idnits 2.17.1 draft-ietf-idnabis-protocol-01.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 16. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 1011. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1022. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1029. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1035. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC3490, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (May 27, 2008) is 5813 days in the past. Is this intentional? -- Found something which looks like a code comment -- if you have code sections in the document, please surround them with '' and '' lines. Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'ASCII' is defined on line 774, but no explicit reference was found in the text == Unused Reference: 'Unicode' is defined on line 810, but no explicit reference was found in the text == Outdated reference: A later version (-04) exists of draft-alvestrand-idna-bidi-03 == Outdated reference: A later version (-07) exists of draft-klensin-idnabis-issues-06 -- Possible downref: Normative reference to a draft: ref. 'IDNA2008-Rationale' == Outdated reference: A later version (-05) exists of draft-faltstrom-idnabis-tables-04 -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-PropertyValueAliases' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-RegEx' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-Scripts' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15' -- Obsolete informational reference (is this intentional?): RFC 2535 (Obsoleted by RFC 4033, RFC 4034, RFC 4035) -- Obsolete informational reference (is this intentional?): RFC 3490 (Obsoleted by RFC 5890, RFC 5891) -- Obsolete informational reference (is this intentional?): RFC 4952 (Obsoleted by RFC 6530) Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 17 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Klensin, Ed. 3 Internet-Draft May 27, 2008 4 Obsoletes: 3490 (if approved) 5 Intended status: Standards Track 6 Expires: November 28, 2008 8 Internationalized Domain Names in Applications (IDNA): Protocol 9 draft-ietf-idnabis-protocol-01.txt 11 Status of this Memo 13 By submitting this Internet-Draft, each author represents that any 14 applicable patent or other IPR claims of which he or she is aware 15 have been or will be disclosed, and any of which he or she becomes 16 aware will be disclosed, in accordance with Section 6 of BCP 79. 18 Internet-Drafts are working documents of the Internet Engineering 19 Task Force (IETF), its areas, and its working groups. Note that 20 other groups may also distribute working documents as Internet- 21 Drafts. 23 Internet-Drafts are draft documents valid for a maximum of six months 24 and may be updated, replaced, or obsoleted by other documents at any 25 time. It is inappropriate to use Internet-Drafts as reference 26 material or to cite them other than as "work in progress." 28 The list of current Internet-Drafts can be accessed at 29 http://www.ietf.org/ietf/1id-abstracts.txt. 31 The list of Internet-Draft Shadow Directories can be accessed at 32 http://www.ietf.org/shadow.html. 34 This Internet-Draft will expire on November 28, 2008. 36 Abstract 38 This document supplies the protocol definition for a revised and 39 updated specification for internationalized domain names (IDNs). The 40 rationale for these changes, the relationship to the older 41 specification, and important terminology are provided in other 42 documents. This document specifies the protocol mechanism, called 43 Internationalizing Domain Names in Applications (IDNA), for 44 registering and looking up IDNs in a way that does not require 45 changes to the DNS itself. IDNA is only meant for processing domain 46 names, not free text. 48 Table of Contents 50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 51 1.1. Discussion Forum . . . . . . . . . . . . . . . . . . . . . 4 52 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 3. Requirements and Applicability . . . . . . . . . . . . . . . . 5 54 3.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 5 55 3.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 5 56 3.2.1. DNS Resource Records . . . . . . . . . . . . . . . . . 6 57 3.2.2. Non-domain-name Data Types Stored in the DNS . . . . . 6 58 4. Registration Protocol . . . . . . . . . . . . . . . . . . . . 6 59 4.1. Proposed label . . . . . . . . . . . . . . . . . . . . . . 6 60 4.2. Conversion to Unicode and Normalization . . . . . . . . . 7 61 4.3. Permitted Character and Label Validation . . . . . . . . . 7 62 4.3.1. Rejection of Characters that are not Permitted . . . . 7 63 4.3.2. Label Validation . . . . . . . . . . . . . . . . . . . 7 64 4.3.3. Registration Validation Summary . . . . . . . . . . . 8 65 4.4. Registry Restrictions . . . . . . . . . . . . . . . . . . 8 66 4.5. Punycode Conversion . . . . . . . . . . . . . . . . . . . 9 67 4.6. Insertion in the Zone . . . . . . . . . . . . . . . . . . 9 68 5. Domain Name Resolution (Lookup) Protocol . . . . . . . . . . . 9 69 5.1. Label String Input . . . . . . . . . . . . . . . . . . . . 9 70 5.2. Conversion to Unicode . . . . . . . . . . . . . . . . . . 10 71 5.3. Character Changes in Preprocessing or the User 72 Interface . . . . . . . . . . . . . . . . . . . . . . . . 10 73 5.4. A-label Input . . . . . . . . . . . . . . . . . . . . . . 11 74 5.5. Validation and Character List Testing . . . . . . . . . . 11 75 5.6. Punycode Conversion . . . . . . . . . . . . . . . . . . . 12 76 5.7. DNS Name Resolution . . . . . . . . . . . . . . . . . . . 12 77 6. Name server Considerations . . . . . . . . . . . . . . . . . . 12 78 6.1. Processing Non-ASCII Strings . . . . . . . . . . . . . . . 12 79 6.2. DNSSEC Authentication of IDN Domain Names . . . . . . . . 13 80 6.3. Root Server Considerations . . . . . . . . . . . . . . . . 14 81 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14 82 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 83 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 15 84 9.1. Version -00 of draft-klensin-idnabis-protocol . . . . . . 15 85 9.2. Versions -01 and -02 of draft-klensin-idnabis-protocol . . 15 86 9.3. Version -03 of draft-klensin-idnabis-protocol . . . . . . 15 87 9.4. Version -04 of draft-klensin-idnabis-protocol . . . . . . 15 88 9.5. Version -00 of draft-ietf-idnabis-protocol . . . . . . . . 16 89 9.6. Version -01 of draft-ietf-idnabis-protocol . . . . . . . . 16 90 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16 91 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16 92 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 93 12.1. Normative References . . . . . . . . . . . . . . . . . . . 17 94 12.2. Informative References . . . . . . . . . . . . . . . . . . 18 95 Appendix A. The Contextual Rules Registry . . . . . . . . . . . . 19 96 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22 97 Intellectual Property and Copyright Statements . . . . . . . . . . 24 99 1. Introduction 101 This document supplies the protocol definition for a revised and 102 updated specification for internationalized domain names. The 103 rationale for these changes and relationship to the older 104 specification and some new terminology is provided in other 105 documents, notably [IDNA2008-Rationale]. 107 IDNA works by allowing applications to use certain ASCII string 108 labels (beginning with a special prefix) to represent non-ASCII name 109 labels. Lower-layer protocols need not be aware of this; therefore 110 IDNA does not depend on changes to any infrastructure. In 111 particular, IDNA does not depend on any changes to DNS servers, 112 resolvers, or protocol elements, because the ASCII name service 113 provided by the existing DNS is entirely sufficient for IDNA. 115 IDNA is applied only to DNS labels. Standards for combining labels 116 into fully-qualified domain names and parsing labels out of those 117 names are covered in the base DNS standards [RFC1035]. An 118 application may, of course, apply locally-appropriate conventions to 119 the presentation forms of domain names as discussed in 120 [IDNA2008-Rationale]. 122 While they share terminology, reference data, and some operations, 123 this document describes two separate protocols, one for IDN 124 registration (Section 4) and one for IDN lookup (Section 5). 126 A good deal of the background material that appeared in RFC 3490 has 127 been removed from this update. That material is either of historical 128 interest only or has been covered from a more recent perspective in 129 RFC 4690 [RFC4690] and [IDNA2008-Rationale]. 131 [[anchor2: Note in Draft: This document still needs more specifics 132 about how to perform some of the tests in the Registration and Lookup 133 protocols described below. Those details will be supplied in a later 134 revision, but the intent should be clear from the existing text.]] 136 1.1. Discussion Forum 138 [[anchor4: RFC Editor: please remove this section.]] 140 This work is being discussed in the IETF IDNABIS WG and on the 141 mailing list idna-update@alvestrand.no 143 2. Terminology 145 General terminology applicable to IDNA, but with meanings familiar to 146 those who have worked with Unicode or other character set standards 147 and the DNS, appears in [IDNA2008-Rationale]. Terminology that is an 148 integral, normative, part of the IDNA definition, including the 149 definitions of "ACE", appears in that document as well. Familiarity 150 with the terminology materials in that document is assumed for 151 reading this one. The reader of this document is assumed to be 152 familiar with DNS-specific terminology as defined in RFC 1034 153 [RFC1034]. 155 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 156 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 157 document are to be interpreted as described in BCP 14, RFC 2119 158 [RFC2119]. 160 3. Requirements and Applicability 162 3.1. Requirements 164 IDNA conformance means adherence to the following requirements: 166 1. Whenever a domain name is put into an IDN-unaware domain name 167 slot (see Section 2 and [IDNA2008-Rationale]), it MUST contain 168 only ASCII characters (i.e., must be either an A-label or an LDH- 169 label), or must be a label associated with a DNS application that 170 is not subject to either IDNA or the historical recommendations 171 for "hostname"-style names [RFC1034]. 173 2. Comparison of labels MUST be done on the A-label form, using an 174 ASCII case-insensitive comparison as with all comparisons of DNS 175 labels. 177 3. Labels being registered MUST conform to the requirements of 178 Section 4. Labels being looked up and the lookup process MUST 179 conform to the requirements of Section 5. 181 3.2. Applicability 183 IDNA is applicable to all domain names in all domain name slots 184 except where it is explicitly excluded. It is not applicable to 185 domain name slots which do not use the LDH syntax rules. 187 This implies that IDNA is applicable to many protocols that predate 188 IDNA. Note that IDNs occupying domain name slots in those older 189 protocols MUST be in A-label form until and unless those protocols 190 and implementations of them are upgraded. 192 3.2.1. DNS Resource Records 194 IDNA applies only to domain names in the NAME and RDATA fields of DNS 195 resource records whose CLASS is IN. 197 There are currently no other exclusions on the applicability of IDNA 198 to DNS resource records. Applicability depends entirely on the 199 CLASS, and not on the TYPE except as noted below. This will remain 200 true, even as new types are defined, unless there is a compelling 201 reason for a new type that requires type-specific rules. The special 202 naming conventions applicable to SRV records are examples of type- 203 specific rules that are incompatible with IDNA coding. Hence the 204 first two labels (the ones required to start in "_") on a record with 205 TYPE SRV MUST NOT be A-labels or U-labels (while it would be possible 206 to write a non-ASCII string with a leading underscore, conversion to 207 an A-label would be impossible without loss of information and 208 because the underscore is not a letter, digit, or hyphen. Of course, 209 those labels may be part of a domain that uses IDN labels at higher 210 levels in the tree. 212 3.2.2. Non-domain-name Data Types Stored in the DNS 214 Although IDNA enables the representation of non-ASCII characters in 215 domain names, that does not imply that IDNA enables the 216 representation of non-ASCII characters in other data types that are 217 stored in domain names, specifically in the RDATA field for types 218 that have structured RDATA format. For example, an email address 219 local part is stored in a domain name in the RNAME field as part of 220 the RDATA of an SOA record (hostmaster@example.com would be 221 represented as hostmaster.example.com). IDNA specifically does not 222 update the existing email standards, which allow only ASCII 223 characters in local parts. Even though work is in progress to define 224 internationalization for email addresses [RFC4952], changes to the 225 email address part of the SOA RDATA would require action in other 226 standards, specifically those that specify the format of the SOA RR. 228 4. Registration Protocol 230 This section defines the procedure for registering an IDN. The 231 procedure is implementation independent; any sequence of steps that 232 produces exactly the same result for all labels is considered a valid 233 implementation. 235 4.1. Proposed label 237 The registrant submits a request for an IDN. The user typically 238 produces the request string by the keyboard entry of a character 239 sequence in the local native character set. The registry MAY permit 240 submission of labels in A-label form. If it does so, it SHOULD 241 perform a conversion to a U-label, perform the steps and tests 242 described below, and verify that the A-label produced by the step in 243 Section 4.5 matches the one provided as input. If, for some reason, 244 it does not, the registration MUST be rejected. 246 4.2. Conversion to Unicode and Normalization 248 Some system routine, or a localized front-end to the IDNA process, 249 ensures that the proposed label is a Unicode string. That string 250 MUST be in Unicode Normalization Form C (NFC [Unicode-UAX15]). 252 As a local implementation choice, the implementation MAY choose to 253 map some forbidden characters to permitted characters (for instance 254 mapping uppercase characters to lowercase ones), displaying the 255 result to the user, and allowing processing to continue. However, it 256 is strongly recommended that, to avoid any possible ambiguity, 257 entities responsible for zone files ("registries") accept 258 registrations only for A-labels (to be converted to U-labels by the 259 registry) or U-labels actually produced from A-labels, not forms 260 expected to be converted by some other process. 262 4.3. Permitted Character and Label Validation 264 4.3.1. Rejection of Characters that are not Permitted 266 The Unicode string is checked to verify that no characters that IDNA 267 does not permit in input appear in it. Those characters are 268 identified in the "DISALLOWED" and "UNASSIGNED" lists that are 269 discussed in [IDNA2008-Rationale]. The normative rules for producing 270 that list and the initial version of it are specified in 271 [IDNA2008-Tables]. Characters that are either DISALLOWED or 272 UNASSIGNED MUST NOT be part of labels being processed for 273 registration in the DNS. 275 4.3.2. Label Validation 277 The proposed label (in the form of a Unicode string, i.e., a putative 278 U-label) is then examined, performing tests that require examination 279 of more than one character. 281 4.3.2.1. Rejection of Confusing or Hostile Sequences in U-labels 283 The Unicode string MUST NOT contain "--" (two consecutive hyphens) in 284 the third and fourth character positions. 286 4.3.2.2. Leading Combining Marks 288 The first character of the string is examined to verify that it is 289 not a combining mark. If it is a combining mark, the string MUST NOT 290 be registered. 292 4.3.2.3. Contextual Rules 294 Each code point is checked for its identification as characters 295 requiring contextual processign for registration (the list of 296 characters appears as the combination of CONTEXTJ and CONTEXTO in 297 [IDNA2008-Tables]). If that indication appears, the table of 298 contextual rules is checked for a rule for that character. If no 299 rule is found, the proposed label is rejected and MUST NOT be 300 installed in a zone file. If one is found, it is applied (typically 301 as a test on the entire label or on adjacent characters). If the 302 application of the rule does not conclude that the character is valid 303 in context, the proposed label MUST BE rejected. (See the IANA 304 Considerations: IDNA Context Registry section of [IDNA2008-Rationale] 305 and Appendix A of this document.) 307 4.3.2.4. Labels Containing Characters Written Right to Left 309 Additional special tests for right-to-left strings are applied (See 310 [IDNA2008-BIDI]. Strings that contain right to left characters that 311 do not conform to the rule(s) identified there MUST NOT be inserted 312 in zone files. 314 4.3.3. Registration Validation Summary 316 Strings that have been produced by the steps above, and whose 317 contents pass the above tests, are U-labels. 319 To summarize, tests are made here for invalid characters, invalid 320 combinations of characters, and for labels that are invalid even if 321 the characters they contain are valid individually. For example, 322 labels containing invisible ("zero-width") characters may be 323 permitted in context with characters whose presentation forms are 324 significantly changed by the presence or absence of the zero-width 325 characters, while other labels in which zero-width characters appear 326 may be rejected. 328 4.4. Registry Restrictions 330 Registries at all levels of the DNS, not just the top level, are 331 expected to establish policies about the labels that may be 332 registered, and for the processes associated with that action. While 333 exact policies are not specified as part of IDNA2008 and it is 334 expected that different registries may specify different policies, 335 there SHOULD be policies. These per-registry policies and 336 restrictions are an essential element of the IDNA registration 337 protocol even for registries (and corresponding zone files) deep in 338 the DNS hierarchy. As discussed in [IDNA2008-Rationale], such 339 restrictions have always existed in the DNS. 341 The string produced by the above steps is checked and processed as 342 appropriate to local registry restrictions. Application of those 343 registry restrictions may result in the rejection of some labels or 344 the application of special restrictions to others. 346 4.5. Punycode Conversion 348 The resulting U-label is converted to an A-label (i.e., the encoding 349 of that label according to the Punycode algorithm [RFC3492] with the 350 prefix included, i.e., the "xn--..." form). 352 4.6. Insertion in the Zone 354 The A-label is registered in the DNS by insertion into a zone. 356 5. Domain Name Resolution (Lookup) Protocol 358 Resolution is conceptually different from registration and different 359 tests are applied on the client. Although some validity checks are 360 necessary to avoid serious problems with the protocol (see 361 Section 5.5 ff.), the resolution-side tests are more permissive and 362 rely heavily on the assumption that names that are present in the DNS 363 are valid. Among other things, this distinction, applied carefully, 364 facilitates expansion of the permitted character lists to include new 365 scripts and accommodate new versions of Unicode without introducing 366 ambiguity into domain name processing. 368 5.1. Label String Input 370 The user supplies a string in the local character set, typically by 371 typing it or clicking on, or copying and pasting, a resource 372 identifier, e.g., a URI [RFC3986] or IRI [RFC3987] from which the 373 domain name is extracted. Or some process not directly involving the 374 user may read the string from a file or obtain it in some other way. 375 Processing in this step and the next two are local matters, to be 376 accomplished prior to actual invocation of IDNA, but at least these 377 two steps must be accomplished in some way. 379 5.2. Conversion to Unicode 381 The local character set, character coding conventions, and, as 382 necessary, display and presentation conventions, are converted to 383 Unicode (without surrogates), paralleling the process described above 384 in Section 4.2. 386 5.3. Character Changes in Preprocessing or the User Interface 388 The Unicode string MAY then be processed, in a way specific to the 389 local environment, to make the result of the IDNA processing match 390 user expectations. For instance, it would be reasonable, at this 391 step, to convert all upper case characters to lower case, if this 392 makes sense in the user's environment. 394 Other examples of processing for localization might be applied, if 395 appropriate, at this point. They include interpreting various 396 characters as separating domain name components from each other 397 (label separators) because they either look like periods or are used 398 to separate sentences, mapping different "width" forms of the same 399 character into the one form permitted in labels, or giving special 400 treatment to characters whose presentation forms are dependent only 401 on placement in the label. Such localization changes are even 402 further outside the scope of this specification than the ones 403 mentioned above. 405 Recommendations for preprocessing for global contexts (i.e., when 406 local considerations do not apply or cannot be used) and for maximum 407 interoperability with labels that might have been specified under 408 liberal readings of IDNA2003 are given in [IDNA2008-Rationale]. 409 [[anchor16: The question of preprocessing remains controversial in 410 the WG. One school of thought is that, for compatibility with 411 IDNA2003, preprocessing should be standardized and required, with 412 only one form permitted. Another sees important advantages in having 413 the mappings between U-labels and A-labels be symmetric, unambiguous, 414 and information-preserving. And a third believes that local mappings 415 will occur regardless of what we specify and that it is better to 416 specify the protocol on that basis than to indirectly encourage local 417 inventions. The first group (and perhaps others) believe that local 418 mappings will be, to put it mildly, "very bad... for 419 interoperability.]] 421 Because these transformations are local, it is important that domain 422 names that might be passed between systems (e.g., in IRIs) be 423 U-labels or A-labels and not forms that might be accepted locally as 424 a consequence of this step. This step is not standardized as part of 425 IDNA, and is not further specified here. 427 5.4. A-label Input 429 If the input to this procedure appears to be an A-label (i.e., it 430 starts in "xn--"), the lookup application MAY attempt to convert it 431 to a U-label and apply the tests of Section 5.5 and, of course, the 432 conversion of Section 5.6 to that form. If the A-label is converted 433 to a U-label then the processing specified in those two sections MUST 434 yield an A-label identical to the original one. See also 435 Section 6.1. 437 In general, that conversion and testing should be performed if the 438 domain name will later be presented to the user in native character 439 form (this requires that the lookup application be IDNA-aware). 440 Applications that are not IDNA-aware will obviously omit that 441 testing; others may treat the string as opaque to avoid the 442 additional processing at the expense of providing less protection and 443 information to users. 445 5.5. Validation and Character List Testing 447 In parallel with the registration procedure, the Unicode string is 448 checked to verify that all characters that appear in it are valid for 449 IDNA resolution input. As discussed above and in 450 [IDNA2008-Rationale], the resolution check is more liberal than the 451 registration one. Putative labels with any of the following 452 characteristics MUST BE rejected prior to DNS lookup: 454 o Labels containing code points that are unassigned in the version 455 of Unicode being used by the application, i.e., in the 456 "Unassigned" Unicode category or the UNASSIGNED category of 457 [IDNA2008-Tables]. 459 o Labels that are not in NFC form. 461 o Labels containing prohibited code points, i.e., those that are 462 assigned to the "DISALLOWED" category in the permitted character 463 table [IDNA2008-Tables]. 465 o Labels containing code points that are shown in the permitted 466 character table as requiring a contextual rule and that are 467 flagged as requiring exceptional special processing on lookup 468 ("CONTEXTJ" in the Tables) MUST conform to the rule, which MUST be 469 present. 471 o Labels containing other code points that are shown in the 472 permitted character table as requiring a contextual rule 473 ("CONTEXTO" in the tables), but for which no such rule appears in 474 the table of rules. With the exception in the rule immediately 475 above, applications resolving DNS names or carrying out equivalent 476 operations are not required to test contextual rules, only to 477 verify that a rule exists. 479 o Labels whose first character is a combining mark. [[anchor18: Note 480 in Draft: this definition may need to be further tightened.]] 482 In addition, the application SHOULD apply the following test. The 483 test may be omitted in special circumstances, such as when the 484 resolver application knows that the conditions are enforced 485 elsewhere, because an attempt to resolve such strings will almost 486 certainly lead to a DNS lookup failure. However, applying the test 487 is likely to give much better information about the reason for a 488 lookup failure -- information that may be usefully passed to the user 489 when that is feasible -- then DNS resolution failure alone. 490 [[anchor19: Should this be a MUST? Pro: this is the only remaining 491 SHOULD (true?), the test is relatively straightforward, and it helps 492 avoid visual ambiguity. Con: the "special circumstances" that might 493 justify doing something different are explained above.]] 495 o Verification that the string is compliant with the requirements 496 for right to left characters, specified in [IDNA2008-BIDI]. 498 For all other strings, the resolver MUST rely on the presence or 499 absence of labels in the DNS to determine the validity of those 500 labels and the validity of the characters they contain. If they are 501 registered, they are presumed to be valid; if they are not, their 502 possible validity is not relevant. A resolver that declines to look 503 up a string that conforms to the above rules is not in conformance 504 with this protocol. 506 5.6. Punycode Conversion 508 The validated string, a U-label, is converted to an A-label using the 509 punycode algorithm. 511 5.7. DNS Name Resolution 513 The A-label is looked up in the DNS, using normal DNS procedures. 515 6. Name server Considerations 517 6.1. Processing Non-ASCII Strings 519 Existing DNS servers do not know the IDNA rules for handling non- 520 ASCII forms of IDNs, and therefore need to be shielded from them. 521 All existing channels through which names can enter a DNS server 522 database (for example, master files (as described in RFC 1034) and 523 DNS update messages [RFC2136]) are IDN-unaware because they predate 524 IDNA. Other sections of this document provide the needed shielding 525 by ensuring that internationalized domain names entering DNS server 526 databases through such channels have already been converted to their 527 equivalent ASCII A-label forms. 529 Because of the design of the algorithms in Section 4 and Section 5 (a 530 domain name containing only ASCII codepoints can not be converted to 531 an A-label), there can not be more than one A-label form for each 532 U-label. 534 The current update to the definition of the DNS protocol [RFC2181] 535 explicitly allows domain labels to contain octets beyond the ASCII 536 range (0000..007F), and this document does not change that. Note, 537 however, that there is no defined interpretation of octets 0080..00FF 538 as characters. If labels containing these octets are returned to 539 applications, unpredictable behavior could result. The A-label form, 540 which cannot contain those characters, is the only standard 541 representation for internationalized labels in the current DNS 542 protocol. 544 6.2. DNSSEC Authentication of IDN Domain Names 546 DNS Security [RFC2535] is a method for supplying cryptographic 547 verification information along with DNS messages. Public Key 548 Cryptography is used in conjunction with digital signatures to 549 provide a means for a requester of domain information to authenticate 550 the source of the data. This ensures that it can be traced back to a 551 trusted source, either directly or via a chain of trust linking the 552 source of the information to the top of the DNS hierarchy. 554 IDNA specifies that all internationalized domain names served by DNS 555 servers that cannot be represented directly in ASCII must use the 556 A-label form. Conversion to A-labels must be performed prior to a 557 zone being signed by the private key for that zone. Because of this 558 ordering, it is important to recognize that DNSSEC authenticates a 559 domain name containing A-labels or conventional LDH-labels, not 560 U-labels. In the presence of DNSSEC, no form of a zone file or query 561 response that contains a U-label may be signed or the signature 562 validated. 564 One consequence of this for sites deploying IDNA in the presence of 565 DNSSEC is that any special purpose proxies or forwarders used to 566 transform user input into IDNs must be earlier in the resolution flow 567 than DNSSEC authenticating nameservers for DNSSEC to work. 569 6.3. Root Server Considerations 571 IDNs in A-label form will generally be somewhat longer than current 572 domain names, so the bandwidth needed by the root servers is likely 573 to go up by a small amount. Also, queries and responses for IDNs 574 will probably be somewhat longer than typical queries today, so more 575 queries and responses may be forced to go to TCP instead of UDP. 577 7. Security Considerations 579 The general security principles and issues for IDNA appear in 580 [IDNA2008-Rationale]. The comments below are specific to this pair 581 of protocols, but should be read in the context of that material and 582 the definitions and specifications, identified there, on which this 583 one depends. 585 This memo describes procedures for registering and looking up labels 586 that are not valid according to the base DNS specifications (STD13 587 [RFC1034] [RFC1035] and Host Requirements [RFC1123]) because they 588 contain non-ASCII characters. These procedures depend on the use of 589 a special ASCII-compatable encoded form that contains only characters 590 permitted in host names by those earlier specifications. The 591 encoding is specified in [RFC3492]. No security issues such as 592 string length increases or new allowed values are introduced by the 593 encoding process or the use of these encoded values, apart from those 594 introduced by the ACE encoding itself. 596 Domain names (or portions of them) are sometimes compared against a 597 set of privileged or anti-privileged domains. In such situations it 598 is especially important that the comparisons be done properly, as 599 specified in requirement 2 of Section 3.1. For labels already in 600 ASCII form (i.e., are LDH-labels or A-labels), the proper comparison 601 reduces to the same case-insensitive ASCII comparison that has always 602 been used for ASCII labels. 604 The introduction of IDNA means that any existing labels that start 605 with the ACE prefix would be construed as A-labels, at least until 606 they failed one of the relevant tests, whether or not that was the 607 intent of the zone administrator or registrant. There is no evidence 608 that this has caused any practical problems since RFC 3490 was 609 adopted, but the risk still exists in principle. 611 8. IANA Considerations 613 IANA actions for this version of IDNA are specified in 614 [IDNA2008-Rationale]. 616 9. Change Log 618 [[anchor25: RFC Editor: Please remove this section.]] 620 9.1. Version -00 of draft-klensin-idnabis-protocol 622 Version -00 of this draft was produced in November 2007 by moving 623 text from draft-klensin-idnabis-issues and by copy considerable text 624 from RFC 3490. The result was then extensively edited. 626 9.2. Versions -01 and -02 of draft-klensin-idnabis-protocol 628 These versions reflected a number of editorial changes, some of them 629 significant, and alignment of terminology with 630 draft-faltstrom-idnabis-tables. 632 9.3. Version -03 of draft-klensin-idnabis-protocol 634 o Abstract rewritten to bring its length within RFC Editor 635 guidelines. 637 o Corrections and revisions in response to extensive comments by 638 Mark Davis and others. 640 o Small modifications to several operations, including moving the 641 Normalization steps to a different place in the sequence. 643 o Many editorial changes. 645 9.4. Version -04 of draft-klensin-idnabis-protocol 647 o Revised terminology and removed the MAYBE category as a 648 consequence of design discussions on 30 January 2003 and followup 649 conversations. Also restructured the various operations to treat 650 CONTEXTUAL RULE REQUIRED as a validation step (paralleling bidi), 651 rather than a category. Those changes required changes elsewhere 652 in the document for consistency. 654 o Changed the requirements for normalization, making this a 655 requirement on the calling application rather than an action of 656 this protocol. This is consistent with the general "mappings 657 belong somewhere else" principle. 659 o Updated references. 661 o More editorial work, some independent of the changes, described 662 immediately above. 664 9.5. Version -00 of draft-ietf-idnabis-protocol 666 o Clarified actions to be taken if an A-label is supplied as input. 668 o Moved the contextual rules appendix into this document from 669 draft-klensin-idnabis-issues and made an initial attempt at 670 defining the actual rules. Synchronized the list of characters in 671 that appendix with tables-01. 673 o Added an explicit discussion of A-label input. 675 o Inserted a test for double-hyphen here. 677 9.6. Version -01 of draft-ietf-idnabis-protocol 679 o Corrected discussion of SRV records. 681 o Several small corrections for clarity. 683 o Inserted more "open issue" placeholders. 685 10. Contributors 687 While the listed editor held the pen, the original versions of this 688 document represent the joint work and conclusions of an ad hoc design 689 team consisting of the editor and, in alphabetic order, Harald 690 Alvestrand, Tina Dam, Patrik Faltstrom, and Cary Karp. This document 691 draws significantly on the original version of IDNA [RFC3490] both 692 conceptually and for specific text. This second-generation version 693 would not have been possible without the work that went into that 694 first version and its authors, Patrik Faltstrom, Paul Hoffman, and 695 Adam Costello. While Faltstrom was actively involved in the creation 696 of this version, Hoffman and Costello were not and should not be held 697 responsible for any errors or omissions. 699 11. Acknowledgements 701 This revision to IDNA would have been impossible without the 702 accumulated experience since RFC 3490 was published and resulting 703 comments and complaints of many people in the IETF, ICANN, and other 704 communities, too many people to list here. Nor would it have been 705 possible without RFC 3490 itself and the efforts of the Working Group 706 that defined it. Those people whose contributions are acknowledged 707 in RFC 3490, [RFC4690], and [IDNA2008-Rationale] were particularly 708 important. 710 12. References 712 12.1. Normative References 714 [IDNA2008-BIDI] 715 Alvestrand, H. and C. Karp, "An updated IDNA criterion for 716 right-to-left scripts", January 2008, . 720 [IDNA2008-Rationale] 721 Klensin, J., Ed., "Internationalizing Domain Names for 722 Applications (IDNA): Issues, Explanation, and Rationale", 723 February 2008, . 726 [IDNA2008-Tables] 727 Faltstrom, P., "The Unicode Codepoints and IDN", 728 February 2008, . 731 A version of this document, is available in HTML format at 732 http://stupid.domain.name/idnabis/ 733 draft-faltstrom-idnabis-tables-04.html 735 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 736 STD 13, RFC 1034, November 1987. 738 [RFC1035] Mockapetris, P., "Domain names - implementation and 739 specification", STD 13, RFC 1035, November 1987. 741 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application 742 and Support", STD 3, RFC 1123, October 1989. 744 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 745 Requirement Levels", BCP 14, RFC 2119, March 1997. 747 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode 748 for Internationalized Domain Names in Applications 749 (IDNA)", RFC 3492, March 2003. 751 [Unicode-PropertyValueAliases] 752 The Unicode Consortium, "Unicode Character Database: 753 PropertyValueAliases", March 2008, . 756 [Unicode-RegEx] 757 The Unicode Consortium, "Unicode Technical Standard #18: 759 Unicode Regular Expressions", May 2005, 760 . 762 [Unicode-Scripts] 763 The Unicode Consortium, "Unicode Standard Annex #24: 764 Unicode Script Property", February 2008, 765 . 767 [Unicode-UAX15] 768 The Unicode Consortium, "Unicode Standard Annex #15: 769 Unicode Normalization Forms", 2006, 770 . 772 12.2. Informative References 774 [ASCII] American National Standards Institute (formerly United 775 States of America Standards Institute), "USA Code for 776 Information Interchange", ANSI X3.4-1968, 1968. 778 ANSI X3.4-1968 has been replaced by newer versions with 779 slight modifications, but the 1968 version remains 780 definitive for the Internet. 782 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, 783 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 784 RFC 2136, April 1997. 786 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 787 Specification", RFC 2181, July 1997. 789 [RFC2535] Eastlake, D., "Domain Name System Security Extensions", 790 RFC 2535, March 1999. 792 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, 793 "Internationalizing Domain Names in Applications (IDNA)", 794 RFC 3490, March 2003. 796 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 797 Resource Identifier (URI): Generic Syntax", STD 66, 798 RFC 3986, January 2005. 800 [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource 801 Identifiers (IRIs)", RFC 3987, January 2005. 803 [RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and 804 Recommendations for Internationalized Domain Names 805 (IDNs)", RFC 4690, September 2006. 807 [RFC4952] Klensin, J. and Y. Ko, "Overview and Framework for 808 Internationalized Email", RFC 4952, July 2007. 810 [Unicode] The Unicode Consortium, "The Unicode Standard, Version 811 5.0", 2007. 813 Boston, MA, USA: Addison-Wesley. ISBN 0-321-48091-0 815 Appendix A. The Contextual Rules Registry 817 [[anchor36: Note in Draft: the WG needs to figure out whether this 818 table stays as part of this document, is moved to a separate one, or 819 is incorporated into "tables". Regardless of where they are placed, 820 the WG will still need to review the specific content of the rules. 821 In this version of the document, the table remains something of a 822 illustrative placeholder, not a final specification.]] 824 As discussed in the IANA Considerations section of 825 [IDNA2008-Rationale], a registry of rules that define the contexts in 826 which particular PROTOCOL-VALID characters, characters associated 827 with a requirement for Contextual Information, are permitted. These 828 rules are expressed as tests on the label in which the characters 829 appear (all, or any part of, the label may be tested). 831 For each character specified as requiring a contextual rule, a rule 832 MAY be established with the following data elements: 834 1. The code point associated with the character. 836 2. The name of the character. 838 3. An indication as to whether the code point requires the rule be 839 processed at lookup time (this indication is equivalent to the 840 difference between "CONTEXTJ" and "CONTEXTO" in the tables 841 document [IDNA2008-Tables]). 843 4. A prose description of the contextual rule. 845 5. A description of the contextual rule using Unicode Regular 846 Expression notation [Unicode-RegEx]. Only a Level 1 847 implementation is needed for the expressions below, which also 848 make reference to the Unicode Script definition [Unicode-Scripts] 849 and the Unicode Property Value Aliases list 850 [Unicode-PropertyValueAliases]. Note that in these regular 851 expressions, the label is taken to be an entire line, i.e., "^" 852 refers to the beginning of the label and "$" refers to the end of 853 the label. 855 These regular expressions are used as tests. The contextual 856 requirement is met if there is a match for the regular expression 857 and not met if there is no match. 859 [[anchor37: Patrik and I (JcK) would like to find a way to state 860 these rules that does not require the reader and implementer to 861 understand what we believe to be a fairly exotic element of the 862 Unicode specification. Suggestions welcome.]] 864 6. An optional comment preceded by "#" 866 Should there be any conflict between the two statements of a rule, 867 the regular expression form MUST be considered normative until the 868 registry can be corrected. 870 The rules for the characters listed in the Tables document as 871 exception cases or Join_Controls and for which rules are being 872 defined at this time appear below. 874 [[anchor38: Note in draft: This table is not complete and the rule 875 entries below are temporarily only examples.]] 877 002D; HYPHEN-MINUS; F; 878 Must not appear at the beginning or end of a label; 879 Regular expression: 880 [^^]\u002D|\u00SD[^$] ; 881 # Note that a prohibition on having two hyphens as the third and 882 fourth characters of anything but a valid A-label appears in the 883 specification. 885 200C; ZERO WIDTH NON-JOINER; T; 886 Between two characters from the same script only. The script must 887 be one in which the use of this character causes significant 888 visual transformation of one or both of the adjacent characters; 889 Regular expression: 890 [\p(Script:Deva)\p(Script:Tamil)]\u200C[\p(Script:Deva)\p(Script: 891 Tamil)] ; 892 [[anchor39: That script list is _not_ complete and, in particular, 893 more Indic scripts certainly need to be listed. It also does not 894 correctly express the "same script" restriction mentioned in the 895 prose, since it only tests adjacent characters. Whether this 896 character is required for Arabic script, and with what 897 restrictions if it is, is under discussion in the WG and in other 898 forums. It is clear that a Unicode derived property for script 899 groups that would permit testing, e.g., "Indic Script", would be 900 very helpful here.]] 902 200D; ZERO WIDTH JOINER; T; 903 Between two characters from the same script only. The script must 904 be one in which the use of this character causes significant 905 visual transformation of one or both of the adjacent characters; 906 Regular expression: 907 [\p(Script:Deva)\p(Script:Tamil)]+ 908 \u200D[\p(Script:Deva)\p(Script:Tamil)]+ ; 909 [[anchor40: That script list is _not_ complete and, in particular, 910 more Indic scripts certainly need to be listed. It also does not 911 correctly express the "same script" restriction mentioned in the 912 prose, since it only tests adjacent characters. Whether this 913 character is required for Arabic script, and with what 914 restrictions if it is, is under discussion in the WG and in other 915 forums.]] 917 00B7; MIDDLE DOT; F; 918 Between two 'l' (U+006C) characters only, used to permit the 919 Catalan character ela geminada to be expressed; 920 Regular expression: 921 \u006C\u00B7\u006c ; 923 0375; GREEK LOWER NUMERAL SIGN (KERAIA); F; 924 Greek script only. Might be further restricted to specific 925 following characters; 926 Regular expression: 927 \0375\(Script:Greek) ; 929 02B9; MODIFIER LETTER PRIME; F;;; 930 # Permitted only in contexts in which GREEK LOWER NUMERAL SIGN, 931 U+0375, is permitted. GREEK NUMERAL SIGN, U+0374, and the Lower 932 Numeral Sign (U+0375) are indicators for numeric use of letters in 933 older Greek writing systems. U+02B9 is relevant because 934 normalization maps U+0374 into it.; 935 Regular expression: 936 \(Script:Greek)\02B9\(Script:Greek) ; 937 [[anchor41: The test is that the adjacent characters be in the 938 Greek script. It is not clear whether this is sufficient. The 939 requirement for a preceding Greek letter may not be necessary. 940 More input needed.]] 942 0483; COMBINING CYRILLIC TITLO; F; 943 Cyrillic script only. Might be further restricted to permit only 944 a preceding list of characters. 945 Regular expression: 946 \p(Script:Cyrillic)\u0483 ; 948 05F3; HEBREW PUNCTUATION GERESH; F; 949 The script of the preceding character and the subsequent 950 character, if any, MUST be Hebrew; 951 Regular expression: 952 \p(Script:Hebrew)\u05F3\p(Script:Hebrew)? ; 954 05F4; HEBREW PUNCTUATION GERSHAYIM; F 955 The script of the preceding character and the subsequent 956 character, if any, MUST be Hebrew; 957 Regular expression: 958 \p(Script:Hebrew)\u05F3\p(Script:Hebrew)? ; 960 3005; IDEOGRAPHIC ITERATION MARK; F; 961 MUST NOT be at the beginning of the label, and the previous 962 character MUST be in Han Script; 963 Regular expression: 964 \p(Script:Hani)\u30FB ; 966 303B; VERTICAL IDEOGRAPHIC ITERATION MARK; F; 967 MUST NOT be at the beginning of the label, and the previous 968 character MUST be in Han Script; 969 Regular expression: 970 \p(Script:Hani)\u303B ; 972 30FB; KATAKANA MIDDLE DOT; F; 973 Adjacent characters MUST be Katakana; 974 Regular expression: 975 \p(Script:Kana)\u30FB\p(Script:Kana) ; 977 While the information above is to be used to initialize the registry, 978 IANA should treat the table format in this Appendix simply as an 979 initial, tentative, suggestion. Subject to review and comment from 980 the IESG and any Expert Reviewers, IANA is responsible for, and 981 should develop, a format for that registry, or a copy of it 982 maintained in parallel, that is convenient for retrieval and machine 983 processing and publish the location of that version. 985 Author's Address 987 John C Klensin (editor) 988 1770 Massachusetts Ave, Ste 322 989 Cambridge, MA 02140 990 USA 992 Phone: +1 617 245 1457 993 Fax: 994 Email: john+ietf@jck.com 995 URI: 997 Full Copyright Statement 999 Copyright (C) The IETF Trust (2008). 1001 This document is subject to the rights, licenses and restrictions 1002 contained in BCP 78, and except as set forth therein, the authors 1003 retain all their rights. 1005 This document and the information contained herein are provided on an 1006 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 1007 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 1008 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 1009 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 1010 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 1011 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 1013 Intellectual Property 1015 The IETF takes no position regarding the validity or scope of any 1016 Intellectual Property Rights or other rights that might be claimed to 1017 pertain to the implementation or use of the technology described in 1018 this document or the extent to which any license under such rights 1019 might or might not be available; nor does it represent that it has 1020 made any independent effort to identify any such rights. Information 1021 on the procedures with respect to rights in RFC documents can be 1022 found in BCP 78 and BCP 79. 1024 Copies of IPR disclosures made to the IETF Secretariat and any 1025 assurances of licenses to be made available, or the result of an 1026 attempt made to obtain a general license or permission for the use of 1027 such proprietary rights by implementers or users of this 1028 specification can be obtained from the IETF on-line IPR repository at 1029 http://www.ietf.org/ipr. 1031 The IETF invites any interested party to bring to its attention any 1032 copyrights, patents or patent applications, or other proprietary 1033 rights that may cover technology that may be required to implement 1034 this standard. Please address the information to the IETF at 1035 ietf-ipr@ietf.org.