idnits 2.17.1 draft-ietf-idnabis-protocol-07.txt: Checking boilerplate required by RFC 5378 and the IETF Trust (see https://trustee.ietf.org/license-info): ---------------------------------------------------------------------------- ** It looks like you're using RFC 3978 boilerplate. You should update this to the boilerplate described in the IETF Trust License Policy document (see https://trustee.ietf.org/license-info), which is required now. -- Found old boilerplate from RFC 3978, Section 5.1 on line 18. -- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on line 979. -- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 990. -- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 997. -- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1003. Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt: ---------------------------------------------------------------------------- No issues found here. Checking nits according to https://www.ietf.org/id-info/checklist : ---------------------------------------------------------------------------- -- The draft header indicates that this document obsoletes RFC3490, but the abstract doesn't seem to mention this, which it should. -- The draft header indicates that this document updates RFC3492, but the abstract doesn't seem to mention this, which it should. Miscellaneous warnings: ---------------------------------------------------------------------------- == The copyright year in the IETF Trust Copyright Line does not match the current year (Using the creation date from RFC3492, updated by this document, for RFC5378 checks: 2002-01-10) -- The document seems to lack a disclaimer for pre-RFC5378 work, but may have content which was first submitted before 10 November 2008. If you have contacted all the original authors and they are all willing to grant the BCP78 rights to the IETF Trust, then this is fine, and you can ignore this comment. If not, you may need to add the pre-RFC5378 disclaimer. (See the Legal Provisions document at https://trustee.ietf.org/license-info for more information.) -- The document date (November 28, 2008) is 5599 days in the past. Is this intentional? Checking references for intended status: Proposed Standard ---------------------------------------------------------------------------- (See RFCs 3967 and 4897 for information about using normative references to lower-maturity documents in RFCs) == Unused Reference: 'Unicode-PropertyValueAliases' is defined on line 762, but no explicit reference was found in the text == Unused Reference: 'Unicode-RegEx' is defined on line 767, but no explicit reference was found in the text == Unused Reference: 'Unicode-Scripts' is defined on line 772, but no explicit reference was found in the text == Unused Reference: 'ASCII' is defined on line 784, but no explicit reference was found in the text == Unused Reference: 'Unicode' is defined on line 833, but no explicit reference was found in the text -- Possible downref: Non-RFC (?) normative reference: ref. 'IDNA2008-BIDI' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-PropertyValueAliases' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-RegEx' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-Scripts' -- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15' -- Obsolete informational reference (is this intentional?): RFC 2535 (Obsoleted by RFC 4033, RFC 4034, RFC 4035) -- Obsolete informational reference (is this intentional?): RFC 2671 (Obsoleted by RFC 6891) -- Obsolete informational reference (is this intentional?): RFC 3490 (Obsoleted by RFC 5890, RFC 5891) -- Obsolete informational reference (is this intentional?): RFC 3491 (Obsoleted by RFC 5891) -- Obsolete informational reference (is this intentional?): RFC 4952 (Obsoleted by RFC 6530) Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 19 comments (--). Run idnits with the --verbose option for more detailed information about the items above. -------------------------------------------------------------------------------- 2 Network Working Group J. Klensin 3 Internet-Draft November 28, 2008 4 Obsoletes: 3490, 3491 5 (if approved) 6 Updates: 3492 (if approved) 7 Intended status: Standards Track 8 Expires: June 1, 2009 10 Internationalized Domain Names in Applications (IDNA): Protocol 11 draft-ietf-idnabis-protocol-07.txt 13 Status of this Memo 15 By submitting this Internet-Draft, each author represents that any 16 applicable patent or other IPR claims of which he or she is aware 17 have been or will be disclosed, and any of which he or she becomes 18 aware will be disclosed, in accordance with Section 6 of BCP 79. 20 Internet-Drafts are working documents of the Internet Engineering 21 Task Force (IETF), its areas, and its working groups. Note that 22 other groups may also distribute working documents as Internet- 23 Drafts. 25 Internet-Drafts are draft documents valid for a maximum of six months 26 and may be updated, replaced, or obsoleted by other documents at any 27 time. It is inappropriate to use Internet-Drafts as reference 28 material or to cite them other than as "work in progress." 30 The list of current Internet-Drafts can be accessed at 31 http://www.ietf.org/ietf/1id-abstracts.txt. 33 The list of Internet-Draft Shadow Directories can be accessed at 34 http://www.ietf.org/shadow.html. 36 This Internet-Draft will expire on June 1, 2009. 38 Abstract 40 This document supplies the protocol definition for a revised and 41 updated specification for internationalized domain names (IDNs). The 42 rationale for these changes, the relationship to the older 43 specification, and important terminology are provided in other 44 documents. This document specifies the protocol mechanism, called 45 Internationalizing Domain Names in Applications (IDNA), for 46 registering and looking up IDNs in a way that does not require 47 changes to the DNS itself. IDNA is only meant for processing domain 48 names, not free text. 50 Table of Contents 52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4 53 1.1. Discussion Forum . . . . . . . . . . . . . . . . . . . . . 4 54 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4 55 3. Requirements and Applicability . . . . . . . . . . . . . . . . 5 56 3.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 5 57 3.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 5 58 3.2.1. DNS Resource Records . . . . . . . . . . . . . . . . . 6 59 3.2.2. Non-domain-name Data Types Stored in the DNS . . . . . 6 60 4. Registration Protocol . . . . . . . . . . . . . . . . . . . . 6 61 4.1. Proposed label . . . . . . . . . . . . . . . . . . . . . . 7 62 4.2. Conversion to Unicode and Normalization . . . . . . . . . 7 63 4.3. Permitted Character and Label Validation . . . . . . . . . 7 64 4.3.1. Input Format . . . . . . . . . . . . . . . . . . . . . 7 65 4.3.2. Rejection of Characters that are not Permitted . . . . 8 66 4.3.3. Label Validation . . . . . . . . . . . . . . . . . . . 8 67 4.3.4. Registration Validation Summary . . . . . . . . . . . 9 68 4.4. Registry Restrictions . . . . . . . . . . . . . . . . . . 9 69 4.5. Punycode Conversion . . . . . . . . . . . . . . . . . . . 10 70 4.6. Insertion in the Zone . . . . . . . . . . . . . . . . . . 10 71 5. Domain Name Lookup Protocol . . . . . . . . . . . . . . . . . 10 72 5.1. Label String Input . . . . . . . . . . . . . . . . . . . . 10 73 5.2. Conversion to Unicode . . . . . . . . . . . . . . . . . . 10 74 5.3. Character Changes in Preprocessing or the User 75 Interface . . . . . . . . . . . . . . . . . . . . . . . . 11 76 5.4. A-label Input . . . . . . . . . . . . . . . . . . . . . . 12 77 5.5. Validation and Character List Testing . . . . . . . . . . 12 78 5.6. Punycode Conversion . . . . . . . . . . . . . . . . . . . 13 79 5.7. DNS Name Resolution . . . . . . . . . . . . . . . . . . . 13 80 6. Name Server Considerations . . . . . . . . . . . . . . . . . . 14 81 6.1. Processing Non-ASCII Strings . . . . . . . . . . . . . . . 14 82 6.2. DNSSEC Authentication of IDN Domain Names . . . . . . . . 14 83 6.3. Root and other DNS Server Considerations . . . . . . . . . 15 84 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15 85 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16 86 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16 87 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16 88 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17 89 11.1. Normative References . . . . . . . . . . . . . . . . . . . 17 90 11.2. Informative References . . . . . . . . . . . . . . . . . . 18 91 Appendix A. Summary of Major Changes from IDNA2003 . . . . . . . 19 92 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 20 93 B.1. Changes between Version -00 and -01 of 94 draft-ietf-idnabis-protocol . . . . . . . . . . . . . . . 20 95 B.2. Version -02 . . . . . . . . . . . . . . . . . . . . . . . 20 96 B.3. Version -03 . . . . . . . . . . . . . . . . . . . . . . . 21 97 B.4. Version -04 . . . . . . . . . . . . . . . . . . . . . . . 21 98 B.5. Version -05 . . . . . . . . . . . . . . . . . . . . . . . 21 99 B.6. Version -06 . . . . . . . . . . . . . . . . . . . . . . . 21 100 B.7. Version -07 . . . . . . . . . . . . . . . . . . . . . . . 21 101 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22 102 Intellectual Property and Copyright Statements . . . . . . . . . . 23 104 1. Introduction 106 This document supplies the protocol definition for a revised and 107 updated specification for internationalized domain names. Essential 108 definitions and terminology for understanding this document and a 109 road map of the collection of documents that make up IDNA2008 appear 110 in [IDNA2008-Defs]. Appendix A discusses the relationship between 111 this specification and the earlier version of IDNA (referred to here 112 as "IDNA2003") and the rationale for these changes, along with 113 considerable explanatory material and advice to zone administrators 114 who support IDNs is provided in another documents, notably 115 [IDNA2008-Rationale]. 117 IDNA works by allowing applications to use certain ASCII string 118 labels (beginning with a special prefix) to represent non-ASCII name 119 labels. Lower-layer protocols need not be aware of this; therefore 120 IDNA does not depend on changes to any infrastructure. In 121 particular, IDNA does not depend on any changes to DNS servers, 122 resolvers, or protocol elements, because the ASCII name service 123 provided by the existing DNS is entirely sufficient for IDNA. 125 IDNA is applied only to DNS labels. Standards for combining labels 126 into fully-qualified domain names and parsing labels out of those 127 names are covered in the base DNS standards [RFC1034] [RFC1035] and 128 their various updates. An application may, of course, apply locally- 129 appropriate conventions to the presentation forms of domain names as 130 discussed in [IDNA2008-Rationale]. 132 While they share terminology, reference data, and some operations, 133 this document describes two separate protocols, one for IDN 134 registration (Section 4) and one for IDN lookup (Section 5). 136 1.1. Discussion Forum 138 [[anchor3: RFC Editor: please remove this section.]] 140 This work is being discussed in the IETF IDNABIS WG and on the 141 mailing list idna-update@alvestrand.no 143 2. Terminology 145 General terminology applicable to IDNA, but with meanings familiar to 146 those who have worked with Unicode or other character set standards 147 and the DNS, appears in [IDNA2008-Defs]. Terminology that is an 148 integral, normative, part of the IDNA definition, including the 149 definitions of "ACE", appears in that document as well. Familiarity 150 with the terminology materials in that document is assumed for 151 reading this one. The reader of this document is assumed to be 152 familiar with DNS-specific terminology as defined in RFC 1034 153 [RFC1034]. 155 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", 156 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this 157 document are to be interpreted as described in BCP 14, RFC 2119 158 [RFC2119]. 160 3. Requirements and Applicability 162 3.1. Requirements 164 IDNA conformance means adherence to the following requirements: 166 1. Whenever a domain name is put into an IDN-unaware domain name 167 slot (see Section 2 and [IDNA2008-Defs]), it MUST contain only 168 ASCII characters (i.e., must be either an A-label or an LDH- 169 label), or must be a label associated with a DNS application that 170 is not subject to either IDNA or the historical recommendations 171 for "hostname"-style names [RFC1034]. 173 2. Comparison of labels MUST be done on equivalent forms: either 174 both A-Label forms or both U-Label forms. Because A-labels and 175 U-labels can be transformed into each other without loss of 176 information, these comparisons are equivalent. However, when the 177 A-label form is compared, it MUST use an ASCII case-insensitive 178 comparison as with all comparisons of DNS labels. Comparison is 179 only valid if the putative labels have been verified to be either 180 A-Labels or U-Labels. 182 3. Labels being registered MUST conform to the requirements of 183 Section 4. Labels being looked up and the lookup process MUST 184 conform to the requirements of Section 5. 186 3.2. Applicability 188 IDNA is applicable to all domain names in all domain name slots 189 except where it is explicitly excluded. It is not applicable to 190 domain name slots which do not use the LDH syntax rules. 192 This implies that IDNA is applicable to many protocols that predate 193 IDNA. Note that IDNs occupying domain name slots in those older 194 protocols MUST be in A-label form until and unless those protocols 195 and implementations of them are upgraded to be IDN-aware and that 196 IDNs actually appearing in DNS queries or responses MUST be in 197 A-label form. 199 3.2.1. DNS Resource Records 201 IDNA applies only to domain names in the NAME and RDATA fields of DNS 202 resource records whose CLASS is IN. 204 There are currently no other exclusions on the applicability of IDNA 205 to DNS resource records. Applicability depends entirely on the 206 CLASS, and not on the TYPE except as noted below. This will remain 207 true, even as new types are defined, unless there is a compelling 208 reason for a new type that requires type-specific rules. The special 209 naming conventions applicable to SRV records are examples of type- 210 specific rules that are incompatible with IDNA coding. Hence the 211 first two labels (the ones required to start in "_") on a record with 212 TYPE SRV MUST NOT be A-labels or U-labels (while it would be possible 213 to write a non-ASCII string with a leading underscore, conversion to 214 an A-label would be impossible without loss of information because 215 the underscore is not a letter, digit, or hyphen and is consequently 216 DISALLOWED in IDNs). Of course, those labels may be part of a domain 217 that uses IDN labels at higher levels in the tree. 219 3.2.2. Non-domain-name Data Types Stored in the DNS 221 Although IDNA enables the representation of non-ASCII characters in 222 domain names, that does not imply that IDNA enables the 223 representation of non-ASCII characters in other data types that are 224 stored in domain names, specifically in the RDATA field for types 225 that have structured RDATA format. For example, an email address 226 local part is stored in a domain name in the RNAME field as part of 227 the RDATA of an SOA record (hostmaster@example.com would be 228 represented as hostmaster.example.com). IDNA specifically does not 229 update the existing email standards, which allow only ASCII 230 characters in local parts. Even though work is in progress to define 231 internationalization for email addresses [RFC4952], changes to the 232 email address part of the SOA RDATA would require action in, or 233 updates to, other standards, specifically those that specify the 234 format of the SOA RR. 236 4. Registration Protocol 238 This section defines the procedure for registering an IDN. The 239 procedure is implementation independent; any sequence of steps that 240 produces exactly the same result for all labels is considered a valid 241 implementation. 243 Note that, while the registration and lookup protocols (Section 5) 244 are very similar in most respects, they are different and 245 implementers should carefully follow the steps they are implementing. 247 4.1. Proposed label 249 The registrant submits a request for an IDN. The user typically 250 produces the request string by the keyboard entry of a character 251 sequence in the local native character set (which might, of course, 252 be Unicode). 254 4.2. Conversion to Unicode and Normalization 256 Some system routine, or a localized front-end to the IDNA process, 257 ensures that the proposed label is a Unicode string or converts it to 258 one as appropriate. Independent of its source form, the string MUST 259 be in Unicode Normalization Form C (NFC [Unicode-UAX15]) before 260 further processing in this protocol. 262 As a local implementation choice, the implementation MAY choose to 263 map some forbidden characters to permitted characters (for instance 264 mapping uppercase characters to lowercase ones), displaying the 265 result to the user, and allowing processing to continue. This should 266 be done very conservatively to prevent interoperability problems with 267 lookup applications that do not follow exactly the same rules. In 268 particular, it is strongly recommended that, to avoid any possible 269 ambiguity, entities responsible for zone files ("registries") accept 270 registrations only for A-labels (to be converted to U-labels by the 271 registry as discussed above) or U-labels actually produced from 272 A-labels, not forms expected to be converted by some other process. 274 4.3. Permitted Character and Label Validation 276 4.3.1. Input Format 278 [[anchor8: Note in -07 -- this section was formerly the second 279 paragraph of Section 4.1. It may need additional work; suggestions 280 welcome.]] 282 The registry MAY permit submission of labels in A-label form. If it 283 does so, it MUST perform a conversion to a U-label, perform the steps 284 and tests described below, and verify that the A-label produced by 285 the step in Section 4.5 matches the one provided as input. If, for 286 some reason, it does not, the registration MUST be rejected. If the 287 conversion to a U-label is not performed, the registry MUST verify 288 that the A-label is superficially valid, i.e., that it does not 289 violate any of the rules of Punycode [RFC3492] encoding such as the 290 prohibition on trailing hyphen-minus, appearance of non-basic 291 characters before the delimiter, and so on. Invalid strings that 292 appear to be A-labels MUST NOT be placed in DNS zones. 294 4.3.2. Rejection of Characters that are not Permitted 296 The candidate Unicode string is checked to verify that characters 297 that IDNA does not permit do not appear in it. Those characters are 298 identified in the "DISALLOWED" and "UNASSIGNED" lists that are 299 specified in [IDNA2008-Tables] and described informally in 300 [IDNA2008-Rationale]. Characters that are either DISALLOWED or 301 UNASSIGNED MUST NOT be part of labels to be processed for 302 registration in the DNS. 304 4.3.3. Label Validation 306 The proposed label (in the form of a Unicode string, i.e., a putative 307 U-label) is then examined, performing tests that require examination 308 of more than one character. 310 4.3.3.1. Rejection of Hyphen Sequences in U-labels 312 The Unicode string MUST NOT contain "--" (two consecutive hyphens) in 313 the third and fourth character positions when the label is considered 314 in "on the wire" order. 316 4.3.3.2. Leading Combining Marks 318 The first character of the string (when the label is considered in 319 "on the wire" order) is examined to verify that it is not a combining 320 mark. If it is a combining mark, the string MUST NOT be registered. 322 4.3.3.3. Contextual Rules 324 Each code point is checked for its identification as a character 325 requiring contextual processing for registration (the list of 326 characters appears as the combination of CONTEXTJ and CONTEXTO in 327 [IDNA2008-Tables] as do the contextual rules themselves). If that 328 indication appears, the table of contextual rules is checked for a 329 rule for that character. If no rule is found, the proposed label is 330 rejected and MUST NOT be installed in a zone file. If one is found, 331 it is applied (typically as a test on the entire label or on adjacent 332 characters within the label). If the application of the rule does 333 not conclude that the character is valid in context, the proposed 334 label MUST BE rejected. (See the IANA Considerations: IDNA Context 335 Registry section of [IDNA2008-Tables].) 337 These contextual rules are required to support the use of characters 338 that could be used, under other conditions, to produce misleading 339 labels or to cause unacceptable ambiguity in label matching and 340 interpretation. For example, labels containing invisible ("zero- 341 width") characters may be permitted in context with characters whose 342 presentation forms are significantly changed by the presence or 343 absence of the zero-width characters, while other labels in which 344 zero-width characters appear may be rejected. 346 4.3.3.4. Labels Containing Characters Written Right to Left 348 Additional special tests for right-to-left strings are applied. 349 Strings that contain right to left characters that do not conform to 350 the rule(s) identified in [IDNA2008-BIDI] MUST NOT be inserted as 351 labels in zone files. 353 4.3.4. Registration Validation Summary 355 Strings that contain at least one non-ASCII character, have been 356 produced by the steps above, whose contents pass the above tests, and 357 are 63 or fewer characters long in ACE form (see Section 4.5), are 358 U-labels. 360 To summarize, tests are made in Section 4.3 for invalid characters, 361 invalid combinations of characters, and for labels that are invalid 362 even if the characters they contain are valid individually. 364 4.4. Registry Restrictions 366 Registries at all levels of the DNS, not just the top level, are 367 expected to establish policies about the labels that may be 368 registered, and for the processes associated with that action. While 369 exact policies are not specified as part of IDNA2008 and it is 370 expected that different registries may specify different policies, 371 there SHOULD be policies. Even a trivial policy (e.g., "anything can 372 be registered in this zone that can be represented as an A-label - 373 U-label pair") has value because it provides notice to users and 374 applications implementers that the registry cannot be relied upon to 375 provide even minimal user-protection restrictions. These per- 376 registry policies and restrictions are an essential element of the 377 IDNA registration protocol even for registries (and corresponding 378 zone files) deep in the DNS hierarchy. As discussed in 379 [IDNA2008-Rationale], such restrictions have always existed in the 380 DNS. That document also contains a discussion and recommendations 381 about possible types of rules. 383 The string produced by the above steps is checked and processed as 384 appropriate to local registry restrictions. Application of those 385 registry restrictions may result in the rejection of some labels or 386 the application of special restrictions to others. 388 4.5. Punycode Conversion 390 The resulting U-label is converted to an A-label. The A-label, more 391 precisely defined elsewhere, is the encoding of the U-label according 392 to the Punycode algorithm [RFC3492] with the ACE prefix "xn--" added 393 at the beginning of the string. This document updates RFC 3492 only 394 to the extent of replacing the reference to the discussion of the ACE 395 prefix. The ACE prefix is now specified in this document rather than 396 as part of RFC 3490 or Nameprep [RFC3491] but is the same in both 397 sets of documents. 399 The failure conditions identified in the Punycode encoding procedure 400 cannot occur if the input is a U-label as determined by the steps 401 above. 403 4.6. Insertion in the Zone 405 The A-label is registered in the DNS by insertion into a zone. 407 5. Domain Name Lookup Protocol 409 Lookup is conceptually different from registration and different 410 tests are applied on the client. Although some validity checks are 411 necessary to avoid serious problems with the protocol (see 412 Section 5.5ff.), the lookup-side tests are more permissive and rely 413 on the assumption that names that are present in the DNS are valid. 414 That assumption is, however, a weak one because the presence of wild 415 cards in the DNS might cause a string that is not actually registered 416 in the DNS to be successfully looked up. 418 5.1. Label String Input 420 The user supplies a string in the local character set, typically by 421 typing it or clicking on, or copying and pasting, a resource 422 identifier, e.g., a URI [RFC3986] or IRI [RFC3987] from which the 423 domain name is extracted. Alternately, some process not directly 424 involving the user may read the string from a file or obtain it in 425 some other way. Processing in this step and the next two are local 426 matters, to be accomplished prior to actual invocation of IDNA, but 427 at least the two steps in Section 5.2 and Section 5.3 must be 428 accomplished in some way. 430 5.2. Conversion to Unicode 432 The string is converted from the local character set into Unicode, if 433 it is not already Unicode. The exact nature of this conversion is 434 beyond the scope of this document, but may involve normalization as 435 described in Section 4.2. The result MUST be a Unicode string in NFC 436 form. 438 5.3. Character Changes in Preprocessing or the User Interface 440 The Unicode string MAY then be processed to prevent confounding of 441 user expectations. For instance, it might be reasonable, at this 442 step, to convert all upper case characters to lower case, if this 443 makes sense in the user's environment, but even this should be 444 approached with caution due to some edge cases: in the long term, it 445 is probably better for users to understand IDNs strictly in lower- 446 case, U-label, form. More generally, preprocessing may be useful to 447 smooth the transition from IDNA2003, especially for direct user 448 input, but with similar cautions. In general, IDNs appearing in 449 files and those transmitted across the network as part of protocols 450 are expected to be in either ASCII form (including A-labels) or to 451 contain U-labels, rather than being in forms requiring mapping or 452 other conversions. 454 Other examples of processing for localization might be applied, 455 especially to direct user input, at this point. They include 456 interpreting various characters as separating domain name components 457 from each other (label separators) because they either look like 458 periods or are used to separate sentences, mapping halfwidth or 459 fullwidth East Asian characters to the common form permitted in 460 labels, or giving special treatment to characters whose presentation 461 forms are dependent only on placement in the label. Such 462 localization changes are also outside the scope of this 463 specification. 465 Recommendations for preprocessing for global contexts (i.e., when 466 local considerations do not apply or cannot be used) and for maximum 467 interoperability with labels that might have been specified under 468 liberal readings of IDNA2003 are given in [IDNA2008-Rationale]. It 469 is important to note that the intent of these specifications is that 470 labels in application protocols, files, or links are intended to be 471 in U-label or A-label form. Preprocessing MUST NOT map a character 472 that is valid in a label as specified elsewhere in this document or 473 in [IDNA2008-Tables] into another character. Excessively liberal use 474 of preprocessing, especially to strings stored in files, poses a 475 threat to consistent and predictable behavior for the user even if 476 not to actual interoperability. 478 Because these transformations are local, it is important that domain 479 names that might be passed between systems (e.g., in IRIs) be 480 U-labels or A-labels and not forms that might be accepted locally as 481 a consequence of this step. This step is not standardized as part of 482 IDNA, and is not further specified here. 484 5.4. A-label Input 486 If the input to this procedure appears to be an A-label (i.e., it 487 starts in "xn--"), the lookup application MAY attempt to convert it 488 to a U-label and apply the tests of Section 5.5 and the conversion of 489 Section 5.6 to that form. If the label is converted to Unicode 490 (i.e., to U-label form) using the Punycode decoding algorithm, then 491 the processing specified in those two sections MUST be performed, and 492 the label MUST be rejected if the resulting label is not identical to 493 the original. See also Section 6.1. 495 That conversion and testing SHOULD be performed if the domain name 496 will later be presented to the user in native character form (this 497 requires that the lookup application be IDNA-aware). If those steps 498 are not performed, the lookup process SHOULD at least make tests to 499 determine that the string is actually an A-label, examining it for 500 the invalid formats specified in the Punycode decoding specification. 501 Applications that are not IDNA-aware will obviously omit that 502 testing; others MAY treat the string as opaque to avoid the 503 additional processing at the expense of providing less protection and 504 information to users. 506 5.5. Validation and Character List Testing 508 As with the registration procedure, the Unicode string is checked to 509 verify that all characters that appear in it are valid as input to 510 IDNA lookup processing. As discussed above and in 511 [IDNA2008-Rationale], the lookup check is more liberal than the 512 registration one. Putative labels with any of the following 513 characteristics MUST BE rejected prior to DNS lookup: 515 o Labels containing code points that are unassigned in the version 516 of Unicode being used by the application, i.e., in the 517 "Unassigned" Unicode category or the UNASSIGNED category of 518 [IDNA2008-Tables]. 520 o Labels that are not in NFC form. 522 o Labels containing prohibited code points, i.e., those that are 523 assigned to the "DISALLOWED" category in the permitted character 524 table [IDNA2008-Tables]. 526 o Labels containing code points that are shown in the permitted 527 character table as requiring a contextual rule and that are 528 flagged as requiring exceptional special processing on lookup 529 ("CONTEXTJ" in the Tables) but do not conform to that rule. 531 o Labels containing other code points that are shown in the 532 permitted character table as requiring a contextual rule 533 ("CONTEXTO" in the tables), but for which no such rule appears in 534 the table of rules. Applications resolving DNS names or carrying 535 out equivalent operations are not required to test contextual 536 rules for "CONTEXTO" characters, only to verify that a rule exists 537 (although they MAY make such tests to give better information to 538 the user). 540 o Labels whose first character is a combining mark. 542 In addition, the application SHOULD apply the following test. The 543 test may be omitted in special circumstances, such as when the lookup 544 application knows that the conditions are enforced elsewhere, because 545 an attempt to look up and resolve such strings will almost certainly 546 lead to a DNS lookup failure except when wildcards are present in the 547 zone. However, applying the test is likely to give much better 548 information about the reason for a lookup failure -- information that 549 may be usefully passed to the user when that is feasible -- than DNS 550 resolution failure information alone. In any event, lookup 551 applications should avoid attempting to resolve labels that are 552 invalid under that test. 554 o Verification that the string is compliant with the requirements 555 for right to left characters, specified in [IDNA2008-BIDI]. 557 For all other strings, the lookup application MUST rely on the 558 presence or absence of labels in the DNS to determine the validity of 559 those labels and the validity of the characters they contain. If 560 they are registered, they are presumed to be valid; if they are not, 561 their possible validity is not relevant. A lookup application that 562 declines to process a string that conforms to the rules above and 563 does not look it up in the DNS is not in conformance with this 564 protocol. 566 5.6. Punycode Conversion 568 The validated string, a U-label, is converted to an A-label using the 569 Punycode algorithm with the ACE prefix added. 571 5.7. DNS Name Resolution 573 The A-label is looked up in the DNS, using normal DNS resolver 574 procedures. 576 6. Name Server Considerations 578 [[anchor16: Note in draft: If we really want this document to contain 579 only information that is necessary to proper implementation of IDNA 580 by implementers who are familiar with the DNS, the material in this 581 section is either tutorial, explanatory, or totally unnecessary. 582 Should some or all of it be moved back to Rationale?]] 584 6.1. Processing Non-ASCII Strings 586 Existing DNS servers do not know the IDNA rules for handling non- 587 ASCII forms of IDNs, and therefore need to be shielded from them. 588 All existing channels through which names can enter a DNS server 589 database (for example, master files (as described in RFC 1034) and 590 DNS update messages [RFC2136]) are IDN-unaware because they predate 591 IDNA. Other sections of this document provide the needed shielding 592 by ensuring that internationalized domain names entering DNS server 593 databases through such channels have already been converted to their 594 equivalent ASCII A-label forms. 596 Because of the design of the algorithms in Section 4 and Section 5 (a 597 domain name containing only ASCII codepoints can not be converted to 598 an A-label), there can not be more than one A-label form for any 599 given U-label. 601 As specified in RFC 2181 [RFC2181], the DNS protocol explicitly 602 allows domain labels to contain octets beyond the ASCII range 603 (0000..007F), and this document does not change that. Note, however, 604 that there is no defined interpretation of octets 0080..00FF as 605 characters. If labels containing these octets are returned to 606 applications, unpredictable behavior could result. The A-label form, 607 which cannot contain those characters, is the only standard 608 representation for internationalized labels in the DNS protocol. 610 6.2. DNSSEC Authentication of IDN Domain Names 612 DNS Security [RFC2535] is a method for supplying cryptographic 613 verification information along with DNS messages. Public Key 614 Cryptography is used in conjunction with digital signatures to 615 provide a means for a requester of domain information to authenticate 616 the source of the data. This ensures that it can be traced back to a 617 trusted source, either directly or via a chain of trust linking the 618 source of the information to the top of the DNS hierarchy. 620 IDNA specifies that all internationalized domain names served by DNS 621 servers that cannot be represented directly in ASCII MUST use the 622 A-label form. Conversion to A-labels MUST be performed prior to a 623 zone being signed by the private key for that zone. Because of this 624 ordering, it is important to recognize that DNSSEC authenticates a 625 domain name containing A-labels or conventional LDH-labels, not 626 U-labels. In the presence of DNSSEC, no form of a zone file or query 627 response that contains a U-label may be signed or the signature 628 validated. 630 One consequence of this for sites deploying IDNA in the presence of 631 DNSSEC is that any special purpose proxies or forwarders used to 632 transform user input into IDNs must be earlier in the lookup flow 633 than DNSSEC authenticating nameservers for DNSSEC to work. 635 6.3. Root and other DNS Server Considerations 637 IDNs in A-label form will generally be somewhat longer than current 638 domain names, so the bandwidth needed by the root servers is likely 639 to go up by a small amount. Also, queries and responses for IDNs 640 will probably be somewhat longer than typical queries historically, 641 so EDNS0 [RFC2671] support may be more important (otherwise, queries 642 and responses may be forced to go to TCP instead of UDP). 644 7. Security Considerations 646 The general security principles and issues for IDNA appear in 647 [IDNA2008-Defs] with additional explanation in [IDNA2008-Rationale]. 648 The comments below are specific to the registration and loopup 649 protocols specified in this document, but should be read in the 650 context of the material in the first of those documents and the 651 definitions and specifications, identified there, on which this one 652 depends. 654 This memo describes procedures for registering and looking up labels 655 that are not compatible with the preferred syntax described in the 656 base DNS specifications (STD13 [RFC1034] [RFC1035] and Host 657 Requirements [RFC1123]) because they contain non-ASCII characters. 658 These procedures depend on the use of a special ASCII-compatible 659 encoding form that contains only characters permitted in host names 660 by those earlier specifications. The encoding used is Punycode 661 [RFC3492]. No security issues such as string length increases or new 662 allowed values are introduced by the encoding process or the use of 663 these encoded values, apart from those introduced by the ACE encoding 664 itself. 666 Domain names (or portions of them) are sometimes compared against a 667 set of domains to be given special treatment if a match occurs, e.g., 668 treated as more privileged than others or blocked in some way. In 669 such situations, it is especially important that the comparisons be 670 done properly, as specified in Requirement 2 of Section 3.1. For 671 labels already in ASCII form (i.e., are LDH-labels or A-labels), the 672 proper comparison reduces to the same case-insensitive ASCII 673 comparison that has always been used for ASCII labels. 675 The introduction of IDNA means that any existing labels that start 676 with the ACE prefix would be construed as A-labels, at least until 677 they failed one of the relevant tests, whether or not that was the 678 intent of the zone administrator or registrant. There is no evidence 679 that this has caused any practical problems since RFC 3490 was 680 adopted, but the risk still exists in principle. 682 8. IANA Considerations 684 IANA actions for this version of IDNA are specified in 685 [IDNA2008-Tables] and discussed informally in [IDNA2008-Rationale]. 686 The components of IDNA described in this document do not require any 687 IANA actions. 689 9. Contributors 691 While the listed editor held the pen, the original versions of this 692 document represent the joint work and conclusions of an ad hoc design 693 team consisting of the editor and, in alphabetic order, Harald 694 Alvestrand, Tina Dam, Patrik Faltstrom, and Cary Karp. This document 695 draws significantly on the original version of IDNA [RFC3490] both 696 conceptually and for specific text. This second-generation version 697 would not have been possible without the work that went into that 698 first version and its authors, Patrik Faltstrom, Paul Hoffman, and 699 Adam Costello. While Faltstrom was actively involved in the creation 700 of this version, Hoffman and Costello were not and should not be held 701 responsible for any errors or omissions. 703 10. Acknowledgements 705 This revision to IDNA would have been impossible without the 706 accumulated experience since RFC 3490 was published and resulting 707 comments and complaints of many people in the IETF, ICANN, and other 708 communities, too many people to list here. Nor would it have been 709 possible without RFC 3490 itself and the efforts of the Working Group 710 that defined it. Those people whose contributions are acknowledged 711 in RFC 3490, [RFC4690], and [IDNA2008-Rationale] were particularly 712 important. 714 Specific textual changes were incorporated into this document after 715 suggestions from the other contributors, Stephane Bortzmeyer, Vint 716 Cerf, Mark Davis, Paul Hoffman, Kent Karlsson, Erik van der Poel, 717 Marcos Sanz, Andrew Sullivan, Ken Whistler, and other WG 718 participants. Special thanks are due to Paul Hoffman for permission 719 to extract material from his Internet-Draft to form the basis for 720 Appendix A 722 11. References 724 11.1. Normative References 726 [IDNA2008-BIDI] 727 Alvestrand, H. and C. Karp, "An updated IDNA criterion for 728 right-to-left scripts", July 2008, . 731 [IDNA2008-Defs] 732 Klensin, J., "Internationalized Domain Names for 733 Applications (IDNA): Definitions and Document Framework", 734 November 2008, . 737 [IDNA2008-Tables] 738 Faltstrom, P., "The Unicode Codepoints and IDNA", 739 July 2008, . 742 A version of this document is available in HTML format at 743 http://stupid.domain.name/idnabis/ 744 draft-ietf-idnabis-tables-02.html 746 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities", 747 STD 13, RFC 1034, November 1987. 749 [RFC1035] Mockapetris, P., "Domain names - implementation and 750 specification", STD 13, RFC 1035, November 1987. 752 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application 753 and Support", STD 3, RFC 1123, October 1989. 755 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate 756 Requirement Levels", BCP 14, RFC 2119, March 1997. 758 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode 759 for Internationalized Domain Names in Applications 760 (IDNA)", RFC 3492, March 2003. 762 [Unicode-PropertyValueAliases] 763 The Unicode Consortium, "Unicode Character Database: 764 PropertyValueAliases", March 2008, . 767 [Unicode-RegEx] 768 The Unicode Consortium, "Unicode Technical Standard #18: 769 Unicode Regular Expressions", May 2005, 770 . 772 [Unicode-Scripts] 773 The Unicode Consortium, "Unicode Standard Annex #24: 774 Unicode Script Property", February 2008, 775 . 777 [Unicode-UAX15] 778 The Unicode Consortium, "Unicode Standard Annex #15: 779 Unicode Normalization Forms", 2006, 780 . 782 11.2. Informative References 784 [ASCII] American National Standards Institute (formerly United 785 States of America Standards Institute), "USA Code for 786 Information Interchange", ANSI X3.4-1968, 1968. 788 ANSI X3.4-1968 has been replaced by newer versions with 789 slight modifications, but the 1968 version remains 790 definitive for the Internet. 792 [IDNA2008-Rationale] 793 Klensin, J., Ed., "Internationalizing Domain Names for 794 Applications (IDNA): Issues, Explanation, and Rationale", 795 November 2008, . 798 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound, 799 "Dynamic Updates in the Domain Name System (DNS UPDATE)", 800 RFC 2136, April 1997. 802 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS 803 Specification", RFC 2181, July 1997. 805 [RFC2535] Eastlake, D., "Domain Name System Security Extensions", 806 RFC 2535, March 1999. 808 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)", 809 RFC 2671, August 1999. 811 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello, 812 "Internationalizing Domain Names in Applications (IDNA)", 813 RFC 3490, March 2003. 815 [RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep 816 Profile for Internationalized Domain Names (IDN)", 817 RFC 3491, March 2003. 819 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform 820 Resource Identifier (URI): Generic Syntax", STD 66, 821 RFC 3986, January 2005. 823 [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource 824 Identifiers (IRIs)", RFC 3987, January 2005. 826 [RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and 827 Recommendations for Internationalized Domain Names 828 (IDNs)", RFC 4690, September 2006. 830 [RFC4952] Klensin, J. and Y. Ko, "Overview and Framework for 831 Internationalized Email", RFC 4952, July 2007. 833 [Unicode] The Unicode Consortium, "The Unicode Standard, Version 834 5.0", 2007. 836 Boston, MA, USA: Addison-Wesley. ISBN 0-321-48091-0 838 Appendix A. Summary of Major Changes from IDNA2003 840 1. Update base character set from Unicode 3.2 to Unicode version- 841 agnostic. 843 2. Separate the definitions for the "registration" and "lookup" 844 activities. 846 3. Disallow symbol and punctuation characters except where special 847 exceptions are necessary. 849 4. Remove the mapping and normalization steps from the protocol and 850 have them instead done by the applications themselves, possibly 851 in a local fashion, before invoking the protocol. 853 5. Change the way that the protocol specifies which characters are 854 allowed in labels from "humans decide what the table of 855 codepoints contains" to "decision about codepoints are based on 856 Unicode properties plus a small exclusion list created by 857 humans". 859 6. Introduce the new concept of characters that can be used only in 860 specific contexts. 862 7. Allow typical words and names in languages such as Dhivehi and 863 Yiddish to be expressed. 865 8. Make bidirectional domain names (delimited strings of labels, 866 not just labels standing on their own) display in a less 867 surprising fashion whether they appear in obvious domain name 868 contexts or as part of running text in paragraphs. 870 9. Remove the dot separator from the mandatory part of the 871 protocol. 873 10. Make some currently-valid labels that are not actually IDNA 874 labels invalid. 876 Appendix B. Change Log 878 [[anchor25: RFC Editor: Please remove this appendix.]] 880 B.1. Changes between Version -00 and -01 of draft-ietf-idnabis-protocol 882 o Corrected discussion of SRV records. 884 o Several small corrections for clarity. 886 o Inserted more "open issue" placeholders. 888 B.2. Version -02 890 o Rewrote the "conversion to Unicode" text in Section 5.2 as 891 requested on-list. 893 o Added a comment (and reference) about EDNS0 to the "DNS Server 894 Conventions" section, which was also retitled. 896 o Made several editorial corrections and improvements in response to 897 various comments. 899 o Added several new discussion placeholder anchors and updated some 900 older ones. 902 B.3. Version -03 904 o Trimmed change log, removing information about pre-WG drafts. 906 o Incorporated a number of changes suggested by Marcos Sanz in his 907 note of 2008.07.17 and added several more placeholder anchors. 909 o Several minor editorial corrections and improvements. 911 o "Editor" designation temporarily removed because the automatic 912 posting machinery does not accept it. 914 B.4. Version -04 916 o Removed Contextual Rule appendices for transfer to Tables. 918 o Several changes, including removal of discussion anchors, based on 919 discussions at IETF 72 (Dublin) 921 o Rewrote the preprocessing material (Section 5.3) somewhat. 923 B.5. Version -05 925 o Updated part of the A-label input explanation (Section 5.4) per 926 note from Erik van der Poel. 928 B.6. Version -06 930 o Corrected a few typographical errors. 932 o Incorporated the material (formerly in Rationale) on the 933 relationship between IDNA2003 and IDNA2008 as an appendix and 934 pointed to the new definitions document. 936 o Text modified in several places to recognize the dangers of 937 interaction between DNS wildcards and IDNs. 939 o Text added to be explicit about the handling of edge and failure 940 cases in Punycode encoding and decoding. 942 o Revised for consistency with the new Definitions document and to 943 make the text read more smoothly. 945 B.7. Version -07 947 o Multiple small textual and editorial changes and clarifications. 949 o Requirement for normalization clarified to apply to all cases and 950 conditions for preprocessing further clarified. 952 o Substantive change to Section 4.3.1, turning a SHOULD to a MUST 953 (see note from Mark Davis, 19 November, 2008 18:14 -0800). 955 Author's Address 957 John C Klensin 958 1770 Massachusetts Ave, Ste 322 959 Cambridge, MA 02140 960 USA 962 Phone: +1 617 245 1457 963 Email: john+ietf@jck.com 965 Full Copyright Statement 967 Copyright (C) The IETF Trust (2008). 969 This document is subject to the rights, licenses and restrictions 970 contained in BCP 78, and except as set forth therein, the authors 971 retain all their rights. 973 This document and the information contained herein are provided on an 974 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS 975 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND 976 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS 977 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF 978 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED 979 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. 981 Intellectual Property 983 The IETF takes no position regarding the validity or scope of any 984 Intellectual Property Rights or other rights that might be claimed to 985 pertain to the implementation or use of the technology described in 986 this document or the extent to which any license under such rights 987 might or might not be available; nor does it represent that it has 988 made any independent effort to identify any such rights. Information 989 on the procedures with respect to rights in RFC documents can be 990 found in BCP 78 and BCP 79. 992 Copies of IPR disclosures made to the IETF Secretariat and any 993 assurances of licenses to be made available, or the result of an 994 attempt made to obtain a general license or permission for the use of 995 such proprietary rights by implementers or users of this 996 specification can be obtained from the IETF on-line IPR repository at 997 http://www.ietf.org/ipr. 999 The IETF invites any interested party to bring to its attention any 1000 copyrights, patents or patent applications, or other proprietary 1001 rights that may cover technology that may be required to implement 1002 this standard. Please address the information to the IETF at 1003 ietf-ipr@ietf.org.