idnits 2.17.1
draft-ietf-idnabis-protocol-05.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** It looks like you're using RFC 3978 boilerplate. You should update this
to the boilerplate described in the IETF Trust License Policy document
(see https://trustee.ietf.org/license-info), which is required now.
-- Found old boilerplate from RFC 3978, Section 5.1 on line 16.
-- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
line 847.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 858.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 865.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 871.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document obsoletes RFC3490, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust Copyright Line does not match the
current year
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (September 26, 2008) is 5691 days in the past. Is
this intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'Unicode-PropertyValueAliases' is defined on line 757,
but no explicit reference was found in the text
== Unused Reference: 'Unicode-RegEx' is defined on line 762, but no
explicit reference was found in the text
== Unused Reference: 'Unicode-Scripts' is defined on line 767, but no
explicit reference was found in the text
== Unused Reference: 'ASCII' is defined on line 779, but no explicit
reference was found in the text
== Unused Reference: 'Unicode' is defined on line 818, but no explicit
reference was found in the text
-- Possible downref: Non-RFC (?) normative reference: ref. 'IDNA2008-BIDI'
** Downref: Normative reference to an Informational draft:
draft-ietf-idnabis-rationale (ref. 'IDNA2008-Rationale')
-- Possible downref: Non-RFC (?) normative reference: ref.
'Unicode-PropertyValueAliases'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-RegEx'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-Scripts'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15'
-- Obsolete informational reference (is this intentional?): RFC 2535
(Obsoleted by RFC 4033, RFC 4034, RFC 4035)
-- Obsolete informational reference (is this intentional?): RFC 2671
(Obsoleted by RFC 6891)
-- Obsolete informational reference (is this intentional?): RFC 3490
(Obsoleted by RFC 5890, RFC 5891)
-- Obsolete informational reference (is this intentional?): RFC 4952
(Obsoleted by RFC 6530)
Summary: 2 errors (**), 0 flaws (~~), 6 warnings (==), 17 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group J. Klensin
3 Internet-Draft September 26, 2008
4 Obsoletes: 3490 (if approved)
5 Intended status: Standards Track
6 Expires: March 30, 2009
8 Internationalized Domain Names in Applications (IDNA): Protocol
9 draft-ietf-idnabis-protocol-05.txt
11 Status of this Memo
13 By submitting this Internet-Draft, each author represents that any
14 applicable patent or other IPR claims of which he or she is aware
15 have been or will be disclosed, and any of which he or she becomes
16 aware will be disclosed, in accordance with Section 6 of BCP 79.
18 Internet-Drafts are working documents of the Internet Engineering
19 Task Force (IETF), its areas, and its working groups. Note that
20 other groups may also distribute working documents as Internet-
21 Drafts.
23 Internet-Drafts are draft documents valid for a maximum of six months
24 and may be updated, replaced, or obsoleted by other documents at any
25 time. It is inappropriate to use Internet-Drafts as reference
26 material or to cite them other than as "work in progress."
28 The list of current Internet-Drafts can be accessed at
29 http://www.ietf.org/ietf/1id-abstracts.txt.
31 The list of Internet-Draft Shadow Directories can be accessed at
32 http://www.ietf.org/shadow.html.
34 This Internet-Draft will expire on March 30, 2009.
36 Abstract
38 This document supplies the protocol definition for a revised and
39 updated specification for internationalized domain names (IDNs). The
40 rationale for these changes, the relationship to the older
41 specification, and important terminology are provided in other
42 documents. This document specifies the protocol mechanism, called
43 Internationalizing Domain Names in Applications (IDNA), for
44 registering and looking up IDNs in a way that does not require
45 changes to the DNS itself. IDNA is only meant for processing domain
46 names, not free text.
48 Table of Contents
50 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
51 1.1. Discussion Forum . . . . . . . . . . . . . . . . . . . . . 4
52 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
53 3. Requirements and Applicability . . . . . . . . . . . . . . . . 5
54 3.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 5
55 3.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 5
56 3.2.1. DNS Resource Records . . . . . . . . . . . . . . . . . 6
57 3.2.2. Non-domain-name Data Types Stored in the DNS . . . . . 6
58 4. Registration Protocol . . . . . . . . . . . . . . . . . . . . 6
59 4.1. Proposed label . . . . . . . . . . . . . . . . . . . . . . 7
60 4.2. Conversion to Unicode and Normalization . . . . . . . . . 7
61 4.3. Permitted Character and Label Validation . . . . . . . . . 7
62 4.3.1. Rejection of Characters that are not Permitted . . . . 7
63 4.3.2. Label Validation . . . . . . . . . . . . . . . . . . . 8
64 4.3.3. Registration Validation Summary . . . . . . . . . . . 8
65 4.4. Registry Restrictions . . . . . . . . . . . . . . . . . . 9
66 4.5. Punycode Conversion . . . . . . . . . . . . . . . . . . . 9
67 4.6. Insertion in the Zone . . . . . . . . . . . . . . . . . . 9
68 5. Domain Name Lookup Protocol . . . . . . . . . . . . . . . . . 9
69 5.1. Label String Input . . . . . . . . . . . . . . . . . . . . 10
70 5.2. Conversion to Unicode . . . . . . . . . . . . . . . . . . 10
71 5.3. Character Changes in Preprocessing or the User
72 Interface . . . . . . . . . . . . . . . . . . . . . . . . 10
73 5.4. A-label Input . . . . . . . . . . . . . . . . . . . . . . 11
74 5.5. Validation and Character List Testing . . . . . . . . . . 11
75 5.6. Punycode Conversion . . . . . . . . . . . . . . . . . . . 13
76 5.7. DNS Name Resolution . . . . . . . . . . . . . . . . . . . 13
77 6. Name Server Considerations . . . . . . . . . . . . . . . . . . 13
78 6.1. Processing Non-ASCII Strings . . . . . . . . . . . . . . . 13
79 6.2. DNSSEC Authentication of IDN Domain Names . . . . . . . . 13
80 6.3. Root and other DNS Server Considerations . . . . . . . . . 14
81 7. Security Considerations . . . . . . . . . . . . . . . . . . . 14
82 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
83 9. Change Log . . . . . . . . . . . . . . . . . . . . . . . . . . 15
84 9.1. Changes between Version -00 and -01 of
85 draft-ietf-idnabis-protocol . . . . . . . . . . . . . . . 15
86 9.2. Version -02 . . . . . . . . . . . . . . . . . . . . . . . 15
87 9.3. Version -03 . . . . . . . . . . . . . . . . . . . . . . . 16
88 9.4. Version -04 . . . . . . . . . . . . . . . . . . . . . . . 16
89 9.5. Version -05 . . . . . . . . . . . . . . . . . . . . . . . 16
90 10. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16
91 11. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
92 12. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
93 12.1. Normative References . . . . . . . . . . . . . . . . . . . 17
94 12.2. Informative References . . . . . . . . . . . . . . . . . . 18
95 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 19
96 Intellectual Property and Copyright Statements . . . . . . . . . . 20
98 1. Introduction
100 This document supplies the protocol definition for a revised and
101 updated specification for internationalized domain names. The
102 rationale for these changes and relationship to the older
103 specification and some new terminology is provided in other
104 documents, notably [IDNA2008-Rationale].
106 IDNA works by allowing applications to use certain ASCII string
107 labels (beginning with a special prefix) to represent non-ASCII name
108 labels. Lower-layer protocols need not be aware of this; therefore
109 IDNA does not depend on changes to any infrastructure. In
110 particular, IDNA does not depend on any changes to DNS servers,
111 resolvers, or protocol elements, because the ASCII name service
112 provided by the existing DNS is entirely sufficient for IDNA.
114 IDNA is applied only to DNS labels. Standards for combining labels
115 into fully-qualified domain names and parsing labels out of those
116 names are covered in the base DNS standards [RFC1035]. An
117 application may, of course, apply locally-appropriate conventions to
118 the presentation forms of domain names as discussed in
119 [IDNA2008-Rationale].
121 While they share terminology, reference data, and some operations,
122 this document describes two separate protocols, one for IDN
123 registration (Section 4) and one for IDN lookup (Section 5).
125 A good deal of the background material that appeared in RFC 3490 has
126 been removed from this update. That material is either of historical
127 interest only or has been covered from a more recent perspective in
128 RFC 4690 [RFC4690] and [IDNA2008-Rationale].
130 [[anchor2: Note in Draft: This document still needs more specifics
131 about how to perform some of the tests in the Registration and Lookup
132 protocols described below. Those details will be supplied in a later
133 revision, but the intent should be clear from the existing text.]]
135 1.1. Discussion Forum
137 [[anchor4: RFC Editor: please remove this section.]]
139 This work is being discussed in the IETF IDNABIS WG and on the
140 mailing list idna-update@alvestrand.no
142 2. Terminology
144 General terminology applicable to IDNA, but with meanings familiar to
145 those who have worked with Unicode or other character set standards
146 and the DNS, appears in [IDNA2008-Rationale]. Terminology that is an
147 integral, normative, part of the IDNA definition, including the
148 definitions of "ACE", appears in that document as well. Familiarity
149 with the terminology materials in that document is assumed for
150 reading this one. The reader of this document is assumed to be
151 familiar with DNS-specific terminology as defined in RFC 1034
152 [RFC1034].
154 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
155 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
156 document are to be interpreted as described in BCP 14, RFC 2119
157 [RFC2119].
159 3. Requirements and Applicability
161 3.1. Requirements
163 IDNA conformance means adherence to the following requirements:
165 1. Whenever a domain name is put into an IDN-unaware domain name
166 slot (see Section 2 and [IDNA2008-Rationale]), it MUST contain
167 only ASCII characters (i.e., must be either an A-label or an LDH-
168 label), or must be a label associated with a DNS application that
169 is not subject to either IDNA or the historical recommendations
170 for "hostname"-style names [RFC1034].
172 2. Comparison of labels MUST be done on the A-label form, using an
173 ASCII case-insensitive comparison as with all comparisons of DNS
174 labels.
176 3. Labels being registered MUST conform to the requirements of
177 Section 4. Labels being looked up and the lookup process MUST
178 conform to the requirements of Section 5.
180 3.2. Applicability
182 IDNA is applicable to all domain names in all domain name slots
183 except where it is explicitly excluded. It is not applicable to
184 domain name slots which do not use the LDH syntax rules.
186 This implies that IDNA is applicable to many protocols that predate
187 IDNA. Note that IDNs occupying domain name slots in those older
188 protocols MUST be in A-label form until and unless those protocols
189 and implementations of them are upgraded.
191 3.2.1. DNS Resource Records
193 IDNA applies only to domain names in the NAME and RDATA fields of DNS
194 resource records whose CLASS is IN.
196 There are currently no other exclusions on the applicability of IDNA
197 to DNS resource records. Applicability depends entirely on the
198 CLASS, and not on the TYPE except as noted below. This will remain
199 true, even as new types are defined, unless there is a compelling
200 reason for a new type that requires type-specific rules. The special
201 naming conventions applicable to SRV records are examples of type-
202 specific rules that are incompatible with IDNA coding. Hence the
203 first two labels (the ones required to start in "_") on a record with
204 TYPE SRV MUST NOT be A-labels or U-labels (while it would be possible
205 to write a non-ASCII string with a leading underscore, conversion to
206 an A-label would be impossible without loss of information because
207 the underscore is not a letter, digit, or hyphen). Of course, those
208 labels may be part of a domain that uses IDN labels at higher levels
209 in the tree.
211 3.2.2. Non-domain-name Data Types Stored in the DNS
213 Although IDNA enables the representation of non-ASCII characters in
214 domain names, that does not imply that IDNA enables the
215 representation of non-ASCII characters in other data types that are
216 stored in domain names, specifically in the RDATA field for types
217 that have structured RDATA format. For example, an email address
218 local part is stored in a domain name in the RNAME field as part of
219 the RDATA of an SOA record (hostmaster@example.com would be
220 represented as hostmaster.example.com). IDNA specifically does not
221 update the existing email standards, which allow only ASCII
222 characters in local parts. Even though work is in progress to define
223 internationalization for email addresses [RFC4952], changes to the
224 email address part of the SOA RDATA would require action in other
225 standards, specifically those that specify the format of the SOA RR.
227 4. Registration Protocol
229 This section defines the procedure for registering an IDN. The
230 procedure is implementation independent; any sequence of steps that
231 produces exactly the same result for all labels is considered a valid
232 implementation.
234 Note that, while the registration and lookup protocols (Section 5)
235 are very similar in most respects, they are different and
236 implementers should carefully follow the steps they are implementing.
238 4.1. Proposed label
240 The registrant submits a request for an IDN. The user typically
241 produces the request string by the keyboard entry of a character
242 sequence in the local native character set (which might, of course,
243 be Unicode). The registry MAY permit submission of labels in A-label
244 form. If it does so, it SHOULD perform a conversion to a U-label,
245 perform the steps and tests described below, and verify that the
246 A-label produced by the step in Section 4.5 matches the one provided
247 as input. If, for some reason, it does not, the registration MUST be
248 rejected.
249 [[anchor9: Editorial: Should the sentences starting with "The
250 registry" be moved to 4.3? I.e., would they be more in sequence
251 there?]]
253 4.2. Conversion to Unicode and Normalization
255 Some system routine, or a localized front-end to the IDNA process,
256 ensures that the proposed label is a Unicode string or converts it to
257 one as appropriate. That string MUST be in Unicode Normalization
258 Form C (NFC [Unicode-UAX15]).
260 As a local implementation choice, the implementation MAY choose to
261 map some forbidden characters to permitted characters (for instance
262 mapping uppercase characters to lowercase ones), displaying the
263 result to the user, and allowing processing to continue. However, it
264 is strongly recommended that, to avoid any possible ambiguity,
265 entities responsible for zone files ("registries") accept
266 registrations only for A-labels (to be converted to U-labels by the
267 registry) or U-labels actually produced from A-labels, not forms
268 expected to be converted by some other process.
270 4.3. Permitted Character and Label Validation
272 4.3.1. Rejection of Characters that are not Permitted
274 The Unicode string is checked to verify that no characters that IDNA
275 does not permit in input appear in it. Those characters are
276 identified in the "DISALLOWED" and "UNASSIGNED" lists that are
277 discussed in [IDNA2008-Rationale]. The normative rules for producing
278 that list and the initial version of it are specified in
279 [IDNA2008-Tables]. Characters that are either DISALLOWED or
280 UNASSIGNED MUST NOT be part of labels being processed for
281 registration in the DNS.
283 4.3.2. Label Validation
285 The proposed label (in the form of a Unicode string, i.e., a putative
286 U-label) is then examined, performing tests that require examination
287 of more than one character.
289 4.3.2.1. Rejection of Confusing or Hostile Sequences in U-labels
291 The Unicode string MUST NOT contain "--" (two consecutive hyphens) in
292 the third and fourth character positions.
294 4.3.2.2. Leading Combining Marks
296 The first character of the string is examined to verify that it is
297 not a combining mark. If it is a combining mark, the string MUST NOT
298 be registered.
300 4.3.2.3. Contextual Rules
302 Each code point is checked for its identification as characters
303 requiring contextual processing for registration (the list of
304 characters appears as the combination of CONTEXTJ and CONTEXTO in
305 [IDNA2008-Tables]). If that indication appears, the table of
306 contextual rules is checked for a rule for that character. If no
307 rule is found, the proposed label is rejected and MUST NOT be
308 installed in a zone file. If one is found, it is applied (typically
309 as a test on the entire label or on adjacent characters). If the
310 application of the rule does not conclude that the character is valid
311 in context, the proposed label MUST BE rejected. (See the IANA
312 Considerations: IDNA Context Registry section of
313 [IDNA2008-Rationale].)
315 4.3.2.4. Labels Containing Characters Written Right to Left
317 Additional special tests for right-to-left strings are applied (See
318 [IDNA2008-BIDI]. Strings that contain right to left characters that
319 do not conform to the rule(s) identified there MUST NOT be inserted
320 as labels in zone files.
322 4.3.3. Registration Validation Summary
324 Strings that have been produced by the steps above, and whose
325 contents pass the above tests, are U-labels.
327 To summarize, tests are made here for invalid characters, invalid
328 combinations of characters, and for labels that are invalid even if
329 the characters they contain are valid individually. For example,
330 labels containing invisible ("zero-width") characters may be
331 permitted in context with characters whose presentation forms are
332 significantly changed by the presence or absence of the zero-width
333 characters, while other labels in which zero-width characters appear
334 may be rejected.
335 [[anchor16: Should the example text be removed or moved? Note that
336 I've been strongly encouraged to supply specific examples to reduce
337 abstraction and questions about the appropriateness of the text.
338 -JcK]]
340 4.4. Registry Restrictions
342 Registries at all levels of the DNS, not just the top level, are
343 expected to establish policies about the labels that may be
344 registered, and for the processes associated with that action. While
345 exact policies are not specified as part of IDNA2008 and it is
346 expected that different registries may specify different policies,
347 there SHOULD be policies. Even a trivial policy (e.g., "anything can
348 be registered in this zone that can be represented as an A-label -
349 U-label pair") has value because it provides notice to users and
350 applications implementers that the registry cannot be relied upon to
351 provide even minimal user-protection restrictions. These per-
352 registry policies and restrictions are an essential element of the
353 IDNA registration protocol even for registries (and corresponding
354 zone files) deep in the DNS hierarchy. As discussed in
355 [IDNA2008-Rationale], such restrictions have always existed in the
356 DNS.
358 The string produced by the above steps is checked and processed as
359 appropriate to local registry restrictions. Application of those
360 registry restrictions may result in the rejection of some labels or
361 the application of special restrictions to others.
363 4.5. Punycode Conversion
365 The resulting U-label is converted to an A-label (i.e., the encoding
366 of that label according to the Punycode algorithm [RFC3492] with the
367 ACE prefix added, i.e., the "xn--..." form).
368 [[anchor17: Explain why 3492 failures cannot occur or explain what to
369 do if they do.]]
371 4.6. Insertion in the Zone
373 The A-label is registered in the DNS by insertion into a zone.
375 5. Domain Name Lookup Protocol
377 Lookup is conceptually different from registration and different
378 tests are applied on the client. Although some validity checks are
379 necessary to avoid serious problems with the protocol (see
380 Section 5.5 ff.), the lookup-side tests are more permissive and rely
381 heavily on the assumption that names that are present in the DNS are
382 valid.
384 5.1. Label String Input
386 The user supplies a string in the local character set, typically by
387 typing it or clicking on, or copying and pasting, a resource
388 identifier, e.g., a URI [RFC3986] or IRI [RFC3987] from which the
389 domain name is extracted. Or some process not directly involving the
390 user may read the string from a file or obtain it in some other way.
391 Processing in this step and the next two are local matters, to be
392 accomplished prior to actual invocation of IDNA, but at least these
393 two steps must be accomplished in some way.
395 5.2. Conversion to Unicode
397 The string is converted from the local character set into Unicode, if
398 it is not already Unicode. The exact nature of this conversion is
399 beyond the scope of this document, but may involve normalization, as
400 described in Section 4.2.
402 5.3. Character Changes in Preprocessing or the User Interface
404 The Unicode string MAY then be processed to prevent confounding of
405 user expectations. For instance, it would be reasonable, at this
406 step, to convert all upper case characters to lower case, if this
407 makes sense in the user's environment. The procedures described in
408 this section are ordinarily useful only for processing direct user
409 input and when needed for backward compatibility with IDNA2003. In
410 general, IDNs appearing in files and those transmitted across the
411 network as part of protocols are expected to be in either ASCII form
412 (including A-labels) or to contain U-labels, not forms requiring
413 mapping or other conversions.
415 Other examples of processing for localization might be applied,
416 especially to direct user input, at this point. They include
417 interpreting various characters as separating domain name components
418 from each other (label separators) because they either look like
419 periods or are used to separate sentences, mapping halfwidth or
420 fullwidth East Asian characters to the common form permitted in
421 labels, or giving special treatment to characters whose presentation
422 forms are dependent only on placement in the label. Such
423 localization changes are also outside the scope of this
424 specification.
426 Recommendations for preprocessing for global contexts (i.e., when
427 local considerations do not apply or cannot be used) and for maximum
428 interoperability with labels that might have been specified under
429 liberal readings of IDNA2003 are given in [IDNA2008-Rationale]. It
430 is important to note that the intent of these specifications is that
431 labels in application protocols, files, or links are intended to be
432 in U-label or A-label form. Preprocessing MUST NOT map a character
433 that is valid in a label (i.e., one that is PROTOCOL-VALID or
434 permitted in any context) into another character. Excessively
435 liberal use of preprocessing, especially to strings stored in files,
436 poses a threat to consistent and predictable behavior for the user
437 even if not to actual interoperability.
439 Because these transformations are local, it is important that domain
440 names that might be passed between systems (e.g., in IRIs) be
441 U-labels or A-labels and not forms that might be accepted locally as
442 a consequence of this step. This step is not standardized as part of
443 IDNA, and is not further specified here.
445 5.4. A-label Input
447 If the input to this procedure appears to be an A-label (i.e., it
448 starts in "xn--"), the lookup application MAY attempt to convert it
449 to a U-label and apply the tests of Section 5.5 and, of course, the
450 conversion of Section 5.6 to that form. If the label is converted to
451 Unicode (i.e., to U-label form) using the Punycode decoding
452 algorithm, then the processing specified in those two sections MUST
453 be performed, and the label MUST be rejected if the resulting label
454 is not identical to the original. See also Section 6.1.
456 In general, that conversion and testing should be performed if the
457 domain name will later be presented to the user in native character
458 form (this requires that the lookup application be IDNA-aware).
459 Applications that are not IDNA-aware will obviously omit that
460 testing; others may treat the string as opaque to avoid the
461 additional processing at the expense of providing less protection and
462 information to users.
464 5.5. Validation and Character List Testing
466 As with the registration procedure, the Unicode string is checked to
467 verify that all characters that appear in it are valid for IDNA
468 lookup processing input. As discussed above and in
469 [IDNA2008-Rationale], the lookup check is more liberal than the
470 registration one. Putative labels with any of the following
471 characteristics MUST BE rejected prior to DNS lookup:
473 o Labels containing code points that are unassigned in the version
474 of Unicode being used by the application, i.e., in the
475 "Unassigned" Unicode category or the UNASSIGNED category of
476 [IDNA2008-Tables].
478 o Labels that are not in NFC form.
480 o Labels containing prohibited code points, i.e., those that are
481 assigned to the "DISALLOWED" category in the permitted character
482 table [IDNA2008-Tables].
484 o Labels containing code points that are shown in the permitted
485 character table as requiring a contextual rule and that are
486 flagged as requiring exceptional special processing on lookup
487 ("CONTEXTJ" in the Tables) but do not conform to that rule.
489 o Labels containing other code points that are shown in the
490 permitted character table as requiring a contextual rule
491 ("CONTEXTO" in the tables), but for which no such rule appears in
492 the table of rules. With the exception in the rule immediately
493 above, applications resolving DNS names or carrying out equivalent
494 operations are not required to test contextual rules, only to
495 verify that a rule exists.
497 o Labels whose first character is a combining mark.>
499 In addition, the application SHOULD apply the following test. The
500 test may be omitted in special circumstances, such as when the lookup
501 application knows that the conditions are enforced elsewhere, because
502 an attempt to look up and resolve such strings will almost certainly
503 lead to a DNS lookup failure. However, applying the test is likely
504 to give much better information about the reason for a lookup failure
505 -- information that may be usefully passed to the user when that is
506 feasible -- then DNS resolution failure information alone. In any
507 event, lookup applications should avoid attempting to resolve labels
508 that are invalid under that test.
510 o Verification that the string is compliant with the requirements
511 for right to left characters, specified in [IDNA2008-BIDI].
513 For all other strings, the lookup application MUST rely on the
514 presence or absence of labels in the DNS to determine the validity of
515 those labels and the validity of the characters they contain. If
516 they are registered, they are presumed to be valid; if they are not,
517 their possible validity is not relevant. A lookup application that
518 declines to process and resolve up a string that conforms to the
519 above rules is not in conformance with this protocol.
521 5.6. Punycode Conversion
523 The validated string, a U-label, is converted to an A-label using the
524 Punycode algorithm with the ACE prefix added.
526 5.7. DNS Name Resolution
528 The A-label is looked up in the DNS, using normal DNS resolver
529 procedures.
531 6. Name Server Considerations
533 6.1. Processing Non-ASCII Strings
535 Existing DNS servers do not know the IDNA rules for handling non-
536 ASCII forms of IDNs, and therefore need to be shielded from them.
537 All existing channels through which names can enter a DNS server
538 database (for example, master files (as described in RFC 1034) and
539 DNS update messages [RFC2136]) are IDN-unaware because they predate
540 IDNA. Other sections of this document provide the needed shielding
541 by ensuring that internationalized domain names entering DNS server
542 databases through such channels have already been converted to their
543 equivalent ASCII A-label forms.
545 Because of the design of the algorithms in Section 4 and Section 5 (a
546 domain name containing only ASCII codepoints can not be converted to
547 an A-label), there can not be more than one A-label form for any
548 given U-label.
550 The current update to the definition of the DNS protocol [RFC2181]
551 explicitly allows domain labels to contain octets beyond the ASCII
552 range (0000..007F), and this document does not change that. Note,
553 however, that there is no defined interpretation of octets 0080..00FF
554 as characters. If labels containing these octets are returned to
555 applications, unpredictable behavior could result. The A-label form,
556 which cannot contain those characters, is the only standard
557 representation for internationalized labels in the current DNS
558 protocol.
560 6.2. DNSSEC Authentication of IDN Domain Names
562 DNS Security [RFC2535] is a method for supplying cryptographic
563 verification information along with DNS messages. Public Key
564 Cryptography is used in conjunction with digital signatures to
565 provide a means for a requester of domain information to authenticate
566 the source of the data. This ensures that it can be traced back to a
567 trusted source, either directly or via a chain of trust linking the
568 source of the information to the top of the DNS hierarchy.
570 IDNA specifies that all internationalized domain names served by DNS
571 servers that cannot be represented directly in ASCII must use the
572 A-label form. Conversion to A-labels must be performed prior to a
573 zone being signed by the private key for that zone. Because of this
574 ordering, it is important to recognize that DNSSEC authenticates a
575 domain name containing A-labels or conventional LDH-labels, not
576 U-labels. In the presence of DNSSEC, no form of a zone file or query
577 response that contains a U-label may be signed or the signature
578 validated.
580 One consequence of this for sites deploying IDNA in the presence of
581 DNSSEC is that any special purpose proxies or forwarders used to
582 transform user input into IDNs must be earlier in the lookup flow
583 than DNSSEC authenticating nameservers for DNSSEC to work.
585 6.3. Root and other DNS Server Considerations
587 IDNs in A-label form will generally be somewhat longer than current
588 domain names, so the bandwidth needed by the root servers is likely
589 to go up by a small amount. Also, queries and responses for IDNs
590 will probably be somewhat longer than typical queries historically,
591 so EDNS0 [RFC2671] support may be more important (otherwise, queries
592 and responses may be forced to go to TCP instead of UDP).
594 7. Security Considerations
596 The general security principles and issues for IDNA appear in
597 [IDNA2008-Rationale]. The comments below are specific to this pair
598 of protocols, but should be read in the context of that material and
599 the definitions and specifications, identified there, on which this
600 one depends.
602 This memo describes procedures for registering and looking up labels
603 that are not compatible with the preferred syntax described in the
604 base DNS specifications (STD13 [RFC1034] [RFC1035] and Host
605 Requirements [RFC1123]) because they contain non-ASCII characters.
606 These procedures depend on the use of a special ASCII-compatible
607 encoding form that contains only characters permitted in host names
608 by those earlier specifications. The encoding is specified in
609 [RFC3492]. No security issues such as string length increases or new
610 allowed values are introduced by the encoding process or the use of
611 these encoded values, apart from those introduced by the ACE encoding
612 itself.
614 Domain names (or portions of them) are sometimes compared against a
615 set domains to be given special treatment if a match occurs, e.g.,
616 treated as more privileged than others or blocked in some way. In
617 such situations it is especially important that the comparisons be
618 done properly, as specified in requirement 2 of Section 3.1. For
619 labels already in ASCII form (i.e., are LDH-labels or A-labels), the
620 proper comparison reduces to the same case-insensitive ASCII
621 comparison that has always been used for ASCII labels.
623 The introduction of IDNA means that any existing labels that start
624 with the ACE prefix would be construed as A-labels, at least until
625 they failed one of the relevant tests, whether or not that was the
626 intent of the zone administrator or registrant. There is no evidence
627 that this has caused any practical problems since RFC 3490 was
628 adopted, but the risk still exists in principle.
630 8. IANA Considerations
632 IANA actions for this version of IDNA are specified in
633 [IDNA2008-Rationale]. The component of IDNA described in this
634 document does not require any IANA actions.
636 9. Change Log
638 [[anchor23: RFC Editor: Please remove this section.]]
640 9.1. Changes between Version -00 and -01 of draft-ietf-idnabis-protocol
642 o Corrected discussion of SRV records.
644 o Several small corrections for clarity.
646 o Inserted more "open issue" placeholders.
648 9.2. Version -02
650 o Rewrote the "conversion to Unicode" text in Section 5.2 as
651 requested on-list.
653 o Added a comment (and reference) about EDNS0 to the "DNS Server
654 Conventions" section, which was also retitled.
656 o Made several editorial corrections and improvements in response to
657 various comments.
659 o Added several new discussion placeholder anchors and updated some
660 older ones.
662 9.3. Version -03
664 o Trimmed change log, removing information about pre-WG drafts.
666 o Incorporated a number of changes suggested by Marcos Sanz in his
667 note of 2008.07.17 and added several more placeholder anchors.
669 o Several minor editorial corrections and improvements.
671 o "Editor" designation temporarily removed because the automatic
672 posting machinery does not accept it.
674 9.4. Version -04
676 o Removed Contextual Rule appendices for transfer to Tables.
678 o Several changes, including removal of discussion anchors, based on
679 discussions at IETF 72 (Dublin)
681 o Rewrote the preprocessing material (Section 5.3) somewhat.
683 9.5. Version -05
685 o Updated part of the A-label input explanation (Section 5.4) per
686 note from Erik van der Poel.
688 10. Contributors
690 While the listed editor held the pen, the original versions of this
691 document represent the joint work and conclusions of an ad hoc design
692 team consisting of the editor and, in alphabetic order, Harald
693 Alvestrand, Tina Dam, Patrik Faltstrom, and Cary Karp. This document
694 draws significantly on the original version of IDNA [RFC3490] both
695 conceptually and for specific text. This second-generation version
696 would not have been possible without the work that went into that
697 first version and its authors, Patrik Faltstrom, Paul Hoffman, and
698 Adam Costello. While Faltstrom was actively involved in the creation
699 of this version, Hoffman and Costello were not and should not be held
700 responsible for any errors or omissions.
702 11. Acknowledgements
704 This revision to IDNA would have been impossible without the
705 accumulated experience since RFC 3490 was published and resulting
706 comments and complaints of many people in the IETF, ICANN, and other
707 communities, too many people to list here. Nor would it have been
708 possible without RFC 3490 itself and the efforts of the Working Group
709 that defined it. Those people whose contributions are acknowledged
710 in RFC 3490, [RFC4690], and [IDNA2008-Rationale] were particularly
711 important.
713 Specific textual changes were incorporated into this document after
714 suggestions from Stephane Bortzmeyer, Mark Davis, Paul Hoffman, Erik
715 van der Poel, Marcos Sanz and others.
717 12. References
719 12.1. Normative References
721 [IDNA2008-BIDI]
722 Alvestrand, H. and C. Karp, "An updated IDNA criterion for
723 right-to-left scripts", July 2008, .
726 [IDNA2008-Rationale]
727 Klensin, J., Ed., "Internationalizing Domain Names for
728 Applications (IDNA): Issues, Explanation, and Rationale",
729 July 2008, .
732 [IDNA2008-Tables]
733 Faltstrom, P., "The Unicode Codepoints and IDNA",
734 July 2008, .
737 A version of this document is available in HTML format at
738 http://stupid.domain.name/idnabis/
739 draft-ietf-idnabis-tables-02.html
741 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
742 STD 13, RFC 1034, November 1987.
744 [RFC1035] Mockapetris, P., "Domain names - implementation and
745 specification", STD 13, RFC 1035, November 1987.
747 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
748 and Support", STD 3, RFC 1123, October 1989.
750 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
751 Requirement Levels", BCP 14, RFC 2119, March 1997.
753 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
754 for Internationalized Domain Names in Applications
755 (IDNA)", RFC 3492, March 2003.
757 [Unicode-PropertyValueAliases]
758 The Unicode Consortium, "Unicode Character Database:
759 PropertyValueAliases", March 2008, .
762 [Unicode-RegEx]
763 The Unicode Consortium, "Unicode Technical Standard #18:
764 Unicode Regular Expressions", May 2005,
765 .
767 [Unicode-Scripts]
768 The Unicode Consortium, "Unicode Standard Annex #24:
769 Unicode Script Property", February 2008,
770 .
772 [Unicode-UAX15]
773 The Unicode Consortium, "Unicode Standard Annex #15:
774 Unicode Normalization Forms", 2006,
775 .
777 12.2. Informative References
779 [ASCII] American National Standards Institute (formerly United
780 States of America Standards Institute), "USA Code for
781 Information Interchange", ANSI X3.4-1968, 1968.
783 ANSI X3.4-1968 has been replaced by newer versions with
784 slight modifications, but the 1968 version remains
785 definitive for the Internet.
787 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
788 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
789 RFC 2136, April 1997.
791 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
792 Specification", RFC 2181, July 1997.
794 [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
795 RFC 2535, March 1999.
797 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
798 RFC 2671, August 1999.
800 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
801 "Internationalizing Domain Names in Applications (IDNA)",
802 RFC 3490, March 2003.
804 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
805 Resource Identifier (URI): Generic Syntax", STD 66,
806 RFC 3986, January 2005.
808 [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
809 Identifiers (IRIs)", RFC 3987, January 2005.
811 [RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and
812 Recommendations for Internationalized Domain Names
813 (IDNs)", RFC 4690, September 2006.
815 [RFC4952] Klensin, J. and Y. Ko, "Overview and Framework for
816 Internationalized Email", RFC 4952, July 2007.
818 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
819 5.0", 2007.
821 Boston, MA, USA: Addison-Wesley. ISBN 0-321-48091-0
823 Author's Address
825 John C Klensin
826 1770 Massachusetts Ave, Ste 322
827 Cambridge, MA 02140
828 USA
830 Phone: +1 617 245 1457
831 Email: john+ietf@jck.com
833 Full Copyright Statement
835 Copyright (C) The IETF Trust (2008).
837 This document is subject to the rights, licenses and restrictions
838 contained in BCP 78, and except as set forth therein, the authors
839 retain all their rights.
841 This document and the information contained herein are provided on an
842 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
843 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
844 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
845 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
846 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
847 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
849 Intellectual Property
851 The IETF takes no position regarding the validity or scope of any
852 Intellectual Property Rights or other rights that might be claimed to
853 pertain to the implementation or use of the technology described in
854 this document or the extent to which any license under such rights
855 might or might not be available; nor does it represent that it has
856 made any independent effort to identify any such rights. Information
857 on the procedures with respect to rights in RFC documents can be
858 found in BCP 78 and BCP 79.
860 Copies of IPR disclosures made to the IETF Secretariat and any
861 assurances of licenses to be made available, or the result of an
862 attempt made to obtain a general license or permission for the use of
863 such proprietary rights by implementers or users of this
864 specification can be obtained from the IETF on-line IPR repository at
865 http://www.ietf.org/ipr.
867 The IETF invites any interested party to bring to its attention any
868 copyrights, patents or patent applications, or other proprietary
869 rights that may cover technology that may be required to implement
870 this standard. Please address the information to the IETF at
871 ietf-ipr@ietf.org.