 lines per page, but there was 1
longer page, the longest (page 1) being 831 lines
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
** There are 2 instances of too long lines in the document, the longest one
being 2 characters in excess of 72.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The document seems to lack the recommended RFC 2119 boilerplate, even if
it appears to use RFC 2119 keywords.
(The document does seem to have the reference to RFC 2119 which the
ID-Checklist requires).
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- Couldn't find a document date in the document -- date freshness check
skipped.
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Missing Reference: 'RFC2136' is mentioned on line 656, but not defined
== Unused Reference: 'UAX9' is defined on line 718, but no explicit
reference was found in the text
-- Obsolete informational reference (is this intentional?): RFC 2535 (ref.
'DNSSEC') (Obsoleted by RFC 4033, RFC 4034, RFC 4035)
Summary: 4 errors (**), 0 flaws (~~), 5 warnings (==), 3 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
1 Internet Draft Patrik Faltstrom
2 draft-ietf-idn-idna-13.txt Cisco
3 October 4, 2002 Paul Hoffman
4 Expires in six months IMC & VPNC
5 Adam M. Costello
6 UC Berkeley
8 Internationalizing Domain Names in Applications (IDNA)
10 Status of this Memo
12 This document is an Internet-Draft and is in full conformance with all
13 provisions of Section 10 of RFC2026.
15 Internet-Drafts are working documents of the Internet Engineering Task
16 Force (IETF), its areas, and its working groups. Note that other groups
17 may also distribute working documents as Internet-Drafts.
19 Internet-Drafts are draft documents valid for a maximum of six months
20 and may be updated, replaced, or obsoleted by other documents at any
21 time. It is inappropriate to use Internet-Drafts as reference material
22 or to cite them other than as "work in progress."
24 The list of current Internet-Drafts can be accessed at
25 http://www.ietf.org/ietf/1id-abstracts.txt
27 The list of Internet-Draft Shadow Directories can be accessed at
28 http://www.ietf.org/shadow.html.
30 Abstract
32 Until now, there has been no standard method for domain names to use
33 characters outside the ASCII repertoire. This document defines
34 internationalized domain names (IDNs) and a mechanism called IDNA for
35 handling them in a standard fashion. IDNs use characters drawn from a
36 large repertoire (Unicode), but IDNA allows the non-ASCII characters to
37 be represented using only the ASCII characters already allowed in
38 so-called host names today. This backward-compatible representation is
39 required in existing protocols like DNS, so that IDNs can be introduced
40 with no changes to the existing infrastructure. IDNA is only meant for
41 processing domain names, not free text.
43 1. Introduction
45 IDNA works by allowing applications to use certain ASCII name labels
46 (beginning with a special prefix) to represent non-ASCII name labels.
47 Lower-layer protocols need not be aware of this; therefore IDNA does not
48 depend on changes to any infrastructure. In particular, IDNA does not
49 depend on any changes to DNS servers, resolvers, or protocol elements,
50 because the ASCII name service provided by the existing DNS is entirely
51 sufficient for IDNA.
53 This document does not require any applications to conform to IDNA, but
54 applications can elect to use IDNA in order to support IDN while
55 maintaining interoperability with existing infrastructure. If an
56 application wants to use non-ASCII characters in domain names, IDNA is
57 the only currently-defined option. Adding IDNA support to an existing
58 application entails changes to the application only, and leaves room for
59 flexibility in the user interface.
61 A great deal of the discussion of IDN solutions has focused on
62 transition issues and how IDN will work in a world where not all of the
63 components have been updated. Proposals that were not chosen by the IDN
64 Working Group would depend on user applications, resolvers, and DNS
65 servers being updated in order for a user to use an internationalized
66 domain name. Rather than rely on widespread updating of all components,
67 IDNA depends on updates to user applications only; no changes are needed
68 to the DNS protocol or any DNS servers or the resolvers on user's
69 computers.
71 1.1 Brief overview for application developers
73 Applications can use IDNA to support internationalized domain names
74 anywhere that ASCII domain names are already supported, including DNS
75 master files and resolver interfaces. (Applications can also define
76 protocols and interfaces that support IDNs directly using non-ASCII
77 representations. IDNA does not prescribe any particular representation
78 for new protocols, but it still defines which names are valid and how
79 they are compared.)
81 The IDNA protocol is contained completely within applications. It is not
82 a client-server or peer-to-peer protocol: everything is done inside the
83 application itself. When used with a DNS resolver library, IDNA is
84 inserted as a "shim" between the application and the resolver library.
85 When used for writing names into a DNS zone, IDNA is used just before
86 the name is committed to the zone.
88 There are two operations described in section 4 of this document:
90 - The ToASCII operation is used before sending an IDN to something that
91 expects ASCII names (such as a resolver) or writing an IDN into a place
92 that expects ASCII names (such as a DNS master file).
94 - The ToUnicode operation is used when displaying names to users, for
95 example names obtained from a DNS zone.
97 It is important to note that the ToASCII operation can fail. If it fails
98 when processing a domain name, that domain name cannot be used as an
99 internationalized domain name and the application has to have some
100 method of dealing with this failure.
102 IDNA requires that implementations process input strings with Nameprep
103 [NAMEPREP], which is a profile of Stringprep [STRINGPREP], and then with
104 Punycode [PUNYCODE]. Implementations of IDNA MUST fully implement
105 Nameprep and Punycode; neither Nameprep nor Punycode are optional.
107 2 Terminology
109 The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED", and
110 "MAY" in this document are to be interpreted as described in RFC 2119
111 [RFC2119].
113 A code point is an integral value associated with a character in a coded
114 character set.
116 Unicode [UNICODE] is a coded character set containing tens of thousands
117 of characters. A single Unicode code point is denoted by "U+" followed
118 by four to six hexadecimal digits, while a range of Unicode code points
119 is denoted by two hexadecimal numbers separated by "..", with no
120 prefixes.
122 ASCII means US-ASCII [USASCII], a coded character set containing 128
123 characters associated with code points in the range 0..7F. Unicode is an
124 extension of ASCII: it includes all the ASCII characters and associates
125 them with the same code points.
127 The term "LDH code points" is defined in this document to mean the code
128 points associated with ASCII letters, digits, and the hyphen-minus; that
129 is, U+002D, 30..39, 41..5A, and 61..7A. "LDH" is an abbreviation for
130 "letters, digits, hyphen".
132 [STD13] talks about "domain names" and "host names", but many people use
133 the terms interchangeably. Further, because [STD13] was not terribly
134 clear, many people who are sure they know the exact definitions of each
135 of these terms disagree on the definitions. In this document the term
136 "domain name" is used in general. This document explicitly cites [STD3]
137 whenever referring to the host name syntax restrictions defined therein.
139 A label is an individual part of a domain name. Labels are usually shown
140 separated by dots; for example, the domain name "www.example.com" is
141 composed of three labels: "www", "example", and "com". (The zero-length
142 root label described in [STD13], which can be explicit as in
143 "www.example.com." or implicit as in "www.example.com", is not
144 considered a label in this specification.) IDNA extends the set of
145 usable characters in labels that are text. For the rest of this
146 document, the term "label" is shorthand for "text label", and "every
147 label" means "every text label".
149 An "internationalized label" is a label to which the ToASCII operation
150 (see section 4) can be applied without failing. This implies that every
151 ASCII label that satisfies the [STD13] length restriction is an
152 internationalized label. Therefore the term "internationalized label" is
153 a generalization, embracing both old ASCII labels and new non-ASCII
154 labels. Although most Unicode characters can appear in internationalized
155 labels, ToASCII will fail for some input strings, and such strings are
156 not valid internationalized labels.
158 An "internationalized domain name" (IDN) is a domain name in which every
159 label is an internationalized label. This implies that every ASCII
160 domain name is an IDN. This document does not attempt to define an
161 "internationalized host name". Just as has been the case with ASCII
162 names, some DNS zone administrators may impose restrictions, beyond
163 those imposed by DNS or IDNA, on the characters or strings that may be
164 registered as labels in their zones. Such restrictions have no impact on
165 the syntax or semantics of DNS protocol messages; a query for a name
166 that matches no records will yield the same response regardless of the
167 reason why it is not in the zone. Clients issuing queries or
168 interpreting responses cannot be assumed to have any knowledge of
169 zone-specific restrictions or conventions.
171 In IDNA, equivalence of labels is defined in terms of the ToASCII
172 operation, which constructs an ASCII form for a given label, whether or
173 not the label was already an ASCII label. Labels are defined to be
174 equivalent if and only if their ASCII forms produced by ToASCII match
175 using a case-insensitive ASCII comparison. ASCII labels already have a
176 notion of equivalence: upper case and lower case are considered
177 equivalent. The IDNA notion of equivalence is an extension of that older
178 notion. Equivalent labels in IDNA are treated as alternate forms of the
179 same label, just as "foo" and "Foo" are treated as alternate forms of
180 the same label.
182 To allow internationalized labels to be handled by existing
183 applications, IDNA uses an "ACE label" (ACE stands for ASCII Compatible
184 Encoding). An ACE label is an internationalized label that can be
185 rendered in ASCII and is equivalent to an internationalized label that
186 cannot be rendered in ASCII. Given any internationalized label that
187 cannot be rendered in ASCII, the ToASCII operation will convert it to an
188 equivalent ACE label (whereas an ASCII label will be left unaltered by
189 ToASCII). ACE labels are unsuitable for display to users. The ToUnicode
190 operation will convert any label to an equivalent non-ACE label. In
191 fact, an ACE label is formally defined to be any label that the
192 ToUnicode operation would alter (whereas non-ACE labels are left
193 unaltered by ToUnicode). Every ACE label begins with the ACE prefix
194 specified in section 5. The ToASCII and ToUnicode operations are
195 specified in section 4.
197 The "ACE prefix" is defined in this document to be a string of ASCII
198 characters that appears at the beginning of every ACE label. It is
199 specified in section 5.
201 A "domain name slot" is defined in this document to be a protocol
202 element or a function argument or a return value (and so on) explicitly
203 designated for carrying a domain name. Examples of domain name slots
204 include: the QNAME field of a DNS query; the name argument of the
205 gethostbyname() library function; the part of an email address following
206 the at-sign (@) in the From: field of an email message header; and the
207 host portion of the URI in the src attribute of an HTML tag.
208 General text that just happens to contain a domain name is not a domain
209 name slot; for example, a domain name appearing in the plain text body
210 of an email message is not occupying a domain name slot.
212 An "IDN-aware domain name slot" is defined in this document to be a
213 domain name slot explicitly designated for carrying an internationalized
214 domain name as defined in this document. The designation may be static
215 (for example, in the specification of the protocol or interface) or
216 dynamic (for example, as a result of negotiation in an interactive
217 session).
219 An "IDN-unaware domain name slot" is defined in this document to be any
220 domain name slot that is not an IDN-aware domain name slot. Obviously,
221 this includes any domain name slot whose specification predates IDNA.
223 3. Requirements and applicability
225 3.1 Requirements
227 IDNA conformance means adherence to the following four requirements:
229 1) Whenever dots are used as label separators, the following characters
230 MUST be recognized as dots: U+002E (full stop), U+3002 (ideographic full
231 stop), U+FF0E (fullwidth full stop), U+FF61 (halfwidth ideographic full
232 stop).
234 2) Whenever a domain name is put into an IDN-unaware domain name slot
235 (see section 2), it MUST contain only ASCII characters.
236 Given an internationalized domain name (IDN), an equivalent domain name
237 satisfying this requirement can be obtained by applying the ToASCII
238 operation (see section 4) to each label and, if dots are
239 used as label separators, changing all the label separators to U+002E.
241 3) ACE labels obtained from domain name slots SHOULD be hidden from
242 users when it is known that the environment can handle the non-ACE form,
243 except when the ACE form is explicitly requested. When it is not known
244 whether or not the environment can handle the non-ACE form, the
245 application MAY use the non-ACE form (which might fail, such as by not
246 being displayed properly), or it MAY use the ACE form (which will look
247 unintelligle to the user). Given an internationalized domain name, an
248 equivalent domain name containing no ACE labels can be obtained by
249 applying the ToUnicode operation (see section 4) to each label. When
250 requirements 2 and 3 both apply, requirement 2 takes precedence.
252 4) Whenever two labels are compared, they MUST be considered to match if
253 and only if they are equivalent, that is, their ASCII forms (obtained by
254 applying ToASCII) match using a case-insensitive ASCII comparison.
255 Whenever two names are compared, they MUST be considered to match if and
256 only if their corresponding labels match, regardless of whether the
257 names use the same forms of label separators.
259 3.2 Applicability
261 IDNA is applicable to all domain names in all domain name slots except
262 where it is explicitly excluded.
264 This implies that IDNA is applicable to many protocols that predate
265 IDNA. Note that IDNs occupying domain name slots in those protocols
266 MUST be in ASCII form (see section 3.1, requirement 2).
268 3.2.1. DNS resource records
270 IDNA does not apply to domain names in the NAME and RDATA fields of DNS
271 resource records whose CLASS is not IN. This exclusion applies to every
272 non-IN class, present and future, except where future standards override
273 this exclusion by explicitly inviting the use of IDNA.
275 There are currently no other exclusions on the applicability of IDNA to
276 DNS resource records; it depends entirely on the CLASS, and not on the
277 TYPE. This will remain true, even as new types are defined, unless
278 there is a compelling reason for a new type to complicate matters by
279 imposing type-specific rules.
281 3.2.2. Non-domain-name data types stored in domain names
283 Although IDNA enables the representation of non-ASCII characters in
284 domain names, that does not imply that IDNA enables the representation
285 of non-ASCII characters in other data types that are stored in domain
286 names. For example, an email address local part is sometimes stored in
287 a domain label (hostmaster@example.com would be represented as
288 hostmaster.example.com in the RDATA field of an SOA record). IDNA does
289 not update the existing email standards, which allow only ASCII
290 characters in local parts. Therefore, unless the email standards are
291 revised to invite the use of IDNA for local parts, a domain label that
292 holds the local part of an email address SHOULD NOT begin with the ACE
293 prefix, and even if it does, it is to be interpreted literally as a
294 local part that happens to begin with the ACE prefix.
296 4. Conversion operations
298 An application converts a domain name put into an IDN-unaware slot or
299 displayed to a user. This section specifies the steps to perform in the
300 conversion, and the ToASCII and ToUnicode operations.
302 The input to ToASCII or ToUnicode is a single label that is a sequence
303 of Unicode code points (remember that all ASCII code points are also
304 Unicode code points). If a domain name is represented using a character
305 set other than Unicode or US-ASCII, it will first need to be transcoded
306 to Unicode.
308 Starting from a whole domain name, the steps that an application takes
309 to do the conversions are:
311 1) Decide whether the domain name is a "stored string" or a "query
312 string" as described in [STRINGPREP]. If this conversion follows the
313 "queries" rule from [STRINGPREP], set the flag called "AllowUnassigned".
315 2) Split the domain name into individual labels as described in section
316 3.1. The labels do not include the separator.
318 3) For each label, decide whether or not to enforce the restrictions on
319 ASCII characters in host names [STD3]. If the restrictions are to be
320 enforced, set the flag called "UseSTD3ASCIIRules" for that label.
322 4) Process each label with either the ToASCII or the ToUnicode
323 operation. Use the ToASCII operation if you are about to put
324 the name into an IDN-unaware slot. Use the ToUnicode operation if you
325 are displaying the name to a user.
327 5) If ToASCII was applied in step 4 and dots are used as label
328 separators, change all the label separators to U+002E (full stop).
330 The following two subsections define the ToASCII and ToUnicode
331 operations that are used in step 4.
333 4.1 ToASCII
335 The ToASCII operation takes a sequence of Unicode code points that make
336 up one label and transforms it into a sequence of code points in the
337 ASCII range (0..7F). If ToASCII succeeds, the original sequence and the
338 resulting sequence are equivalent labels.
340 It is important to note that the ToASCII operation can fail. ToASCII
341 fails if any step of it fails. If any step of the ToASCII operation
342 fails on any label in a domain name, that domain name MUST NOT be used
343 as an internationalized domain name. The application needs to have some
344 method of dealing with this failure.
346 The inputs to ToASCII are a sequence of code points, the AllowUnassigned
347 flag, and the UseSTD3ASCIIRules flag. The output of ToASCII is either a
348 sequence of ASCII code points or a failure condition.
350 ToASCII never alters a sequence of code points that are all in the ASCII
351 range to begin with (although it could fail). Applying the ToASCII
352 operation multiple times has exactly the same effect as applying it just
353 once.
355 ToASCII consists of the following steps:
357 1. If all code points in the sequence are in the ASCII range (0..7F)
358 then skip to step 3.
360 2. Perform the steps specified in [NAMEPREP] and fail if there is
361 an error. The AllowUnassigned flag is used in [NAMEPREP].
363 3. If the UseSTD3ASCIIRules flag is set, then perform these checks:
365 (a) Verify the absence of non-LDH ASCII code points; that is,
366 the absence of 0..2C, 2E..2F, 3A..40, 5B..60, and 7B..7F.
368 (b) Verify the absence of leading and trailing hyphen-minus;
369 that is, the absence of U+002D at the beginning and end of
370 the sequence.
372 4. If all code points in the sequence are in the ASCII range
373 (0..7F), then skip to step 8.
375 5. Verify that the sequence does NOT begin with the ACE prefix.
377 6. Encode the sequence using the encoding algorithm in [PUNYCODE]
378 and fail if there is an error.
380 7. Prepend the ACE prefix.
382 8. Verify that the number of code points is in the range 1 to 63
383 inclusive.
385 4.2 ToUnicode
387 The ToUnicode operation takes a sequence of Unicode code points that
388 make up one label and returns a sequence of Unicode code points. If the
389 input sequence is a label in ACE form, then the result is an equivalent
390 internationalized label that is not in ACE form, otherwise the original
391 sequence is returned unaltered.
393 ToUnicode never fails. If any step fails, then the original input
394 sequence is returned immediately in that step.
396 The inputs to ToUnicode are a sequence of code points, the
397 AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of
398 ToUnicode is always a sequence of Unicode code points.
400 1. If all code points in the sequence are in the ASCII range (0..7F)
401 then skip to step 3.
403 2. Perform the steps specified in [NAMEPREP] and fail if there is an
404 error. (If step 3 of ToASCII is also performed here, it will not
405 affect the overall behavior of ToUnicode, but it is not
406 necessary.) The AllowUnassigned flag is used in [NAMEPREP].
408 3. Verify that the sequence begins with the ACE prefix, and save a
409 copy of the sequence.
411 4. Remove the ACE prefix.
413 5. Decode the sequence using the decoding algorithm in [PUNYCODE]
414 and fail if there is an error. Save a copy of the result of
415 this step.
417 6. Apply ToASCII.
419 7. Verify that the result of step 6 matches the saved copy from
420 step 3, using a case-insensitive ASCII comparison.
422 8. Return the saved copy from step 5.
424 5. ACE prefix
426 [[ Note to the IESG and Internet Draft readers: The two uses of the
427 string "IESG--" below are to be changed at time of publication to a
428 prefix which fulfills the requirements in the first paragraph. IANA will
429 assign this value. ]]
431 The ACE prefix, used in the conversion operations (section 4), is two
432 alphanumeric ASCII characters followed by two hyphen-minuses. It cannot
433 be any of the prefixes already used in earlier documents, which includes
434 the following: "bl--", "bq--", "dq--", "lq--", "mq--", "ra--", "wq--"
435 and "zq--". The ToASCII and ToUnicode operations MUST recognize the ACE
436 prefix in a case-insensitive manner.
438 The ACE prefix for IDNA is "IESG--".
440 This means that an ACE label might be "IESG--de-jg4avhby1noc0d", where
441 "de-jg4avhby1noc0d" is the part of the ACE label that is generated by
442 the encoding steps in [PUNYCODE].
444 While all ACE labels begin with the ACE prefix, not all labels beginning
445 with the ACE prefix are necessarily ACE labels. Non-ACE labels that
446 begin with the ACE prefix will confuse users and SHOULD NOT be allowed
447 in DNS zones.
449 6. Implications for typical applications using DNS
451 In IDNA, applications perform the processing needed to input
452 internationalized domain names from users, display internationalized
453 domain names to users, and process the inputs and outputs from DNS and
454 other protocols that carry domain names.
456 The components and interfaces between them can be represented
457 pictorially as:
459 +------+
460 | User |
461 +------+
462 ^
463 | Input and display: local interface methods
464 | (pen, keyboard, glowing phosphorus, ...)
465 +-------------------|-------------------------------+
466 | v |
467 | +-----------------------------+ |
468 | | Application | |
469 | | (ToASCII and ToUnicode | |
470 | | operations may be | |
471 | | called here) | |
472 | +-----------------------------+ |
473 | ^ ^ | End system
474 | | | |
475 | Call to resolver: | | Application-specific |
476 | ACE | | protocol: |
477 | v | ACE unless the |
478 | +----------+ | protocol is updated |
479 | | Resolver | | to handle other |
480 | +----------+ | encodings |
481 | ^ | |
482 +-----------------|----------|----------------------+
483 DNS protocol: | |
484 ACE | |
485 v v
486 +-------------+ +---------------------+
487 | DNS servers | | Application servers |
488 +-------------+ +---------------------+
490 The box labeled "Application" is where the application splits a domain
491 name into labels, sets the appropriate flags, and performs the ToASCII
492 and ToUnicode operations. This is described in section 4.
494 6.1 Entry and display in applications
496 Applications can accept domain names using any character set or sets
497 desired by the application developer, and can display domain names in
498 any charset. That is, the IDNA protocol does not affect the interface
499 between users and applications.
501 An IDNA-aware application can accept and display internationalized
502 domain names in two formats: the internationalized character set(s)
503 supported by the application, and as an ACE label. ACE labels that are
504 displayed or input MUST always include the ACE prefix. Applications MAY
505 allow input and display of ACE labels, but are not encouraged to do so
506 except as an interface for special purposes, possibly for debugging, or
507 to cope with display limitations as described in section 6.4.. ACE
508 encoding is opaque and ugly, and should thus only be exposed to users
509 who absolutely need it. Because name labels encoded as ACE name labels
510 can be rendered either as the encoded ASCII characters or the proper
511 decoded characters, the application MAY have an option for the user to
512 select the preferred method of display; if it does, rendering the ACE
513 SHOULD NOT be the default.
515 Domain names are often stored and transported in many places. For
516 example, they are part of documents such as mail messages and web pages.
517 They are transported in many parts of many protocols, such as both the
518 control commands and the RFC 2822 body parts of SMTP, and the headers
519 and the body content in HTTP. It is important to remember that domain
520 names appear both in domain name slots and in the content that is passed
521 over protocols.
523 In protocols and document formats that define how to handle
524 specification or negotiation of charsets, labels can be encoded in any
525 charset allowed by the protocol or document format. If a protocol or
526 document format only allows one charset, the labels MUST be given in
527 that charset.
529 In any place where a protocol or document format allows transmission of
530 the characters in internationalized labels, internationalized labels
531 SHOULD be transmitted using whatever character encoding and escape
532 mechanism that the protocol or document format uses at that place.
534 All protocols that use domain name slots already have the capacity for
535 handling domain names in the ASCII charset. Thus, ACE labels
536 (internationalized labels that have been processed with the ToASCII
537 operation) can inherently be handled by those protocols.
539 6.2 Applications and resolver libraries
541 Applications normally use functions in the operating system when they
542 resolve DNS queries. Those functions in the operating system are often
543 called "the resolver library", and the applications communicate with the
544 resolver libraries through a programming interface (API).
546 Because these resolver libraries today expect only domain names in
547 ASCII, applications MUST prepare labels that are passed to the resolver
548 library using the ToASCII operation. Labels received from the resolver
549 library contain only ASCII characters; internationalized labels that
550 cannot be represented directly in ASCII use the ACE form. ACE labels
551 always include the ACE prefix.
553 An operating system might have a set of libraries for performing the
554 ToASCII operation. The input to such a library might be in one or more
555 charsets that are used in applications (UTF-8 and UTF-16 are likely
556 candidates for almost any operating system, and script-specific charsets
557 are likely for localized operating systems).
559 IDNA-aware applications MUST be able to work with both
560 non-internationalized labels (those that conform to [STD13] and [STD3])
561 and internationalized labels.
563 It is expected that new versions of the resolver libraries in the future
564 will be able to accept domain names in other formats than ASCII, and
565 application developers might one day pass not only domain names in
566 Unicode, but also in local script to a new API for the resolver
567 libraries in the operating system. Thus the ToASCII and ToUnicode
568 operations might be performed inside these new versions of the resolver
569 libraries.
571 Domain names passed to resolvers or put into the question
572 section of DNS requests follow the rules for "queries" from
573 [STRINGPREP].
575 6.3 DNS servers
577 Domain names stored in zones follow the rules for "stored strings" from
578 [STRINGPREP].
580 For internationalized labels that cannot be represented directly in
581 ASCII, DNS servers MUST use the ACE form produced by the ToASCII
582 operation. All IDNs served by DNS servers MUST contain only ASCII
583 characters.
585 If a signaling system which makes negotiation possible between old and
586 new DNS clients and servers is standardized in the future, the encoding
587 of the query in the DNS protocol itself can be changed from ACE to
588 something else, such as UTF-8. The question whether or not this should
589 be used is, however, a separate problem and is not discussed in this
590 memo.
592 6.4 Avoiding exposing users to the raw ACE encoding
594 Any application that might show the user a domain name obtained from a
595 domain name slot, such as from gethostbyaddr or part of a mail header,
596 will need to be updated if it is to prevent users from seeing the ACE.
598 If an application decodes an ACE name using ToUnicode but cannot show
599 all of the characters in the decoded name, such as if the name contains
600 characters that the output system cannot display, the application SHOULD
601 show the name in ACE format (which always includes the ACE prefix)
602 instead of displaying the name with the replacement character (U+FFFD).
603 This is to make it easier for the user to transfer the name correctly to
604 other programs. Programs that by default show the ACE form when they
605 cannot show all the characters in a name label SHOULD also have a
606 mechanism to show the name that is produced by the ToUnicode operation
607 with as many characters as possible and replacement characters in the
608 positions where characters cannot be displayed.
610 The ToUnicode operation does not alter labels that are not valid ACE
611 labels, even if they begin with the ACE prefix. After ToUnicode has been
612 applied, if a label still begins with the ACE prefix, then it is not a
613 valid ACE label, and is not equivalent to any of the intermediate
614 Unicode strings constructed by ToUnicode.
616 6.5 DNSSEC authentication of IDN domain names
618 DNS Security [DNSSEC] is a method for supplying cryptographic
619 verification information along with DNS messages. Public Key
620 Cryptography is used in conjunction with digital signatures to provide a
621 means for a requester of domain information to authenticate the source
622 of the data. This ensures that it can be traced back to a trusted
623 source, either directly, or via a chain of trust linking the source of
624 the information to the top of the DNS hierarchy.
626 IDNA specifies that all internationalized domain names served by DNS
627 servers that cannot be represented directly in ASCII must use the ACE
628 form produced by the ToASCII operation. This operation must be performed
629 prior to a zone being signed by the private key for that zone. Because
630 of this ordering, it is important to recognize that DNSSEC authenticates
631 the ASCII domain name, not the Unicode form or the mapping between the
632 Unicode form and the ASCII form. In the presence of DNSSEC, this is the
633 name that MUST be signed in the zone and MUST be validated against.
635 One consequence of this for sites deploying IDNA in the presence of
636 DNSSEC is that any special purpose proxies or forwarders used to
637 transform user input into IDNs must be earlier in the resolution flow
638 than DNSSEC authenticating nameservers for DNSSEC to work.
640 6.6 Limitations of IDNA
642 The IDNA protocol does not solve all linguistic issues with users
643 inputting names in different scripts. Many important language-based and
644 script-based mappings are not covered in IDNA and must be handled
645 outside the protocol. For example, names that are entered in a mix of
646 traditional and simplified Chinese characters will not be mapped to a
647 single canonical name. Another example is Scandinavian names that are
648 entered with U+00F6 (LATIN SMALL LETTER O WITH DIAERESIS) will not be
649 mapped to U+00F8 (LATIN SMALL LETTER O WITH STROKE).
651 7. Name server considerations
653 Existing DNS servers do not know the IDNA rules for handling non-ASCII
654 forms of IDNs, and therefore need to be shielded from them. All
655 existing channels through which names can enter a DNS server database
656 (for example, master files [STD13] and DNS update messages [RFC2136])
657 are IDN-unaware because they predate IDNA, and therefore requirement 2
658 of section 3.1 of this document provides the needed shielding, by ensuring
659 that internationalized domain names entering DNS server databases
660 through such channels have already been converted to their equivalent
661 ASCII forms.
663 It is imperative that there be only one ASCII encoding for a particular
664 domain name. Because of the design of the ToASCII and ToUnicode
665 operations, there are no ACE labels that decode to ASCII labels, and
666 therefore name servers cannot contain multiple ASCII encodings of the
667 same domain name.
669 [RFC2181] explicitly allows domain labels to contain octets beyond the
670 ASCII range (0..7F), and this document does not change that. Note,
671 however, that there is no defined interpretation of octets 80..FF as
672 characters. If labels containing these octets are returned to
673 applications, unpredictable behavior could result. The ASCII form
674 defined by ToASCII is the only standard representation for
675 internationalized labels in the current DNS protocol.
677 8. Root server considerations
679 IDNs are likely to be somewhat longer than current domain names, so the
680 bandwidth needed by the root servers is likely to go up by a small amount.
681 Also, queries and responses for IDNs will probably be somewhat longer
682 than typical queries today, so more queries and responses may be forced
683 to go to TCP instead of UDP.
685 9. References
687 9.1 Normative references
689 [PUNYCODE] Adam Costello, "Punycode: An encoding of Unicode for use with
690 IDNA", draft-ietf-idn-punycode.
692 [NAMEPREP] Paul Hoffman and Marc Blanchet, "Nameprep: A Stringprep
693 Profile for Internationalized Domain Names", draft-ietf-idn-nameprep.
695 [STD3] Bob Braden, "Requirements for Internet Hosts -- Communication
696 Layers" (RFC 1122) and "Requirements for Internet Hosts -- Application
697 and Support" (RFC 1123), STD 3, October 1989.
699 [STD13] Paul Mockapetris, "Domain names - concepts and facilities" (RFC
700 1034) and "Domain names - implementation and specification" (RFC 1035),
701 STD 13, November 1987.
703 [STRINGPREP] Paul Hoffman and Marc Blanchet, "Preparation of
704 Internationalized Strings ("stringprep")", draft-hoffman-stringprep,
705 work in progress
707 9.2 Informative references
709 [DNSSEC] Don Eastlake, "Domain Name System Security Extensions", RFC
710 2535, March 1999.
712 [RFC2119] Scott Bradner, "Key words for use in RFCs to Indicate
713 Requirement Levels", March 1997, RFC 2119.
715 [RFC2181] Robert Elz and Randy Bush, "Clarifications to the DNS
716 Specification", RFC 2181, July 1997.
718 [UAX9] Unicode Standard Annex #9, The Bidirectional Algorithm,
719 .
721 [UNICODE] The Unicode Consortium. The Unicode Standard, Version 3.2.0 is
722 defined by The Unicode Standard, Version 3.0 (Reading, MA,
723 Addison-Wesley, 2000. ISBN 0-201-61633-5), as amended by the Unicode
724 Standard Annex #27: Unicode 3.1 (http://www.unicode.org/reports/tr27/)
725 and by the Unicode Standard Annex #28: Unicode 3.2
726 (http://www.unicode.org/reports/tr28/).
728 [USASCII] Vint Cerf, "ASCII format for Network Interchange", October
729 1969, RFC 20.
731 10. Security considerations
733 Security on the Internet partly relies on the DNS. Thus, any change to
734 the characteristics of the DNS can change the security of much of the
735 Internet.
737 This memo describes an algorithm which encodes characters that are not
738 valid according to STD3 and STD13 into octet values that are valid. No
739 security issues such as string length increases or new allowed values
740 are introduced by the encoding process or the use of these encoded
741 values, apart from those introduced by the ACE encoding itself.
743 Domain names are used by users to identify and connect to Internet
744 servers. The security of the Internet is compromised if a user entering
745 a single internationalized name is connected to different servers based
746 on different interpretations of the internationalized domain name.
748 When systems use local character sets other than ASCII and Unicode, this
749 specification leaves the the problem of transcoding between the local
750 character set and Unicode up to the application. If different
751 applications (or different versions of one application) implement
752 different transcoding rules, they could interpret the same name
753 differently and contact different servers. This problem is not solved by
754 security protocols like TLS that do not take local character sets into
755 account.
757 Because this document normatively refers to [NAMEPREP], [PUNYCODE], and
758 [STRINGPREP], it includes the security considerations from those
759 documents as well.
761 If or when this specification is updated to use a more recent Unicode
762 normalization table, the new normalization table will need to be
763 compared with the old to spot backwards incompatible changes. If there
764 are such changes, they will need to be handled somehow, or there will be
765 security as well as operational implications. Methods to handle the
766 conflicts could include keeping the old normalization, or taking care of
767 the conflicting characters by operational means, or some other method.
769 Implementations MUST NOT use more recent normalization tables than the
770 one referenced from this document, even though more recent tables may be
771 provided by operating systems. If an application is unsure of which
772 version of the normalization tables are in the operating system, the
773 application needs to include the normalization tables itself. Using
774 normalization tables other than the one referenced from this
775 specification could have security and operational implications.
777 To help prevent confusion between characters that are visually similar,
778 it is suggested that implementations provide visual indications where a
779 domain name contains multiple scripts. Such mechanisms can also be used
780 to show when a name contains a mixture of simplified and traditional
781 Chinese characters, or to distinguish zero and one from O and l.
783 Domain names (or portions of them) are sometimes compared against a set
784 of privileged or anti-privileged domains. In such situations it is
785 especially important that the comparisons be done properly, as specified
786 in section 3.1 requirement 4. For labels already in ASCII form, the
787 proper comparison reduces to the same case-insensitive ASCII comparison
788 that has always been used for ASCII labels.
790 11. IANA considerations
792 IANA will assign the ACE prefix in consultation with the IESG.
794 12. Authors' addresses
796 Patrik Faltstrom
797 Cisco Systems
798 Arstaangsvagen 31 J
799 S-117 43 Stockholm Sweden
800 paf@cisco.com
802 Paul Hoffman
803 Internet Mail Consortium and VPN Consortium
804 127 Segre Place
805 Santa Cruz, CA 95060 USA
806 phoffman@imc.org
808 Adam M. Costello
809 University of California, Berkeley
810 idna-spec.amc @ nicemice.net
812 A. Changes from -12 to -13
814 [[ To be removed when published as an RFC ]]
816 In section 2, in the definition of "internationalized domain name",
817 changed "does not exist" to "matches no records".