IDN processing-related security considerations for draft-ietf-websec-strict-transport-sec

Andrew Sullivan ajs at
Fri Sep 30 23:47:58 CEST 2011

On Fri, Sep 30, 2011 at 11:27:17PM +0200, Frank Ellermann wrote:

> AFAICT they are not invalid outside of IDNA.  The RFCs defining host
> names / HTTP / URLs are not updated by IDNA.  For *all* LDH labels,
> if you are *not* interested in finding U-labels for A-labels, simply do
> not put them into any IDNA processing, because the result will not be
> what you want in certain corner cases.

Any LDH-label that is a putative A-label but that is not actually an
A-label is still a valid label in DNS (and even valid under the LDH
rules).  That's part of the design of IDNA.  

Non-LDH labels could be valid DNS labels, too, of course.  Strictly
speaking, you can put "can't" into the DNS and it will work.  Whether
any of your software will spit up on it is quite another question.

> Otherwise, if you want to find U-labels, take only XN-labels as input
> for IDNA processing, because anything else cannot be a valid A-label.

There is actually a perfectly good test of what a valid A-label is in
the IDNA2008 documents, and it seems to me that rather than providing
partial advice one ought to just point over there, no?


Andrew Sullivan
ajs at
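An added illustration of the distinction drawn above (constructed for this page, not code from Andrew's or Frank's message): a classifier that separates non-LDH labels, plain LDH labels, and "xn--" labels that do or do not pass the A-label test. The A-label check follows the shape of RFC 5891 section 5.4 (Punycode decode, non-ASCII content, NFC, hyphen placement, round-trip re-encoding), but the code point validity step is a simplification and an assumption of this example: it rejects Unicode general categories such as Cc and Cn rather than consulting the RFC 5892 derived property table. All sample labels are constructed.

```python
"""
Constructed example: classify a DNS label as non-LDH, plain LDH, or an
"xn--" label that is / is not a valid A-label.

The A-label test mirrors the steps of RFC 5891 section 5.4, but the code
point validity step is SIMPLIFIED (assumption of this example): instead of
the RFC 5892 derived property table it rejects only code points whose
Unicode general category is in REJECT_CATEGORIES.
"""
import codecs
import re
import unicodedata

# RFC 1123 "letters, digits, hyphen" label: 1-63 chars, no leading/trailing hyphen.
LDH_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Simplified stand-in for the RFC 5892 DISALLOWED check (assumption).
REJECT_CATEGORIES = {"Cc", "Cf", "Cs", "Co", "Cn", "Zs", "Zl", "Zp"}


def is_ldh_label(label: str) -> bool:
    """True if the label is syntactically a classic LDH label."""
    return LDH_RE.match(label) is not None


def is_xn_label(label: str) -> bool:
    """True for LDH labels carrying the IDNA ACE prefix 'xn--'."""
    return is_ldh_label(label) and label[:4].lower() == "xn--"


def check_a_label(label: str):
    """Return (is_valid, detail): detail is the U-label when valid,
    otherwise the reason the label is not an A-label."""
    if not is_xn_label(label):
        return False, "no xn-- prefix (or not an LDH label)"
    body = label[4:]
    try:
        # Strict decoding: malformed or truncated Punycode raises UnicodeError.
        u = codecs.decode(body.encode("ascii"), "punycode")
    except (UnicodeError, ValueError) as exc:
        return False, f"punycode decode failed: {exc}"
    if u == "" or u.isascii():
        return False, "decodes to pure ASCII; an A-label must carry non-ASCII"
    if unicodedata.normalize("NFC", u) != u:
        return False, "decoded string is not in NFC"
    bad = [c for c in u if unicodedata.category(c) in REJECT_CATEGORIES]
    if bad:
        return False, ("decoded string contains disallowed code points: "
                       + ", ".join(f"U+{ord(c):04X}" for c in bad))
    if u.startswith("-") or u.endswith("-") or u[2:4] == "--":
        return False, "hyphen in a forbidden position"
    # Canonical form: re-encoding the U-label must give back the same body.
    reencoded = codecs.encode(u, "punycode").decode("ascii")
    if reencoded.lower() != body.lower():
        return False, f"not canonical: re-encodes to xn--{reencoded}"
    return True, u


def classify(label: str) -> str:
    """One-line verdict for a single label."""
    if not is_ldh_label(label):
        return "non-LDH label (the DNS itself would still carry it)"
    if not is_xn_label(label):
        return "LDH label without xn-- prefix: never an A-label, keep out of IDNA"
    ok, detail = check_a_label(label)
    if ok:
        return f"valid A-label, U-label {detail!r}"
    return f"xn-- label but NOT an A-label: {detail}"


if __name__ == "__main__":
    # Constructed sample labels exercising each branch.
    for lbl in ["mnchen-3ya", "xn--mnchen-3ya", "xn--mnchen-3y",
                "xn--abc", "xn--", "can't"]:
        print(f"{lbl!r:>18}: {classify(lbl)}")
```

The point the labels make: `mnchen-3ya` is a perfectly good LDH label that is simply not an input for IDNA processing, `xn--mnchen-3ya` decodes, round-trips and yields the U-label, while `xn--mnchen-3y` and `xn--abc` are LDH labels the DNS will carry but which fail the A-label test (truncated Punycode and control characters respectively).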
