secdir review of draft-ietf-idnabis-rationale-13.txt

Andrew Sullivan ajs at
Mon Oct 5 22:56:40 CEST 2009

On Mon, Oct 05, 2009 at 04:39:44PM -0400, Vint Cerf wrote:
> i think the point was precisely that DNSSEC should operate at DNS level 
> (using only LDH-form domain names or, in IDNA2008 parlance, A-labels). No 
> other form of label valid under IDNA2008 (such as a U-label) should be 
> used in conjunction with DNSSEC.
> If I have not quite got that right I am sure my colleagues on IDNA- 
> UPDATE will correct me.

That's exactly right.  DNSSEC operates on DNS responses, which are
required to be A-labels.  Therefore, DNSSEC is completely unaffected
by IDNA.

I think it would be a bad idea to add anything to any section,
including the security considerations section, that made any remarks
specifically about DNSSEC.  If someone really wanted to add something
about the effects of IDNA on the security of the DNS _as such_ (rather
than the use of labels as humans understand them), I'd suggest
instead something to the following effect: "IDNA operates at a level
above DNS, and therefore does not affect the security of the DNS
protocols.  Security issues in the DNS protocols are also security
issues for IDNA, because IDNA depends on the DNS."  Or something like
that.  (But I don't think adding anything is a good idea.)  


Andrew Sullivan
ajs at
Shinkuro, Inc.
