xref: /freebsd/crypto/heimdal/lib/wind/rfc3490.txt (revision cddbc3b40812213ff00041f79174cac0be360a2a)
1
2
3
4
5
6
7Network Working Group                                       P. Faltstrom
8Request for Comments: 3490                                         Cisco
9Category: Standards Track                                     P. Hoffman
10                                                              IMC & VPNC
11                                                             A. Costello
12                                                             UC Berkeley
13                                                              March 2003
14
15
16         Internationalizing Domain Names in Applications (IDNA)
17
18Status of this Memo
19
20   This document specifies an Internet standards track protocol for the
21   Internet community, and requests discussion and suggestions for
22   improvements.  Please refer to the current edition of the "Internet
23   Official Protocol Standards" (STD 1) for the standardization state
24   and status of this protocol.  Distribution of this memo is unlimited.
25
26Copyright Notice
27
28   Copyright (C) The Internet Society (2003).  All Rights Reserved.
29
30Abstract
31
32   Until now, there has been no standard method for domain names to use
33   characters outside the ASCII repertoire.  This document defines
34   internationalized domain names (IDNs) and a mechanism called
35   Internationalizing Domain Names in Applications (IDNA) for handling
36   them in a standard fashion.  IDNs use characters drawn from a large
37   repertoire (Unicode), but IDNA allows the non-ASCII characters to be
38   represented using only the ASCII characters already allowed in so-
39   called host names today.  This backward-compatible representation is
40   required in existing protocols like DNS, so that IDNs can be
41   introduced with no changes to the existing infrastructure.  IDNA is
42   only meant for processing domain names, not free text.
43
44Table of Contents
45
46   1. Introduction..................................................  2
47      1.1 Problem Statement.........................................  3
48      1.2 Limitations of IDNA.......................................  3
49      1.3 Brief overview for application developers.................  4
50   2. Terminology...................................................  5
51   3. Requirements and applicability................................  7
52      3.1 Requirements..............................................  7
53      3.2 Applicability.............................................  8
54         3.2.1. DNS resource records................................  8
55
56
57
58Faltstrom, et al.           Standards Track                     [Page 1]
59
60RFC 3490                          IDNA                        March 2003
61
62
63         3.2.2. Non-domain-name data types stored in domain names...  9
64   4. Conversion operations.........................................  9
65      4.1 ToASCII................................................... 10
66      4.2 ToUnicode................................................. 11
67   5. ACE prefix.................................................... 12
68   6. Implications for typical applications using DNS............... 13
69      6.1 Entry and display in applications......................... 14
70      6.2 Applications and resolver libraries....................... 15
71      6.3 DNS servers............................................... 15
72      6.4 Avoiding exposing users to the raw ACE encoding........... 16
73      6.5  DNSSEC authentication of IDN domain names................ 16
74   7. Name server considerations.................................... 17
75   8. Root server considerations.................................... 17
76   9. References.................................................... 18
77      9.1 Normative References...................................... 18
78      9.2 Informative References.................................... 18
79   10. Security Considerations...................................... 19
80   11. IANA Considerations.......................................... 20
81   12. Authors' Addresses........................................... 21
82   13. Full Copyright Statement..................................... 22
83
841. Introduction
85
86   IDNA works by allowing applications to use certain ASCII name labels
87   (beginning with a special prefix) to represent non-ASCII name labels.
88   Lower-layer protocols need not be aware of this; therefore IDNA does
89   not depend on changes to any infrastructure.  In particular, IDNA
90   does not depend on any changes to DNS servers, resolvers, or protocol
91   elements, because the ASCII name service provided by the existing DNS
92   is entirely sufficient for IDNA.
93
94   This document does not require any applications to conform to IDNA,
95   but applications can elect to use IDNA in order to support IDN while
96   maintaining interoperability with existing infrastructure.  If an
97   application wants to use non-ASCII characters in domain names, IDNA
98   is the only currently-defined option.  Adding IDNA support to an
99   existing application entails changes to the application only, and
100   leaves room for flexibility in the user interface.
101
102   A great deal of the discussion of IDN solutions has focused on
103   transition issues and how IDN will work in a world where not all of
104   the components have been updated.  Proposals that were not chosen by
105   the IDN Working Group would depend on user applications, resolvers,
106   and DNS servers being updated in order for a user to use an
107   internationalized domain name.  Rather than rely on widespread
108   updating of all components, IDNA depends on updates to user
109   applications only; no changes are needed to the DNS protocol or any
110   DNS servers or the resolvers on user's computers.
111
112
113
114Faltstrom, et al.           Standards Track                     [Page 2]
115
116RFC 3490                          IDNA                        March 2003
117
118
1191.1 Problem Statement
120
121   The IDNA specification solves the problem of extending the repertoire
122   of characters that can be used in domain names to include the Unicode
123   repertoire (with some restrictions).
124
125   IDNA does not extend the service offered by DNS to the applications.
126   Instead, the applications (and, by implication, the users) continue
127   to see an exact-match lookup service.  Either there is a single
128   exactly-matching name or there is no match.  This model has served
129   the existing applications well, but it requires, with or without
130   internationalized domain names, that users know the exact spelling of
131   the domain names that the users type into applications such as web
132   browsers and mail user agents.  The introduction of the larger
133   repertoire of characters potentially makes the set of misspellings
134   larger, especially given that in some cases the same appearance, for
135   example on a business card, might visually match several Unicode code
136   points or several sequences of code points.
137
138   IDNA allows the graceful introduction of IDNs not only by avoiding
139   upgrades to existing infrastructure (such as DNS servers and mail
140   transport agents), but also by allowing some rudimentary use of IDNs
141   in applications by using the ASCII representation of the non-ASCII
142   name labels.  While such names are very user-unfriendly to read and
143   type, and hence are not suitable for user input, they allow (for
144   instance) replying to email and clicking on URLs even though the
145   domain name displayed is incomprehensible to the user.  In order to
146   allow user-friendly input and output of the IDNs, the applications
147   need to be modified to conform to this specification.
148
149   IDNA uses the Unicode character repertoire, which avoids the
150   significant delays that would be inherent in waiting for a different
151   and specific character set be defined for IDN purposes by some other
152   standards developing organization.
153
1541.2 Limitations of IDNA
155
156   The IDNA protocol does not solve all linguistic issues with users
157   inputting names in different scripts.  Many important language-based
158   and script-based mappings are not covered in IDNA and need to be
159   handled outside the protocol.  For example, names that are entered in
160   a mix of traditional and simplified Chinese characters will not be
161   mapped to a single canonical name.  Another example is Scandinavian
162   names that are entered with U+00F6 (LATIN SMALL LETTER O WITH
163   DIAERESIS) will not be mapped to U+00F8 (LATIN SMALL LETTER O WITH
164   STROKE).
165
166
167
168
169
170Faltstrom, et al.           Standards Track                     [Page 3]
171
172RFC 3490                          IDNA                        March 2003
173
174
175   An example of an important issue that is not considered in detail in
176   IDNA is how to provide a high probability that a user who is entering
177   a domain name based on visual information (such as from a business
178   card or billboard) or aural information (such as from a telephone or
179   radio) would correctly enter the IDN.  Similar issues exist for ASCII
180   domain names, for example the possible visual confusion between the
181   letter 'O' and the digit zero, but the introduction of the larger
182   repertoire of characters creates more opportunities of similar
183   looking and similar sounding names.  Note that this is a complex
184   issue relating to languages, input methods on computers, and so on.
185   Furthermore, the kind of matching and searching necessary for a high
186   probability of success would not fit the role of the DNS and its
187   exact matching function.
188
1891.3 Brief overview for application developers
190
191   Applications can use IDNA to support internationalized domain names
192   anywhere that ASCII domain names are already supported, including DNS
193   master files and resolver interfaces.  (Applications can also define
194   protocols and interfaces that support IDNs directly using non-ASCII
195   representations.  IDNA does not prescribe any particular
196   representation for new protocols, but it still defines which names
197   are valid and how they are compared.)
198
199   The IDNA protocol is contained completely within applications.  It is
200   not a client-server or peer-to-peer protocol: everything is done
201   inside the application itself.  When used with a DNS resolver
202   library, IDNA is inserted as a "shim" between the application and the
203   resolver library.  When used for writing names into a DNS zone, IDNA
204   is used just before the name is committed to the zone.
205
206   There are two operations described in section 4 of this document:
207
208   -  The ToASCII operation is used before sending an IDN to something
209      that expects ASCII names (such as a resolver) or writing an IDN
210      into a place that expects ASCII names (such as a DNS master file).
211
212   -  The ToUnicode operation is used when displaying names to users,
213      for example names obtained from a DNS zone.
214
215   It is important to note that the ToASCII operation can fail.  If it
216   fails when processing a domain name, that domain name cannot be used
217   as an internationalized domain name and the application has to have
218   some method of dealing with this failure.
219
220   IDNA requires that implementations process input strings with
221   Nameprep [NAMEPREP], which is a profile of Stringprep [STRINGPREP],
222   and then with Punycode [PUNYCODE].  Implementations of IDNA MUST
223
224
225
226Faltstrom, et al.           Standards Track                     [Page 4]
227
228RFC 3490                          IDNA                        March 2003
229
230
231   fully implement Nameprep and Punycode; neither Nameprep nor Punycode
232   are optional.
233
2342. Terminology
235
236   The key words "MUST", "SHALL", "REQUIRED", "SHOULD", "RECOMMENDED",
237   and "MAY" in this document are to be interpreted as described in BCP
238   14, RFC 2119 [RFC2119].
239
240   A code point is an integer value associated with a character in a
241   coded character set.
242
243   Unicode [UNICODE] is a coded character set containing tens of
244   thousands of characters.  A single Unicode code point is denoted by
245   "U+" followed by four to six hexadecimal digits, while a range of
246   Unicode code points is denoted by two hexadecimal numbers separated
247   by "..", with no prefixes.
248
249   ASCII means US-ASCII [USASCII], a coded character set containing 128
250   characters associated with code points in the range 0..7F.  Unicode
251   is an extension of ASCII: it includes all the ASCII characters and
252   associates them with the same code points.
253
254   The term "LDH code points" is defined in this document to mean the
255   code points associated with ASCII letters, digits, and the hyphen-
256   minus; that is, U+002D, 30..39, 41..5A, and 61..7A. "LDH" is an
257   abbreviation for "letters, digits, hyphen".
258
259   [STD13] talks about "domain names" and "host names", but many people
260   use the terms interchangeably.  Further, because [STD13] was not
261   terribly clear, many people who are sure they know the exact
262   definitions of each of these terms disagree on the definitions.  In
263   this document the term "domain name" is used in general.  This
264   document explicitly cites [STD3] whenever referring to the host name
265   syntax restrictions defined therein.
266
267   A label is an individual part of a domain name.  Labels are usually
268   shown separated by dots; for example, the domain name
269   "www.example.com" is composed of three labels: "www", "example", and
270   "com".  (The zero-length root label described in [STD13], which can
271   be explicit as in "www.example.com." or implicit as in
272   "www.example.com", is not considered a label in this specification.)
273   IDNA extends the set of usable characters in labels that are text.
274   For the rest of this document, the term "label" is shorthand for
275   "text label", and "every label" means "every text label".
276
277
278
279
280
281
282Faltstrom, et al.           Standards Track                     [Page 5]
283
284RFC 3490                          IDNA                        March 2003
285
286
287   An "internationalized label" is a label to which the ToASCII
288   operation (see section 4) can be applied without failing (with the
289   UseSTD3ASCIIRules flag unset).  This implies that every ASCII label
290   that satisfies the [STD13] length restriction is an internationalized
291   label.  Therefore the term "internationalized label" is a
292   generalization, embracing both old ASCII labels and new non-ASCII
293   labels.  Although most Unicode characters can appear in
294   internationalized labels, ToASCII will fail for some input strings,
295   and such strings are not valid internationalized labels.
296
297   An "internationalized domain name" (IDN) is a domain name in which
298   every label is an internationalized label.  This implies that every
299   ASCII domain name is an IDN (which implies that it is possible for a
300   name to be an IDN without it containing any non-ASCII characters).
301   This document does not attempt to define an "internationalized host
302   name".  Just as has been the case with ASCII names, some DNS zone
303   administrators may impose restrictions, beyond those imposed by DNS
304   or IDNA, on the characters or strings that may be registered as
305   labels in their zones.  Such restrictions have no impact on the
306   syntax or semantics of DNS protocol messages; a query for a name that
307   matches no records will yield the same response regardless of the
308   reason why it is not in the zone.  Clients issuing queries or
309   interpreting responses cannot be assumed to have any knowledge of
310   zone-specific restrictions or conventions.
311
312   In IDNA, equivalence of labels is defined in terms of the ToASCII
313   operation, which constructs an ASCII form for a given label, whether
314   or not the label was already an ASCII label.  Labels are defined to
315   be equivalent if and only if their ASCII forms produced by ToASCII
316   match using a case-insensitive ASCII comparison.  ASCII labels
317   already have a notion of equivalence: upper case and lower case are
318   considered equivalent.  The IDNA notion of equivalence is an
319   extension of that older notion.  Equivalent labels in IDNA are
320   treated as alternate forms of the same label, just as "foo" and "Foo"
321   are treated as alternate forms of the same label.
322
323   To allow internationalized labels to be handled by existing
324   applications, IDNA uses an "ACE label" (ACE stands for ASCII
325   Compatible Encoding).  An ACE label is an internationalized label
326   that can be rendered in ASCII and is equivalent to an
327   internationalized label that cannot be rendered in ASCII.  Given any
328   internationalized label that cannot be rendered in ASCII, the ToASCII
329   operation will convert it to an equivalent ACE label (whereas an
330   ASCII label will be left unaltered by ToASCII).  ACE labels are
331   unsuitable for display to users.  The ToUnicode operation will
332   convert any label to an equivalent non-ACE label.  In fact, an ACE
333   label is formally defined to be any label that the ToUnicode
334   operation would alter (whereas non-ACE labels are left unaltered by
335
336
337
338Faltstrom, et al.           Standards Track                     [Page 6]
339
340RFC 3490                          IDNA                        March 2003
341
342
343   ToUnicode).  Every ACE label begins with the ACE prefix specified in
344   section 5.  The ToASCII and ToUnicode operations are specified in
345   section 4.
346
347   The "ACE prefix" is defined in this document to be a string of ASCII
348   characters that appears at the beginning of every ACE label.  It is
349   specified in section 5.
350
351   A "domain name slot" is defined in this document to be a protocol
352   element or a function argument or a return value (and so on)
353   explicitly designated for carrying a domain name.  Examples of domain
354   name slots include: the QNAME field of a DNS query; the name argument
355   of the gethostbyname() library function; the part of an email address
356   following the at-sign (@) in the From: field of an email message
357   header; and the host portion of the URI in the src attribute of an
358   HTML <IMG> tag.  General text that just happens to contain a domain
359   name is not a domain name slot; for example, a domain name appearing
360   in the plain text body of an email message is not occupying a domain
361   name slot.
362
363   An "IDN-aware domain name slot" is defined in this document to be a
364   domain name slot explicitly designated for carrying an
365   internationalized domain name as defined in this document.  The
366   designation may be static (for example, in the specification of the
367   protocol or interface) or dynamic (for example, as a result of
368   negotiation in an interactive session).
369
370   An "IDN-unaware domain name slot" is defined in this document to be
371   any domain name slot that is not an IDN-aware domain name slot.
372   Obviously, this includes any domain name slot whose specification
373   predates IDNA.
374
3753. Requirements and applicability
376
3773.1 Requirements
378
379   IDNA conformance means adherence to the following four requirements:
380
381   1) Whenever dots are used as label separators, the following
382      characters MUST be recognized as dots: U+002E (full stop), U+3002
383      (ideographic full stop), U+FF0E (fullwidth full stop), U+FF61
384      (halfwidth ideographic full stop).
385
386   2) Whenever a domain name is put into an IDN-unaware domain name slot
387      (see section 2), it MUST contain only ASCII characters.  Given an
388      internationalized domain name (IDN), an equivalent domain name
389      satisfying this requirement can be obtained by applying the
390
391
392
393
394Faltstrom, et al.           Standards Track                     [Page 7]
395
396RFC 3490                          IDNA                        March 2003
397
398
399      ToASCII operation (see section 4) to each label and, if dots are
400      used as label separators, changing all the label separators to
401      U+002E.
402
403   3) ACE labels obtained from domain name slots SHOULD be hidden from
404      users when it is known that the environment can handle the non-ACE
405      form, except when the ACE form is explicitly requested.  When it
406      is not known whether or not the environment can handle the non-ACE
407      form, the application MAY use the non-ACE form (which might fail,
408      such as by not being displayed properly), or it MAY use the ACE
409      form (which will look unintelligle to the user).  Given an
410      internationalized domain name, an equivalent domain name
411      containing no ACE labels can be obtained by applying the ToUnicode
412      operation (see section 4) to each label.  When requirements 2 and
413      3 both apply, requirement 2 takes precedence.
414
415   4) Whenever two labels are compared, they MUST be considered to match
416      if and only if they are equivalent, that is, their ASCII forms
417      (obtained by applying ToASCII) match using a case-insensitive
418      ASCII comparison.  Whenever two names are compared, they MUST be
419      considered to match if and only if their corresponding labels
420      match, regardless of whether the names use the same forms of label
421      separators.
422
4233.2 Applicability
424
425   IDNA is applicable to all domain names in all domain name slots
426   except where it is explicitly excluded.
427
428   This implies that IDNA is applicable to many protocols that predate
429   IDNA.  Note that IDNs occupying domain name slots in those protocols
430   MUST be in ASCII form (see section 3.1, requirement 2).
431
4323.2.1. DNS resource records
433
434   IDNA does not apply to domain names in the NAME and RDATA fields of
435   DNS resource records whose CLASS is not IN.  This exclusion applies
436   to every non-IN class, present and future, except where future
437   standards override this exclusion by explicitly inviting the use of
438   IDNA.
439
440   There are currently no other exclusions on the applicability of IDNA
441   to DNS resource records; it depends entirely on the CLASS, and not on
442   the TYPE.  This will remain true, even as new types are defined,
443   unless there is a compelling reason for a new type to complicate
444   matters by imposing type-specific rules.
445
446
447
448
449
450Faltstrom, et al.           Standards Track                     [Page 8]
451
452RFC 3490                          IDNA                        March 2003
453
454
4553.2.2. Non-domain-name data types stored in domain names
456
457   Although IDNA enables the representation of non-ASCII characters in
458   domain names, that does not imply that IDNA enables the
459   representation of non-ASCII characters in other data types that are
460   stored in domain names.  For example, an email address local part is
461   sometimes stored in a domain label (hostmaster@example.com would be
462   represented as hostmaster.example.com in the RDATA field of an SOA
463   record).  IDNA does not update the existing email standards, which
464   allow only ASCII characters in local parts.  Therefore, unless the
465   email standards are revised to invite the use of IDNA for local
466   parts, a domain label that holds the local part of an email address
467   SHOULD NOT begin with the ACE prefix, and even if it does, it is to
468   be interpreted literally as a local part that happens to begin with
469   the ACE prefix.
470
4714. Conversion operations
472
473   An application converts a domain name put into an IDN-unaware slot or
474   displayed to a user.  This section specifies the steps to perform in
475   the conversion, and the ToASCII and ToUnicode operations.
476
477   The input to ToASCII or ToUnicode is a single label that is a
478   sequence of Unicode code points (remember that all ASCII code points
479   are also Unicode code points).  If a domain name is represented using
480   a character set other than Unicode or US-ASCII, it will first need to
481   be transcoded to Unicode.
482
483   Starting from a whole domain name, the steps that an application
484   takes to do the conversions are:
485
486   1) Decide whether the domain name is a "stored string" or a "query
487      string" as described in [STRINGPREP].  If this conversion follows
488      the "queries" rule from [STRINGPREP], set the flag called
489      "AllowUnassigned".
490
491   2) Split the domain name into individual labels as described in
492      section 3.1.  The labels do not include the separator.
493
494   3) For each label, decide whether or not to enforce the restrictions
495      on ASCII characters in host names [STD3].  (Applications already
496      faced this choice before the introduction of IDNA, and can
497      continue to make the decision the same way they always have; IDNA
498      makes no new recommendations regarding this choice.)  If the
499      restrictions are to be enforced, set the flag called
500      "UseSTD3ASCIIRules" for that label.
501
502
503
504
505
506Faltstrom, et al.           Standards Track                     [Page 9]
507
508RFC 3490                          IDNA                        March 2003
509
510
511   4) Process each label with either the ToASCII or the ToUnicode
512      operation as appropriate.  Typically, you use the ToASCII
513      operation if you are about to put the name into an IDN-unaware
514      slot, and you use the ToUnicode operation if you are displaying
515      the name to a user; section 3.1 gives greater detail on the
516      applicable requirements.
517
518   5) If ToASCII was applied in step 4 and dots are used as label
519      separators, change all the label separators to U+002E (full stop).
520
521   The following two subsections define the ToASCII and ToUnicode
522   operations that are used in step 4.
523
524   This description of the protocol uses specific procedure names, names
525   of flags, and so on, in order to facilitate the specification of the
526   protocol.  These names, as well as the actual steps of the
527   procedures, are not required of an implementation.  In fact, any
528   implementation which has the same external behavior as specified in
529   this document conforms to this specification.
530
5314.1 ToASCII
532
533   The ToASCII operation takes a sequence of Unicode code points that
534   make up one label and transforms it into a sequence of code points in
535   the ASCII range (0..7F).  If ToASCII succeeds, the original sequence
536   and the resulting sequence are equivalent labels.
537
538   It is important to note that the ToASCII operation can fail.  ToASCII
539   fails if any step of it fails.  If any step of the ToASCII operation
540   fails on any label in a domain name, that domain name MUST NOT be
541   used as an internationalized domain name.  The method for dealing
542   with this failure is application-specific.
543
544   The inputs to ToASCII are a sequence of code points, the
545   AllowUnassigned flag, and the UseSTD3ASCIIRules flag.  The output of
546   ToASCII is either a sequence of ASCII code points or a failure
547   condition.
548
549   ToASCII never alters a sequence of code points that are all in the
550   ASCII range to begin with (although it could fail).  Applying the
551   ToASCII operation multiple times has exactly the same effect as
552   applying it just once.
553
554   ToASCII consists of the following steps:
555
556   1. If the sequence contains any code points outside the ASCII range
557      (0..7F) then proceed to step 2, otherwise skip to step 3.
558
559
560
561
562Faltstrom, et al.           Standards Track                    [Page 10]
563
564RFC 3490                          IDNA                        March 2003
565
566
567   2. Perform the steps specified in [NAMEPREP] and fail if there is an
568      error.  The AllowUnassigned flag is used in [NAMEPREP].
569
570   3. If the UseSTD3ASCIIRules flag is set, then perform these checks:
571
572     (a) Verify the absence of non-LDH ASCII code points; that is, the
573         absence of 0..2C, 2E..2F, 3A..40, 5B..60, and 7B..7F.
574
575     (b) Verify the absence of leading and trailing hyphen-minus; that
576         is, the absence of U+002D at the beginning and end of the
577         sequence.
578
579   4. If the sequence contains any code points outside the ASCII range
580      (0..7F) then proceed to step 5, otherwise skip to step 8.
581
582   5. Verify that the sequence does NOT begin with the ACE prefix.
583
584   6. Encode the sequence using the encoding algorithm in [PUNYCODE] and
585      fail if there is an error.
586
587   7. Prepend the ACE prefix.
588
589   8. Verify that the number of code points is in the range 1 to 63
590      inclusive.
591
5924.2 ToUnicode
593
594   The ToUnicode operation takes a sequence of Unicode code points that
595   make up one label and returns a sequence of Unicode code points.  If
596   the input sequence is a label in ACE form, then the result is an
597   equivalent internationalized label that is not in ACE form, otherwise
598   the original sequence is returned unaltered.
599
600   ToUnicode never fails.  If any step fails, then the original input
601   sequence is returned immediately in that step.
602
603   The ToUnicode output never contains more code points than its input.
604   Note that the number of octets needed to represent a sequence of code
605   points depends on the particular character encoding used.
606
607   The inputs to ToUnicode are a sequence of code points, the
608   AllowUnassigned flag, and the UseSTD3ASCIIRules flag.  The output of
609   ToUnicode is always a sequence of Unicode code points.
610
611   1. If all code points in the sequence are in the ASCII range (0..7F)
612      then skip to step 3.
613
614
615
616
617
618Faltstrom, et al.           Standards Track                    [Page 11]
619
620RFC 3490                          IDNA                        March 2003
621
622
623   2. Perform the steps specified in [NAMEPREP] and fail if there is an
624      error.  (If step 3 of ToASCII is also performed here, it will not
625      affect the overall behavior of ToUnicode, but it is not
626      necessary.)  The AllowUnassigned flag is used in [NAMEPREP].
627
628   3. Verify that the sequence begins with the ACE prefix, and save a
629      copy of the sequence.
630
631   4. Remove the ACE prefix.
632
633   5. Decode the sequence using the decoding algorithm in [PUNYCODE] and
634      fail if there is an error.  Save a copy of the result of this
635      step.
636
637   6. Apply ToASCII.
638
639   7. Verify that the result of step 6 matches the saved copy from step
640      3, using a case-insensitive ASCII comparison.
641
642   8. Return the saved copy from step 5.
643
6445. ACE prefix
645
646   The ACE prefix, used in the conversion operations (section 4), is two
647   alphanumeric ASCII characters followed by two hyphen-minuses.  It
648   cannot be any of the prefixes already used in earlier documents,
649   which includes the following: "bl--", "bq--", "dq--", "lq--", "mq--",
650   "ra--", "wq--" and "zq--".  The ToASCII and ToUnicode operations MUST
651   recognize the ACE prefix in a case-insensitive manner.
652
653   The ACE prefix for IDNA is "xn--" or any capitalization thereof.
654
655   This means that an ACE label might be "xn--de-jg4avhby1noc0d", where
656   "de-jg4avhby1noc0d" is the part of the ACE label that is generated by
657   the encoding steps in [PUNYCODE].
658
659   While all ACE labels begin with the ACE prefix, not all labels
660   beginning with the ACE prefix are necessarily ACE labels.  Non-ACE
661   labels that begin with the ACE prefix will confuse users and SHOULD
662   NOT be allowed in DNS zones.
663
664
665
666
667
668
669
670
671
672
673
674Faltstrom, et al.           Standards Track                    [Page 12]
675
676RFC 3490                          IDNA                        March 2003
677
678
6796. Implications for typical applications using DNS
680
681   In IDNA, applications perform the processing needed to input
682   internationalized domain names from users, display internationalized
683   domain names to users, and process the inputs and outputs from DNS
684   and other protocols that carry domain names.
685
686   The components and interfaces between them can be represented
687   pictorially as:
688
689                    +------+
690                    | User |
691                    +------+
692                       ^
693                       | Input and display: local interface methods
694                       | (pen, keyboard, glowing phosphorus, ...)
695   +-------------------|-------------------------------+
696   |                   v                               |
697   |          +-----------------------------+          |
698   |          |        Application          |          |
699   |          |   (ToASCII and ToUnicode    |          |
700   |          |      operations may be      |          |
701   |          |        called here)         |          |
702   |          +-----------------------------+          |
703   |                   ^        ^                      | End system
704   |                   |        |                      |
705   | Call to resolver: |        | Application-specific |
706   |              ACE  |        | protocol:            |
707   |                   v        | ACE unless the       |
708   |           +----------+     | protocol is updated  |
709   |           | Resolver |     | to handle other      |
710   |           +----------+     | encodings            |
711   |                 ^          |                      |
712   +-----------------|----------|----------------------+
713       DNS protocol: |          |
714                 ACE |          |
715                     v          v
716          +-------------+    +---------------------+
717          | DNS servers |    | Application servers |
718          +-------------+    +---------------------+
719
720   The box labeled "Application" is where the application splits a
721   domain name into labels, sets the appropriate flags, and performs the
722   ToASCII and ToUnicode operations.  This is described in section 4.
723
724
725
726
727
728
729
730Faltstrom, et al.           Standards Track                    [Page 13]
731
732RFC 3490                          IDNA                        March 2003
733
734
7356.1 Entry and display in applications
736
737   Applications can accept domain names using any character set or sets
738   desired by the application developer, and can display domain names in
739   any charset.  That is, the IDNA protocol does not affect the
740   interface between users and applications.
741
742   An IDNA-aware application can accept and display internationalized
743   domain names in two formats: the internationalized character set(s)
744   supported by the application, and as an ACE label.  ACE labels that
745   are displayed or input MUST always include the ACE prefix.
746   Applications MAY allow input and display of ACE labels, but are not
747   encouraged to do so except as an interface for special purposes,
748   possibly for debugging, or to cope with display limitations as
749   described in section 6.4..  ACE encoding is opaque and ugly, and
750   should thus only be exposed to users who absolutely need it.  Because
751   name labels encoded as ACE name labels can be rendered either as the
752   encoded ASCII characters or the proper decoded characters, the
753   application MAY have an option for the user to select the preferred
754   method of display; if it does, rendering the ACE SHOULD NOT be the
755   default.
756
757   Domain names are often stored and transported in many places.  For
758   example, they are part of documents such as mail messages and web
759   pages.  They are transported in many parts of many protocols, such as
760   both the control commands and the RFC 2822 body parts of SMTP, and
761   the headers and the body content in HTTP.  It is important to
762   remember that domain names appear both in domain name slots and in
763   the content that is passed over protocols.
764
765   In protocols and document formats that define how to handle
766   specification or negotiation of charsets, labels can be encoded in
767   any charset allowed by the protocol or document format.  If a
768   protocol or document format only allows one charset, the labels MUST
769   be given in that charset.
770
771   In any place where a protocol or document format allows transmission
772   of the characters in internationalized labels, internationalized
773   labels SHOULD be transmitted using whatever character encoding and
774   escape mechanism that the protocol or document format uses at that
775   place.
776
777   All protocols that use domain name slots already have the capacity
778   for handling domain names in the ASCII charset.  Thus, ACE labels
779   (internationalized labels that have been processed with the ToASCII
780   operation) can inherently be handled by those protocols.
781
782
783
784
785
786Faltstrom, et al.           Standards Track                    [Page 14]
787
788RFC 3490                          IDNA                        March 2003
789
790
7916.2 Applications and resolver libraries
792
793   Applications normally use functions in the operating system when they
794   resolve DNS queries.  Those functions in the operating system are
795   often called "the resolver library", and the applications communicate
796   with the resolver libraries through a programming interface (API).
797
798   Because these resolver libraries today expect only domain names in
799   ASCII, applications MUST prepare labels that are passed to the
800   resolver library using the ToASCII operation.  Labels received from
801   the resolver library contain only ASCII characters; internationalized
802   labels that cannot be represented directly in ASCII use the ACE form.
803   ACE labels always include the ACE prefix.
804
805   An operating system might have a set of libraries for performing the
806   ToASCII operation.  The input to such a library might be in one or
807   more charsets that are used in applications (UTF-8 and UTF-16 are
808   likely candidates for almost any operating system, and script-
809   specific charsets are likely for localized operating systems).
810
811   IDNA-aware applications MUST be able to work with both non-
812   internationalized labels (those that conform to [STD13] and [STD3])
813   and internationalized labels.
814
815   It is expected that new versions of the resolver libraries in the
816   future will be able to accept domain names in other charsets than
817   ASCII, and application developers might one day pass not only domain
818   names in Unicode, but also in local script to a new API for the
819   resolver libraries in the operating system.  Thus the ToASCII and
820   ToUnicode operations might be performed inside these new versions of
821   the resolver libraries.
822
823   Domain names passed to resolvers or put into the question section of
824   DNS requests follow the rules for "queries" from [STRINGPREP].
825
8266.3 DNS servers
827
828   Domain names stored in zones follow the rules for "stored strings"
829   from [STRINGPREP].
830
831   For internationalized labels that cannot be represented directly in
832   ASCII, DNS servers MUST use the ACE form produced by the ToASCII
833   operation.  All IDNs served by DNS servers MUST contain only ASCII
834   characters.
835
836   If a signaling system which makes negotiation possible between old
837   and new DNS clients and servers is standardized in the future, the
838   encoding of the query in the DNS protocol itself can be changed from
839
840
841
842Faltstrom, et al.           Standards Track                    [Page 15]
843
844RFC 3490                          IDNA                        March 2003
845
846
847   ACE to something else, such as UTF-8.  The question whether or not
848   this should be used is, however, a separate problem and is not
849   discussed in this memo.
850
8516.4 Avoiding exposing users to the raw ACE encoding
852
853   Any application that might show the user a domain name obtained from
854   a domain name slot, such as from gethostbyaddr or part of a mail
855   header, will need to be updated if it is to prevent users from seeing
856   the ACE.
857
858   If an application decodes an ACE name using ToUnicode but cannot show
859   all of the characters in the decoded name, such as if the name
860   contains characters that the output system cannot display, the
861   application SHOULD show the name in ACE format (which always includes
862   the ACE prefix) instead of displaying the name with the replacement
863   character (U+FFFD).  This is to make it easier for the user to
864   transfer the name correctly to other programs.  Programs that by
865   default show the ACE form when they cannot show all the characters in
866   a name label SHOULD also have a mechanism to show the name that is
867   produced by the ToUnicode operation with as many characters as
868   possible and replacement characters in the positions where characters
869   cannot be displayed.
870
871   The ToUnicode operation does not alter labels that are not valid ACE
872   labels, even if they begin with the ACE prefix.  After ToUnicode has
873   been applied, if a label still begins with the ACE prefix, then it is
874   not a valid ACE label, and is not equivalent to any of the
875   intermediate Unicode strings constructed by ToUnicode.
876
8776.5  DNSSEC authentication of IDN domain names
878
879   DNS Security [RFC2535] is a method for supplying cryptographic
880   verification information along with DNS messages.  Public Key
881   Cryptography is used in conjunction with digital signatures to
882   provide a means for a requester of domain information to authenticate
883   the source of the data.  This ensures that it can be traced back to a
884   trusted source, either directly, or via a chain of trust linking the
885   source of the information to the top of the DNS hierarchy.
886
887   IDNA specifies that all internationalized domain names served by DNS
888   servers that cannot be represented directly in ASCII must use the ACE
889   form produced by the ToASCII operation.  This operation must be
890   performed prior to a zone being signed by the private key for that
891   zone.  Because of this ordering, it is important to recognize that
892   DNSSEC authenticates the ASCII domain name, not the Unicode form or
893
894
895
896
897
898Faltstrom, et al.           Standards Track                    [Page 16]
899
900RFC 3490                          IDNA                        March 2003
901
902
903   the mapping between the Unicode form and the ASCII form.  In the
904   presence of DNSSEC, this is the name that MUST be signed in the zone
905   and MUST be validated against.
906
907   One consequence of this for sites deploying IDNA in the presence of
908   DNSSEC is that any special purpose proxies or forwarders used to
909   transform user input into IDNs must be earlier in the resolution flow
910   than DNSSEC authenticating nameservers for DNSSEC to work.
911
9127. Name server considerations
913
914   Existing DNS servers do not know the IDNA rules for handling non-
915   ASCII forms of IDNs, and therefore need to be shielded from them.
916   All existing channels through which names can enter a DNS server
917   database (for example, master files [STD13] and DNS update messages
918   [RFC2136]) are IDN-unaware because they predate IDNA, and therefore
919   requirement 2 of section 3.1 of this document provides the needed
920   shielding, by ensuring that internationalized domain names entering
921   DNS server databases through such channels have already been
922   converted to their equivalent ASCII forms.
923
924   It is imperative that there be only one ASCII encoding for a
925   particular domain name.  Because of the design of the ToASCII and
926   ToUnicode operations, there are no ACE labels that decode to ASCII
927   labels, and therefore name servers cannot contain multiple ASCII
928   encodings of the same domain name.
929
930   [RFC2181] explicitly allows domain labels to contain octets beyond
931   the ASCII range (0..7F), and this document does not change that.
932   Note, however, that there is no defined interpretation of octets
933   80..FF as characters.  If labels containing these octets are returned
934   to applications, unpredictable behavior could result.  The ASCII form
935   defined by ToASCII is the only standard representation for
936   internationalized labels in the current DNS protocol.
937
9388. Root server considerations
939
940   IDNs are likely to be somewhat longer than current domain names, so
941   the bandwidth needed by the root servers is likely to go up by a
942   small amount.  Also, queries and responses for IDNs will probably be
943   somewhat longer than typical queries today, so more queries and
944   responses may be forced to go to TCP instead of UDP.
945
946
947
948
949
950
951
952
953
954Faltstrom, et al.           Standards Track                    [Page 17]
955
956RFC 3490                          IDNA                        March 2003
957
958
9599. References
960
9619.1 Normative References
962
963   [RFC2119]    Bradner, S., "Key words for use in RFCs to Indicate
964                Requirement Levels", BCP 14, RFC 2119, March 1997.
965
966   [STRINGPREP] Hoffman, P. and M. Blanchet, "Preparation of
967                Internationalized Strings ("stringprep")", RFC 3454,
968                December 2002.
969
970   [NAMEPREP]   Hoffman, P. and M. Blanchet, "Nameprep: A Stringprep
971                Profile for Internationalized Domain Names (IDN)", RFC
972                3491, March 2003.
973
974   [PUNYCODE]   Costello, A., "Punycode: A Bootstring encoding of
975                Unicode for use with Internationalized Domain Names in
976                Applications (IDNA)", RFC 3492, March 2003.
977
978   [STD3]       Braden, R., "Requirements for Internet Hosts --
979                Communication Layers", STD 3, RFC 1122, and
980                "Requirements for Internet Hosts -- Application and
981                Support", STD 3, RFC 1123, October 1989.
982
983   [STD13]      Mockapetris, P., "Domain names - concepts and
984                facilities", STD 13, RFC 1034 and "Domain names -
985                implementation and specification", STD 13, RFC 1035,
986                November 1987.
987
9889.2 Informative References
989
990   [RFC2535]    Eastlake, D., "Domain Name System Security Extensions",
991                RFC 2535, March 1999.
992
993   [RFC2181]    Elz, R. and R. Bush, "Clarifications to the DNS
994                Specification", RFC 2181, July 1997.
995
996   [UAX9]       Unicode Standard Annex #9, The Bidirectional Algorithm,
997                <http://www.unicode.org/unicode/reports/tr9/>.
998
999   [UNICODE]    The Unicode Consortium. The Unicode Standard, Version
1000                3.2.0 is defined by The Unicode Standard, Version 3.0
1001                (Reading, MA, Addison-Wesley, 2000. ISBN 0-201-61633-5),
1002                as amended by the Unicode Standard Annex #27: Unicode
1003                3.1 (http://www.unicode.org/reports/tr27/) and by the
1004                Unicode Standard Annex #28: Unicode 3.2
1005                (http://www.unicode.org/reports/tr28/).
1006
1007
1008
1009
1010Faltstrom, et al.           Standards Track                    [Page 18]
1011
1012RFC 3490                          IDNA                        March 2003
1013
1014
1015   [USASCII]    Cerf, V., "ASCII format for Network Interchange", RFC
1016                20, October 1969.
1017
101810. Security Considerations
1019
1020   Security on the Internet partly relies on the DNS.  Thus, any change
1021   to the characteristics of the DNS can change the security of much of
1022   the Internet.
1023
1024   This memo describes an algorithm which encodes characters that are
1025   not valid according to STD3 and STD13 into octet values that are
1026   valid.  No security issues such as string length increases or new
1027   allowed values are introduced by the encoding process or the use of
1028   these encoded values, apart from those introduced by the ACE encoding
1029   itself.
1030
1031   Domain names are used by users to identify and connect to Internet
1032   servers.  The security of the Internet is compromised if a user
1033   entering a single internationalized name is connected to different
1034   servers based on different interpretations of the internationalized
1035   domain name.
1036
1037   When systems use local character sets other than ASCII and Unicode,
1038   this specification leaves the the problem of transcoding between the
1039   local character set and Unicode up to the application.  If different
1040   applications (or different versions of one application) implement
1041   different transcoding rules, they could interpret the same name
1042   differently and contact different servers.  This problem is not
1043   solved by security protocols like TLS that do not take local
1044   character sets into account.
1045
1046   Because this document normatively refers to [NAMEPREP], [PUNYCODE],
1047   and [STRINGPREP], it includes the security considerations from those
1048   documents as well.
1049
1050   If or when this specification is updated to use a more recent Unicode
1051   normalization table, the new normalization table will need to be
1052   compared with the old to spot backwards incompatible changes.  If
1053   there are such changes, they will need to be handled somehow, or
1054   there will be security as well as operational implications.  Methods
1055   to handle the conflicts could include keeping the old normalization,
1056   or taking care of the conflicting characters by operational means, or
1057   some other method.
1058
1059   Implementations MUST NOT use more recent normalization tables than
1060   the one referenced from this document, even though more recent tables
1061   may be provided by operating systems.  If an application is unsure of
1062   which version of the normalization tables are in the operating
1063
1064
1065
1066Faltstrom, et al.           Standards Track                    [Page 19]
1067
1068RFC 3490                          IDNA                        March 2003
1069
1070
1071   system, the application needs to include the normalization tables
1072   itself.  Using normalization tables other than the one referenced
1073   from this specification could have security and operational
1074   implications.
1075
1076   To help prevent confusion between characters that are visually
1077   similar, it is suggested that implementations provide visual
1078   indications where a domain name contains multiple scripts.  Such
1079   mechanisms can also be used to show when a name contains a mixture of
1080   simplified and traditional Chinese characters, or to distinguish zero
1081   and one from O and l.  DNS zone adminstrators may impose restrictions
1082   (subject to the limitations in section 2) that try to minimize
1083   homographs.
1084
1085   Domain names (or portions of them) are sometimes compared against a
1086   set of privileged or anti-privileged domains.  In such situations it
1087   is especially important that the comparisons be done properly, as
1088   specified in section 3.1 requirement 4.  For labels already in ASCII
1089   form, the proper comparison reduces to the same case-insensitive
1090   ASCII comparison that has always been used for ASCII labels.
1091
1092   The introduction of IDNA means that any existing labels that start
1093   with the ACE prefix and would be altered by ToUnicode will
1094   automatically be ACE labels, and will be considered equivalent to
1095   non-ASCII labels, whether or not that was the intent of the zone
1096   adminstrator or registrant.
1097
109811. IANA Considerations
1099
1100   IANA has assigned the ACE prefix in consultation with the IESG.
1101
1102
1103
1104
1105
1106
1107
1108
1109
1110
1111
1112
1113
1114
1115
1116
1117
1118
1119
1120
1121
1122Faltstrom, et al.           Standards Track                    [Page 20]
1123
1124RFC 3490                          IDNA                        March 2003
1125
1126
112712. Authors' Addresses
1128
1129   Patrik Faltstrom
1130   Cisco Systems
1131   Arstaangsvagen 31 J
1132   S-117 43 Stockholm  Sweden
1133
1134   EMail: paf@cisco.com
1135
1136
1137   Paul Hoffman
1138   Internet Mail Consortium and VPN Consortium
1139   127 Segre Place
1140   Santa Cruz, CA  95060  USA
1141
1142   EMail: phoffman@imc.org
1143
1144
1145   Adam M. Costello
1146   University of California, Berkeley
1147
1148   URL: http://www.nicemice.net/amc/
1149
1150
1151
1152
1153
1154
1155
1156
1157
1158
1159
1160
1161
1162
1163
1164
1165
1166
1167
1168
1169
1170
1171
1172
1173
1174
1175
1176
1177
1178Faltstrom, et al.           Standards Track                    [Page 21]
1179
1180RFC 3490                          IDNA                        March 2003
1181
1182
118313. Full Copyright Statement
1184
1185   Copyright (C) The Internet Society (2003).  All Rights Reserved.
1186
1187   This document and translations of it may be copied and furnished to
1188   others, and derivative works that comment on or otherwise explain it
1189   or assist in its implementation may be prepared, copied, published
1190   and distributed, in whole or in part, without restriction of any
1191   kind, provided that the above copyright notice and this paragraph are
1192   included on all such copies and derivative works.  However, this
1193   document itself may not be modified in any way, such as by removing
1194   the copyright notice or references to the Internet Society or other
1195   Internet organizations, except as needed for the purpose of
1196   developing Internet standards in which case the procedures for
1197   copyrights defined in the Internet Standards process must be
1198   followed, or as required to translate it into languages other than
1199   English.
1200
1201   The limited permissions granted above are perpetual and will not be
1202   revoked by the Internet Society or its successors or assigns.
1203
1204   This document and the information contained herein is provided on an
1205   "AS IS" basis and THE INTERNET SOCIETY AND THE INTERNET ENGINEERING
1206   TASK FORCE DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING
1207   BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION
1208   HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF
1209   MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
1210
1211Acknowledgement
1212
1213   Funding for the RFC Editor function is currently provided by the
1214   Internet Society.
1215
1216
1217
1218
1219
1220
1221
1222
1223
1224
1225
1226
1227
1228
1229
1230
1231
1232
1233
1234Faltstrom, et al.           Standards Track                    [Page 22]
1235
1236