Punycode Mixed-case annotation

Andrew Sullivan ajs at shinkuro.com
Tue Jun 30 17:12:38 CEST 2009

On Mon, Jun 29, 2009 at 01:48:41AM +1000, Wil Tan wrote:
> checking the validity of the characters. I'm not aware of any
> side-effects of ASCII lowercasing, but do appreciate that the protocol
> steps must be very carefully considered.

Steve Crocker noticed that I didn't mention this, and I should have.

There is a draft floating around, and which has been implemented in at
least some servers and resolvers, that uses the upper and lower case
of a query as part of a strategy to effectively increase the
randomness available to resolvers in order to detect spoofed answers.
It's far from perfect, but it works in some cases.  In Stockholm,
DNSEXT will be contemplating whether to adopt this strategy (among
others) as a work item.

The draft is available from
http://tools.ietf.org/html/draft-vixie-dnsext-dns0x20-00 (or your
favourite repository of Internet Drafts).  The basic idea is that the
DNS spec be modified to REQUIRE that the labels as presented in the
question be copied back to the answer section.  The idea is that the
requesting client could randomize the 0x20 bit on the characters in a
label.  This way each character can be either upper or lower case, and
the client can then use the randomized labels as a sort of channel
back to itself; that would allow a client to detect an answer that did
not correctly echo the 0x20 arrangement of the request.  The idea is
that this allows a client to detect when a cache has been poisoned by
some other client's efforts.  (The details are off topic for this
list; if that description is too sketchy, please read the draft.)

The upshot of adoption of that work by the DNSEXT WG would not
actually affect this WG's work, since we're making changes prior to
any query going into the DNS itself.  That said, we might want to keep
this in mind when making decisions about what we can do with upper and
lower case ASCII (and, in particular, if we want to be sensitive to
such upper and lower case when the data comes back to us from the DNS
resolver level).


Andrew Sullivan
ajs at shinkuro.com
Shinkuro, Inc.

More information about the Idna-update mailing list