idnits 2.17.1
draft-ietf-idnabis-protocol-07.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** It looks like you're using RFC 3978 boilerplate. You should update this
to the boilerplate described in the IETF Trust License Policy document
(see https://trustee.ietf.org/license-info), which is required now.
-- Found old boilerplate from RFC 3978, Section 5.1 on line 18.
-- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
line 979.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 990.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 997.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1003.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document obsoletes RFC3490, but the
abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document updates RFC3492, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust Copyright Line does not match the
current year
(Using the creation date from RFC3492, updated by this document, for
RFC5378 checks: 2002-01-10)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (November 28, 2008) is 5599 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'Unicode-PropertyValueAliases' is defined on line 762,
but no explicit reference was found in the text
== Unused Reference: 'Unicode-RegEx' is defined on line 767, but no
explicit reference was found in the text
== Unused Reference: 'Unicode-Scripts' is defined on line 772, but no
explicit reference was found in the text
== Unused Reference: 'ASCII' is defined on line 784, but no explicit
reference was found in the text
== Unused Reference: 'Unicode' is defined on line 833, but no explicit
reference was found in the text
-- Possible downref: Non-RFC (?) normative reference: ref. 'IDNA2008-BIDI'
-- Possible downref: Non-RFC (?) normative reference: ref.
'Unicode-PropertyValueAliases'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-RegEx'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-Scripts'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15'
-- Obsolete informational reference (is this intentional?): RFC 2535
(Obsoleted by RFC 4033, RFC 4034, RFC 4035)
-- Obsolete informational reference (is this intentional?): RFC 2671
(Obsoleted by RFC 6891)
-- Obsolete informational reference (is this intentional?): RFC 3490
(Obsoleted by RFC 5890, RFC 5891)
-- Obsolete informational reference (is this intentional?): RFC 3491
(Obsoleted by RFC 5891)
-- Obsolete informational reference (is this intentional?): RFC 4952
(Obsoleted by RFC 6530)
Summary: 1 error (**), 0 flaws (~~), 6 warnings (==), 19 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group J. Klensin
3 Internet-Draft November 28, 2008
4 Obsoletes: 3490, 3491
5 (if approved)
6 Updates: 3492 (if approved)
7 Intended status: Standards Track
8 Expires: June 1, 2009
10 Internationalized Domain Names in Applications (IDNA): Protocol
11 draft-ietf-idnabis-protocol-07.txt
13 Status of this Memo
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
23 Drafts.
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on June 1, 2009.
38 Abstract
40 This document supplies the protocol definition for a revised and
41 updated specification for internationalized domain names (IDNs). The
42 rationale for these changes, the relationship to the older
43 specification, and important terminology are provided in other
44 documents. This document specifies the protocol mechanism, called
45 Internationalizing Domain Names in Applications (IDNA), for
46 registering and looking up IDNs in a way that does not require
47 changes to the DNS itself. IDNA is only meant for processing domain
48 names, not free text.
50 Table of Contents
52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
53 1.1. Discussion Forum . . . . . . . . . . . . . . . . . . . . . 4
54 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
55 3. Requirements and Applicability . . . . . . . . . . . . . . . . 5
56 3.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 5
57 3.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 5
58 3.2.1. DNS Resource Records . . . . . . . . . . . . . . . . . 6
59 3.2.2. Non-domain-name Data Types Stored in the DNS . . . . . 6
60 4. Registration Protocol . . . . . . . . . . . . . . . . . . . . 6
61 4.1. Proposed label . . . . . . . . . . . . . . . . . . . . . . 7
62 4.2. Conversion to Unicode and Normalization . . . . . . . . . 7
63 4.3. Permitted Character and Label Validation . . . . . . . . . 7
64 4.3.1. Input Format . . . . . . . . . . . . . . . . . . . . . 7
65 4.3.2. Rejection of Characters that are not Permitted . . . . 8
66 4.3.3. Label Validation . . . . . . . . . . . . . . . . . . . 8
67 4.3.4. Registration Validation Summary . . . . . . . . . . . 9
68 4.4. Registry Restrictions . . . . . . . . . . . . . . . . . . 9
69 4.5. Punycode Conversion . . . . . . . . . . . . . . . . . . . 10
70 4.6. Insertion in the Zone . . . . . . . . . . . . . . . . . . 10
71 5. Domain Name Lookup Protocol . . . . . . . . . . . . . . . . . 10
72 5.1. Label String Input . . . . . . . . . . . . . . . . . . . . 10
73 5.2. Conversion to Unicode . . . . . . . . . . . . . . . . . . 10
74 5.3. Character Changes in Preprocessing or the User
75 Interface . . . . . . . . . . . . . . . . . . . . . . . . 11
76 5.4. A-label Input . . . . . . . . . . . . . . . . . . . . . . 12
77 5.5. Validation and Character List Testing . . . . . . . . . . 12
78 5.6. Punycode Conversion . . . . . . . . . . . . . . . . . . . 13
79 5.7. DNS Name Resolution . . . . . . . . . . . . . . . . . . . 13
80 6. Name Server Considerations . . . . . . . . . . . . . . . . . . 14
81 6.1. Processing Non-ASCII Strings . . . . . . . . . . . . . . . 14
82 6.2. DNSSEC Authentication of IDN Domain Names . . . . . . . . 14
83 6.3. Root and other DNS Server Considerations . . . . . . . . . 15
84 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15
85 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
86 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16
87 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
88 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
89 11.1. Normative References . . . . . . . . . . . . . . . . . . . 17
90 11.2. Informative References . . . . . . . . . . . . . . . . . . 18
91 Appendix A. Summary of Major Changes from IDNA2003 . . . . . . . 19
92 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 20
93 B.1. Changes between Version -00 and -01 of
94 draft-ietf-idnabis-protocol . . . . . . . . . . . . . . . 20
95 B.2. Version -02 . . . . . . . . . . . . . . . . . . . . . . . 20
96 B.3. Version -03 . . . . . . . . . . . . . . . . . . . . . . . 21
97 B.4. Version -04 . . . . . . . . . . . . . . . . . . . . . . . 21
98 B.5. Version -05 . . . . . . . . . . . . . . . . . . . . . . . 21
99 B.6. Version -06 . . . . . . . . . . . . . . . . . . . . . . . 21
100 B.7. Version -07 . . . . . . . . . . . . . . . . . . . . . . . 21
101 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
102 Intellectual Property and Copyright Statements . . . . . . . . . . 23
104 1. Introduction
106 This document supplies the protocol definition for a revised and
107 updated specification for internationalized domain names. Essential
108 definitions and terminology for understanding this document and a
109 road map of the collection of documents that make up IDNA2008 appear
110 in [IDNA2008-Defs]. Appendix A discusses the relationship between
111 this specification and the earlier version of IDNA (referred to here
112 as "IDNA2003") and the rationale for these changes, along with
113 considerable explanatory material and advice to zone administrators
114 who support IDNs is provided in another documents, notably
115 [IDNA2008-Rationale].
117 IDNA works by allowing applications to use certain ASCII string
118 labels (beginning with a special prefix) to represent non-ASCII name
119 labels. Lower-layer protocols need not be aware of this; therefore
120 IDNA does not depend on changes to any infrastructure. In
121 particular, IDNA does not depend on any changes to DNS servers,
122 resolvers, or protocol elements, because the ASCII name service
123 provided by the existing DNS is entirely sufficient for IDNA.
125 IDNA is applied only to DNS labels. Standards for combining labels
126 into fully-qualified domain names and parsing labels out of those
127 names are covered in the base DNS standards [RFC1034] [RFC1035] and
128 their various updates. An application may, of course, apply locally-
129 appropriate conventions to the presentation forms of domain names as
130 discussed in [IDNA2008-Rationale].
132 While they share terminology, reference data, and some operations,
133 this document describes two separate protocols, one for IDN
134 registration (Section 4) and one for IDN lookup (Section 5).
136 1.1. Discussion Forum
138 [[anchor3: RFC Editor: please remove this section.]]
140 This work is being discussed in the IETF IDNABIS WG and on the
141 mailing list idna-update@alvestrand.no
143 2. Terminology
145 General terminology applicable to IDNA, but with meanings familiar to
146 those who have worked with Unicode or other character set standards
147 and the DNS, appears in [IDNA2008-Defs]. Terminology that is an
148 integral, normative, part of the IDNA definition, including the
149 definitions of "ACE", appears in that document as well. Familiarity
150 with the terminology materials in that document is assumed for
151 reading this one. The reader of this document is assumed to be
152 familiar with DNS-specific terminology as defined in RFC 1034
153 [RFC1034].
155 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
156 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
157 document are to be interpreted as described in BCP 14, RFC 2119
158 [RFC2119].
160 3. Requirements and Applicability
162 3.1. Requirements
164 IDNA conformance means adherence to the following requirements:
166 1. Whenever a domain name is put into an IDN-unaware domain name
167 slot (see Section 2 and [IDNA2008-Defs]), it MUST contain only
168 ASCII characters (i.e., must be either an A-label or an LDH-
169 label), or must be a label associated with a DNS application that
170 is not subject to either IDNA or the historical recommendations
171 for "hostname"-style names [RFC1034].
173 2. Comparison of labels MUST be done on equivalent forms: either
174 both A-Label forms or both U-Label forms. Because A-labels and
175 U-labels can be transformed into each other without loss of
176 information, these comparisons are equivalent. However, when the
177 A-label form is compared, it MUST use an ASCII case-insensitive
178 comparison as with all comparisons of DNS labels. Comparison is
179 only valid if the putative labels have been verified to be either
180 A-Labels or U-Labels.
182 3. Labels being registered MUST conform to the requirements of
183 Section 4. Labels being looked up and the lookup process MUST
184 conform to the requirements of Section 5.
186 3.2. Applicability
188 IDNA is applicable to all domain names in all domain name slots
189 except where it is explicitly excluded. It is not applicable to
190 domain name slots which do not use the LDH syntax rules.
192 This implies that IDNA is applicable to many protocols that predate
193 IDNA. Note that IDNs occupying domain name slots in those older
194 protocols MUST be in A-label form until and unless those protocols
195 and implementations of them are upgraded to be IDN-aware and that
196 IDNs actually appearing in DNS queries or responses MUST be in
197 A-label form.
199 3.2.1. DNS Resource Records
201 IDNA applies only to domain names in the NAME and RDATA fields of DNS
202 resource records whose CLASS is IN.
204 There are currently no other exclusions on the applicability of IDNA
205 to DNS resource records. Applicability depends entirely on the
206 CLASS, and not on the TYPE except as noted below. This will remain
207 true, even as new types are defined, unless there is a compelling
208 reason for a new type that requires type-specific rules. The special
209 naming conventions applicable to SRV records are examples of type-
210 specific rules that are incompatible with IDNA coding. Hence the
211 first two labels (the ones required to start in "_") on a record with
212 TYPE SRV MUST NOT be A-labels or U-labels (while it would be possible
213 to write a non-ASCII string with a leading underscore, conversion to
214 an A-label would be impossible without loss of information because
215 the underscore is not a letter, digit, or hyphen and is consequently
216 DISALLOWED in IDNs). Of course, those labels may be part of a domain
217 that uses IDN labels at higher levels in the tree.
219 3.2.2. Non-domain-name Data Types Stored in the DNS
221 Although IDNA enables the representation of non-ASCII characters in
222 domain names, that does not imply that IDNA enables the
223 representation of non-ASCII characters in other data types that are
224 stored in domain names, specifically in the RDATA field for types
225 that have structured RDATA format. For example, an email address
226 local part is stored in a domain name in the RNAME field as part of
227 the RDATA of an SOA record (hostmaster@example.com would be
228 represented as hostmaster.example.com). IDNA specifically does not
229 update the existing email standards, which allow only ASCII
230 characters in local parts. Even though work is in progress to define
231 internationalization for email addresses [RFC4952], changes to the
232 email address part of the SOA RDATA would require action in, or
233 updates to, other standards, specifically those that specify the
234 format of the SOA RR.
236 4. Registration Protocol
238 This section defines the procedure for registering an IDN. The
239 procedure is implementation independent; any sequence of steps that
240 produces exactly the same result for all labels is considered a valid
241 implementation.
243 Note that, while the registration and lookup protocols (Section 5)
244 are very similar in most respects, they are different and
245 implementers should carefully follow the steps they are implementing.
247 4.1. Proposed label
249 The registrant submits a request for an IDN. The user typically
250 produces the request string by the keyboard entry of a character
251 sequence in the local native character set (which might, of course,
252 be Unicode).
254 4.2. Conversion to Unicode and Normalization
256 Some system routine, or a localized front-end to the IDNA process,
257 ensures that the proposed label is a Unicode string or converts it to
258 one as appropriate. Independent of its source form, the string MUST
259 be in Unicode Normalization Form C (NFC [Unicode-UAX15]) before
260 further processing in this protocol.
262 As a local implementation choice, the implementation MAY choose to
263 map some forbidden characters to permitted characters (for instance
264 mapping uppercase characters to lowercase ones), displaying the
265 result to the user, and allowing processing to continue. This should
266 be done very conservatively to prevent interoperability problems with
267 lookup applications that do not follow exactly the same rules. In
268 particular, it is strongly recommended that, to avoid any possible
269 ambiguity, entities responsible for zone files ("registries") accept
270 registrations only for A-labels (to be converted to U-labels by the
271 registry as discussed above) or U-labels actually produced from
272 A-labels, not forms expected to be converted by some other process.
274 4.3. Permitted Character and Label Validation
276 4.3.1. Input Format
278 [[anchor8: Note in -07 -- this section was formerly the second
279 paragraph of Section 4.1. It may need additional work; suggestions
280 welcome.]]
282 The registry MAY permit submission of labels in A-label form. If it
283 does so, it MUST perform a conversion to a U-label, perform the steps
284 and tests described below, and verify that the A-label produced by
285 the step in Section 4.5 matches the one provided as input. If, for
286 some reason, it does not, the registration MUST be rejected. If the
287 conversion to a U-label is not performed, the registry MUST verify
288 that the A-label is superficially valid, i.e., that it does not
289 violate any of the rules of Punycode [RFC3492] encoding such as the
290 prohibition on trailing hyphen-minus, appearance of non-basic
291 characters before the delimiter, and so on. Invalid strings that
292 appear to be A-labels MUST NOT be placed in DNS zones.
294 4.3.2. Rejection of Characters that are not Permitted
296 The candidate Unicode string is checked to verify that characters
297 that IDNA does not permit do not appear in it. Those characters are
298 identified in the "DISALLOWED" and "UNASSIGNED" lists that are
299 specified in [IDNA2008-Tables] and described informally in
300 [IDNA2008-Rationale]. Characters that are either DISALLOWED or
301 UNASSIGNED MUST NOT be part of labels to be processed for
302 registration in the DNS.
304 4.3.3. Label Validation
306 The proposed label (in the form of a Unicode string, i.e., a putative
307 U-label) is then examined, performing tests that require examination
308 of more than one character.
310 4.3.3.1. Rejection of Hyphen Sequences in U-labels
312 The Unicode string MUST NOT contain "--" (two consecutive hyphens) in
313 the third and fourth character positions when the label is considered
314 in "on the wire" order.
316 4.3.3.2. Leading Combining Marks
318 The first character of the string (when the label is considered in
319 "on the wire" order) is examined to verify that it is not a combining
320 mark. If it is a combining mark, the string MUST NOT be registered.
322 4.3.3.3. Contextual Rules
324 Each code point is checked for its identification as a character
325 requiring contextual processing for registration (the list of
326 characters appears as the combination of CONTEXTJ and CONTEXTO in
327 [IDNA2008-Tables] as do the contextual rules themselves). If that
328 indication appears, the table of contextual rules is checked for a
329 rule for that character. If no rule is found, the proposed label is
330 rejected and MUST NOT be installed in a zone file. If one is found,
331 it is applied (typically as a test on the entire label or on adjacent
332 characters within the label). If the application of the rule does
333 not conclude that the character is valid in context, the proposed
334 label MUST BE rejected. (See the IANA Considerations: IDNA Context
335 Registry section of [IDNA2008-Tables].)
337 These contextual rules are required to support the use of characters
338 that could be used, under other conditions, to produce misleading
339 labels or to cause unacceptable ambiguity in label matching and
340 interpretation. For example, labels containing invisible ("zero-
341 width") characters may be permitted in context with characters whose
342 presentation forms are significantly changed by the presence or
343 absence of the zero-width characters, while other labels in which
344 zero-width characters appear may be rejected.
346 4.3.3.4. Labels Containing Characters Written Right to Left
348 Additional special tests for right-to-left strings are applied.
349 Strings that contain right to left characters that do not conform to
350 the rule(s) identified in [IDNA2008-BIDI] MUST NOT be inserted as
351 labels in zone files.
353 4.3.4. Registration Validation Summary
355 Strings that contain at least one non-ASCII character, have been
356 produced by the steps above, whose contents pass the above tests, and
357 are 63 or fewer characters long in ACE form (see Section 4.5), are
358 U-labels.
360 To summarize, tests are made in Section 4.3 for invalid characters,
361 invalid combinations of characters, and for labels that are invalid
362 even if the characters they contain are valid individually.
364 4.4. Registry Restrictions
366 Registries at all levels of the DNS, not just the top level, are
367 expected to establish policies about the labels that may be
368 registered, and for the processes associated with that action. While
369 exact policies are not specified as part of IDNA2008 and it is
370 expected that different registries may specify different policies,
371 there SHOULD be policies. Even a trivial policy (e.g., "anything can
372 be registered in this zone that can be represented as an A-label -
373 U-label pair") has value because it provides notice to users and
374 applications implementers that the registry cannot be relied upon to
375 provide even minimal user-protection restrictions. These per-
376 registry policies and restrictions are an essential element of the
377 IDNA registration protocol even for registries (and corresponding
378 zone files) deep in the DNS hierarchy. As discussed in
379 [IDNA2008-Rationale], such restrictions have always existed in the
380 DNS. That document also contains a discussion and recommendations
381 about possible types of rules.
383 The string produced by the above steps is checked and processed as
384 appropriate to local registry restrictions. Application of those
385 registry restrictions may result in the rejection of some labels or
386 the application of special restrictions to others.
388 4.5. Punycode Conversion
390 The resulting U-label is converted to an A-label. The A-label, more
391 precisely defined elsewhere, is the encoding of the U-label according
392 to the Punycode algorithm [RFC3492] with the ACE prefix "xn--" added
393 at the beginning of the string. This document updates RFC 3492 only
394 to the extent of replacing the reference to the discussion of the ACE
395 prefix. The ACE prefix is now specified in this document rather than
396 as part of RFC 3490 or Nameprep [RFC3491] but is the same in both
397 sets of documents.
399 The failure conditions identified in the Punycode encoding procedure
400 cannot occur if the input is a U-label as determined by the steps
401 above.
403 4.6. Insertion in the Zone
405 The A-label is registered in the DNS by insertion into a zone.
407 5. Domain Name Lookup Protocol
409 Lookup is conceptually different from registration and different
410 tests are applied on the client. Although some validity checks are
411 necessary to avoid serious problems with the protocol (see
412 Section 5.5ff.), the lookup-side tests are more permissive and rely
413 on the assumption that names that are present in the DNS are valid.
414 That assumption is, however, a weak one because the presence of wild
415 cards in the DNS might cause a string that is not actually registered
416 in the DNS to be successfully looked up.
418 5.1. Label String Input
420 The user supplies a string in the local character set, typically by
421 typing it or clicking on, or copying and pasting, a resource
422 identifier, e.g., a URI [RFC3986] or IRI [RFC3987] from which the
423 domain name is extracted. Alternately, some process not directly
424 involving the user may read the string from a file or obtain it in
425 some other way. Processing in this step and the next two are local
426 matters, to be accomplished prior to actual invocation of IDNA, but
427 at least the two steps in Section 5.2 and Section 5.3 must be
428 accomplished in some way.
430 5.2. Conversion to Unicode
432 The string is converted from the local character set into Unicode, if
433 it is not already Unicode. The exact nature of this conversion is
434 beyond the scope of this document, but may involve normalization as
435 described in Section 4.2. The result MUST be a Unicode string in NFC
436 form.
438 5.3. Character Changes in Preprocessing or the User Interface
440 The Unicode string MAY then be processed to prevent confounding of
441 user expectations. For instance, it might be reasonable, at this
442 step, to convert all upper case characters to lower case, if this
443 makes sense in the user's environment, but even this should be
444 approached with caution due to some edge cases: in the long term, it
445 is probably better for users to understand IDNs strictly in lower-
446 case, U-label, form. More generally, preprocessing may be useful to
447 smooth the transition from IDNA2003, especially for direct user
448 input, but with similar cautions. In general, IDNs appearing in
449 files and those transmitted across the network as part of protocols
450 are expected to be in either ASCII form (including A-labels) or to
451 contain U-labels, rather than being in forms requiring mapping or
452 other conversions.
454 Other examples of processing for localization might be applied,
455 especially to direct user input, at this point. They include
456 interpreting various characters as separating domain name components
457 from each other (label separators) because they either look like
458 periods or are used to separate sentences, mapping halfwidth or
459 fullwidth East Asian characters to the common form permitted in
460 labels, or giving special treatment to characters whose presentation
461 forms are dependent only on placement in the label. Such
462 localization changes are also outside the scope of this
463 specification.
465 Recommendations for preprocessing for global contexts (i.e., when
466 local considerations do not apply or cannot be used) and for maximum
467 interoperability with labels that might have been specified under
468 liberal readings of IDNA2003 are given in [IDNA2008-Rationale]. It
469 is important to note that the intent of these specifications is that
470 labels in application protocols, files, or links are intended to be
471 in U-label or A-label form. Preprocessing MUST NOT map a character
472 that is valid in a label as specified elsewhere in this document or
473 in [IDNA2008-Tables] into another character. Excessively liberal use
474 of preprocessing, especially to strings stored in files, poses a
475 threat to consistent and predictable behavior for the user even if
476 not to actual interoperability.
478 Because these transformations are local, it is important that domain
479 names that might be passed between systems (e.g., in IRIs) be
480 U-labels or A-labels and not forms that might be accepted locally as
481 a consequence of this step. This step is not standardized as part of
482 IDNA, and is not further specified here.
484 5.4. A-label Input
486 If the input to this procedure appears to be an A-label (i.e., it
487 starts in "xn--"), the lookup application MAY attempt to convert it
488 to a U-label and apply the tests of Section 5.5 and the conversion of
489 Section 5.6 to that form. If the label is converted to Unicode
490 (i.e., to U-label form) using the Punycode decoding algorithm, then
491 the processing specified in those two sections MUST be performed, and
492 the label MUST be rejected if the resulting label is not identical to
493 the original. See also Section 6.1.
495 That conversion and testing SHOULD be performed if the domain name
496 will later be presented to the user in native character form (this
497 requires that the lookup application be IDNA-aware). If those steps
498 are not performed, the lookup process SHOULD at least make tests to
499 determine that the string is actually an A-label, examining it for
500 the invalid formats specified in the Punycode decoding specification.
501 Applications that are not IDNA-aware will obviously omit that
502 testing; others MAY treat the string as opaque to avoid the
503 additional processing at the expense of providing less protection and
504 information to users.
506 5.5. Validation and Character List Testing
508 As with the registration procedure, the Unicode string is checked to
509 verify that all characters that appear in it are valid as input to
510 IDNA lookup processing. As discussed above and in
511 [IDNA2008-Rationale], the lookup check is more liberal than the
512 registration one. Putative labels with any of the following
513 characteristics MUST BE rejected prior to DNS lookup:
515 o Labels containing code points that are unassigned in the version
516 of Unicode being used by the application, i.e., in the
517 "Unassigned" Unicode category or the UNASSIGNED category of
518 [IDNA2008-Tables].
520 o Labels that are not in NFC form.
522 o Labels containing prohibited code points, i.e., those that are
523 assigned to the "DISALLOWED" category in the permitted character
524 table [IDNA2008-Tables].
526 o Labels containing code points that are shown in the permitted
527 character table as requiring a contextual rule and that are
528 flagged as requiring exceptional special processing on lookup
529 ("CONTEXTJ" in the Tables) but do not conform to that rule.
531 o Labels containing other code points that are shown in the
532 permitted character table as requiring a contextual rule
533 ("CONTEXTO" in the tables), but for which no such rule appears in
534 the table of rules. Applications resolving DNS names or carrying
535 out equivalent operations are not required to test contextual
536 rules for "CONTEXTO" characters, only to verify that a rule exists
537 (although they MAY make such tests to give better information to
538 the user).
540 o Labels whose first character is a combining mark.
542 In addition, the application SHOULD apply the following test. The
543 test may be omitted in special circumstances, such as when the lookup
544 application knows that the conditions are enforced elsewhere, because
545 an attempt to look up and resolve such strings will almost certainly
546 lead to a DNS lookup failure except when wildcards are present in the
547 zone. However, applying the test is likely to give much better
548 information about the reason for a lookup failure -- information that
549 may be usefully passed to the user when that is feasible -- than DNS
550 resolution failure information alone. In any event, lookup
551 applications should avoid attempting to resolve labels that are
552 invalid under that test.
554 o Verification that the string is compliant with the requirements
555 for right to left characters, specified in [IDNA2008-BIDI].
557 For all other strings, the lookup application MUST rely on the
558 presence or absence of labels in the DNS to determine the validity of
559 those labels and the validity of the characters they contain. If
560 they are registered, they are presumed to be valid; if they are not,
561 their possible validity is not relevant. A lookup application that
562 declines to process a string that conforms to the rules above and
563 does not look it up in the DNS is not in conformance with this
564 protocol.
566 5.6. Punycode Conversion
568 The validated string, a U-label, is converted to an A-label using the
569 Punycode algorithm with the ACE prefix added.
571 5.7. DNS Name Resolution
573 The A-label is looked up in the DNS, using normal DNS resolver
574 procedures.
576 6. Name Server Considerations
578 [[anchor16: Note in draft: If we really want this document to contain
579 only information that is necessary to proper implementation of IDNA
580 by implementers who are familiar with the DNS, the material in this
581 section is either tutorial, explanatory, or totally unnecessary.
582 Should some or all of it be moved back to Rationale?]]
584 6.1. Processing Non-ASCII Strings
586 Existing DNS servers do not know the IDNA rules for handling non-
587 ASCII forms of IDNs, and therefore need to be shielded from them.
588 All existing channels through which names can enter a DNS server
589 database (for example, master files (as described in RFC 1034) and
590 DNS update messages [RFC2136]) are IDN-unaware because they predate
591 IDNA. Other sections of this document provide the needed shielding
592 by ensuring that internationalized domain names entering DNS server
593 databases through such channels have already been converted to their
594 equivalent ASCII A-label forms.
596 Because of the design of the algorithms in Section 4 and Section 5 (a
597 domain name containing only ASCII codepoints can not be converted to
598 an A-label), there can not be more than one A-label form for any
599 given U-label.
601 As specified in RFC 2181 [RFC2181], the DNS protocol explicitly
602 allows domain labels to contain octets beyond the ASCII range
603 (0000..007F), and this document does not change that. Note, however,
604 that there is no defined interpretation of octets 0080..00FF as
605 characters. If labels containing these octets are returned to
606 applications, unpredictable behavior could result. The A-label form,
607 which cannot contain those characters, is the only standard
608 representation for internationalized labels in the DNS protocol.
610 6.2. DNSSEC Authentication of IDN Domain Names
612 DNS Security [RFC2535] is a method for supplying cryptographic
613 verification information along with DNS messages. Public Key
614 Cryptography is used in conjunction with digital signatures to
615 provide a means for a requester of domain information to authenticate
616 the source of the data. This ensures that it can be traced back to a
617 trusted source, either directly or via a chain of trust linking the
618 source of the information to the top of the DNS hierarchy.
620 IDNA specifies that all internationalized domain names served by DNS
621 servers that cannot be represented directly in ASCII MUST use the
622 A-label form. Conversion to A-labels MUST be performed prior to a
623 zone being signed by the private key for that zone. Because of this
624 ordering, it is important to recognize that DNSSEC authenticates a
625 domain name containing A-labels or conventional LDH-labels, not
626 U-labels. In the presence of DNSSEC, no form of a zone file or query
627 response that contains a U-label may be signed or the signature
628 validated.
630 One consequence of this for sites deploying IDNA in the presence of
631 DNSSEC is that any special purpose proxies or forwarders used to
632 transform user input into IDNs must be earlier in the lookup flow
633 than DNSSEC authenticating nameservers for DNSSEC to work.
635 6.3. Root and other DNS Server Considerations
637 IDNs in A-label form will generally be somewhat longer than current
638 domain names, so the bandwidth needed by the root servers is likely
639 to go up by a small amount. Also, queries and responses for IDNs
640 will probably be somewhat longer than typical queries historically,
641 so EDNS0 [RFC2671] support may be more important (otherwise, queries
642 and responses may be forced to go to TCP instead of UDP).
644 7. Security Considerations
646 The general security principles and issues for IDNA appear in
647 [IDNA2008-Defs] with additional explanation in [IDNA2008-Rationale].
648 The comments below are specific to the registration and loopup
649 protocols specified in this document, but should be read in the
650 context of the material in the first of those documents and the
651 definitions and specifications, identified there, on which this one
652 depends.
654 This memo describes procedures for registering and looking up labels
655 that are not compatible with the preferred syntax described in the
656 base DNS specifications (STD13 [RFC1034] [RFC1035] and Host
657 Requirements [RFC1123]) because they contain non-ASCII characters.
658 These procedures depend on the use of a special ASCII-compatible
659 encoding form that contains only characters permitted in host names
660 by those earlier specifications. The encoding used is Punycode
661 [RFC3492]. No security issues such as string length increases or new
662 allowed values are introduced by the encoding process or the use of
663 these encoded values, apart from those introduced by the ACE encoding
664 itself.
666 Domain names (or portions of them) are sometimes compared against a
667 set of domains to be given special treatment if a match occurs, e.g.,
668 treated as more privileged than others or blocked in some way. In
669 such situations, it is especially important that the comparisons be
670 done properly, as specified in Requirement 2 of Section 3.1. For
671 labels already in ASCII form (i.e., are LDH-labels or A-labels), the
672 proper comparison reduces to the same case-insensitive ASCII
673 comparison that has always been used for ASCII labels.
675 The introduction of IDNA means that any existing labels that start
676 with the ACE prefix would be construed as A-labels, at least until
677 they failed one of the relevant tests, whether or not that was the
678 intent of the zone administrator or registrant. There is no evidence
679 that this has caused any practical problems since RFC 3490 was
680 adopted, but the risk still exists in principle.
682 8. IANA Considerations
684 IANA actions for this version of IDNA are specified in
685 [IDNA2008-Tables] and discussed informally in [IDNA2008-Rationale].
686 The components of IDNA described in this document do not require any
687 IANA actions.
689 9. Contributors
691 While the listed editor held the pen, the original versions of this
692 document represent the joint work and conclusions of an ad hoc design
693 team consisting of the editor and, in alphabetic order, Harald
694 Alvestrand, Tina Dam, Patrik Faltstrom, and Cary Karp. This document
695 draws significantly on the original version of IDNA [RFC3490] both
696 conceptually and for specific text. This second-generation version
697 would not have been possible without the work that went into that
698 first version and its authors, Patrik Faltstrom, Paul Hoffman, and
699 Adam Costello. While Faltstrom was actively involved in the creation
700 of this version, Hoffman and Costello were not and should not be held
701 responsible for any errors or omissions.
703 10. Acknowledgements
705 This revision to IDNA would have been impossible without the
706 accumulated experience since RFC 3490 was published and resulting
707 comments and complaints of many people in the IETF, ICANN, and other
708 communities, too many people to list here. Nor would it have been
709 possible without RFC 3490 itself and the efforts of the Working Group
710 that defined it. Those people whose contributions are acknowledged
711 in RFC 3490, [RFC4690], and [IDNA2008-Rationale] were particularly
712 important.
714 Specific textual changes were incorporated into this document after
715 suggestions from the other contributors, Stephane Bortzmeyer, Vint
716 Cerf, Mark Davis, Paul Hoffman, Kent Karlsson, Erik van der Poel,
717 Marcos Sanz, Andrew Sullivan, Ken Whistler, and other WG
718 participants. Special thanks are due to Paul Hoffman for permission
719 to extract material from his Internet-Draft to form the basis for
720 Appendix A
722 11. References
724 11.1. Normative References
726 [IDNA2008-BIDI]
727 Alvestrand, H. and C. Karp, "An updated IDNA criterion for
728 right-to-left scripts", July 2008, .
731 [IDNA2008-Defs]
732 Klensin, J., "Internationalized Domain Names for
733 Applications (IDNA): Definitions and Document Framework",
734 November 2008, .
737 [IDNA2008-Tables]
738 Faltstrom, P., "The Unicode Codepoints and IDNA",
739 July 2008, .
742 A version of this document is available in HTML format at
743 http://stupid.domain.name/idnabis/
744 draft-ietf-idnabis-tables-02.html
746 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
747 STD 13, RFC 1034, November 1987.
749 [RFC1035] Mockapetris, P., "Domain names - implementation and
750 specification", STD 13, RFC 1035, November 1987.
752 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
753 and Support", STD 3, RFC 1123, October 1989.
755 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
756 Requirement Levels", BCP 14, RFC 2119, March 1997.
758 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
759 for Internationalized Domain Names in Applications
760 (IDNA)", RFC 3492, March 2003.
762 [Unicode-PropertyValueAliases]
763 The Unicode Consortium, "Unicode Character Database:
764 PropertyValueAliases", March 2008, .
767 [Unicode-RegEx]
768 The Unicode Consortium, "Unicode Technical Standard #18:
769 Unicode Regular Expressions", May 2005,
770 .
772 [Unicode-Scripts]
773 The Unicode Consortium, "Unicode Standard Annex #24:
774 Unicode Script Property", February 2008,
775 .
777 [Unicode-UAX15]
778 The Unicode Consortium, "Unicode Standard Annex #15:
779 Unicode Normalization Forms", 2006,
780 .
782 11.2. Informative References
784 [ASCII] American National Standards Institute (formerly United
785 States of America Standards Institute), "USA Code for
786 Information Interchange", ANSI X3.4-1968, 1968.
788 ANSI X3.4-1968 has been replaced by newer versions with
789 slight modifications, but the 1968 version remains
790 definitive for the Internet.
792 [IDNA2008-Rationale]
793 Klensin, J., Ed., "Internationalizing Domain Names for
794 Applications (IDNA): Issues, Explanation, and Rationale",
795 November 2008, .
798 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
799 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
800 RFC 2136, April 1997.
802 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
803 Specification", RFC 2181, July 1997.
805 [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
806 RFC 2535, March 1999.
808 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
809 RFC 2671, August 1999.
811 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
812 "Internationalizing Domain Names in Applications (IDNA)",
813 RFC 3490, March 2003.
815 [RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
816 Profile for Internationalized Domain Names (IDN)",
817 RFC 3491, March 2003.
819 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
820 Resource Identifier (URI): Generic Syntax", STD 66,
821 RFC 3986, January 2005.
823 [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
824 Identifiers (IRIs)", RFC 3987, January 2005.
826 [RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and
827 Recommendations for Internationalized Domain Names
828 (IDNs)", RFC 4690, September 2006.
830 [RFC4952] Klensin, J. and Y. Ko, "Overview and Framework for
831 Internationalized Email", RFC 4952, July 2007.
833 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
834 5.0", 2007.
836 Boston, MA, USA: Addison-Wesley. ISBN 0-321-48091-0
838 Appendix A. Summary of Major Changes from IDNA2003
840 1. Update base character set from Unicode 3.2 to Unicode version-
841 agnostic.
843 2. Separate the definitions for the "registration" and "lookup"
844 activities.
846 3. Disallow symbol and punctuation characters except where special
847 exceptions are necessary.
849 4. Remove the mapping and normalization steps from the protocol and
850 have them instead done by the applications themselves, possibly
851 in a local fashion, before invoking the protocol.
853 5. Change the way that the protocol specifies which characters are
854 allowed in labels from "humans decide what the table of
855 codepoints contains" to "decision about codepoints are based on
856 Unicode properties plus a small exclusion list created by
857 humans".
859 6. Introduce the new concept of characters that can be used only in
860 specific contexts.
862 7. Allow typical words and names in languages such as Dhivehi and
863 Yiddish to be expressed.
865 8. Make bidirectional domain names (delimited strings of labels,
866 not just labels standing on their own) display in a less
867 surprising fashion whether they appear in obvious domain name
868 contexts or as part of running text in paragraphs.
870 9. Remove the dot separator from the mandatory part of the
871 protocol.
873 10. Make some currently-valid labels that are not actually IDNA
874 labels invalid.
876 Appendix B. Change Log
878 [[anchor25: RFC Editor: Please remove this appendix.]]
880 B.1. Changes between Version -00 and -01 of draft-ietf-idnabis-protocol
882 o Corrected discussion of SRV records.
884 o Several small corrections for clarity.
886 o Inserted more "open issue" placeholders.
888 B.2. Version -02
890 o Rewrote the "conversion to Unicode" text in Section 5.2 as
891 requested on-list.
893 o Added a comment (and reference) about EDNS0 to the "DNS Server
894 Conventions" section, which was also retitled.
896 o Made several editorial corrections and improvements in response to
897 various comments.
899 o Added several new discussion placeholder anchors and updated some
900 older ones.
902 B.3. Version -03
904 o Trimmed change log, removing information about pre-WG drafts.
906 o Incorporated a number of changes suggested by Marcos Sanz in his
907 note of 2008.07.17 and added several more placeholder anchors.
909 o Several minor editorial corrections and improvements.
911 o "Editor" designation temporarily removed because the automatic
912 posting machinery does not accept it.
914 B.4. Version -04
916 o Removed Contextual Rule appendices for transfer to Tables.
918 o Several changes, including removal of discussion anchors, based on
919 discussions at IETF 72 (Dublin)
921 o Rewrote the preprocessing material (Section 5.3) somewhat.
923 B.5. Version -05
925 o Updated part of the A-label input explanation (Section 5.4) per
926 note from Erik van der Poel.
928 B.6. Version -06
930 o Corrected a few typographical errors.
932 o Incorporated the material (formerly in Rationale) on the
933 relationship between IDNA2003 and IDNA2008 as an appendix and
934 pointed to the new definitions document.
936 o Text modified in several places to recognize the dangers of
937 interaction between DNS wildcards and IDNs.
939 o Text added to be explicit about the handling of edge and failure
940 cases in Punycode encoding and decoding.
942 o Revised for consistency with the new Definitions document and to
943 make the text read more smoothly.
945 B.7. Version -07
947 o Multiple small textual and editorial changes and clarifications.
949 o Requirement for normalization clarified to apply to all cases and
950 conditions for preprocessing further clarified.
952 o Substantive change to Section 4.3.1, turning a SHOULD to a MUST
953 (see note from Mark Davis, 19 November, 2008 18:14 -0800).
955 Author's Address
957 John C Klensin
958 1770 Massachusetts Ave, Ste 322
959 Cambridge, MA 02140
960 USA
962 Phone: +1 617 245 1457
963 Email: john+ietf@jck.com
965 Full Copyright Statement
967 Copyright (C) The IETF Trust (2008).
969 This document is subject to the rights, licenses and restrictions
970 contained in BCP 78, and except as set forth therein, the authors
971 retain all their rights.
973 This document and the information contained herein are provided on an
974 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
975 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
976 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
977 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
978 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
979 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
981 Intellectual Property
983 The IETF takes no position regarding the validity or scope of any
984 Intellectual Property Rights or other rights that might be claimed to
985 pertain to the implementation or use of the technology described in
986 this document or the extent to which any license under such rights
987 might or might not be available; nor does it represent that it has
988 made any independent effort to identify any such rights. Information
989 on the procedures with respect to rights in RFC documents can be
990 found in BCP 78 and BCP 79.
992 Copies of IPR disclosures made to the IETF Secretariat and any
993 assurances of licenses to be made available, or the result of an
994 attempt made to obtain a general license or permission for the use of
995 such proprietary rights by implementers or users of this
996 specification can be obtained from the IETF on-line IPR repository at
997 http://www.ietf.org/ipr.
999 The IETF invites any interested party to bring to its attention any
1000 copyrights, patents or patent applications, or other proprietary
1001 rights that may cover technology that may be required to implement
1002 this standard. Please address the information to the IETF at
1003 ietf-ipr@ietf.org.