idnits 2.17.1
draft-ietf-idnabis-protocol-12.txt:
Checking boilerplate required by RFC 5378 and the IETF Trust (see
https://trustee.ietf.org/license-info):
----------------------------------------------------------------------------
** The document seems to lack a License Notice according IETF Trust
Provisions of 28 Dec 2009, Section 6.b.i or Provisions of 12 Sep 2009
Section 6.b -- however, there's a paragraph with a matching beginning.
Boilerplate error?
(You're using the IETF Trust Provisions' Section 6.b License Notice from
12 Feb 2009 rather than one of the newer Notices. See
https://trustee.ietf.org/license-info/.)
Checking nits according to https://www.ietf.org/id-info/1id-guidelines.txt:
----------------------------------------------------------------------------
No issues found here.
Checking nits according to https://www.ietf.org/id-info/checklist :
----------------------------------------------------------------------------
-- The draft header indicates that this document obsoletes RFC3490, but the
abstract doesn't seem to mention this, which it should.
-- The draft header indicates that this document updates RFC3492, but the
abstract doesn't seem to mention this, which it should.
Miscellaneous warnings:
----------------------------------------------------------------------------
== The copyright year in the IETF Trust and authors Copyright Line does not
match the current year
(Using the creation date from RFC3492, updated by this document, for
RFC5378 checks: 2002-01-10)
-- The document seems to contain a disclaimer for pre-RFC5378 work, and may
have content which was first submitted before 10 November 2008. The
disclaimer is necessary when there are original authors that you have
been unable to contact, or if some do not wish to grant the BCP78 rights
to the IETF Trust. If you are able to get all authors (current and
original) to grant those rights, you can and should remove the
disclaimer; otherwise, the disclaimer is needed and you can ignore this
comment. (See the Legal Provisions document at
https://trustee.ietf.org/license-info for more information.)
-- The document date (May 8, 2009) is 5466 days in the past. Is this
intentional?
Checking references for intended status: Proposed Standard
----------------------------------------------------------------------------
(See RFCs 3967 and 4897 for information about using normative references
to lower-maturity documents in RFCs)
== Unused Reference: 'RFC1123' is defined on line 673, but no explicit
reference was found in the text
== Unused Reference: 'Unicode-PropertyValueAliases' is defined on line 683,
but no explicit reference was found in the text
== Unused Reference: 'Unicode-RegEx' is defined on line 688, but no
explicit reference was found in the text
== Unused Reference: 'Unicode-Scripts' is defined on line 693, but no
explicit reference was found in the text
== Unused Reference: 'ASCII' is defined on line 705, but no explicit
reference was found in the text
== Unused Reference: 'RFC2136' is defined on line 719, but no explicit
reference was found in the text
== Unused Reference: 'RFC2181' is defined on line 723, but no explicit
reference was found in the text
== Unused Reference: 'RFC2535' is defined on line 726, but no explicit
reference was found in the text
-- Possible downref: Non-RFC (?) normative reference: ref. 'IDNA2008-BIDI'
-- Possible downref: Non-RFC (?) normative reference: ref.
'Unicode-PropertyValueAliases'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-RegEx'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-Scripts'
-- Possible downref: Non-RFC (?) normative reference: ref. 'Unicode-UAX15'
-- Obsolete informational reference (is this intentional?): RFC 2535
(Obsoleted by RFC 4033, RFC 4034, RFC 4035)
-- Obsolete informational reference (is this intentional?): RFC 2671
(Obsoleted by RFC 6891)
-- Obsolete informational reference (is this intentional?): RFC 3490
(Obsoleted by RFC 5890, RFC 5891)
-- Obsolete informational reference (is this intentional?): RFC 3491
(Obsoleted by RFC 5891)
-- Obsolete informational reference (is this intentional?): RFC 4952
(Obsoleted by RFC 6530)
Summary: 1 error (**), 0 flaws (~~), 9 warnings (==), 14 comments (--).
Run idnits with the --verbose option for more detailed information about
the items above.
--------------------------------------------------------------------------------
2 Network Working Group J. Klensin
3 Internet-Draft May 8, 2009
4 Obsoletes: 3490, 3491
5 (if approved)
6 Updates: 3492 (if approved)
7 Intended status: Standards Track
8 Expires: November 9, 2009
10 Internationalized Domain Names in Applications (IDNA): Protocol
11 draft-ietf-idnabis-protocol-12.txt
13 Status of this Memo
15 This Internet-Draft is submitted to IETF in full conformance with the
16 provisions of BCP 78 and BCP 79. This document may contain material
17 from IETF Documents or IETF Contributions published or made publicly
18 available before November 10, 2008. The person(s) controlling the
19 copyright in some of this material may not have granted the IETF
20 Trust the right to allow modifications of such material outside the
21 IETF Standards Process. Without obtaining an adequate license from
22 the person(s) controlling the copyright in such materials, this
23 document may not be modified outside the IETF Standards Process, and
24 derivative works of it may not be created outside the IETF Standards
25 Process, except to format it for publication as an RFC or to
26 translate it into languages other than English.
28 Internet-Drafts are working documents of the Internet Engineering
29 Task Force (IETF), its areas, and its working groups. Note that
30 other groups may also distribute working documents as Internet-
31 Drafts.
33 Internet-Drafts are draft documents valid for a maximum of six months
34 and may be updated, replaced, or obsoleted by other documents at any
35 time. It is inappropriate to use Internet-Drafts as reference
36 material or to cite them other than as "work in progress."
38 The list of current Internet-Drafts can be accessed at
39 http://www.ietf.org/ietf/1id-abstracts.txt.
41 The list of Internet-Draft Shadow Directories can be accessed at
42 http://www.ietf.org/shadow.html.
44 This Internet-Draft will expire on November 9, 2009.
46 Copyright Notice
48 Copyright (c) 2009 IETF Trust and the persons identified as the
49 document authors. All rights reserved.
51 This document is subject to BCP 78 and the IETF Trust's Legal
52 Provisions Relating to IETF Documents in effect on the date of
53 publication of this document (http://trustee.ietf.org/license-info).
54 Please review these documents carefully, as they describe your rights
55 and restrictions with respect to this document.
57 Abstract
59 This document is the revised protocol definition for
60 internationalized domain names (IDNs). The rationale for changes,
61 the relationship to the older specification, and important
62 terminology are provided in other documents. This document specifies
63 the protocol mechanism, called Internationalizing Domain Names in
64 Applications (IDNA), for registering and looking up IDNs in a way
65 that does not require changes to the DNS itself. IDNA is only meant
66 for processing domain names, not free text.
68 Table of Contents
70 1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 5
71 1.1. Discussion Forum . . . . . . . . . . . . . . . . . . . . . 5
72 2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 5
73 3. Requirements and Applicability . . . . . . . . . . . . . . . . 6
74 3.1. Requirements . . . . . . . . . . . . . . . . . . . . . . . 6
75 3.2. Applicability . . . . . . . . . . . . . . . . . . . . . . 6
76 3.2.1. DNS Resource Records . . . . . . . . . . . . . . . . . 7
77 3.2.2. Non-domain-name Data Types Stored in the DNS . . . . . 7
78 4. Registration Protocol . . . . . . . . . . . . . . . . . . . . 7
79 4.1. Input to IDNA Registration Process . . . . . . . . . . . . 8
80 4.2. Permitted Character and Label Validation . . . . . . . . . 8
81 4.2.1. Input Format . . . . . . . . . . . . . . . . . . . . . 8
82 4.2.2. Rejection of Characters that are not Permitted . . . . 8
83 4.2.3. Label Validation . . . . . . . . . . . . . . . . . . . 8
84 4.2.4. Registration Validation Summary . . . . . . . . . . . 9
85 4.3. Registry Restrictions . . . . . . . . . . . . . . . . . . 10
86 4.4. Punycode Conversion . . . . . . . . . . . . . . . . . . . 10
87 4.5. Insertion in the Zone . . . . . . . . . . . . . . . . . . 10
88 5. Domain Name Lookup Protocol . . . . . . . . . . . . . . . . . 10
89 5.1. Label String Input . . . . . . . . . . . . . . . . . . . . 11
90 5.2. Conversion to Unicode . . . . . . . . . . . . . . . . . . 11
91 5.3. Character Changes in Preprocessing or the User
92 Interface . . . . . . . . . . . . . . . . . . . . . . . . 11
93 5.4. A-label Input . . . . . . . . . . . . . . . . . . . . . . 12
94 5.5. Validation and Character List Testing . . . . . . . . . . 13
95 5.6. Punycode Conversion . . . . . . . . . . . . . . . . . . . 14
96 5.7. DNS Name Resolution . . . . . . . . . . . . . . . . . . . 14
97 6. Security Considerations . . . . . . . . . . . . . . . . . . . 14
98 7. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 15
99 8. Contributors . . . . . . . . . . . . . . . . . . . . . . . . . 15
100 9. Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . 15
101 10. References . . . . . . . . . . . . . . . . . . . . . . . . . . 16
102 10.1. Normative References . . . . . . . . . . . . . . . . . . . 16
103 10.2. Informative References . . . . . . . . . . . . . . . . . . 17
104 Appendix A. Local Mapping Alternatives . . . . . . . . . . . . . 18
105 A.1. Transitional Mapping Model . . . . . . . . . . . . . . . . 18
106 A.1.1. Fallback Lookup . . . . . . . . . . . . . . . . . . . 19
107 A.1.2. Two-step Lookup . . . . . . . . . . . . . . . . . . . 19
108 A.2. Internationalized Resource Identifier (IRI) Mapping
109 Model . . . . . . . . . . . . . . . . . . . . . . . . . . 20
110 Appendix B. Summary of Major Changes from IDNA2003 . . . . . . . 21
111 Appendix C. Change Log . . . . . . . . . . . . . . . . . . . . . 21
112 C.1. Changes between Version -00 and -01 of
113 draft-ietf-idnabis-protocol . . . . . . . . . . . . . . . 21
114 C.2. Version -02 . . . . . . . . . . . . . . . . . . . . . . . 22
115 C.3. Version -03 . . . . . . . . . . . . . . . . . . . . . . . 22
116 C.4. Version -04 . . . . . . . . . . . . . . . . . . . . . . . 22
117 C.5. Version -05 . . . . . . . . . . . . . . . . . . . . . . . 22
118 C.6. Version -06 . . . . . . . . . . . . . . . . . . . . . . . 23
119 C.7. Version -07 . . . . . . . . . . . . . . . . . . . . . . . 23
120 C.8. Version -08 . . . . . . . . . . . . . . . . . . . . . . . 23
121 C.9. Version -09 . . . . . . . . . . . . . . . . . . . . . . . 24
122 C.10. Version -10 . . . . . . . . . . . . . . . . . . . . . . . 24
123 C.11. Version -11 . . . . . . . . . . . . . . . . . . . . . . . 24
124 C.12. Version -12 . . . . . . . . . . . . . . . . . . . . . . . 25
125 Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 25
127 1. Introduction
129 This document supplies the protocol definition for internationalized
130 domain names. Essential definitions and terminology for
131 understanding this document and a road map of the collection of
132 documents that make up IDNA2008 appear in [IDNA2008-Defs].
133 Appendix B discusses the relationship between this specification and
134 the earlier version of IDNA (referred to here as "IDNA2003") and the
135 rationale for these changes, along with considerable explanatory
136 material and advice to zone administrators who support IDNs is
137 provided in another documents, notably [IDNA2008-Rationale].
139 IDNA works by allowing applications to use certain ASCII string
140 labels (beginning with a special prefix) to represent non-ASCII name
141 labels. Lower-layer protocols need not be aware of this; therefore
142 IDNA does not changes any infrastructure. In particular, IDNA does
143 not depend on any changes to DNS servers, resolvers, or protocol
144 elements, because the ASCII name service provided by the existing DNS
145 can be used for IDNA.
147 IDNA applies only to DNS labels. The base DNS standards [RFC1034]
148 [RFC1035] and their various updates specify how to combine labels
149 into fully-qualified domain names and parse labels out of those
150 names.
152 This document describes two separate protocols, one for IDN
153 registration (Section 4) and one for IDN lookup (Section 5), that
154 share some terminology, reference data and operations. [[anchor2:
155 Note in draft: See the note in the introduction to.]]Section 5
157 1.1. Discussion Forum
159 [[anchor4: RFC Editor: please remove this section.]]
161 This work is being discussed in the IETF IDNABIS WG and on the
162 mailing list idna-update@alvestrand.no
164 2. Terminology
166 Terminology used in IDNA, but also in Unicode or other character set
167 standards and the DNS, appears in [IDNA2008-Defs]. Terminology that
168 is required as part of the IDNA definition, including the definitions
169 of "ACE", appears in that document as well. Readers of this document
170 are assumed to be familiar with [IDNA2008-Defs] and with the DNS-
171 specific terminology in RFC 1034 [RFC1034].
173 The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
174 "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
175 document are to be interpreted as described in BCP 14, RFC 2119
176 [RFC2119].
178 3. Requirements and Applicability
180 3.1. Requirements
182 IDNA makes the following requirements:
184 1. Whenever a domain name is put into an IDN-unaware domain name
185 slot (see Section 2 and [IDNA2008-Defs]), it MUST contain only
186 ASCII characters (i.e., must be either an A-label or an NR-LDH-
187 label), unless the DNS application is not subject to historical
188 recommendations for "hostname"-style names (see [RFC1034] and
189 Section 3.2.1).
191 2. Labels MUST be compared using equivalent forms: either both
192 A-Label forms or both U-Label forms. Because A-labels and
193 U-labels can be transformed into each other without loss of
194 information, these comparisons are equivalent. A pair of
195 A-labels MUST be compared as case-insensitive ASCII (as with all
196 comparisons of ASCII DNS labels). U-labels must be compared
197 as-is, without case-folding or other intermediate steps. Note
198 that it is not necessary to validate labels in order to compare
199 them. In many cases, validation may be important for other
200 reasons and SHOULD be performed.
202 3. Labels being registered MUST conform to the requirements of
203 Section 4. Labels being looked up and the lookup process MUST
204 conform to the requirements of Section 5.
206 3.2. Applicability
208 IDNA applies to all domain names in all domain name slots in
209 protocols except where it is explicitly excluded. It does not apply
210 to domain name slots which do not use the Letter/Digit/Hyphen (LDH)
211 syntax rules.
213 Because it uses the DNS, IDNA applies to many protocols that were
214 specified before it was designed. IDNs occupying domain name slots
215 in those older protocols MUST be in A-label form until and unless
216 those protocols and implementations of them are explicitly upgraded
217 to be aware of IDNs in Unicode. IDNs actually appearing in DNS
218 queries or responses MUST be A-labels.
220 IDNA is not defined for extended label types (see RFC 2671, Section 3
222 [RFC2671]).
224 3.2.1. DNS Resource Records
226 IDNA applies only to domain names in the NAME and RDATA fields of DNS
227 resource records whose CLASS is IN. See RFC 1034 [RFC1034] for
228 precise definitions of these terms.
230 The application of IDNA to DNS resource records depends entirely on
231 the CLASS of the record, and not on the TYPE except as noted below.
232 This will remain true, even as new types are defined, unless a new
233 type defines type-specific rules. Special naming conventions for SRV
234 records (and "underscore names" more generally) are incompatible with
235 IDNA coding. The first two labels on a SRV type record (the ones
236 required to start in "_") MUST NOT be A-labels or U-labels, because
237 conversion to an A-label would lose information (since the underscore
238 is not a letter, digit, or hyphen and is consequently DISALLOWED in
239 IDNs). Of course, those labels may be part of a domain that uses IDN
240 labels at higher levels in the tree.
242 3.2.2. Non-domain-name Data Types Stored in the DNS
244 Although IDNA enables the representation of non-ASCII characters in
245 domain names, that does not imply that IDNA enables the
246 representation of non-ASCII characters in other data types that are
247 stored in domain names, specifically in the RDATA field for types
248 that have structured RDATA format. For example, an email address
249 local part is stored in a domain name in the RNAME field as part of
250 the RDATA of an SOA record (hostmaster@example.com would be
251 represented as hostmaster.example.com). IDNA does not update the
252 existing email standards, which allow only ASCII characters in local
253 parts. Even though work is in progress to define
254 internationalization for email addresses [RFC4952], changes to the
255 email address part of the SOA RDATA would require action in, or
256 updates to, other standards, specifically those that specify the
257 format of the SOA RR.
259 4. Registration Protocol
261 This section defines the procedure for registering an IDN. The
262 procedure is implementation independent; any sequence of steps that
263 produces exactly the same result for all labels is considered a valid
264 implementation.
266 Note that, while the registration and lookup protocols (Section 5)
267 are very similar in most respects, they are different and
268 implementers should carefully follow the appropriate steps.
270 4.1. Input to IDNA Registration Process
272 Registration processes, especially processing by entities, such as
273 "registrars" who deal with registrants before the request actually
274 reaches the zone manager ("registry") are outside the scope of these
275 protocols and may differ significantly depending on local needs. By
276 the time a string enters the IDNA registration process as described
277 in this specification, it is expected to be in Unicode and MUST be in
278 Unicode Normalization Form C (NFC [Unicode-UAX15]). Entities
279 responsible for zone files ("registries") are expected to accept only
280 the exact string for which registration is requested, free of any
281 mappings or local adjustments. They SHOULD avoid any possible
282 ambiguity by accepting registrations only for A-labels, possibly
283 paired with the relevant U-labels so that they can verify the
284 correspondence.
286 4.2. Permitted Character and Label Validation
288 4.2.1. Input Format
290 The registry SHOULD permit submission of labels in A-label form and
291 is encouraged to accept both the A-label form and the U-label one.
292 If it does so, it MUST perform a conversion to a U-label, perform the
293 steps and tests described below, and verify that the A-label produced
294 by the step in Section 4.4 matches the one provided as input. In
295 addition, if a U-label was provided, that U-label and the one
296 obtained by conversion of the A-label MUST match exactly. If, for
297 some reason, these tests fail, the registration MUST be rejected. If
298 the conversion to a U-label is not performed, the registry MUST still
299 verify that the A-label is superficially valid, i.e., that it does
300 not violate any of the rules of Punycode [RFC3492] encoding such as
301 the prohibition on trailing hyphen-minus, appearance of non-basic
302 characters before the delimiter, and so on. Fake A-labels, i.e.,
303 invalid strings that appear to be A-labels but are not, MUST NOT be
304 placed in DNS zones that support IDNA.
306 4.2.2. Rejection of Characters that are not Permitted
308 The candidate Unicode string MUST NOT contain characters in the
309 "DISALLOWED" and "UNASSIGNED" lists specified in [IDNA2008-Tables].
311 4.2.3. Label Validation
313 The proposed label (in the form of a Unicode string, i.e., a string
314 that at least superficially appears to be a U-label) is then
315 examined, performing tests that require examination of more than one
316 character. Character order is considered to be the on-the-wire
317 order, not the display order.
319 4.2.3.1. Consecutive Hyphens
321 The Unicode string MUST NOT contain "--" (two consecutive hyphens) in
322 the third and fourth character positions.
324 4.2.3.2. Leading Combining Marks
326 The Unicode string MUST NOT begin with a combining mark or combining
327 character (see The Unicode Standard, Section 2.11 [Unicode] for an
328 exact definition).
330 4.2.3.3. Contextual Rules
332 The Unicode string MUST NOT contain any characters whose validity is
333 context-dependent, unless the validity is positively confirmed by a
334 contextual rule. To check this, each code-point marked as CONTEXTJ
335 and CONTEXTO in [IDNA2008-Tables] MUST have a non-null rule. If such
336 a code-point is missing a rule, it is invalid. If the rule exists
337 but the result of applying the rule is negative or inconclusive, the
338 proposed label is invalid.
340 NOTE: These contextual rules are required to support characters that
341 could be used, under some conditions, to produce misleading labels or
342 to cause unacceptable ambiguity in label matching and interpretation.
343 For example, labels containing zero-width characters may be permitted
344 in context with characters whose presentation forms are significantly
345 changed by the zero-width characters, while other labels in which
346 zero-width characters appear may be rejected.
347 [[anchor11: Note in draft: Should this note be moved to Rationale???
348 It has no normative consequences here.]]
350 4.2.3.4. Labels Containing Characters Written Right to Left
352 If the proposed label contains any characters that are written from
353 right to left it MUST meet the "bidi" criteria [IDNA2008-BIDI].
355 4.2.4. Registration Validation Summary
357 Strings that contain at least one non-ASCII character, have been
358 produced by the steps above, whose contents pass all of the tests in
359 Section 4.2, and are 63 or fewer characters long in ACE form (see
360 Section 4.4), are U-labels.
362 To summarize, tests are made in Section 4.2 for invalid characters,
363 invalid combinations of characters, for labels that are invalid even
364 if the characters they contain are valid individually, and for labels
365 that do not conform to the restrictions for strings containing right
366 to left characters.
368 4.3. Registry Restrictions
370 In addition to the rules and tests above, there are many reasons why
371 a registry could reject a label. Registries at all levels of the
372 DNS, not just the top level, establish policies about label
373 registrations. Policies are likely to be informed by the local
374 languages and may depend on many factors including what characters
375 are in the label (for example, a label may be rejected based on other
376 labels already registered). See [IDNA2008-Rationale] for a
377 discussion and recommendations about registry policies.
379 The string produced by the above steps is checked and processed as
380 appropriate to local registry restrictions. Application of those
381 registry restrictions may result in the rejection of some labels or
382 the application of special restrictions to others.
384 4.4. Punycode Conversion
386 The resulting U-label is converted to an A-label. The A-label, more
387 precisely defined elsewhere, is the encoding of the U-label according
388 to the Punycode algorithm [RFC3492] with the ACE prefix "xn--" added
389 at the beginning of the string. The resulting string must, of
390 course, conform to the length limits imposed by the DNS. This
391 document updates RFC 3492 only to the extent of replacing the
392 reference to the discussion of the ACE prefix. The ACE prefix is now
393 specified in this document rather than as part of RFC 3490 or
394 Nameprep [RFC3491] but is the same in both sets of documents.
396 The failure conditions identified in the Punycode encoding procedure
397 cannot occur if the input is a U-label as determined by the steps
398 above.
400 4.5. Insertion in the Zone
402 The A-label is registered in the DNS by insertion into a zone.
404 5. Domain Name Lookup Protocol
406 Lookup is different from registration and different tests are applied
407 on the client. Although some validity checks are necessary to avoid
408 serious problems with the protocol, the lookup-side tests are more
409 permissive and rely on the assumption that names that are present in
410 the DNS are valid. That assumption is, however, a weak one because
411 the presence of wild cards in the DNS might cause a string that is
412 not actually registered in the DNS to be successfully looked up.
414 The two steps in Section 5.2 and Section 5.3 are required.
416 [[anchor14: Note in Draft: Try to reorganize and renumber Section 5
417 (Lookup) so that it exactly parallels Section 4 (Registration). This
418 has not been done in drafts -10 through -12 because the task will be
419 much easier if the local mapping material is pulled from here (and
420 there is no point trying to align the section numbers twice).]]
422 5.1. Label String Input
424 The user supplies a string in the local character set, typically by
425 typing it or clicking on, or copying and pasting, a resource
426 identifier, e.g., a URI [RFC3986] or IRI [RFC3987] from which the
427 domain name is extracted. Alternately, some process not directly
428 involving the user may read the string from a file or obtain it in
429 some other way. Processing in this step and the next two are local
430 matters, to be accomplished prior to actual invocation of IDNA.
432 5.2. Conversion to Unicode
434 The string is converted from the local character set into Unicode, if
435 it is not already Unicode. A Unicode string may require
436 normalization as discussed in Section 4.1. The result MUST be a
437 Unicode string in NFC form.
439 5.3. Character Changes in Preprocessing or the User Interface
441 [[anchor15: Note in Draft -12. This entire section is likely to need
442 to be rewritten when we make final decisions about mapping.]]
444 The Unicode string MAY then be processed to prevent confounding of
445 user expectations. For instance, it might be reasonable, at this
446 step, to convert all upper case characters to lower case, if this
447 makes sense in the user's environment, but even this should be
448 approached with caution due to some edge cases: in the long term, it
449 is probably better for users to understand IDNs strictly in lower-
450 case, U-label, form. More generally, preprocessing may be useful to
451 smooth the transition from IDNA2003, especially for direct user
452 input, but with similar cautions. In general, IDNs appearing in
453 files and those transmitted across the network as part of protocols
454 are expected to be in either ASCII form (including A-labels) or to
455 contain U-labels, rather than being in forms requiring mapping or
456 other conversions.
458 Other examples of processing for localization might be applied,
459 especially to direct user input, at this point. They include
460 interpreting various characters as separating domain name components
461 from each other (label separators) because they either look like
462 periods or are used to separate sentences, mapping halfwidth or
463 fullwidth East Asian characters to the common form permitted in
464 labels, or giving special treatment to characters whose presentation
465 forms are dependent only on placement in the label. Such
466 localization changes are also outside the scope of this
467 specification.
469 Recommendations for preprocessing for global contexts (i.e., when
470 local considerations do not apply or cannot be used) and for maximum
471 interoperability with labels that might have been specified under
472 liberal readings of IDNA2003 are given in [IDNA2008-Rationale]. It
473 is important to note that the intent of these specifications is that
474 labels in application protocols, files, or links are intended to be
475 in U-label or A-label form. Preprocessing MUST NOT map a character
476 that is valid in a label as specified elsewhere in this document or
477 in [IDNA2008-Tables] into another character. Excessively liberal use
478 of preprocessing, especially to strings stored in files, poses a
479 threat to consistent and predictable behavior for the user even if
480 not to actual interoperability.
482 Because these transformations are local, it is important that domain
483 names that might be passed between systems (e.g., in IRIs) be
484 U-labels or A-labels and not forms that might be accepted locally as
485 a consequence of this step. This step is not standardized as part of
486 IDNA, and is not further specified here.
488 5.4. A-label Input
490 If the input to this procedure appears to be an A-label (i.e., it
491 starts in "xn--"), the lookup application MAY attempt to convert it
492 to a U-label and apply the tests of Section 5.5 and the conversion of
493 Section 5.6 to that form. If the label is converted to Unicode
494 (i.e., to U-label form) using the Punycode decoding algorithm, then
495 the processing specified in those two sections MUST be performed, and
496 the label MUST be rejected if the resulting label is not identical to
497 the original. See the Name Server Considerations section of
498 [IDNA2008-Rationale] for additional discussion on this topic.
500 That conversion and testing SHOULD be performed if the domain name
501 will later be presented to the user in native character form (this
502 requires that the lookup application be IDNA-aware). If those steps
503 are not performed, the lookup process SHOULD at least make tests to
504 determine that the string is actually an A-label, examining it for
505 the invalid formats specified in the Punycode decoding specification.
506 Applications that are not IDNA-aware will obviously omit that
507 testing; others MAY treat the string as opaque to avoid the
508 additional processing at the expense of providing less protection and
509 information to users.
511 5.5. Validation and Character List Testing
513 As with the registration procedure described in Section 4, the
514 Unicode string is checked to verify that all characters that appear
515 in it are valid as input to IDNA lookup processing. As discussed
516 above and in [IDNA2008-Rationale], the lookup check is more liberal
517 than the registration one. Putative labels with any of the following
518 characteristics MUST BE rejected prior to DNS lookup:
520 o Labels containing code points that are unassigned in the version
521 of Unicode being used by the application, i.e.,in the UNASSIGNED
522 category of [IDNA2008-Tables].
524 o Labels that are not in NFC form as defined in [Unicode-UAX15].
526 o Labels containing prohibited code points, i.e., those that are
527 assigned to the "DISALLOWED" category in the permitted character
528 table [IDNA2008-Tables].
530 o Labels containing code points that are identified in
531 [IDNA2008-Tables] as "CONTEXTJ", i.e., requiring exceptional
532 contextual rule processing on lookup, but that do not conform to
533 that rule. Note that this implies that a rule much be defined,
534 not null: a character that requires a contextual rule but for
535 which the rule is null is treated in this step as having failed to
536 conform to the rule.
538 o Labels containing code points that are identified in
539 [IDNA2008-Tables] as "CONTEXTO", but for which no such rule
540 appears in the table of rules. Applications resolving DNS names
541 or carrying out equivalent operations are not required to test
542 contextual rules for "CONTEXTO" characters, only to verify that a
543 rule is defined (although they MAY make such tests to provide
544 better protection or give better information to the user).
546 o Labels whose first character is a combining mark (see
547 Section 4.2.3.2).
549 In addition, the application SHOULD apply the following test. The
550 test may be omitted in special circumstances, such as when the lookup
551 application knows that the conditions are enforced elsewhere, because
552 an attempt to look up and resolve such strings will almost certainly
553 lead to a DNS lookup failure except when wildcards are present in the
554 zone. However, applying the test is likely to give much better
555 information about the reason for a lookup failure -- information that
556 may be usefully passed to the user when that is feasible -- than DNS
557 resolution failure information alone. In any event, lookup
558 applications should avoid attempting to resolve labels that are
559 invalid under that test.
561 o Verification that the string is compliant with the requirements
562 for right to left characters, specified in [IDNA2008-BIDI].
564 For all other strings, the lookup application MUST rely on the
565 presence or absence of labels in the DNS to determine the validity of
566 those labels and the validity of the characters they contain. If
567 they are registered, they are presumed to be valid; if they are not,
568 their possible validity is not relevant. While a lookup application
569 may reasonably issue warnings about strings it believes may be
570 problematic, applications that decline to process a string that
571 conforms to the rules above (i.e., does not look it up in the DNS)
572 are not in conformance with this protocol.
574 5.6. Punycode Conversion
576 The string that has now been validated for lookup is converted to ACE
577 form using the Punycode algorithm (with the ACE prefix added). With
578 the understanding that this summary is not normative (the steps above
579 are), the string is either
581 o in Unicode NFC form that contains no leading combining marks,
582 contains no DISALLOWED or UNASSIGNED code points, has rules
583 associated with any code points in CONTEXTJ or CONTEXTO, and, for
584 those in CONTEXTJ, to satisfies the conditions of the rules; or
586 o in A-label form, was supplied under circumstances in which the
587 U-label conversions and tests have not been performed (see
588 Section 5.4).
590 5.7. DNS Name Resolution
592 That resulting validated string is looked up in the DNS, using normal
593 DNS resolver procedures. That lookup can obviously either succeed
594 (returning information) or fail.
596 6. Security Considerations
598 Security Considerations for this version of IDNA, except for the
599 special issues associated with right to left scripts and characters,
600 are described in [IDNA2008-Defs]. Specific issues for labels
601 containing characters associated with scripts written right to left
602 appear in [IDNA2008-BIDI].
604 7. IANA Considerations
606 IANA actions for this version of IDNA are specified in
607 [IDNA2008-Tables] and discussed informally in [IDNA2008-Rationale].
608 The components of IDNA described in this document do not require any
609 IANA actions.
611 8. Contributors
613 While the listed editor held the pen, the original versions of this
614 document represent the joint work and conclusions of an ad hoc design
615 team consisting of the editor and, in alphabetic order, Harald
616 Alvestrand, Tina Dam, Patrik Faltstrom, and Cary Karp. This document
617 draws significantly on the original version of IDNA [RFC3490] both
618 conceptually and for specific text. This second-generation version
619 would not have been possible without the work that went into that
620 first version and its authors, Patrik Faltstrom, Paul Hoffman, and
621 Adam Costello. While Faltstrom was actively involved in the creation
622 of this version, Hoffman and Costello were not and should not be held
623 responsible for any errors or omissions.
625 9. Acknowledgments
627 This revision to IDNA would have been impossible without the
628 accumulated experience since RFC 3490 was published and resulting
629 comments and complaints of many people in the IETF, ICANN, and other
630 communities, too many people to list here. Nor would it have been
631 possible without RFC 3490 itself and the efforts of the Working Group
632 that defined it. Those people whose contributions are acknowledged
633 in RFC 3490, [RFC4690], and [IDNA2008-Rationale] were particularly
634 important.
636 Specific textual changes were incorporated into this document after
637 suggestions from the other contributors, Stephane Bortzmeyer, Vint
638 Cerf, Lisa Dusseault, Mark Davis, Paul Hoffman, Kent Karlsson, Erik
639 van der Poel, Marcos Sanz, Andrew Sullivan, Ken Whistler, and other
640 WG participants. Special thanks are due to Paul Hoffman for
641 permission to extract material from his Internet-Draft to form the
642 basis for Appendix B.
644 10. References
645 10.1. Normative References
647 [IDNA2008-BIDI]
648 Alvestrand, H. and C. Karp, "An updated IDNA criterion for
649 right-to-left scripts", July 2008, .
652 [IDNA2008-Defs]
653 Klensin, J., "Internationalized Domain Names for
654 Applications (IDNA): Definitions and Document Framework",
655 February 2009, .
658 [IDNA2008-Tables]
659 Faltstrom, P., "The Unicode Codepoints and IDNA",
660 July 2008, .
663 A version of this document is available in HTML format at
664 http://stupid.domain.name/idnabis/
665 draft-ietf-idnabis-tables-02.html
667 [RFC1034] Mockapetris, P., "Domain names - concepts and facilities",
668 STD 13, RFC 1034, November 1987.
670 [RFC1035] Mockapetris, P., "Domain names - implementation and
671 specification", STD 13, RFC 1035, November 1987.
673 [RFC1123] Braden, R., "Requirements for Internet Hosts - Application
674 and Support", STD 3, RFC 1123, October 1989.
676 [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate
677 Requirement Levels", BCP 14, RFC 2119, March 1997.
679 [RFC3492] Costello, A., "Punycode: A Bootstring encoding of Unicode
680 for Internationalized Domain Names in Applications
681 (IDNA)", RFC 3492, March 2003.
683 [Unicode-PropertyValueAliases]
684 The Unicode Consortium, "Unicode Character Database:
685 PropertyValueAliases", March 2008, .
688 [Unicode-RegEx]
689 The Unicode Consortium, "Unicode Technical Standard #18:
690 Unicode Regular Expressions", May 2005,
691 .
693 [Unicode-Scripts]
694 The Unicode Consortium, "Unicode Standard Annex #24:
695 Unicode Script Property", February 2008,
696 .
698 [Unicode-UAX15]
699 The Unicode Consortium, "Unicode Standard Annex #15:
700 Unicode Normalization Forms", 2006,
701 .
703 10.2. Informative References
705 [ASCII] American National Standards Institute (formerly United
706 States of America Standards Institute), "USA Code for
707 Information Interchange", ANSI X3.4-1968, 1968.
709 ANSI X3.4-1968 has been replaced by newer versions with
710 slight modifications, but the 1968 version remains
711 definitive for the Internet.
713 [IDNA2008-Rationale]
714 Klensin, J., Ed., "Internationalizing Domain Names for
715 Applications (IDNA): Issues, Explanation, and Rationale",
716 February 2009, .
719 [RFC2136] Vixie, P., Thomson, S., Rekhter, Y., and J. Bound,
720 "Dynamic Updates in the Domain Name System (DNS UPDATE)",
721 RFC 2136, April 1997.
723 [RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS
724 Specification", RFC 2181, July 1997.
726 [RFC2535] Eastlake, D., "Domain Name System Security Extensions",
727 RFC 2535, March 1999.
729 [RFC2671] Vixie, P., "Extension Mechanisms for DNS (EDNS0)",
730 RFC 2671, August 1999.
732 [RFC3490] Faltstrom, P., Hoffman, P., and A. Costello,
733 "Internationalizing Domain Names in Applications (IDNA)",
734 RFC 3490, March 2003.
736 [RFC3491] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
737 Profile for Internationalized Domain Names (IDN)",
738 RFC 3491, March 2003.
740 [RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
741 Resource Identifier (URI): Generic Syntax", STD 66,
742 RFC 3986, January 2005.
744 [RFC3987] Duerst, M. and M. Suignard, "Internationalized Resource
745 Identifiers (IRIs)", RFC 3987, January 2005.
747 [RFC4690] Klensin, J., Faltstrom, P., Karp, C., and IAB, "Review and
748 Recommendations for Internationalized Domain Names
749 (IDNs)", RFC 4690, September 2006.
751 [RFC4952] Klensin, J. and Y. Ko, "Overview and Framework for
752 Internationalized Email", RFC 4952, July 2007.
754 [Unicode] The Unicode Consortium, "The Unicode Standard, Version
755 5.0", 2007.
757 Boston, MA, USA: Addison-Wesley. ISBN 0-321-48091-0
759 Appendix A. Local Mapping Alternatives
761 The subsections of this appendix are temporary and represent
762 different sketches of possible replacements for Section 5.3. They do
763 not represent an assertion of WG consensus or any assertion about the
764 possibility of including one of them as part of the WG's work
765 program. Instead, they are supplied only for purposes of comparison,
766 discussion, and, should it be relevant, refinement.
768 The first paragraph of each subsection describes how the material
769 would be placed relative to the existing main document text.
770 Subsequent paragraphs are the actual suggestions, although in
771 incomplete sketch form.
773 A.1. Transitional Mapping Model
775 If this subsection were adopted, Section 5.3 would be deleted and
776 this one would be inserted after, or integrated with, Section 5.7.
778 This specification does not support the extensive mappings from one
779 character to another, including Unicode Case Folding and
780 Compatibility Character mapping, of IDNA2003. It also changes the
781 interpretations of a small number of characters relative to IDNA2003.
782 Most applications, especially those with which IDNs have been used
783 for some time, will need to maintain reasonable compatibility with
784 files created under IDNA2003 and user interfaces designed for it.
785 This section specifies additional steps to be taken to provide
786 maximum IDNA2003 compatibility.
788 If an application requires IDNA2003 backward compatibility, it MUST
789 execute the steps in one of the two subsections that immediately
790 follow.
792 A.1.1. Fallback Lookup
794 If the string validates and the resolution attempt in Section 5.7
795 successfully returns a result, the lookup process terminates with
796 that result. If validation succeeds but resolution fails, the
797 validated string is proceeded through the ToASCII operation specified
798 in IDNA2003 [RFC3490]. Assuming it produces a valid result, the
799 resulting string is compared to the previous validated one. If they
800 are not identical, a resolution attempt is made with the ToASCII
801 output and the result of that attempt is returned as the result of
802 the lookup operation.
804 Should IDNA2008 validation fail, the string is processed through
805 ToASCII and, assuming the result is valid, the resulting string is
806 resolved and the result of that attempt returned as the result of the
807 lookup operation.
809 If ToASCII (IDNA2003) conversion is attempted and fails, the lookup
810 operation behaves as if no name was found in the DNS.
812 Note that this procedure involves, at most, one DNS lookup
813 (resolution attempt). If IDNA2008 string validation, conversion, and
814 resolution succeed, no attempt is made to use IDNA2003 mechanisms.
815 The procedure does, however, require that lookup applications fully
816 support both IDNA2008 and IDNA2003 lookup operations so that the
817 fallback can occur.
819 A.1.2. Two-step Lookup
821 Prior to the resolution attempt in Section 5.7, ACE strings are
822 computed using both IDNA2003 (ToASCII) and IDNA2008 methods (as
823 specified here). Assuming both validate, those strings are compared.
824 If they are identical, or only one was valid, then a single DNS
825 resolution is performed and its result is the result of the lookup
826 operation. If both are valid but they are not identical, one
827 resolution attempt is made with each of the two ACE strings.
829 If neither string is valid as an IDN, then the lookup operation
830 fails.
832 When two resolutions are attempted, if one of the two is successful
833 and the other is not, the successful value is used as the result of
834 the lookup. If both are successful, the user or calling application
835 must be presented with a choice in some way.
837 This procedure will require two DNS lookups (resolution attempts) in
838 all cases except those in which the label string fails IDNA2008
839 validation, neither IDNA2003 or IDNA2008 can validate the string and
840 translate it to ACE form, or the strings obtained from the two
841 conversions are identical. As with the prior option, IDNA
842 implementations will need to support both the IDNA2003 algorithm and
843 tables and the IDNA2008 one. The question of how multiple results
844 from different interpretations of the same input string should be
845 handled by applications is a difficult one, with potential false
846 positive and security attack vector implications as well as the
847 possibility of general confusion.
849 In particular, if both interpretations of the name return values, the
850 lookup application has no practical way to tell whether the relevant
851 registry has applied "variant" or "bundling" techniques to ensure
852 that both domain names are under the same control or not. From that
853 perspective, the approach in the previous subsection assumes that has
854 been done (if the IDNA2003-interpretation label is present at all)
855 while this one assumes that such bundling is unlikely to have
856 occurred.
858 [[anchor25: Note in Draft: If this appendix is used, RFC3490 must be
859 moved from Informative to Normative.]]
861 A.2. Internationalized Resource Identifier (IRI) Mapping Model
863 This subsection is intended to be descriptive of an approach that
864 lies outside IDNA, rather than a normative component of it. If it
865 were adopted, Section 5.3 would be deleted and the material below
866 would be referenced, either as a non-normative Appendix in Protocol
867 or, more reasonably, as a section of Rationale.
869 IDNA2003 supported extensive mappings from one character to another,
870 including Unicode Case Folding and Compatibility Character mapping.
871 Those mappings are no longer supported on registration and are
872 inconsistent with the "exact match" lookups that people expect from
873 the DNS. Some mapping should still be supported, both for
874 compatibility with applications that assume IDNA2003 and to avoid
875 confounding user expectations. The specific mappings involved are
876 not part of IDNA, but are expected to be specified as part of a
877 revision to the IRI specification [RFC3987] and the conversion from
878 IRI form to URI form. That change leaves mapping unspecified and
879 prohibited for actual domain names, however, in practice, most domain
880 names, especially in the web applications that appear to have been
881 most important for IDNs between the publication of IDNA2003 and the
882 release of this specification, are not interpreted as themselves but
883 as abbreviated form of URIs or IRIs and hence subject to the
884 transformation rules of the latter.
886 Appendix B. Summary of Major Changes from IDNA2003
888 1. Update base character set from Unicode 3.2 to Unicode version-
889 agnostic.
891 2. Separate the definitions for the "registration" and "lookup"
892 activities.
894 3. Disallow symbol and punctuation characters except where special
895 exceptions are necessary.
897 4. Remove the mapping and normalization steps from the protocol and
898 have them instead done by the applications themselves, possibly
899 in a local fashion, before invoking the protocol.
901 5. Change the way that the protocol specifies which characters are
902 allowed in labels from "humans decide what the table of
903 codepoints contains" to "decision about codepoints are based on
904 Unicode properties plus a small exclusion list created by
905 humans".
907 6. Introduce the new concept of characters that can be used only in
908 specific contexts.
910 7. Allow typical words and names in languages such as Dhivehi and
911 Yiddish to be expressed.
913 8. Make bidirectional domain names (delimited strings of labels,
914 not just labels standing on their own) display in a less
915 surprising fashion whether they appear in obvious domain name
916 contexts or as part of running text in paragraphs.
918 9. Remove the dot separator from the mandatory part of the
919 protocol.
921 10. Make some currently-valid labels that are not actually IDNA
922 labels invalid.
924 Appendix C. Change Log
926 [[anchor28: RFC Editor: Please remove this appendix.]]
928 C.1. Changes between Version -00 and -01 of draft-ietf-idnabis-protocol
930 o Corrected discussion of SRV records.
932 o Several small corrections for clarity.
934 o Inserted more "open issue" placeholders.
936 C.2. Version -02
938 o Rewrote the "conversion to Unicode" text in Section 5.2 as
939 requested on-list.
941 o Added a comment (and reference) about EDNS0 to the "DNS Server
942 Conventions" section, which was also retitled.
944 o Made several editorial corrections and improvements in response to
945 various comments.
947 o Added several new discussion placeholder anchors and updated some
948 older ones.
950 C.3. Version -03
952 o Trimmed change log, removing information about pre-WG drafts.
954 o Incorporated a number of changes suggested by Marcos Sanz in his
955 note of 2008.07.17 and added several more placeholder anchors.
957 o Several minor editorial corrections and improvements.
959 o "Editor" designation temporarily removed because the automatic
960 posting machinery does not accept it.
962 C.4. Version -04
964 o Removed Contextual Rule appendices for transfer to Tables.
966 o Several changes, including removal of discussion anchors, based on
967 discussions at IETF 72 (Dublin)
969 o Rewrote the preprocessing material (Section 5.3) somewhat.
971 C.5. Version -05
973 o Updated part of the A-label input explanation (Section 5.4) per
974 note from Erik van der Poel.
976 C.6. Version -06
978 o Corrected a few typographical errors.
980 o Incorporated the material (formerly in Rationale) on the
981 relationship between IDNA2003 and IDNA2008 as an appendix and
982 pointed to the new definitions document.
984 o Text modified in several places to recognize the dangers of
985 interaction between DNS wildcards and IDNs.
987 o Text added to be explicit about the handling of edge and failure
988 cases in Punycode encoding and decoding.
990 o Revised for consistency with the new Definitions document and to
991 make the text read more smoothly.
993 C.7. Version -07
995 o Multiple small textual and editorial changes and clarifications.
997 o Requirement for normalization clarified to apply to all cases and
998 conditions for preprocessing further clarified.
1000 o Substantive change to Section 4.2.1, turning a SHOULD to a MUST
1001 (see note from Mark Davis, 19 November, 2008 18:14 -0800).
1003 C.8. Version -08
1005 o Added some references and altered text to improve clarity.
1007 o Changed the description of CONTEXTJ/CONTEXTO to conform to that in
1008 Tables. In other words, these are now treated as distinction
1009 categories (again), rather than as specially-flagged subsets of
1010 PROTOCOL VALID.
1012 o The discussion of label comparisons has been rewritten to make it
1013 more precise and to clarify that one does not need to verify that
1014 a string is a [valid] A-label or U-label in order to test it for
1015 equality with another string. The WG should verify that the
1016 current text is what is desired.
1018 o Other changes to reflect post-IETF discussions or editorial
1019 improvements.
1021 C.9. Version -09
1023 o Removed Security Considerations material to Defs document.
1025 o Removed the Name Server Considerations material to Rationale.
1026 That material is not normative and not needed to implement the
1027 protocol itself.
1029 o Adjusted terminology to match new version of Defs.
1031 o Removed all discussion of local mapping and option for it from
1032 registration protocol. Such mapping is now completely prohibited
1033 on Registration.
1035 o Removed some old placeholders and inquiries because no comments
1036 have been received.
1038 o Small editorial corrections.
1040 C.10. Version -10
1042 o Rewrote the registration input material slightly to further
1043 clarify the "no mapping on registration" principle.
1045 o Added placeholder notes about several tasks, notably reorganizing
1046 Section 4 and Section 5 so that subsection numbers are parallel.
1048 o Cleaned up an incorrect use of the terms "A-label" and "U-label"
1049 in the lookup phase that was spotted by Mark Davis. Inserted a
1050 note there about alternate ways to deal with the resulting
1051 terminology problem.
1053 o Added a temporarily appendix (above) to document alternate
1054 strategies for possible replacements for Section 5.3.
1056 C.11. Version -11
1058 o Removed dangling reference to "C-label" (editing error in prior
1059 draft).
1061 o Recast the last steps of the Lookup description to eliminate
1062 "apparent" (previously "putative") terminology.
1064 o Rewrote major portions of the temporary appendix that describes
1065 transitional mappings to improve clarity and add context.
1067 o Did some fine-tuning of terminology, notably in Section 3.2.1.
1069 C.12. Version -12
1071 o Extensive editorial improvements, mostly due to suggestions from
1072 Lisa Dusseault.
1074 o Conformance statements have been made consistent, especially in
1075 Section 4.2.1 and subsequent text, which said "SHOULD" in one
1076 place and then said "MAY" as the result of incomplete removal of
1077 registration-time mapping. Also clarified the definition of
1078 "registration processes" in Section 4.1 -- the previous text had
1079 confused several people.
1081 o A few new "question to the WG notes have been added about
1082 appropriateness or placement of text. If there are no comments on
1083 the mailing list, the editor will apply his own judgment.
1085 o Several of the usual small typos and other editorial errors have
1086 been corrected.
1088 o Section 5 has still not been reorganized to match Section 4 in
1089 structure and subsection numbering -- will be done as soon as the
1090 mapping decisions and references are final.
1092 Author's Address
1094 John C Klensin
1095 1770 Massachusetts Ave, Ste 322
1096 Cambridge, MA 02140
1097 USA
1099 Phone: +1 617 245 1457
1100 Email: john+ietf@jck.com