Completely off-topic: what about legacy UTF-8 DNS and IDNA2003?

Andrew Sullivan ajs at
Mon Mar 2 21:10:52 CET 2009

On Mon, Mar 02, 2009 at 11:48:49AM -0800, Shawn Steele (???) wrote:

> I've had some questions asked about how punycode names and UTF-8
> names should interoperate in environments where there's a history of
> UTF-8 DNS.  (Yea, I know it'll take a bajillion years for DNS to
> support UTF-8, but the fact is that most name servers seem to allow
> characters > 0x7f, and so in many environments UTF-8 names actually
> work and there is an installed base that users want to keep working,
> AND coexist with Punicode names.)

As a matter of protocol, the DNS was never 7 bit.  It is supposed to
be 8 bit, but 1034/1035 note that there are other restrictions on
network names that ought to be taken into consideration.  As a result,
some people treated the DNS as effectively 7 bit, and that's roughly
how we ended up with the LDH rule.  (I have grossly oversimplified
this.  I think John put up somewhere a fairly lengthy discussion of
the history.)  So I'm not surprised that some networks have high-bit
characters in labels, and that they work for some values of "work".  
> Mostly the suggestions I've heard so far are "use utf-8 for intranet
> names and punicode for internet names," but I suspect that leaves a
> lot to be desired.

That suggestion depends on the implicit premise that the "intranet
names" won't leak.  They will.  The right answer is, "Don't do that,
please."[1]  There are no protocol police, and there's going to be
nothing we can do about it if people do in fact use such labels in the
DNS.  But their local DNS will be more fragile, and they will probably
contribute to the large volume of crap that flows to the global root
servers.  Treating any part of the DNS space as something that is
"only local" never works.  (If you need a demonstration of this, do
some searching for war stories about printers and other such "LAN
only" devices that suddenly stopped working the day one of the large
gTLDs added a wild card record to their largest zone.)


[1] Yes, yes, I know that there are perfectly legitimate uses of DNS
that rely on the 8 bits, and that a well-operated local configuration
of views can be made mostly safe, &c. &c.  I think we have enough
empirical evidence to provide advice that amounts to, "a.  You should
only do such tricks if you're a wizard.  b. If you think you're a
wizard and you've proven your trick can't leak, go back and do the
proof again."

Andrew Sullivan
ajs at
Shinkuro, Inc.

More information about the Idna-update mailing list