secdir review of draft-ietf-idnabis-rationale-13.txt

Paul Hoffman phoffman at
Mon Oct 5 23:08:31 CEST 2009

At 8:35 PM +0000 10/5/09, Charlie Kaufman wrote:
>I would question one statement in the document.
>From Section 8.2:
>In the presence of DNSSEC, no form of a zone file or query response that contains a U-label may be signed or the signature validated.
>[a U-label indicates a name form containing non-ASCII characters not properly encoded with IDN].
>I would expect that DNSSEC would operate at the layer below IDN, and could therefore sign and validate any data that DNS could validly return. There may be a subtle reason for this restriction that I don't understand, but the justification in the document didn't seem right.

Note that the sentences before the one that you flagged are:

   IDNA specifies that all internationalized domain names served by DNS
   servers that cannot be represented directly in ASCII MUST use the
   A-label form.  Conversion to A-labels MUST be performed prior to a
   zone being signed by the private key for that zone.  Because of this
   ordering, it is important to recognize that DNSSEC authenticates a
   domain name containing A-labels or conventional LDH-labels, not

The sentence that you flagged is just plain confusing and can be elided without loss of value to the document.
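The ordering the quoted draft text describes (convert every label to its A-label form, then sign; the validator only ever authenticates A-labels or LDH-labels) can be made concrete with a small model signer. The following Python is an added example and not code from the draft, from Paul Hoffman or from Charlie Kaufman. It assumes an HMAC over the RFC 4034 canonical owner-name wire form as a stand-in for a real RRSIG, and it uses Python's built-in `idna` codec (IDNA2003 rules) because the standard library has no IDNA2008 implementation; for the constructed sample name below the resulting A-label is the same under both.

```python
import hashlib
import hmac

# Constructed stand-in for the zone's private key. A real DNSSEC zone uses an
# asymmetric key and RRSIG records; HMAC is used here only to model "signed
# over exactly these bytes".
ZONE_KEY = b"example-zone-signing-key"


def to_a_label_name(name: str) -> str:
    """Convert each label of a domain name to A-label form.

    Uses Python's built-in 'idna' codec (IDNA2003 rules; assumption: for the
    simple labels used here the output matches IDNA2008). ASCII labels,
    including names already in A-label form, pass through unchanged.
    """
    labels = name.rstrip(".").split(".")
    return ".".join(label.encode("idna").decode("ascii") for label in labels)


def owner_name_wire(name: str) -> bytes:
    """DNS wire form of an owner name in RFC 4034 canonical form:
    length-prefixed, lowercased ASCII labels terminated by the root label.

    A U-label that was not converted cannot be expressed here; the ASCII
    encode raises UnicodeEncodeError, which is the point the draft makes.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)  # root label
    return bytes(out)


def sign_rr(owner: str, rrtype: str, rdata: bytes) -> bytes:
    """Sign one record in the order the draft mandates: A-label conversion
    first, then the signature over the canonical wire form."""
    canonical = owner_name_wire(to_a_label_name(owner)) + rrtype.encode("ascii") + rdata
    return hmac.new(ZONE_KEY, canonical, hashlib.sha256).digest()


def validate_rr(owner: str, rrtype: str, rdata: bytes, sig: bytes) -> bool:
    """Validate as a resolver would: it receives A-labels on the wire and
    recomputes over the same canonical bytes the signer used."""
    return hmac.compare_digest(sign_rr(owner, rrtype, rdata), sig)


def sign_u_label_bytes(owner: str, rrtype: str, rdata: bytes) -> bytes:
    """What a signature over the U-label form would be: the UTF-8 bytes of
    the name, which never appear in a DNS response. Shown only to
    demonstrate that such a signature cannot match what the server serves."""
    data = owner.encode("utf-8") + rrtype.encode("ascii") + rdata
    return hmac.new(ZONE_KEY, data, hashlib.sha256).digest()


if __name__ == "__main__":
    # Constructed sample record: a U-label owner name with an A record.
    u_name = "bücher.example"
    a_name = to_a_label_name(u_name)  # xn--bcher-kva.example
    rdata = bytes([192, 0, 2, 1])     # 192.0.2.1, documentation range

    sig = sign_rr(u_name, "A", rdata)
    print("A-label form served by DNS:", a_name)
    print("validates against A-label from the wire:",
          validate_rr(a_name, "A", rdata, sig))
    print("signature over raw U-label bytes matches the served form:",
          sign_u_label_bytes(u_name, "A", rdata) == sig)
```

Because conversion happens before signing, a zone operator may type the U-label or the A-label and obtain the same signature, while a signature computed over the U-label's UTF-8 bytes can never be checked against the A-label a server actually returns.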
