Standards and localization (was Dot-mapping)

John C Klensin klensin at jck.com
Sat Dec 8 19:39:16 CET 2007 


--On Saturday, 08 December, 2007 23:40 +0800 YAO Jiankang
<yaojk at cnnic.cn> wrote:

> Dear John,
>       
>      Thans a lot for your good example.
>      At first, we must be sure that the domain
> "xn--0xaat?example.com" is a IDN since it includes the
> non-ascii character.  

No, that is irrelevant.   The problem with dots is that
applications that are _not_ IDNA-aware, much less
IDNA-conformant, must understand exactly what the label
separators to parse a domain name into labels.     There is _no_
problem for IDNA2003-conformant  software, because it presumably
knows what to do (including figuring out whether a string that
starts in "xn--" is, or is not, a valid IDN.

>     at second ,
>   
>      RFC3490 said  " Whenever a domain name is put into an
> IDN-unaware domain name slot       (see section 2), it MUST
> contain only ASCII characters. "        Your browser in your
> example is an IDN-unaware domain name slot.       "I copy that
> out and paste it into my browser"  is trying to put the IDN
> into an IDN-unaware domain name slot.        This is not
> allowed by RFC3490.

That is correct.   But remember that 3490 is very specific that
applications and DNS interfaces are _not_ required to conform to
it.   Someone creating, registering, or displaying an
IDNA-conformant FQDN or label has no way to know whether or not
the name string will be accessed and processed exclusively by
3490-conformant software.  If an application doesn't know
anything at all about 3490, then it still must be able to parse
any domain name it receives into labels.   And use of anything
but ASCII dot (full stop) prevents such applications from doing
that.

>      So you can not do so by puting IDN into an IDN-unaware
> domain name slot.      It violates the requirment of RFC3490.

Applications that conform (only) to RFC 1034/ 1035/ 1123 are not
required to conform to 3490. 

>     if you put IDN into an IDN-unaware domain name slot, I am
> sure that it will cause some problems.

Of course.  But this isn't about name slots.  Contrast the
following problems, assuming a domain name placed in running
text and thinking _only_ about applications and resolvers that
do not support IDNA:

* ACE-string.ACE-string2.ASCII-string

	Applications that are not-IDNA aware will pick this up,
	parse it correctly into labels, look things up in the
	DNS, and find them if they are there.   This is how IDNA
	is expected to work, so no problem.

* non-ASCII-string.non-ASCII-string2.ASCII-string

	Some applications prohibit this as part of their own
	syntax, but the application is not part of either the
	DNS or IDNA.  In the general case and absent such
	prohibitions, they are required to parse this into
	labels (which they have no trouble doing) and look those
	labels up in the DNS.  That is a requirement under RFC
	1034 and RFC 8121 is, IMO, _very_ explicit about that.
	Of course, if the domain is properly run, they won't
	find anything, but that is ok.
	
* ACE-string?ACE-string2.ASCII-string

	(Where ? is an alternate dot).  Now, IDNA2003-aware
	applications will probably work exactly the same way
	applications that are not IDNA2003-aware will work in
	the first case above.  But applications  that are not
	IDNA-aware will be unable to parse the string into
	labels as you presumably intended.  Probably the lookup
	will fail, but, since a number of protocols and
	processing models assume that FQDNs can be converted
	from external (dot-separated labels) to internal
	(lengths and strings) form by any system or back without
	loss of information, there are _far_ more opportunities
	for damage because information is lost from the label
	structure itself, not just from the interpretation of
	individual labels.  

In addition, if the ACE strings in the first example and the ACE
strings in the third one are identical, the parsing and lookup
in the first example will succeed and the second one will
presumably fail.  This also gives us two FQDNs, both in ACE
form, that IDNA considers equivalent and the 1034 DNS does not.
That is bad news.  And, again, while it may provide some
additional spoofing opportunities, spoofing has nothing to do
with the problem.

thanks,
   john

More information about the Idna-update mailing list