Path: blob/main/crypto/heimdal/lib/wind/rfc3490.txt
34907 views
123456Network Working Group P. Faltstrom7Request for Comments: 3490 Cisco8Category: Standards Track P. Hoffman9IMC & VPNC10A. Costello11UC Berkeley12March 2003131415Internationalizing Domain Names in Applications (IDNA)1617Status of this Memo1819This document specifies an Internet standards track protocol for the20Internet community, and requests discussion and suggestions for21improvements. Please refer to the current edition of the "Internet22Official Protocol Standards" (STD 1) for the standardization state23and status of this protocol. Distribution of this memo is unlimited.2425Copyright Notice2627Copyright (C) The Internet Society (2003). All Rights Reserved.2829Abstract3031Until now, there has been no standard method for domain names to use32characters outside the ASCII repertoire. This document defines33internationalized domain names (IDNs) and a mechanism called34Internationalizing Domain Names in Applications (IDNA) for handling35them in a standard fashion. IDNs use characters drawn from a large36repertoire (Unicode), but IDNA allows the non-ASCII characters to be37represented using only the ASCII characters already allowed in so-38called host names today. This backward-compatible representation is39required in existing protocols like DNS, so that IDNs can be40introduced with no changes to the existing infrastructure. IDNA is41only meant for processing domain names, not free text.4243Table of Contents44451. Introduction.................................................. 2461.1 Problem Statement......................................... 3471.2 Limitations of IDNA....................................... 3481.3 Brief overview for application developers................. 4492. Terminology................................................... 5503. Requirements and applicability................................ 7513.1 Requirements.............................................. 7523.2 Applicability............................................. 8533.2.1. DNS resource records................................ 854555657Faltstrom, et al. Standards Track [Page 1]5859RFC 3490 IDNA March 20036061623.2.2. Non-domain-name data types stored in domain names... 9634. Conversion operations......................................... 9644.1 ToASCII................................................... 10654.2 ToUnicode................................................. 11665. ACE prefix.................................................... 12676. Implications for typical applications using DNS............... 13686.1 Entry and display in applications......................... 14696.2 Applications and resolver libraries....................... 15706.3 DNS servers............................................... 15716.4 Avoiding exposing users to the raw ACE encoding........... 16726.5 DNSSEC authentication of IDN domain names................ 16737. Name server considerations.................................... 17748. Root server considerations.................................... 17759. References.................................................... 18769.1 Normative References...................................... 18779.2 Informative References.................................... 187810. Security Considerations...................................... 197911. IANA Considerations.......................................... 208012. Authors' Addresses........................................... 218113. Full Copyright Statement..................................... 2282831. Introduction8485IDNA works by allowing applications to use certain ASCII name labels86(beginning with a special prefix) to represent non-ASCII name labels.87Lower-layer protocols need not be aware of this; therefore IDNA does88not depend on changes to any infrastructure. In particular, IDNA89does not depend on any changes to DNS servers, resolvers, or protocol90elements, because the ASCII name service provided by the existing DNS91is entirely sufficient for IDNA.9293This document does not require any applications to conform to IDNA,94but applications can elect to use IDNA in order to support IDN while95maintaining interoperability with existing infrastructure. If an96application wants to use non-ASCII characters in domain names, IDNA97is the only currently-defined option. Adding IDNA support to an98existing application entails changes to the application only, and99leaves room for flexibility in the user interface.100101A great deal of the discussion of IDN solutions has focused on102transition issues and how IDN will work in a world where not all of103the components have been updated. Proposals that were not chosen by104the IDN Working Group would depend on user applications, resolvers,105and DNS servers being updated in order for a user to use an106internationalized domain name. Rather than rely on widespread107updating of all components, IDNA depends on updates to user108applications only; no changes are needed to the DNS protocol or any109DNS servers or the resolvers on user's computers.110111112113Faltstrom, et al. Standards Track [Page 2]114115RFC 3490 IDNA March 20031161171181.1 Problem Statement119120The IDNA specification solves the problem of extending the repertoire121of characters that can be used in domain names to include the Unicode122repertoire (with some restrictions).123124IDNA does not extend the service offered by DNS to the applications.125Instead, the applications (and, by implication, the users) continue126to see an exact-match lookup service. Either there is a single127exactly-matching name or there is no match. This model has served128the existing applications well, but it requires, with or without129internationalized domain names, that users know the exact spelling of130the domain names that the users type into applications such as web131browsers and mail user agents. The introduction of the larger132repertoire of characters potentially makes the set of misspellings133larger, especially given that in some cases the same appearance, for134example on a business card, might visually match several Unicode code135points or several sequences of code points.136137IDNA allows the graceful introduction of IDNs not only by avoiding138upgrades to existing infrastructure (such as DNS servers and mail139transport agents), but also by allowing some rudimentary use of IDNs140in applications by using the ASCII representation of the non-ASCII141name labels. While such names are very user-unfriendly to read and142type, and hence are not suitable for user input, they allow (for143instance) replying to email and clicking on URLs even though the144domain name displayed is incomprehensible to the user. In order to145allow user-friendly input and output of the IDNs, the applications146need to be modified to conform to this specification.147148IDNA uses the Unicode character repertoire, which avoids the149significant delays that would be inherent in waiting for a different150and specific character set be defined for IDN purposes by some other151standards developing organization.1521531.2 Limitations of IDNA154155The IDNA protocol does not solve all linguistic issues with users156inputting names in different scripts. Many important language-based157and script-based mappings are not covered in IDNA and need to be158handled outside the protocol. For example, names that are entered in159a mix of traditional and simplified Chinese characters will not be160mapped to a single canonical name. Another example is Scandinavian161names that are entered with U+00F6 (LATIN SMALL LETTER O WITH162DIAERESIS) will not be mapped to U+00F8 (LATIN SMALL LETTER O WITH163STROKE).164165166167168169Faltstrom, et al. Standards Track [Page 3]170171RFC 3490 IDNA March 2003172173174An example of an important issue that is not considered in detail in175IDNA is how to provide a high probability that a user who is entering176a domain name based on visual information (such as from a business177card or billboard) or aural information (such as from a telephone or178radio) would correctly enter the IDN. Similar issues exist for ASCII179domain names, for example the possible visual confusion between the180letter 'O' and the digit zero, but the introduction of the larger181repertoire of characters creates more opportunities of similar182looking and similar sounding names. Note that this is a complex183issue relating to languages, input methods on computers, and so on.184Furthermore, the kind of matching and searching necessary for a high185probability of success would not fit the role of the DNS and its186exact matching function.1871881.3 Brief overview for application developers189190Applications can use IDNA to support internationalized domain names191anywhere that ASCII domain names are already supported, including DNS192master files and resolver interfaces. (Applications can also define193protocols and interfaces that support IDNs directly using non-ASCII194representations. IDNA does not prescribe any particular195representation for new protocols, but it still defines which names196are valid and how they are compared.)197198The IDNA protocol is contained completely within applications. It is199not a client-server or peer-to-peer protocol: everything is done200inside the application itself. When used with a DNS resolver201library, IDNA is inserted as a "shim" between the application and the202resolver library. When used for writing names into a DNS zone, IDNA203is used just before the name is committed to the zone.204205There are two operations described in section 4 of this document:206207- The ToASCII operation is used before sending an IDN to something208that expects ASCII names (such as a resolver) or writing an IDN209into a place that expects ASCII names (such as a DNS master file).210211- The ToUnicode operation is used when displaying names to users,212for example names obtained from a DNS zone.213214It is important to note that the ToASCII operation can fail. If it215fails when processing a domain name, that domain name cannot be used216as an internationalized domain name and the application has to have217some method of dealing with this failure.218219IDNA requires that implementations process input strings with220Nameprep [NAMEPREP], which is a profile of Stringprep [STRINGPREP],221and then with Punycode [PUNYCODE]. Implementations of IDNA MUST222223224225Faltstrom, et al. Standards Track [Page 4]226227RFC 3490 IDNA March 2003228229230fully implement Nameprep and Punycode; neither Nameprep nor Punycode231are optional.2322332. Terminology234235The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",236and "MAY" in this document are to be interpreted as described in BCP23714, RFC 2119 [RFC2119].238239A code point is an integer value associated with a character in a240coded character set.241242Unicode [UNICODE] is a coded character set containing tens of243thousands of characters. A single Unicode code point is denoted by244"U+" followed by four to six hexadecimal digits, while a range of245Unicode code points is denoted by two hexadecimal numbers separated246by "..", with no prefixes.247248ASCII means US-ASCII [USASCII], a coded character set containing 128249characters associated with code points in the range 0..7F. Unicode250is an extension of ASCII: it includes all the ASCII characters and251associates them with the same code points.252253The term "LDH code points" is defined in this document to mean the254code points associated with ASCII letters, digits, and the hyphen-255minus; that is, U+002D, 30..39, 41..5A, and 61..7A. "LDH" is an256abbreviation for "letters, digits, hyphen".257258[STD13] talks about "domain names" and "host names", but many people259use the terms interchangeably. Further, because [STD13] was not260terribly clear, many people who are sure they know the exact261definitions of each of these terms disagree on the definitions. In262this document the term "domain name" is used in general. This263document explicitly cites [STD3] whenever referring to the host name264syntax restrictions defined therein.265266A label is an individual part of a domain name. Labels are usually267shown separated by dots; for example, the domain name268"www.example.com" is composed of three labels: "www", "example", and269"com". (The zero-length root label described in [STD13], which can270be explicit as in "www.example.com." or implicit as in271"www.example.com", is not considered a label in this specification.)272IDNA extends the set of usable characters in labels that are text.273For the rest of this document, the term "label" is shorthand for274"text label", and "every label" means "every text label".275276277278279280281Faltstrom, et al. Standards Track [Page 5]282283RFC 3490 IDNA March 2003284285286An "internationalized label" is a label to which the ToASCII287operation (see section 4) can be applied without failing (with the288UseSTD3ASCIIRules flag unset). This implies that every ASCII label289that satisfies the [STD13] length restriction is an internationalized290label. Therefore the term "internationalized label" is a291generalization, embracing both old ASCII labels and new non-ASCII292labels. Although most Unicode characters can appear in293internationalized labels, ToASCII will fail for some input strings,294and such strings are not valid internationalized labels.295296An "internationalized domain name" (IDN) is a domain name in which297every label is an internationalized label. This implies that every298ASCII domain name is an IDN (which implies that it is possible for a299name to be an IDN without it containing any non-ASCII characters).300This document does not attempt to define an "internationalized host301name". Just as has been the case with ASCII names, some DNS zone302administrators may impose restrictions, beyond those imposed by DNS303or IDNA, on the characters or strings that may be registered as304labels in their zones. Such restrictions have no impact on the305syntax or semantics of DNS protocol messages; a query for a name that306matches no records will yield the same response regardless of the307reason why it is not in the zone. Clients issuing queries or308interpreting responses cannot be assumed to have any knowledge of309zone-specific restrictions or conventions.310311In IDNA, equivalence of labels is defined in terms of the ToASCII312operation, which constructs an ASCII form for a given label, whether313or not the label was already an ASCII label. Labels are defined to314be equivalent if and only if their ASCII forms produced by ToASCII315match using a case-insensitive ASCII comparison. ASCII labels316already have a notion of equivalence: upper case and lower case are317considered equivalent. The IDNA notion of equivalence is an318extension of that older notion. Equivalent labels in IDNA are319treated as alternate forms of the same label, just as "foo" and "Foo"320are treated as alternate forms of the same label.321322To allow internationalized labels to be handled by existing323applications, IDNA uses an "ACE label" (ACE stands for ASCII324Compatible Encoding). An ACE label is an internationalized label325that can be rendered in ASCII and is equivalent to an326internationalized label that cannot be rendered in ASCII. Given any327internationalized label that cannot be rendered in ASCII, the ToASCII328operation will convert it to an equivalent ACE label (whereas an329ASCII label will be left unaltered by ToASCII). ACE labels are330unsuitable for display to users. The ToUnicode operation will331convert any label to an equivalent non-ACE label. In fact, an ACE332label is formally defined to be any label that the ToUnicode333operation would alter (whereas non-ACE labels are left unaltered by334335336337Faltstrom, et al. Standards Track [Page 6]338339RFC 3490 IDNA March 2003340341342ToUnicode). Every ACE label begins with the ACE prefix specified in343section 5. The ToASCII and ToUnicode operations are specified in344section 4.345346The "ACE prefix" is defined in this document to be a string of ASCII347characters that appears at the beginning of every ACE label. It is348specified in section 5.349350A "domain name slot" is defined in this document to be a protocol351element or a function argument or a return value (and so on)352explicitly designated for carrying a domain name. Examples of domain353name slots include: the QNAME field of a DNS query; the name argument354of the gethostbyname() library function; the part of an email address355following the at-sign (@) in the From: field of an email message356header; and the host portion of the URI in the src attribute of an357HTML <IMG> tag. General text that just happens to contain a domain358name is not a domain name slot; for example, a domain name appearing359in the plain text body of an email message is not occupying a domain360name slot.361362An "IDN-aware domain name slot" is defined in this document to be a363domain name slot explicitly designated for carrying an364internationalized domain name as defined in this document. The365designation may be static (for example, in the specification of the366protocol or interface) or dynamic (for example, as a result of367negotiation in an interactive session).368369An "IDN-unaware domain name slot" is defined in this document to be370any domain name slot that is not an IDN-aware domain name slot.371Obviously, this includes any domain name slot whose specification372predates IDNA.3733743. Requirements and applicability3753763.1 Requirements377378IDNA conformance means adherence to the following four requirements:3793801) Whenever dots are used as label separators, the following381characters MUST be recognized as dots: U+002E (full stop), U+3002382(ideographic full stop), U+FF0E (fullwidth full stop), U+FF61383(halfwidth ideographic full stop).3843852) Whenever a domain name is put into an IDN-unaware domain name slot386(see section 2), it MUST contain only ASCII characters. Given an387internationalized domain name (IDN), an equivalent domain name388satisfying this requirement can be obtained by applying the389390391392393Faltstrom, et al. Standards Track [Page 7]394395RFC 3490 IDNA March 2003396397398ToASCII operation (see section 4) to each label and, if dots are399used as label separators, changing all the label separators to400U+002E.4014023) ACE labels obtained from domain name slots SHOULD be hidden from403users when it is known that the environment can handle the non-ACE404form, except when the ACE form is explicitly requested. When it405is not known whether or not the environment can handle the non-ACE406form, the application MAY use the non-ACE form (which might fail,407such as by not being displayed properly), or it MAY use the ACE408form (which will look unintelligle to the user). Given an409internationalized domain name, an equivalent domain name410containing no ACE labels can be obtained by applying the ToUnicode411operation (see section 4) to each label. When requirements 2 and4123 both apply, requirement 2 takes precedence.4134144) Whenever two labels are compared, they MUST be considered to match415if and only if they are equivalent, that is, their ASCII forms416(obtained by applying ToASCII) match using a case-insensitive417ASCII comparison. Whenever two names are compared, they MUST be418considered to match if and only if their corresponding labels419match, regardless of whether the names use the same forms of label420separators.4214223.2 Applicability423424IDNA is applicable to all domain names in all domain name slots425except where it is explicitly excluded.426427This implies that IDNA is applicable to many protocols that predate428IDNA. Note that IDNs occupying domain name slots in those protocols429MUST be in ASCII form (see section 3.1, requirement 2).4304313.2.1. DNS resource records432433IDNA does not apply to domain names in the NAME and RDATA fields of434DNS resource records whose CLASS is not IN. This exclusion applies435to every non-IN class, present and future, except where future436standards override this exclusion by explicitly inviting the use of437IDNA.438439There are currently no other exclusions on the applicability of IDNA440to DNS resource records; it depends entirely on the CLASS, and not on441the TYPE. This will remain true, even as new types are defined,442unless there is a compelling reason for a new type to complicate443matters by imposing type-specific rules.444445446447448449Faltstrom, et al. Standards Track [Page 8]450451RFC 3490 IDNA March 20034524534543.2.2. Non-domain-name data types stored in domain names455456Although IDNA enables the representation of non-ASCII characters in457domain names, that does not imply that IDNA enables the458representation of non-ASCII characters in other data types that are459stored in domain names. For example, an email address local part is460sometimes stored in a domain label ([email protected] would be461represented as hostmaster.example.com in the RDATA field of an SOA462record). IDNA does not update the existing email standards, which463allow only ASCII characters in local parts. Therefore, unless the464email standards are revised to invite the use of IDNA for local465parts, a domain label that holds the local part of an email address466SHOULD NOT begin with the ACE prefix, and even if it does, it is to467be interpreted literally as a local part that happens to begin with468the ACE prefix.4694704. Conversion operations471472An application converts a domain name put into an IDN-unaware slot or473displayed to a user. This section specifies the steps to perform in474the conversion, and the ToASCII and ToUnicode operations.475476The input to ToASCII or ToUnicode is a single label that is a477sequence of Unicode code points (remember that all ASCII code points478are also Unicode code points). If a domain name is represented using479a character set other than Unicode or US-ASCII, it will first need to480be transcoded to Unicode.481482Starting from a whole domain name, the steps that an application483takes to do the conversions are:4844851) Decide whether the domain name is a "stored string" or a "query486string" as described in [STRINGPREP]. If this conversion follows487the "queries" rule from [STRINGPREP], set the flag called488"AllowUnassigned".4894902) Split the domain name into individual labels as described in491section 3.1. The labels do not include the separator.4924933) For each label, decide whether or not to enforce the restrictions494on ASCII characters in host names [STD3]. (Applications already495faced this choice before the introduction of IDNA, and can496continue to make the decision the same way they always have; IDNA497makes no new recommendations regarding this choice.) If the498restrictions are to be enforced, set the flag called499"UseSTD3ASCIIRules" for that label.500501502503504505Faltstrom, et al. Standards Track [Page 9]506507RFC 3490 IDNA March 20035085095104) Process each label with either the ToASCII or the ToUnicode511operation as appropriate. Typically, you use the ToASCII512operation if you are about to put the name into an IDN-unaware513slot, and you use the ToUnicode operation if you are displaying514the name to a user; section 3.1 gives greater detail on the515applicable requirements.5165175) If ToASCII was applied in step 4 and dots are used as label518separators, change all the label separators to U+002E (full stop).519520The following two subsections define the ToASCII and ToUnicode521operations that are used in step 4.522523This description of the protocol uses specific procedure names, names524of flags, and so on, in order to facilitate the specification of the525protocol. These names, as well as the actual steps of the526procedures, are not required of an implementation. In fact, any527implementation which has the same external behavior as specified in528this document conforms to this specification.5295304.1 ToASCII531532The ToASCII operation takes a sequence of Unicode code points that533make up one label and transforms it into a sequence of code points in534the ASCII range (0..7F). If ToASCII succeeds, the original sequence535and the resulting sequence are equivalent labels.536537It is important to note that the ToASCII operation can fail. ToASCII538fails if any step of it fails. If any step of the ToASCII operation539fails on any label in a domain name, that domain name MUST NOT be540used as an internationalized domain name. The method for dealing541with this failure is application-specific.542543The inputs to ToASCII are a sequence of code points, the544AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of545ToASCII is either a sequence of ASCII code points or a failure546condition.547548ToASCII never alters a sequence of code points that are all in the549ASCII range to begin with (although it could fail). Applying the550ToASCII operation multiple times has exactly the same effect as551applying it just once.552553ToASCII consists of the following steps:5545551. If the sequence contains any code points outside the ASCII range556(0..7F) then proceed to step 2, otherwise skip to step 3.557558559560561Faltstrom, et al. Standards Track [Page 10]562563RFC 3490 IDNA March 20035645655662. Perform the steps specified in [NAMEPREP] and fail if there is an567error. The AllowUnassigned flag is used in [NAMEPREP].5685693. If the UseSTD3ASCIIRules flag is set, then perform these checks:570571(a) Verify the absence of non-LDH ASCII code points; that is, the572absence of 0..2C, 2E..2F, 3A..40, 5B..60, and 7B..7F.573574(b) Verify the absence of leading and trailing hyphen-minus; that575is, the absence of U+002D at the beginning and end of the576sequence.5775784. If the sequence contains any code points outside the ASCII range579(0..7F) then proceed to step 5, otherwise skip to step 8.5805815. Verify that the sequence does NOT begin with the ACE prefix.5825836. Encode the sequence using the encoding algorithm in [PUNYCODE] and584fail if there is an error.5855867. Prepend the ACE prefix.5875888. Verify that the number of code points is in the range 1 to 63589inclusive.5905914.2 ToUnicode592593The ToUnicode operation takes a sequence of Unicode code points that594make up one label and returns a sequence of Unicode code points. If595the input sequence is a label in ACE form, then the result is an596equivalent internationalized label that is not in ACE form, otherwise597the original sequence is returned unaltered.598599ToUnicode never fails. If any step fails, then the original input600sequence is returned immediately in that step.601602The ToUnicode output never contains more code points than its input.603Note that the number of octets needed to represent a sequence of code604points depends on the particular character encoding used.605606The inputs to ToUnicode are a sequence of code points, the607AllowUnassigned flag, and the UseSTD3ASCIIRules flag. The output of608ToUnicode is always a sequence of Unicode code points.6096101. If all code points in the sequence are in the ASCII range (0..7F)611then skip to step 3.612613614615616617Faltstrom, et al. Standards Track [Page 11]618619RFC 3490 IDNA March 20036206216222. Perform the steps specified in [NAMEPREP] and fail if there is an623error. (If step 3 of ToASCII is also performed here, it will not624affect the overall behavior of ToUnicode, but it is not625necessary.) The AllowUnassigned flag is used in [NAMEPREP].6266273. Verify that the sequence begins with the ACE prefix, and save a628copy of the sequence.6296304. Remove the ACE prefix.6316325. Decode the sequence using the decoding algorithm in [PUNYCODE] and633fail if there is an error. Save a copy of the result of this634step.6356366. Apply ToASCII.6376387. Verify that the result of step 6 matches the saved copy from step6393, using a case-insensitive ASCII comparison.6406418. Return the saved copy from step 5.6426435. ACE prefix644645The ACE prefix, used in the conversion operations (section 4), is two646alphanumeric ASCII characters followed by two hyphen-minuses. It647cannot be any of the prefixes already used in earlier documents,648which includes the following: "bl--", "bq--", "dq--", "lq--", "mq--",649"ra--", "wq--" and "zq--". The ToASCII and ToUnicode operations MUST650recognize the ACE prefix in a case-insensitive manner.651652The ACE prefix for IDNA is "xn--" or any capitalization thereof.653654This means that an ACE label might be "xn--de-jg4avhby1noc0d", where655"de-jg4avhby1noc0d" is the part of the ACE label that is generated by656the encoding steps in [PUNYCODE].657658While all ACE labels begin with the ACE prefix, not all labels659beginning with the ACE prefix are necessarily ACE labels. Non-ACE660labels that begin with the ACE prefix will confuse users and SHOULD661NOT be allowed in DNS zones.662663664665666667668669670671672673Faltstrom, et al. Standards Track [Page 12]674675RFC 3490 IDNA March 20036766776786. Implications for typical applications using DNS679680In IDNA, applications perform the processing needed to input681internationalized domain names from users, display internationalized682domain names to users, and process the inputs and outputs from DNS683and other protocols that carry domain names.684685The components and interfaces between them can be represented686pictorially as:687688+------+689| User |690+------+691^692| Input and display: local interface methods693| (pen, keyboard, glowing phosphorus, ...)694+-------------------|-------------------------------+695| v |696| +-----------------------------+ |697| | Application | |698| | (ToASCII and ToUnicode | |699| | operations may be | |700| | called here) | |701| +-----------------------------+ |702| ^ ^ | End system703| | | |704| Call to resolver: | | Application-specific |705| ACE | | protocol: |706| v | ACE unless the |707| +----------+ | protocol is updated |708| | Resolver | | to handle other |709| +----------+ | encodings |710| ^ | |711+-----------------|----------|----------------------+712DNS protocol: | |713ACE | |714v v715+-------------+ +---------------------+716| DNS servers | | Application servers |717+-------------+ +---------------------+718719The box labeled "Application" is where the application splits a720domain name into labels, sets the appropriate flags, and performs the721ToASCII and ToUnicode operations. This is described in section 4.722723724725726727728729Faltstrom, et al. Standards Track [Page 13]730731RFC 3490 IDNA March 20037327337346.1 Entry and display in applications735736Applications can accept domain names using any character set or sets737desired by the application developer, and can display domain names in738any charset. That is, the IDNA protocol does not affect the739interface between users and applications.740741An IDNA-aware application can accept and display internationalized742domain names in two formats: the internationalized character set(s)743supported by the application, and as an ACE label. ACE labels that744are displayed or input MUST always include the ACE prefix.745Applications MAY allow input and display of ACE labels, but are not746encouraged to do so except as an interface for special purposes,747possibly for debugging, or to cope with display limitations as748described in section 6.4.. ACE encoding is opaque and ugly, and749should thus only be exposed to users who absolutely need it. Because750name labels encoded as ACE name labels can be rendered either as the751encoded ASCII characters or the proper decoded characters, the752application MAY have an option for the user to select the preferred753method of display; if it does, rendering the ACE SHOULD NOT be the754default.755756Domain names are often stored and transported in many places. For757example, they are part of documents such as mail messages and web758pages. They are transported in many parts of many protocols, such as759both the control commands and the RFC 2822 body parts of SMTP, and760the headers and the body content in HTTP. It is important to761remember that domain names appear both in domain name slots and in762the content that is passed over protocols.763764In protocols and document formats that define how to handle765specification or negotiation of charsets, labels can be encoded in766any charset allowed by the protocol or document format. If a767protocol or document format only allows one charset, the labels MUST768be given in that charset.769770In any place where a protocol or document format allows transmission771of the characters in internationalized labels, internationalized772labels SHOULD be transmitted using whatever character encoding and773escape mechanism that the protocol or document format uses at that774place.775776All protocols that use domain name slots already have the capacity777for handling domain names in the ASCII charset. Thus, ACE labels778(internationalized labels that have been processed with the ToASCII779operation) can inherently be handled by those protocols.780781782783784785Faltstrom, et al. Standards Track [Page 14]786787RFC 3490 IDNA March 20037887897906.2 Applications and resolver libraries791792Applications normally use functions in the operating system when they793resolve DNS queries. Those functions in the operating system are794often called "the resolver library", and the applications communicate795with the resolver libraries through a programming interface (API).796797Because these resolver libraries today expect only domain names in798ASCII, applications MUST prepare labels that are passed to the799resolver library using the ToASCII operation. Labels received from800the resolver library contain only ASCII characters; internationalized801labels that cannot be represented directly in ASCII use the ACE form.802ACE labels always include the ACE prefix.803804An operating system might have a set of libraries for performing the805ToASCII operation. The input to such a library might be in one or806more charsets that are used in applications (UTF-8 and UTF-16 are807likely candidates for almost any operating system, and script-808specific charsets are likely for localized operating systems).809810IDNA-aware applications MUST be able to work with both non-811internationalized labels (those that conform to [STD13] and [STD3])812and internationalized labels.813814It is expected that new versions of the resolver libraries in the815future will be able to accept domain names in other charsets than816ASCII, and application developers might one day pass not only domain817names in Unicode, but also in local script to a new API for the818resolver libraries in the operating system. Thus the ToASCII and819ToUnicode operations might be performed inside these new versions of820the resolver libraries.821822Domain names passed to resolvers or put into the question section of823DNS requests follow the rules for "queries" from [STRINGPREP].8248256.3 DNS servers826827Domain names stored in zones follow the rules for "stored strings"828from [STRINGPREP].829830For internationalized labels that cannot be represented directly in831ASCII, DNS servers MUST use the ACE form produced by the ToASCII832operation. All IDNs served by DNS servers MUST contain only ASCII833characters.834835If a signaling system which makes negotiation possible between old836and new DNS clients and servers is standardized in the future, the837encoding of the query in the DNS protocol itself can be changed from838839840841Faltstrom, et al. Standards Track [Page 15]842843RFC 3490 IDNA March 2003844845846ACE to something else, such as UTF-8. The question whether or not847this should be used is, however, a separate problem and is not848discussed in this memo.8498506.4 Avoiding exposing users to the raw ACE encoding851852Any application that might show the user a domain name obtained from853a domain name slot, such as from gethostbyaddr or part of a mail854header, will need to be updated if it is to prevent users from seeing855the ACE.856857If an application decodes an ACE name using ToUnicode but cannot show858all of the characters in the decoded name, such as if the name859contains characters that the output system cannot display, the860application SHOULD show the name in ACE format (which always includes861the ACE prefix) instead of displaying the name with the replacement862character (U+FFFD). This is to make it easier for the user to863transfer the name correctly to other programs. Programs that by864default show the ACE form when they cannot show all the characters in865a name label SHOULD also have a mechanism to show the name that is866produced by the ToUnicode operation with as many characters as867possible and replacement characters in the positions where characters868cannot be displayed.869870The ToUnicode operation does not alter labels that are not valid ACE871labels, even if they begin with the ACE prefix. After ToUnicode has872been applied, if a label still begins with the ACE prefix, then it is873not a valid ACE label, and is not equivalent to any of the874intermediate Unicode strings constructed by ToUnicode.8758766.5 DNSSEC authentication of IDN domain names877878DNS Security [RFC2535] is a method for supplying cryptographic879verification information along with DNS messages. Public Key880Cryptography is used in conjunction with digital signatures to881provide a means for a requester of domain information to authenticate882the source of the data. This ensures that it can be traced back to a883trusted source, either directly, or via a chain of trust linking the884source of the information to the top of the DNS hierarchy.885886IDNA specifies that all internationalized domain names served by DNS887servers that cannot be represented directly in ASCII must use the ACE888form produced by the ToASCII operation. This operation must be889performed prior to a zone being signed by the private key for that890zone. Because of this ordering, it is important to recognize that891DNSSEC authenticates the ASCII domain name, not the Unicode form or892893894895896897Faltstrom, et al. Standards Track [Page 16]898899RFC 3490 IDNA March 2003900901902the mapping between the Unicode form and the ASCII form. In the903presence of DNSSEC, this is the name that MUST be signed in the zone904and MUST be validated against.905906One consequence of this for sites deploying IDNA in the presence of907DNSSEC is that any special purpose proxies or forwarders used to908transform user input into IDNs must be earlier in the resolution flow909than DNSSEC authenticating nameservers for DNSSEC to work.9109117. Name server considerations912913Existing DNS servers do not know the IDNA rules for handling non-914ASCII forms of IDNs, and therefore need to be shielded from them.915All existing channels through which names can enter a DNS server916database (for example, master files [STD13] and DNS update messages917[RFC2136]) are IDN-unaware because they predate IDNA, and therefore918requirement 2 of section 3.1 of this document provides the needed919shielding, by ensuring that internationalized domain names entering920DNS server databases through such channels have already been921converted to their equivalent ASCII forms.922923It is imperative that there be only one ASCII encoding for a924particular domain name. Because of the design of the ToASCII and925ToUnicode operations, there are no ACE labels that decode to ASCII926labels, and therefore name servers cannot contain multiple ASCII927encodings of the same domain name.928929[RFC2181] explicitly allows domain labels to contain octets beyond930the ASCII range (0..7F), and this document does not change that.931Note, however, that there is no defined interpretation of octets93280..FF as characters. If labels containing these octets are returned933to applications, unpredictable behavior could result. The ASCII form934defined by ToASCII is the only standard representation for935internationalized labels in the current DNS protocol.9369378. Root server considerations938939IDNs are likely to be somewhat longer than current domain names, so940the bandwidth needed by the root servers is likely to go up by a941small amount. Also, queries and responses for IDNs will probably be942somewhat longer than typical queries today, so more queries and943responses may be forced to go to TCP instead of UDP.944945946947948949950951952953Faltstrom, et al. Standards Track [Page 17]954955RFC 3490 IDNA March 20039569579589. References9599609.1 Normative References961962[RFC2119] Bradner, S., "Key words for use in RFCs to Indicate963Requirement Levels", BCP 14, RFC 2119, March 1997.964965[STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of966Internationalized Strings ("stringprep")", RFC 3454,967December 2002.968969[NAMEPREP] Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep970Profile for Internationalized Domain Names (IDN)", RFC9713491, March 2003.972973[PUNYCODE] Costello, A., "Punycode: A Bootstring encoding of974Unicode for use with Internationalized Domain Names in975Applications (IDNA)", RFC 3492, March 2003.976977[STD3] Braden, R., "Requirements for Internet Hosts --978Communication Layers", STD 3, RFC 1122, and979"Requirements for Internet Hosts -- Application and980Support", STD 3, RFC 1123, October 1989.981982[STD13] Mockapetris, P., "Domain names - concepts and983facilities", STD 13, RFC 1034 and "Domain names -984implementation and specification", STD 13, RFC 1035,985November 1987.9869879.2 Informative References988989[RFC2535] Eastlake, D., "Domain Name System Security Extensions",990RFC 2535, March 1999.991992[RFC2181] Elz, R. and R. Bush, "Clarifications to the DNS993Specification", RFC 2181, July 1997.994995[UAX9] Unicode Standard Annex #9, The Bidirectional Algorithm,996<http://www.unicode.org/unicode/reports/tr9/>.997998[UNICODE] The Unicode Consortium. The Unicode Standard, Version9993.2.0 is defined by The Unicode Standard, Version 3.01000(Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),1001as amended by the Unicode Standard Annex #27: Unicode10023.1 (http://www.unicode.org/reports/tr27/) and by the1003Unicode Standard Annex #28: Unicode 3.21004(http://www.unicode.org/reports/tr28/).10051006100710081009Faltstrom, et al. Standards Track [Page 18]10101011RFC 3490 IDNA March 2003101210131014[USASCII] Cerf, V., "ASCII format for Network Interchange", RFC101520, October 1969.1016101710. Security Considerations10181019Security on the Internet partly relies on the DNS. Thus, any change1020to the characteristics of the DNS can change the security of much of1021the Internet.10221023This memo describes an algorithm which encodes characters that are1024not valid according to STD3 and STD13 into octet values that are1025valid. No security issues such as string length increases or new1026allowed values are introduced by the encoding process or the use of1027these encoded values, apart from those introduced by the ACE encoding1028itself.10291030Domain names are used by users to identify and connect to Internet1031servers. The security of the Internet is compromised if a user1032entering a single internationalized name is connected to different1033servers based on different interpretations of the internationalized1034domain name.10351036When systems use local character sets other than ASCII and Unicode,1037this specification leaves the the problem of transcoding between the1038local character set and Unicode up to the application. If different1039applications (or different versions of one application) implement1040different transcoding rules, they could interpret the same name1041differently and contact different servers. This problem is not1042solved by security protocols like TLS that do not take local1043character sets into account.10441045Because this document normatively refers to [NAMEPREP], [PUNYCODE],1046and [STRINGPREP], it includes the security considerations from those1047documents as well.10481049If or when this specification is updated to use a more recent Unicode1050normalization table, the new normalization table will need to be1051compared with the old to spot backwards incompatible changes. If1052there are such changes, they will need to be handled somehow, or1053there will be security as well as operational implications. Methods1054to handle the conflicts could include keeping the old normalization,1055or taking care of the conflicting characters by operational means, or1056some other method.10571058Implementations MUST NOT use more recent normalization tables than1059the one referenced from this document, even though more recent tables1060may be provided by operating systems. If an application is unsure of1061which version of the normalization tables are in the operating1062106310641065Faltstrom, et al. Standards Track [Page 19]10661067RFC 3490 IDNA March 2003106810691070system, the application needs to include the normalization tables1071itself. Using normalization tables other than the one referenced1072from this specification could have security and operational1073implications.10741075To help prevent confusion between characters that are visually1076similar, it is suggested that implementations provide visual1077indications where a domain name contains multiple scripts. Such1078mechanisms can also be used to show when a name contains a mixture of1079simplified and traditional Chinese characters, or to distinguish zero1080and one from O and l. DNS zone adminstrators may impose restrictions1081(subject to the limitations in section 2) that try to minimize1082homographs.10831084Domain names (or portions of them) are sometimes compared against a1085set of privileged or anti-privileged domains. In such situations it1086is especially important that the comparisons be done properly, as1087specified in section 3.1 requirement 4. For labels already in ASCII1088form, the proper comparison reduces to the same case-insensitive1089ASCII comparison that has always been used for ASCII labels.10901091The introduction of IDNA means that any existing labels that start1092with the ACE prefix and would be altered by ToUnicode will1093automatically be ACE labels, and will be considered equivalent to1094non-ASCII labels, whether or not that was the intent of the zone1095adminstrator or registrant.1096109711. IANA Considerations10981099IANA has assigned the ACE prefix in consultation with the IESG.1100110111021103110411051106110711081109111011111112111311141115111611171118111911201121Faltstrom, et al. Standards Track [Page 20]11221123RFC 3490 IDNA March 200311241125112612. Authors' Addresses11271128Patrik Faltstrom1129Cisco Systems1130Arstaangsvagen 31 J1131S-117 43 Stockholm Sweden11321133EMail: [email protected]113411351136Paul Hoffman1137Internet Mail Consortium and VPN Consortium1138127 Segre Place1139Santa Cruz, CA 95060 USA11401141EMail: [email protected]114211431144Adam M. Costello1145University of California, Berkeley11461147URL: http://www.nicemice.net/amc/114811491150115111521153115411551156115711581159116011611162116311641165116611671168116911701171117211731174117511761177Faltstrom, et al. Standards Track [Page 21]11781179RFC 3490 IDNA March 200311801181118213. Full Copyright Statement11831184Copyright (C) The Internet Society (2003). All Rights Reserved.11851186This document and translations of it may be copied and furnished to1187others, and derivative works that comment on or otherwise explain it1188or assist in its implementation may be prepared, copied, published1189and distributed, in whole or in part, without restriction of any1190kind, provided that the above copyright notice and this paragraph are1191included on all such copies and derivative works. However, this1192document itself may not be modified in any way, such as by removing1193the copyright notice or references to the Internet Society or other1194Internet organizations, except as needed for the purpose of1195developing Internet standards in which case the procedures for1196copyrights defined in the Internet Standards process must be1197followed, or as required to translate it into languages other than1198English.11991200The limited permissions granted above are perpetual and will not be1201revoked by the Internet Society or its successors or assigns.12021203This document and the information contained herein is provided on an1204"AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING1205TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING1206BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION1207HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF1208MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.12091210Acknowledgement12111212Funding for the RFC Editor function is currently provided by the1213Internet Society.12141215121612171218121912201221122212231224122512261227122812291230123112321233Faltstrom, et al. Standards Track [Page 22]1234123512361237