[secdir] secdir review of draft-ietf-idnabis-rationale-13.txt

John C Klensin klensin at jck.com
Tue Oct 6 16:44:56 CEST 2009



--On Tuesday, October 06, 2009 10:03 -0400 Sam Hartman
<hartmans-ietf at mit.edu> wrote:

>>>>>> "Vint" == Vint Cerf <vint at google.com> writes:
> 
>     Vint> if we mention DNSSEC at all (and perhaps it is not
>     Vint> necessary since DNSSEC operates at the DNS level),
>...

> I'd be happy with either no reference to dnssec or to the sort
> of statement you propose above.  I'd be happier with either
> than the current text.  However in the grand scheme of things
> this issue is not a huge one.

Editor's opinion: 

People are obviously sensitive to exactly what, if anything, is
said about this.   If there is consensus that "say nothing" (or
"no reference") is an acceptable alternative, I would recommend
that we simply remove that entire subsection rather than trying
to fine-tune it.  I'm not sure that would be the right answer in
a more perfect world, but I'm concerned that we could spend a
lot of cycles trying to get things exactly right at this late
stage in document processing... or that we could make a quick
patch that we would regret later.

FWIW, if we do start rewriting, the section needs work beyond
the confusing sentence that started the discussion.  I'm not
sure that the first paragraph (which describes what DNSSEC is
about) is needed any more.   The first sentence of the second
paragraph should stress "public DNS" or something tautological
about what an "internationalized domain name" is to skirt the
draft-iab-idn-encoding issues.  

The one problem I see with removing the section entirely has to
do with the last paragraph, on which I don't think anyone has
commented.   As I assume people on the IDNA list are aware,
there are some almost-conforming DNS server products that are
heavily promoted in some parts of the world as enabling a better
quality of IDN support.  At least one variation accepts queries
in the local character set of choice, performs some orthographic
variation processing, and only then performs IDNA processing and
makes A-label-based queries to authoritative servers.  While the
ways in which they don't work have been subtle enough in
localized environments that their advocates have periodically
claimed DNS and IDNA conformance, they will certainly not work
with DNSSEC validation to the desktop because the zone will be
signed over the A-labels but the queries will be made with
U-labels or something else.   

When the initial form of that paragraph was written a year or
two ago, it seemed worthwhile to warn about that situation.
However, at this point, maybe it isn't worthwhile enough to
justify the effort to fine-tune this section.    In an ideal
world, the warning probably belongs in the DNSSEC specs, rather
than here, anyway.

    john
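The failure mode described in the last two paragraphs of the message above, as an added illustration that is not part of the original thread: the zone is signed over the A-label owner name, while a translating server hands the answer back under the U-label the client asked for, so a validator on the desktop recomputes over a different canonical owner name and the signature does not verify. The key, zone contents and the use of a keyed hash in place of a real DNSSEC signature algorithm are constructed for the example.

```python
import hashlib
import hmac

# Constructed stand-in for the zone's signing key (not a real DNSKEY).
SIGNING_KEY = b"constructed-zsk-secret"


def to_alabel(name: str) -> str:
    """U-label form -> A-label form using the stdlib 'idna' codec (IDNA2003 rules)."""
    return name.encode("idna").decode("ascii")


def canonical_wire_name(name: str) -> bytes:
    """Owner name in DNSSEC canonical form (RFC 4034 section 6.2): lowercase labels,
    each length-prefixed, ending with the root label. Non-ASCII is deliberately
    left as UTF-8 bytes, which is what a U-label query name looks like on the wire."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("utf-8")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def sign_rrset(owner: str, rtype: str, rdata: bytes) -> bytes:
    """Authoritative side: the signature covers the owner name as stored in the zone."""
    msg = canonical_wire_name(owner) + rtype.encode("ascii") + rdata
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()


def validate(owner_queried: str, rtype: str, rdata: bytes, sig: bytes) -> bool:
    """Validating stub: recomputes over the owner name it actually queried."""
    msg = canonical_wire_name(owner_queried) + rtype.encode("ascii") + rdata
    expected = hmac.new(SIGNING_KEY, msg, hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)


def resolve_via_translating_server(query_name: str, zone: dict):
    """The 'almost-conforming' server: accepts the query in whatever form it arrives,
    performs IDNA processing itself, fetches the signed A-label RRset, and returns
    the record plus its signature under the name the client used."""
    rdata, sig = zone[to_alabel(query_name)]
    return query_name, rdata, sig


# Constructed zone with one signed A record (192.0.2.10 is documentation space).
ZONE_OWNER = to_alabel("bücher.example")
RDATA = bytes([192, 0, 2, 10])
ZONE = {ZONE_OWNER: (RDATA, sign_rrset(ZONE_OWNER, "A", RDATA))}


def dnssec_outcome(query_name: str) -> bool:
    """True only when the desktop validator accepts what the server returned."""
    owner, rdata, sig = resolve_via_translating_server(query_name, ZONE)
    return validate(owner, "A", rdata, sig)
```

A client that sends the A-label itself validates; a client that sends the U-label and lets the server translate gets a signature computed over a different owner name and fails.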


