secdir review of draft-ietf-idnabis-rationale-13.txt

Vint Cerf vint at google.com
Mon Oct 5 22:39:44 CEST 2009 

i think the point was precisely that DNSSEC should operate at DNS  
level (using only LDH-form domain names or, in IDNA2008 parlance, A- 
labels. No other form of label valid under IDNA2008 (such as a U- 
label) should be used in conjunction with DNSSEC.

If I have not quite got that right I am sure my colleagues on IDNA- 
UPDATE with correct me.

vint


On Oct 5, 2009, at 4:35 PM, Charlie Kaufman wrote:

> I am reviewing this document as part of the security directorate's  
> ongoing effort to review all IETF documents being processed by the  
> IESG.  These comments were written primarily for the benefit of the  
> security area directors.  Document editors and WG chairs should  
> treat these comments just like any other last call comments. Feel  
> free to forward to any appropriate forum.
>
> This I-D is part of a set of I-D’s that update the RFCs on  
> Internationalized Domain Names. This document is intended to become  
> an Informational RFC and provides a rationale for the proposed  
> changes (as well as for the initial design of IDNA). Its Security  
> Considerations section defers to draft-ietf-idnabis-defs-11.txt,  
> which has a good Security Considerations section.
>
> In my opinion, the change to IDNs that warrants the most concern is  
> the fact that for some IDNs the new set of RFCs will specify a  
> different representation than the old one did. This could in theory  
> cause security problems, though that seems intuitively unlikely (to  
> me, at least).
>
> I would question one statement in the document.
>
> From Section 8.2:
>
> In the presence of DNSSEC, no form of a zone file or query response  
> that contains a U-label may be signed or the signature validated.
>
> [a U-label indicates a name form containing non-ASCII characters not  
> properly encoded with IDN].
>
> I would expect that DNSSEC would operate at the layer below IDN, and  
> could therefore sign and validate any data that DNS could validly  
> return. There may be subtle reason for this restriction that I don’t  
> understand, but the justification in the document didn’t seem right.
>
>                 --Charlie

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.alvestrand.no/pipermail/idna-update/attachments/20091005/80502989/attachment-0001.htm

More information about the Idna-update mailing list