Re: [idn] proposals and deadlines
At 21:08 01/07/16 +0000, Adam M. Costello wrote:
>"Eric A. Hall" <ehall@ehsco.com> wrote:
>
> > This would break things that rely on the domain name being preserved.
> > With X.509 the client and the server have to agree on the domain name,
> > for example. If the resolver recombobulates a UTF-8 domain name from
> > ACE output, then the client and server are likely to have different
> > ideas of what the domain name should be.
>
>Not so. This is exactly what nameprep is for. By definition, two names
>X and Y are equal iff nameprep(X) and nameprep(Y) are byte-for-byte
>equal. The "recombobulated" name Y will always be equal to the original
>name X according to this definition. If an application works for X
>but fails for Y then the application is broken, not the DNS. Even
>if DNS didn't use ACE, you never know when a domain name might get
>transferred across some 7-bit protocol, so all applications must respect
>this definition of equality.
Obviously ACE isn't needed here; the only condition is that you compare
them using the same encoding (UTF-8, today's choice of ACE, or whatever),
or you can compare characters directly.
And the above also shows the danger of doing too much folding in nameprep,
or at the wrong place. As much as possible, names should only be stored
in the nameprepped version. In operational terms, it would be better if
a DNS server would reject a zone file with non-nameprepped names
(whether in ACE or in UTF-8 or whatever, as specified), and a nameprep
utility were available separately, than if everything just got
nameprepped without reflecting the errors back.
Regards, Martin.
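The equality rule quoted above (two names are equal iff their nameprep forms are byte-for-byte equal) and the zone-file check Martin proposes, as an added example that is not part of this thread: it uses Python's standard-library nameprep (RFC 3491) and the Punycode-based IDNA codec as a stand-in for "today's choice of ACE" (an assumption; the ACE under discussion in the thread was not yet fixed). The sample owner names are constructed, and `reject_non_nameprepped` is a hypothetical name for the check, not the behaviour of any real name server.

```python
import encodings.idna  # stdlib nameprep (RFC 3491) and the Punycode IDNA codec


def nameprep_name(name: str) -> str:
    """Apply nameprep label by label (case fold, NFKC, prohibited-char check).

    Raises UnicodeError if a label contains a prohibited code point.
    """
    return ".".join(encodings.idna.nameprep(label) for label in name.split("."))


def names_equal(x: str, y: str) -> bool:
    """The thread's definition: X == Y iff nameprep(X) and nameprep(Y) are
    byte-for-byte equal (compared here in one fixed encoding, UTF-8)."""
    return nameprep_name(x).encode("utf-8") == nameprep_name(y).encode("utf-8")


def to_ace(name: str) -> str:
    """Nameprep first, then ACE-encode each label so the result survives a
    7-bit protocol. Assumption: Punycode ("xn--") stands in for the ACE
    the thread refers to."""
    return nameprep_name(name).encode("idna").decode("ascii")


def from_ace(ace: str) -> str:
    """'Recombobulate' the Unicode form from ACE output."""
    return ace.encode("ascii").decode("idna")


def is_nameprepped(name: str) -> bool:
    """True if the name is already in its nameprep form, i.e. the form a
    zone should store. A name with a prohibited character is not."""
    try:
        return nameprep_name(name) == name
    except UnicodeError:
        return False


def reject_non_nameprepped(owner_names):
    """The check Martin asks of a DNS server loading a zone (hypothetical):
    report the owner names that are not stored in nameprepped form instead
    of silently folding them."""
    return [n for n in owner_names if not is_nameprepped(n)]


# Constructed sample zone owner names (not taken from the thread).
SAMPLE_ZONE = [
    "www.example",           # ASCII, lower case: already nameprepped
    "m\u00fcller.example",   # "müller": nameprepped Unicode
    "xn--mller-kva.example", # the same name in ACE: also nameprepped
    "M\u00dcLLER.example",   # upper case: nameprep would change it
    "\uff25\uff38\uff21\uff2d\uff30\uff2c\uff25.example",  # full-width "EXAMPLE": NFKC changes it
]


if __name__ == "__main__":
    x = "M\u00dcLLER.Example"
    ace = to_ace(x)
    y = from_ace(ace)
    print(ace, ace.isascii())       # the ACE form is pure 7-bit ASCII
    print(y, names_equal(x, y))     # y differs from x as a string, but is equal under nameprep
    print(reject_non_nameprepped(SAMPLE_ZONE))
```

`names_equal` is what the quoted reply relies on: the round trip `from_ace(to_ace(x))` returns the nameprepped form rather than the original string, so an application that compares raw strings (as Eric's X.509 case does) breaks, while one that compares nameprep forms does not. `reject_non_nameprepped` is Martin's alternative: store only nameprepped names and surface anything else as an error.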