secdir review of draft-ietf-idnabis-rationale-13.txt

Charlie Kaufman charliek at microsoft.com
Mon Oct 5 23:40:13 CEST 2009


I considered putting in more context, but decided against it (clearly a mistake).

IDNA specifies that all internationalized domain names served by DNS use the IDNA encoding, but the DNS spec does not. So the full statement in the draft appears to be saying that a DNS zone that does not use IDNA cannot use DNSSEC (in the sense of it wouldn't work as opposed to it MUST NOT). I cannot figure out why that would be true, though as I said there may be some subtlety I'm missing. I agree with Andrew that I can't see why this document should mention DNSSEC at all.

	--Charlie

-----Original Message-----
From: Paul Hoffman [mailto:phoffman at imc.org] 
Sent: Monday, October 05, 2009 2:09 PM
To: Charlie Kaufman; secdir at ietf.org; iesg at ietf.org; john+ietf at jck.com; vint at google.com; d3e3e3 at gmail.com; idna-update at alvestrand.no
Subject: Re: secdir review of draft-ietf-idnabis-rationale-13.txt

At 8:35 PM +0000 10/5/09, Charlie Kaufman wrote:
>I would question one statement in the document.
> 
>From Section 8.2:
> 
>In the presence of DNSSEC, no form of a zone file or query response that contains a U-label may be signed or the signature validated.
> 
>[a U-label indicates a name form containing non-ASCII characters not properly encoded with IDN].
> 
>I would expect that DNSSEC would operate at the layer below IDN, and could therefore sign and validate any data that DNS could validly return. There may be a subtle reason for this restriction that I don't understand, but the justification in the document didn't seem right.

Note that the sentences before the one that you flagged are:

   IDNA specifies that all internationalized domain names served by DNS
   servers that cannot be represented directly in ASCII MUST use the
   A-label form.  Conversion to A-labels MUST be performed prior to a
   zone being signed by the private key for that zone.  Because of this
   ordering, it is important to recognize that DNSSEC authenticates a
   domain name containing A-labels or conventional LDH-labels, not
   U-labels. 

The sentence that you flagged is just plain confusing and can be elided without loss of value to the document.
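Added example (not part of the thread or of the draft): the ordering the quoted Section 8.2 text describes, shown in code. Each non-ASCII label is converted to its A-label (RFC 3492 punycode with the "xn--" prefix; the IDNA2008 validity checks of RFC 5891/5892 are assumed to have been done already), the owner name is put in the RFC 4034 canonical form that a signer hashes, and only then is it signed. The HMAC "signature" and the key are constructed stand-ins for an RRSIG; what the example demonstrates is that the signing input is the A-label form, so a validator holding a U-label query name has to convert it before the signature can be checked, and a name still containing a U-label cannot even be put into canonical wire form.

```python
import hashlib
import hmac


def to_a_label(label: str) -> str:
    """Return the A-label for one label.

    LDH (pure ASCII) labels are returned unchanged; anything else becomes
    "xn--" + RFC 3492 punycode. The input is assumed to be a valid,
    already-normalised U-label (lowercase, NFC); no IDNA2008 checks are done.
    """
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def to_a_name(name: str) -> str:
    """Convert every label of a domain name; result is fully qualified."""
    labels = name.rstrip(".").split(".")
    return ".".join(to_a_label(lbl) for lbl in labels) + "."


def canonical_wire_name(name: str) -> bytes:
    """RFC 4034 section 6.2 canonical owner name: lowercase ASCII labels,
    each length-prefixed, terminated by the root label.

    Raises UnicodeEncodeError if any label is still a U-label, because the
    canonical form is defined only over ASCII labels.
    """
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.lower().encode("ascii")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def is_signable(name: str) -> bool:
    """True if the name can be put into canonical form, i.e. has no U-labels."""
    try:
        canonical_wire_name(name)
        return True
    except UnicodeEncodeError:
        return False


def sign_owner_name(a_name: str, key: bytes) -> bytes:
    """Stand-in for the signer: HMAC-SHA256 over the canonical owner name.

    Real DNSSEC signs an RRset with the zone's private key (RRSIG); the
    HMAC here is a constructed placeholder that only shows what the input
    to the signature is. Conversion to A-labels must happen before this.
    """
    return hmac.new(key, canonical_wire_name(a_name), hashlib.sha256).digest()


def validates(query_name: str, key: bytes, signature: bytes) -> bool:
    """Stand-in for the validator: a query name that arrives as a U-label is
    converted to A-labels first, otherwise it could never match what was
    signed."""
    expected = sign_owner_name(to_a_name(query_name), key)
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    key = b"constructed-demo-key"          # placeholder, not a DNSSEC key
    zone_name = to_a_name("bücher.example")  # what actually goes in the zone
    sig = sign_owner_name(zone_name, key)
    print(zone_name)                          # xn--bcher-kva.example.
    print(is_signable("bücher.example."))     # False: U-label, no canonical form
    print(validates("bücher.example", key, sig))   # True after conversion
    print(validates("bucher.example", key, sig))   # False: different name
```

Running it shows the signed owner name as "xn--bcher-kva.example." and that the same name presented as a U-label cannot be canonicalised until it is converted, which is exactly why the draft places the A-label conversion before signing.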