idnits 2.17.1
draft-ietf-idnabis-protocol-08.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** It looks like you're using RFC 3978 boilerplate. You should update this
to the boilerplate described in the IETF Trust License Policy document
(see https://trustee.ietf.org/license-info), which is required now.
-- Found old boilerplate from RFC 3978, Section 5.1 on line 18.
-- Found old boilerplate from RFC 3978, Section 5.5, updated by RFC 4748 on
line 1013.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 1 on line 1024.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 2 on line 1031.
-- Found old boilerplate from RFC 3979, Section 5, paragraph 3 on line 1037.
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document obsoletes RFC3490, but the
abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document updates RFC3492, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust Copyright Line does not match the
current year
(Using the creation date from RFC3492, updated by this document, for
RFC5378 checks: 2002-01-10)
-- The document seems to lack a disclaimer for pre-RFC5378 work, but may
have content which was first submitted before 10 November 2008. If you
have contacted all the original authors and they are all willing to grant
the BCP78 rights to the IETF Trust, then this is fine, and you can ignore
this comment. If not, you may need to add the pre-RFC5378 disclaimer.
(See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (December 7, 2008) is 5620 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'Unicode-PropertyValueAliases' is defined on line 778,
but no explicit reference was found in the text
== Unused Reference: 'Unicode-RegEx' is defined on line 783, but no
explicit reference was found in the text
== Unused Reference: 'Unicode-Scripts' is defined on line 788, but no
explicit reference was found in the text
== Unused Reference: 'ASCII' is defined on line 800, but no explicit
reference was found in the text
-- Possible downref: Non-RFC (?) normative reference: ref. 'IDNA2008-BIDI'
-- Possible downref: Non-RFC (?) normative reference: ref.
'Unicode-PropertyValueAliases'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-RegEx'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-Scripts'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15'
-- Obsolete informational reference (is this intentional?): RFC 2535
(Obsoleted by RFC 4033, RFC 4034, RFC 4035)
-- Obsolete informational reference (is this intentional?): RFC 2671
(Obsoleted by RFC 6891)
-- Obsolete informational reference (is this intentional?): RFC 3490
(Obsoleted by RFC 5890, RFC 5891)
-- Obsolete informational reference (is this intentional?): RFC 3491
(Obsoleted by RFC 5891)
-- Obsolete informational reference (is this intentional?): RFC 4952
(Obsoleted by RFC 6530)
Summary: 1 error (**), 0 flaws (~~), 5 warnings (==), 19 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group J. Klensin
3 Internet-Draft December 7, 2008
4 Obsoletes: 3490, 3491
5 (if approved)
6 Updates: 3492 (if approved)
7 Intended status: Standards Track
8 Expires: June 10, 2009
10 Internationalized Domain Names in Applications (IDNA): Protocol
11 draft-ietf-idnabis-protocol-08.txt
13 Status of this Memo
15 By submitting this Internet-Draft, each author represents that any
16 applicable patent or other IPR claims of which he or she is aware
17 have been or will be disclosed, and any of which he or she becomes
18 aware will be disclosed, in accordance with Section 6 of BCP 79.
20 Internet-Drafts are working documents of the Internet Engineering
21 Task Force (IETF), its areas, and its working groups. Note that
22 other groups may also distribute working documents as Internet-
23 Drafts.
25 Internet-Drafts are draft documents valid for a maximum of six months
26 and may be updated, replaced, or obsoleted by other documents at any
27 time. It is inappropriate to use Internet-Drafts as reference
28 material or to cite them other than as "work in progress."
30 The list of current Internet-Drafts can be accessed at
31 http://www.ietf.org/ietf/1id-abstracts.txt.
33 The list of Internet-Draft Shadow Directories can be accessed at
34 http://www.ietf.org/shadow.html.
36 This Internet-Draft will expire on June 10, 2009.
38 Abstract
40 This document supplies the protocol definition for a revised and
41 updated specification for internationalized domain names (IDNs). The
42 rationale for these changes, the relationship to the older
43 specification, and important terminology are provided in other
44 documents. This document specifies the protocol mechanism, called
45 Internationalizing Domain Names in Applications (IDNA), for
46 registering and looking up IDNs in a way that does not require
47 changes to the DNS itself. IDNA is only meant for processing domain
48 names, not free text.
50 Table of Contents
52 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 4
53 1.1. Discussion Forum . . . . . . . . . . . . . . . . . . . . . 4
54 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 4
55 3. Requirements and Applicability . . . . . . . . . . . . . . . . 5
56 3.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 5
57 3.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 5
58 3.2.1. DNS Resource Records . . . . . . . . . . . . . . . . . 6
59 3.2.2. Non-domain-name Data Types Stored in the DNS . . . . . 6
60 4. Registration Protocol . . . . . . . . . . . . . . . . . . . . 6
61 4.1. Proposed label . . . . . . . . . . . . . . . . . . . . . . 7
62 4.2. Conversion to Unicode and Normalization . . . . . . . . . 7
63 4.3. Permitted Character and Label Validation . . . . . . . . . 7
64 4.3.1. Input Format . . . . . . . . . . . . . . . . . . . . . 7
65 4.3.2. Rejection of Characters that are not Permitted . . . . 8
66 4.3.3. Label Validation . . . . . . . . . . . . . . . . . . . 8
67 4.3.4. Registration Validation Summary . . . . . . . . . . . 9
68 4.4. Registry Restrictions . . . . . . . . . . . . . . . . . . 9
69 4.5. Punycode Conversion . . . . . . . . . . . . . . . . . . . 10
70 4.6. Insertion in the Zone . . . . . . . . . . . . . . . . . . 10
71 5. Domain Name Lookup Protocol . . . . . . . . . . . . . . . . . 10
72 5.1. Label String Input . . . . . . . . . . . . . . . . . . . . 10
73 5.2. Conversion to Unicode . . . . . . . . . . . . . . . . . . 11
74 5.3. Character Changes in Preprocessing or the User
75 Interface . . . . . . . . . . . . . . . . . . . . . . . . 11
76 5.4. A-label Input . . . . . . . . . . . . . . . . . . . . . . 12
77 5.5. Validation and Character List Testing . . . . . . . . . . 12
78 5.6. Punycode Conversion . . . . . . . . . . . . . . . . . . . 14
79 5.7. DNS Name Resolution . . . . . . . . . . . . . . . . . . . 14
80 6. Name Server Considerations . . . . . . . . . . . . . . . . . . 14
81 6.1. Processing Non-ASCII Strings . . . . . . . . . . . . . . . 14
82 6.2. DNSSEC Authentication of IDN Domain Names . . . . . . . . 15
83 6.3. Root and other DNS Server Considerations . . . . . . . . . 15
84 7. Security Considerations . . . . . . . . . . . . . . . . . . . 15
85 8. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 16
86 9. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 16
87 10. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 17
88 11. References . . . . . . . . . . . . . . . . . . . . . . . . . . 17
89 11.1. Normative References . . . . . . . . . . . . . . . . . . . 17
90 11.2. Informative References . . . . . . . . . . . . . . . . . . 18
91 Appendix A. Summary of Major Changes from IDNA2003 . . . . . . . 19
92 Appendix B. Change Log . . . . . . . . . . . . . . . . . . . . . 20
93 B.1. Changes between Version -00 and -01 of
94 draft-ietf-idnabis-protocol . . . . . . . . . . . . . . . 20
95 B.2. Version -02 . . . . . . . . . . . . . . . . . . . . . . . 20
96 B.3. Version -03 . . . . . . . . . . . . . . . . . . . . . . . 21
97 B.4. Version -04 . . . . . . . . . . . . . . . . . . . . . . . 21
98 B.5. Version -05 . . . . . . . . . . . . . . . . . . . . . . . 21
99 B.6. Version -06 . . . . . . . . . . . . . . . . . . . . . . . 21
100 B.7. Version -07 . . . . . . . . . . . . . . . . . . . . . . . 22
101 B.8. Version -08 . . . . . . . . . . . . . . . . . . . . . . . 22
102 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 22
103 Intellectual Property and Copyright Statements . . . . . . . . . . 23
105 1. Introduction
107 This document supplies the protocol definition for a revised and
108 updated specification for internationalized domain names. Essential
109 definitions and terminology for understanding this document and a
110 road map of the collection of documents that make up IDNA2008 appear
111 in [IDNA2008-Defs]. Appendix A discusses the relationship between
112 this specification and the earlier version of IDNA (referred to here
113 as "IDNA2003") and the rationale for these changes, along with
114 considerable explanatory material and advice to zone administrators
115 who support IDNs is provided in another documents, notably
116 [IDNA2008-Rationale].
118 IDNA works by allowing applications to use certain ASCII string
119 labels (beginning with a special prefix) to represent non-ASCII name
120 labels. Lower-layer protocols need not be aware of this; therefore
121 IDNA does not depend on changes to any infrastructure. In
122 particular, IDNA does not depend on any changes to DNS servers,
123 resolvers, or protocol elements, because the ASCII name service
124 provided by the existing DNS is entirely sufficient for IDNA.
126 IDNA is applied only to DNS labels. Standards for combining labels
127 into fully-qualified domain names and parsing labels out of those
128 names are covered in the base DNS standards [RFC1034] [RFC1035] and
129 their various updates. An application may, of course, apply locally-
130 appropriate conventions to the presentation forms of domain names as
131 discussed in [IDNA2008-Rationale].
133 While they share terminology, reference data, and some operations,
134 this document describes two separate protocols, one for IDN
135 registration (Section 4) and one for IDN lookup (Section 5).
137 1.1. Discussion Forum
139 [[anchor3: RFC Editor: please remove this section.]]
141 This work is being discussed in the IETF IDNABIS WG and on the
142 mailing list idna-update@alvestrand.no
144 2. Terminology
146 General terminology applicable to IDNA, but with meanings familiar to
147 those who have worked with Unicode or other character set standards
148 and the DNS, appears in [IDNA2008-Defs]. Terminology that is an
149 integral, normative, part of the IDNA definition, including the
150 definitions of "ACE", appears in that document as well. Familiarity
151 with the terminology materials in that document is assumed for
152 reading this one. The reader of this document is assumed to be
153 familiar with DNS-specific terminology as defined in RFC 1034
154 [RFC1034].
156 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
157 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
158 document are to be interpreted as described in BCP 14, RFC 2119
159 [RFC2119].
161 3. Requirements and Applicability
163 3.1. Requirements
165 IDNA conformance means adherence to the following requirements:
167 1. Whenever a domain name is put into an IDN-unaware domain name
168 slot (see Section 2 and [IDNA2008-Defs]), it MUST contain only
169 ASCII characters (i.e., must be either an A-label or an LDH-
170 label), or must be a label associated with a DNS application that
171 is not subject to either IDNA or the historical recommendations
172 for "hostname"-style names [RFC1034].
174 2. Comparison of labels MUST be done on equivalent forms: either
175 both A-Label forms or both U-Label forms. Because A-labels and
176 U-labels can be transformed into each other without loss of
177 information, these comparisons are equivalent. However, when a
178 pair of putative A-labels are compared, the comparison MUST use
179 an ASCII case-insensitive comparison (as with all comparisons of
180 ASCII DNS labels). Comparisons on putative U-labels must test
181 that the two strings are identical, without case-folding or other
182 intermediate steps. Note that it is not necessary to verify that
183 labels are valid in order to compare them. In many cases,
184 verification of validity (that the strings actually are A-labels
185 or U-labels) may be important for other reasons and SHOULD be
186 performed.
188 3. Labels being registered MUST conform to the requirements of
189 Section 4. Labels being looked up and the lookup process MUST
190 conform to the requirements of Section 5.
192 3.2. Applicability
194 IDNA is applicable to all domain names in all domain name slots
195 except where it is explicitly excluded. It is not applicable to
196 domain name slots which do not use the LDH syntax rules.
198 This implies that IDNA is applicable to many protocols that predate
199 IDNA. Note that IDNs occupying domain name slots in those older
200 protocols MUST be in A-label form until and unless those protocols
201 and implementations of them are upgraded to be IDN-aware. IDNs
202 actually appearing in DNS queries or responses MUST be A-labels.
204 3.2.1. DNS Resource Records
206 IDNA applies only to domain names in the NAME and RDATA fields of DNS
207 resource records whose CLASS is IN.
209 There are currently no other exclusions on the applicability of IDNA
210 to DNS resource records. Applicability depends entirely on the
211 CLASS, and not on the TYPE except as noted below. This will remain
212 true, even as new types are defined, unless there is a compelling
213 reason for a new type that requires type-specific rules. The special
214 naming conventions applicable to SRV records are examples of type-
215 specific rules that are incompatible with IDNA coding. Hence the
216 first two labels (the ones required to start in "_") on a record with
217 TYPE SRV MUST NOT be A-labels or U-labels (while it would be possible
218 to write a non-ASCII string with a leading underscore, conversion to
219 an A-label would be impossible without loss of information because
220 the underscore is not a letter, digit, or hyphen and is consequently
221 DISALLOWED in IDNs). Of course, those labels may be part of a domain
222 that uses IDN labels at higher levels in the tree.
224 3.2.2. Non-domain-name Data Types Stored in the DNS
226 Although IDNA enables the representation of non-ASCII characters in
227 domain names, that does not imply that IDNA enables the
228 representation of non-ASCII characters in other data types that are
229 stored in domain names, specifically in the RDATA field for types
230 that have structured RDATA format. For example, an email address
231 local part is stored in a domain name in the RNAME field as part of
232 the RDATA of an SOA record (hostmaster@example.com would be
233 represented as hostmaster.example.com). IDNA specifically does not
234 update the existing email standards, which allow only ASCII
235 characters in local parts. Even though work is in progress to define
236 internationalization for email addresses [RFC4952], changes to the
237 email address part of the SOA RDATA would require action in, or
238 updates to, other standards, specifically those that specify the
239 format of the SOA RR.
241 4. Registration Protocol
243 This section defines the procedure for registering an IDN. The
244 procedure is implementation independent; any sequence of steps that
245 produces exactly the same result for all labels is considered a valid
246 implementation.
248 Note that, while the registration and lookup protocols (Section 5)
249 are very similar in most respects, they are different and
250 implementers should carefully follow the steps they are implementing.
252 4.1. Proposed label
254 The registrant submits a request for an IDN. The user typically
255 produces the request string by the keyboard entry of a character
256 sequence in the local native character set (which might, of course,
257 be Unicode).
259 4.2. Conversion to Unicode and Normalization
261 Some system routine, or a localized front-end to the IDNA process,
262 ensures that the proposed label is a Unicode string or converts it to
263 one as appropriate. Independent of its source form, the string MUST
264 be in Unicode Normalization Form C (NFC [Unicode-UAX15]) before
265 further processing in this protocol.
267 As a local implementation choice, the implementation MAY choose to
268 map some forbidden characters to permitted characters (for instance
269 mapping uppercase characters to lowercase ones), displaying the
270 result to the user, and allowing processing to continue. This should
271 be done very conservatively to prevent interoperability problems with
272 lookup applications that do not follow exactly the same rules. In
273 particular, it is strongly recommended that, to avoid any possible
274 ambiguity, entities responsible for zone files ("registries") accept
275 registrations only for A-labels (to be converted to U-labels by the
276 registry as discussed above) or U-labels actually produced from
277 A-labels, not forms expected to be converted by some other process.
279 4.3. Permitted Character and Label Validation
281 4.3.1. Input Format
283 [[anchor8: Note in -07 -- this section was formerly the second
284 paragraph of Section 4.1. It may need additional work; suggestions
285 welcome.]]
287 The registry MAY permit submission of labels in A-label form. If it
288 does so, it MUST perform a conversion to a U-label, perform the steps
289 and tests described below, and verify that the A-label produced by
290 the step in Section 4.5 matches the one provided as input. If, for
291 some reason, it does not, the registration MUST be rejected. If the
292 conversion to a U-label is not performed, the registry MUST verify
293 that the A-label is superficially valid, i.e., that it does not
294 violate any of the rules of Punycode [RFC3492] encoding such as the
295 prohibition on trailing hyphen-minus, appearance of non-basic
296 characters before the delimiter, and so on. Invalid strings that
297 appear to be A-labels MUST NOT be placed in DNS zones.
299 4.3.2. Rejection of Characters that are not Permitted
301 The candidate Unicode string is checked to verify that characters
302 that IDNA does not permit do not appear in it. Those characters are
303 identified in the "DISALLOWED" and "UNASSIGNED" lists that are
304 specified in [IDNA2008-Tables] and described informally in
305 [IDNA2008-Rationale]. Characters that are either DISALLOWED or
306 UNASSIGNED MUST NOT be part of labels to be processed for
307 registration in the DNS.
309 4.3.3. Label Validation
311 The proposed label (in the form of a Unicode string, i.e., a putative
312 U-label) is then examined, performing tests that require examination
313 of more than one character.
315 4.3.3.1. Rejection of Hyphen Sequences in U-labels
317 The Unicode string MUST NOT contain "--" (two consecutive hyphens) in
318 the third and fourth character positions when the label is considered
319 in "on the wire" order.
321 4.3.3.2. Leading Combining Marks
323 The first character of the string (when the label is considered in
324 "on the wire" order) is examined to verify that it is not a combining
325 mark (or combining character) (see The Unicode Standard, Section 2.11
326 [Unicode] for an exact definition). If it is a combining mark, the
327 string MUST NOT be registered.
329 4.3.3.3. Contextual Rules
331 Each code point is checked for its identification as a character
332 requiring contextual processing for registration (the list of
333 characters appears as the combination of CONTEXTJ and CONTEXTO in
334 [IDNA2008-Tables] as do the contextual rules themselves). If that
335 indication appears, the table of contextual rules is checked for a
336 rule for that character. If no rule is found, the proposed label is
337 rejected and MUST NOT be installed in a zone file. If one is found,
338 it is applied (typically as a test on the entire label or on adjacent
339 characters within the label). If the application of the rule does
340 not conclude that the character is valid in context, the proposed
341 label MUST BE rejected. (See the IANA Considerations: IDNA Context
342 Registry section of [IDNA2008-Tables].)
344 These contextual rules are required to support the use of characters
345 that could be used, under other conditions, to produce misleading
346 labels or to cause unacceptable ambiguity in label matching and
347 interpretation. For example, labels containing invisible ("zero-
348 width") characters may be permitted in context with characters whose
349 presentation forms are significantly changed by the presence or
350 absence of the zero-width characters, while other labels in which
351 zero-width characters appear may be rejected.
353 4.3.3.4. Labels Containing Characters Written Right to Left
355 Special tests are required for strings containing characters that are
356 normally written from right to left. The criteria for classifying
357 characters in terms of directionality are identified in the "Bidi"
358 document [IDNA2008-BIDI] in this series. That document also
359 describes conditions for strings that contain one or more of those
360 characters to be U-labels. The tests for those conditions, specified
361 there, are applied. Strings that contain right to left characters
362 that do not conform to the IDNA Bidi rules MUST NOT be inserted as
363 labels in zone files.
365 4.3.4. Registration Validation Summary
367 Strings that contain at least one non-ASCII character, have been
368 produced by the steps above, whose contents pass the above tests, and
369 are 63 or fewer characters long in ACE form (see Section 4.5), are
370 U-labels.
372 To summarize, tests are made in Section 4.3 for invalid characters,
373 invalid combinations of characters, and for labels that are invalid
374 even if the characters they contain are valid individually.
376 4.4. Registry Restrictions
378 Registries at all levels of the DNS, not just the top level, are
379 expected to establish policies about the labels that may be
380 registered, and for the processes associated with that action. While
381 exact policies are not specified as part of IDNA2008 and it is
382 expected that different registries may specify different policies,
383 there SHOULD be policies. Even a trivial policy (e.g., "anything can
384 be registered in this zone that can be represented as an A-label -
385 U-label pair") has value because it provides notice to users and
386 applications implementers that the registry cannot be relied upon to
387 provide even minimal user-protection restrictions. These per-
388 registry policies and restrictions are an essential element of the
389 IDNA registration protocol even for registries (and corresponding
390 zone files) deep in the DNS hierarchy. As discussed in
391 [IDNA2008-Rationale], such restrictions have always existed in the
392 DNS. That document also contains a discussion and recommendations
393 about possible types of rules.
395 The string produced by the above steps is checked and processed as
396 appropriate to local registry restrictions. Application of those
397 registry restrictions may result in the rejection of some labels or
398 the application of special restrictions to others.
400 4.5. Punycode Conversion
402 The resulting U-label is converted to an A-label. The A-label, more
403 precisely defined elsewhere, is the encoding of the U-label according
404 to the Punycode algorithm [RFC3492] with the ACE prefix "xn--" added
405 at the beginning of the string. The resulting string much, of
406 course, conform to the length limits imposed by the DNS. This
407 document updates RFC 3492 only to the extent of replacing the
408 reference to the discussion of the ACE prefix. The ACE prefix is now
409 specified in this document rather than as part of RFC 3490 or
410 Nameprep [RFC3491] but is the same in both sets of documents.
412 The failure conditions identified in the Punycode encoding procedure
413 cannot occur if the input is a U-label as determined by the steps
414 above.
416 4.6. Insertion in the Zone
418 The A-label is registered in the DNS by insertion into a zone.
420 5. Domain Name Lookup Protocol
422 Lookup is conceptually different from registration and different
423 tests are applied on the client. Although some validity checks are
424 necessary to avoid serious problems with the protocol (see
425 Section 5.5ff.), the lookup-side tests are more permissive and rely
426 on the assumption that names that are present in the DNS are valid.
427 That assumption is, however, a weak one because the presence of wild
428 cards in the DNS might cause a string that is not actually registered
429 in the DNS to be successfully looked up.
431 5.1. Label String Input
433 The user supplies a string in the local character set, typically by
434 typing it or clicking on, or copying and pasting, a resource
435 identifier, e.g., a URI [RFC3986] or IRI [RFC3987] from which the
436 domain name is extracted. Alternately, some process not directly
437 involving the user may read the string from a file or obtain it in
438 some other way. Processing in this step and the next two are local
439 matters, to be accomplished prior to actual invocation of IDNA, but
440 at least the two steps in Section 5.2 and Section 5.3 must be
441 accomplished in some way.
443 5.2. Conversion to Unicode
445 The string is converted from the local character set into Unicode, if
446 it is not already Unicode. The exact nature of this conversion is
447 beyond the scope of this document, but may involve normalization as
448 described in Section 4.2. The result MUST be a Unicode string in NFC
449 form.
451 5.3. Character Changes in Preprocessing or the User Interface
453 The Unicode string MAY then be processed to prevent confounding of
454 user expectations. For instance, it might be reasonable, at this
455 step, to convert all upper case characters to lower case, if this
456 makes sense in the user's environment, but even this should be
457 approached with caution due to some edge cases: in the long term, it
458 is probably better for users to understand IDNs strictly in lower-
459 case, U-label, form. More generally, preprocessing may be useful to
460 smooth the transition from IDNA2003, especially for direct user
461 input, but with similar cautions. In general, IDNs appearing in
462 files and those transmitted across the network as part of protocols
463 are expected to be in either ASCII form (including A-labels) or to
464 contain U-labels, rather than being in forms requiring mapping or
465 other conversions.
467 Other examples of processing for localization might be applied,
468 especially to direct user input, at this point. They include
469 interpreting various characters as separating domain name components
470 from each other (label separators) because they either look like
471 periods or are used to separate sentences, mapping halfwidth or
472 fullwidth East Asian characters to the common form permitted in
473 labels, or giving special treatment to characters whose presentation
474 forms are dependent only on placement in the label. Such
475 localization changes are also outside the scope of this
476 specification.
478 Recommendations for preprocessing for global contexts (i.e., when
479 local considerations do not apply or cannot be used) and for maximum
480 interoperability with labels that might have been specified under
481 liberal readings of IDNA2003 are given in [IDNA2008-Rationale]. It
482 is important to note that the intent of these specifications is that
483 labels in application protocols, files, or links are intended to be
484 in U-label or A-label form. Preprocessing MUST NOT map a character
485 that is valid in a label as specified elsewhere in this document or
486 in [IDNA2008-Tables] into another character. Excessively liberal use
487 of preprocessing, especially to strings stored in files, poses a
488 threat to consistent and predictable behavior for the user even if
489 not to actual interoperability.
491 Because these transformations are local, it is important that domain
492 names that might be passed between systems (e.g., in IRIs) be
493 U-labels or A-labels and not forms that might be accepted locally as
494 a consequence of this step. This step is not standardized as part of
495 IDNA, and is not further specified here.
497 5.4. A-label Input
499 If the input to this procedure appears to be an A-label (i.e., it
500 starts in "xn--"), the lookup application MAY attempt to convert it
501 to a U-label and apply the tests of Section 5.5 and the conversion of
502 Section 5.6 to that form. If the label is converted to Unicode
503 (i.e., to U-label form) using the Punycode decoding algorithm, then
504 the processing specified in those two sections MUST be performed, and
505 the label MUST be rejected if the resulting label is not identical to
506 the original. See also Section 6.1.
508 That conversion and testing SHOULD be performed if the domain name
509 will later be presented to the user in native character form (this
510 requires that the lookup application be IDNA-aware). If those steps
511 are not performed, the lookup process SHOULD at least make tests to
512 determine that the string is actually an A-label, examining it for
513 the invalid formats specified in the Punycode decoding specification.
514 Applications that are not IDNA-aware will obviously omit that
515 testing; others MAY treat the string as opaque to avoid the
516 additional processing at the expense of providing less protection and
517 information to users.
519 5.5. Validation and Character List Testing
521 As with the registration procedure described in Section 4, the
522 Unicode string is checked to verify that all characters that appear
523 in it are valid as input to IDNA lookup processing. As discussed
524 above and in [IDNA2008-Rationale], the lookup check is more liberal
525 than the registration one. Putative labels with any of the following
526 characteristics MUST BE rejected prior to DNS lookup:
528 o Labels containing code points that are unassigned in the version
529 of Unicode being used by the application, i.e.,in the UNASSIGNED
530 category of [IDNA2008-Tables].
532 o Labels that are not in NFC form as defined in [Unicode-UAX15].
534 o Labels containing prohibited code points, i.e., those that are
535 assigned to the "DISALLOWED" category in the permitted character
536 table [IDNA2008-Tables].
538 o Labels containing code points that are identified in
539 [IDNA2008-Tables] as "CONTEXTJ", i.e., requiring exceptional
540 contextual rule processing on lookup, but that do not conform to
541 that rule. Note that this implies that a rule much be defined,
542 not missing: a character that requires a contextual rule but for
543 which the rule is missing is treated in this step as having failed
544 to conform to the rule.
546 o Labels containing code points that are identified in in
547 [IDNA2008-Tables] as "CONTEXTO", but for which no such rule
548 appears in the table of rules. Applications resolving DNS names
549 or carrying out equivalent operations are not required to test
550 contextual rules for "CONTEXTO" characters, only to verify that a
551 rule exists (although they MAY make such tests to give better
552 information to the user).
554 o Labels whose first character is a combining mark (see
555 Section 4.3.3.2.
557 In addition, the application SHOULD apply the following test. The
558 test may be omitted in special circumstances, such as when the lookup
559 application knows that the conditions are enforced elsewhere, because
560 an attempt to look up and resolve such strings will almost certainly
561 lead to a DNS lookup failure except when wildcards are present in the
562 zone. However, applying the test is likely to give much better
563 information about the reason for a lookup failure -- information that
564 may be usefully passed to the user when that is feasible -- than DNS
565 resolution failure information alone. In any event, lookup
566 applications should avoid attempting to resolve labels that are
567 invalid under that test.
569 o Verification that the string is compliant with the requirements
570 for right to left characters, specified in [IDNA2008-BIDI].
572 For all other strings, the lookup application MUST rely on the
573 presence or absence of labels in the DNS to determine the validity of
574 those labels and the validity of the characters they contain. If
575 they are registered, they are presumed to be valid; if they are not,
576 their possible validity is not relevant. A lookup application that
577 declines to process a string that conforms to the rules above and
578 does not look it up in the DNS is not in conformance with this
579 protocol.
581 5.6. Punycode Conversion
583 The validated string, a U-label, is converted to an A-label using the
584 Punycode algorithm with the ACE prefix added.
586 5.7. DNS Name Resolution
588 The A-label is looked up in the DNS, using normal DNS resolver
589 procedures.
591 6. Name Server Considerations
593 [[anchor15: Note in draft: If we really want this document to contain
594 only information that is necessary to proper implementation of IDNA
595 by implementers who are familiar with the DNS, the material in this
596 section is either tutorial, explanatory, or totally unnecessary.
597 Should some or all of it be moved back to Rationale?]]
599 6.1. Processing Non-ASCII Strings
601 Existing DNS servers do not know the IDNA rules for handling non-
602 ASCII forms of IDNs, and therefore need to be shielded from them.
603 All existing channels through which names can enter a DNS server
604 database (for example, master files (as described in RFC 1034) and
605 DNS update messages [RFC2136]) are IDN-unaware because they predate
606 IDNA. Other sections of this document provide the needed shielding
607 by ensuring that internationalized domain names entering DNS server
608 databases through such channels have already been converted to their
609 equivalent ASCII A-label forms.
611 Because of the design of the algorithms in Section 4 and Section 5 (a
612 domain name containing only ASCII codepoints can not be converted to
613 an A-label), there can not be more than one A-label form for any
614 given U-label.
616 As specified in RFC 2181 [RFC2181], the DNS protocol explicitly
617 allows domain labels to contain octets beyond the ASCII range
618 (0000..007F), and this document does not change that. Note, however,
619 that there is no defined interpretation of octets 0080..00FF as
620 characters. If labels containing these octets are returned to
621 applications, unpredictable behavior could result. The A-label form,
622 which cannot contain those characters, is the only standard
623 representation for internationalized labels in the DNS protocol.
625 6.2. DNSSEC Authentication of IDN Domain Names
627 DNS Security (DNSSEC) [RFC2535] is a method for supplying
628 cryptographic verification information along with DNS messages.
629 Public Key Cryptography is used in conjunction with digital
630 signatures to provide a means for a requester of domain information
631 to authenticate the source of the data. This ensures that it can be
632 traced back to a trusted source, either directly or via a chain of
633 trust linking the source of the information to the top of the DNS
634 hierarchy.
636 IDNA specifies that all internationalized domain names served by DNS
637 servers that cannot be represented directly in ASCII MUST use the
638 A-label form. Conversion to A-labels MUST be performed prior to a
639 zone being signed by the private key for that zone. Because of this
640 ordering, it is important to recognize that DNSSEC authenticates a
641 domain name containing A-labels or conventional LDH-labels, not
642 U-labels. In the presence of DNSSEC, no form of a zone file or query
643 response that contains a U-label may be signed or the signature
644 validated.
646 One consequence of this for sites deploying IDNA in the presence of
647 DNSSEC is that any special purpose proxies or forwarders used to
648 transform user input into IDNs must be earlier in the lookup flow
649 than DNSSEC authenticating nameservers for DNSSEC to work.
651 6.3. Root and other DNS Server Considerations
653 IDNs in A-label form will generally be somewhat longer than current
654 domain names, so the bandwidth needed by the root servers is likely
655 to go up by a small amount. Also, queries and responses for IDNs
656 will probably be somewhat longer than typical queries historically,
657 so EDNS0 [RFC2671] support may be more important (otherwise, queries
658 and responses may be forced to go to TCP instead of UDP).
660 7. Security Considerations
662 The general security principles and issues for IDNA appear in
663 [IDNA2008-Defs] with additional explanation in [IDNA2008-Rationale].
664 The comments below are specific to the registration and loopup
665 protocols specified in this document, but should be read in the
666 context of the material in the first of those documents and the
667 definitions and specifications, identified there, on which this one
668 depends.
670 This memo describes procedures for registering and looking up labels
671 that are not compatible with the preferred syntax described in the
672 base DNS specifications (STD13 [RFC1034] [RFC1035] and Host
673 Requirements [RFC1123]) because they contain non-ASCII characters.
674 These procedures depend on the use of a special ASCII-compatible
675 encoding form that contains only characters permitted in host names
676 by those earlier specifications. The encoding used is Punycode
677 [RFC3492]. No security issues such as string length increases or new
678 allowed values are introduced by the encoding process or the use of
679 these encoded values, apart from those introduced by the ACE encoding
680 itself.
682 Domain names (or portions of them) are sometimes compared against a
683 set of domains to be given special treatment if a match occurs, e.g.,
684 treated as more privileged than others or blocked in some way. In
685 such situations, it is especially important that the comparisons be
686 done properly, as specified in Requirement 2 of Section 3.1. For
687 labels already in ASCII form (i.e., are LDH-labels or A-labels), the
688 proper comparison reduces to the same case-insensitive ASCII
689 comparison that has always been used for ASCII labels.
691 The introduction of IDNA means that any existing labels that start
692 with the ACE prefix would be construed as A-labels, at least until
693 they failed one of the relevant tests, whether or not that was the
694 intent of the zone administrator or registrant. There is no evidence
695 that this has caused any practical problems since RFC 3490 was
696 adopted, but the risk still exists in principle.
698 8. IANA Considerations
700 IANA actions for this version of IDNA are specified in
701 [IDNA2008-Tables] and discussed informally in [IDNA2008-Rationale].
702 The components of IDNA described in this document do not require any
703 IANA actions.
705 9. Contributors
707 While the listed editor held the pen, the original versions of this
708 document represent the joint work and conclusions of an ad hoc design
709 team consisting of the editor and, in alphabetic order, Harald
710 Alvestrand, Tina Dam, Patrik Faltstrom, and Cary Karp. This document
711 draws significantly on the original version of IDNA [RFC3490] both
712 conceptually and for specific text. This second-generation version
713 would not have been possible without the work that went into that
714 first version and its authors, Patrik Faltstrom, Paul Hoffman, and
715 Adam Costello. While Faltstrom was actively involved in the creation
716 of this version, Hoffman and Costello were not and should not be held
717 responsible for any errors or omissions.
719 10. Acknowledgements
721 This revision to IDNA would have been impossible without the
722 accumulated experience since RFC 3490 was published and resulting
723 comments and complaints of many people in the IETF, ICANN, and other
724 communities, too many people to list here. Nor would it have been
725 possible without RFC 3490 itself and the efforts of the Working Group
726 that defined it. Those people whose contributions are acknowledged
727 in RFC 3490, [RFC4690], and [IDNA2008-Rationale] were particularly
728 important.
730 Specific textual changes were incorporated into this document after
731 suggestions from the other contributors, Stephane Bortzmeyer, Vint
732 Cerf, Mark Davis, Paul Hoffman, Kent Karlsson, Erik van der Poel,
733 Marcos Sanz, Andrew Sullivan, Ken Whistler, and other WG
734 participants. Special thanks are due to Paul Hoffman for permission
735 to extract material from his Internet-Draft to form the basis for
736 Appendix A
738 11. References
740 11.1. Normative References
742 [IDNA2008-BIDI]
743 Alvestrand, H. and C. Karp, "An updated IDNA criterion for
744 right-to-left scripts", July 2008, .
747 [IDNA2008-Defs]
748 Klensin, J., "Internationalized Domain Names for
749 Applications (IDNA): Definitions and Document Framework",
750 November 2008, .
753 [IDNA2008-Tables]
754 Faltstrom, P., "The Unicode Codepoints and IDNA",
755 July 2008, .
758 A version of this document is available in HTML format at
759 http://stupid.domain.name/idnabis/
760 draft-ietf-idnabis-tables-02.html
762 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
763 STD 13, RFC 1034, November 1987.
765 [RFC1035] Mockapetris, P., "Domain names - implementation and
766 specification", STD 13, RFC 1035, November 1987.
768 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
769 and Support", STD 3, RFC 1123, October 1989.
771 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
772 Requirement Levels", BCP 14, RFC 2119, March 1997.
774 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
775 for Internationalized Domain Names in Applications
776 (IDNA)", RFC 3492, March 2003.
778 [Unicode-PropertyValueAliases]
779 The Unicode Consortium, "Unicode Character Database:
780 PropertyValueAliases", March 2008, .
783 [Unicode-RegEx]
784 The Unicode Consortium, "Unicode Technical Standard #18:
785 Unicode Regular Expressions", May 2005,
786 .
788 [Unicode-Scripts]
789 The Unicode Consortium, "Unicode Standard Annex #24:
790 Unicode Script Property", February 2008,
791 .
793 [Unicode-UAX15]
794 The Unicode Consortium, "Unicode Standard Annex #15:
795 Unicode Normalization Forms", 2006,
796 .
798 11.2. Informative References
800 [ASCII] American National Standards Institute (formerly United
801 States of America Standards Institute), "USA Code for
802 Information Interchange", ANSI X3.4-1968, 1968.
804 ANSI X3.4-1968 has been replaced by newer versions with
805 slight modifications, but the 1968 version remains
806 definitive for the Internet.
808 [IDNA2008-Rationale]
809 Klensin, J., Ed., "Internationalizing Domain Names for
810 Applications (IDNA): Issues, Explanation, and Rationale",
811 November 2008, .
814 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
815 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
816 RFC 2136, April 1997.
818 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
819 Specification", RFC 2181, July 1997.
821 [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
822 RFC 2535, March 1999.
824 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
825 RFC 2671, August 1999.
827 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
828 "Internationalizing Domain Names in Applications (IDNA)",
829 RFC 3490, March 2003.
831 [RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
832 Profile for Internationalized Domain Names (IDN)",
833 RFC 3491, March 2003.
835 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
836 Resource Identifier (URI): Generic Syntax", STD 66,
837 RFC 3986, January 2005.
839 [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
840 Identifiers (IRIs)", RFC 3987, January 2005.
842 [RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and
843 Recommendations for Internationalized Domain Names
844 (IDNs)", RFC 4690, September 2006.
846 [RFC4952] Klensin, J. and Y. Ko, "Overview and Framework for
847 Internationalized Email", RFC 4952, July 2007.
849 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
850 5.0", 2007.
852 Boston, MA, USA: Addison-Wesley. ISBN 0-321-48091-0
854 Appendix A. Summary of Major Changes from IDNA2003
856 1. Update base character set from Unicode 3.2 to Unicode version-
857 agnostic.
859 2. Separate the definitions for the "registration" and "lookup"
860 activities.
862 3. Disallow symbol and punctuation characters except where special
863 exceptions are necessary.
865 4. Remove the mapping and normalization steps from the protocol and
866 have them instead done by the applications themselves, possibly
867 in a local fashion, before invoking the protocol.
869 5. Change the way that the protocol specifies which characters are
870 allowed in labels from "humans decide what the table of
871 codepoints contains" to "decision about codepoints are based on
872 Unicode properties plus a small exclusion list created by
873 humans".
875 6. Introduce the new concept of characters that can be used only in
876 specific contexts.
878 7. Allow typical words and names in languages such as Dhivehi and
879 Yiddish to be expressed.
881 8. Make bidirectional domain names (delimited strings of labels,
882 not just labels standing on their own) display in a less
883 surprising fashion whether they appear in obvious domain name
884 contexts or as part of running text in paragraphs.
886 9. Remove the dot separator from the mandatory part of the
887 protocol.
889 10. Make some currently-valid labels that are not actually IDNA
890 labels invalid.
892 Appendix B. Change Log
894 [[anchor24: RFC Editor: Please remove this appendix.]]
896 B.1. Changes between Version -00 and -01 of draft-ietf-idnabis-protocol
898 o Corrected discussion of SRV records.
900 o Several small corrections for clarity.
902 o Inserted more "open issue" placeholders.
904 B.2. Version -02
906 o Rewrote the "conversion to Unicode" text in Section 5.2 as
907 requested on-list.
909 o Added a comment (and reference) about EDNS0 to the "DNS Server
910 Conventions" section, which was also retitled.
912 o Made several editorial corrections and improvements in response to
913 various comments.
915 o Added several new discussion placeholder anchors and updated some
916 older ones.
918 B.3. Version -03
920 o Trimmed change log, removing information about pre-WG drafts.
922 o Incorporated a number of changes suggested by Marcos Sanz in his
923 note of 2008.07.17 and added several more placeholder anchors.
925 o Several minor editorial corrections and improvements.
927 o "Editor" designation temporarily removed because the automatic
928 posting machinery does not accept it.
930 B.4. Version -04
932 o Removed Contextual Rule appendices for transfer to Tables.
934 o Several changes, including removal of discussion anchors, based on
935 discussions at IETF 72 (Dublin)
937 o Rewrote the preprocessing material (Section 5.3) somewhat.
939 B.5. Version -05
941 o Updated part of the A-label input explanation (Section 5.4) per
942 note from Erik van der Poel.
944 B.6. Version -06
946 o Corrected a few typographical errors.
948 o Incorporated the material (formerly in Rationale) on the
949 relationship between IDNA2003 and IDNA2008 as an appendix and
950 pointed to the new definitions document.
952 o Text modified in several places to recognize the dangers of
953 interaction between DNS wildcards and IDNs.
955 o Text added to be explicit about the handling of edge and failure
956 cases in Punycode encoding and decoding.
958 o Revised for consistency with the new Definitions document and to
959 make the text read more smoothly.
961 B.7. Version -07
963 o Multiple small textual and editorial changes and clarifications.
965 o Requirement for normalization clarified to apply to all cases and
966 conditions for preprocessing further clarified.
968 o Substantive change to Section 4.3.1, turning a SHOULD to a MUST
969 (see note from Mark Davis, 19 November, 2008 18:14 -0800).
971 B.8. Version -08
973 o Added some references and altered text to improve clarity.
975 o Changed the description of CONTEXTJ/CONTEXTO to conform to that in
976 Tables. In other words, these are now treated as distinction
977 categories (again), rather than as specially-flagged subsets of
978 PROTOCOL VALID.
980 o The discussion of label comparisons has been rewritten to make it
981 more precise and to clarify that one does not need to verify that
982 a string is a [valid] A-label or U-label in order to test it for
983 equality with another string. The WG should verify that the
984 current text is what is desired.
986 o Other changes to reflect post-IETF discussions or editorial
987 improvements.
989 Author's Address
991 John C Klensin
992 1770 Massachusetts Ave, Ste 322
993 Cambridge, MA 02140
994 USA
996 Phone: +1 617 245 1457
997 Email: john+ietf@jck.com
999 Full Copyright Statement
1001 Copyright (C) The IETF Trust (2008).
1003 This document is subject to the rights, licenses and restrictions
1004 contained in BCP 78, and except as set forth therein, the authors
1005 retain all their rights.
1007 This document and the information contained herein are provided on an
1008 "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS
1009 OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND
1010 THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS
1011 OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF
1012 THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED
1013 WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1015 Intellectual Property
1017 The IETF takes no position regarding the validity or scope of any
1018 Intellectual Property Rights or other rights that might be claimed to
1019 pertain to the implementation or use of the technology described in
1020 this document or the extent to which any license under such rights
1021 might or might not be available; nor does it represent that it has
1022 made any independent effort to identify any such rights. Information
1023 on the procedures with respect to rights in RFC documents can be
1024 found in BCP 78 and BCP 79.
1026 Copies of IPR disclosures made to the IETF Secretariat and any
1027 assurances of licenses to be made available, or the result of an
1028 attempt made to obtain a general license or permission for the use of
1029 such proprietary rights by implementers or users of this
1030 specification can be obtained from the IETF on-line IPR repository at
1031 http://www.ietf.org/ipr.
1033 The IETF invites any interested party to bring to its attention any
1034 copyrights, patents or patent applications, or other proprietary
1035 rights that may cover technology that may be required to implement
1036 this standard. Please address the information to the IETF at
1037 ietf-ipr@ietf.org.