[dns-operations] [Ext] Signing on the fly and UltraDNS

Mark Andrews marka at isc.org
Tue Jan 5 23:33:31 UTC 2021



> On 6 Jan 2021, at 08:01, John Levine <johnl at taugh.com> wrote:
> 
> In article <20210105204121.C4D925829D80 at ary.qy> you write:
>> In article <853ECE14-271F-4E93-9473-D1DBDE8361C1 at icann.org> you write:
>>> On Jan 5, 2021, at 11:20 AM, Dave Lawrence <tale at dd.org> wrote:
>>>> 
>>>> Paul Hoffman writes:
>>>>> I am using tools that expect host names instead of domain names (in
>>>>> this case, dig);
>>>> 
>>>> I think I must be misunderstanding something, or at least haven't
>>>> imagined widely enough the possibilities of your meaning here.  dig
>>>> has a particular expectation for hostnames either owning or in the
>>>> rdata of an NSEC record?  That's surprising to me.  Not inconceivable,
>>>> of course, but definitely surprising.
>>> 
>>> I started this thread with:
>>>  dig +dnssec +noidnout anynameyouwant.house.gov a
>>> Try that without the +noidnout option.
>> 
>> With DiG 9.16.10 I get the same result either way.  What do you get?
> 
> Oh, OK, I tried a different name and got:
> 
> dig: '-.house.gov.' is not a legal IDNA2008 name (string start/ends with forbidden hyphen), use +noidnout
> 
> That's a dig bug.  It's a perfectly valid DNS name albeit a fairly ugly one.

dig by default is not built with IDN support.  If you request IDN support at build time,
+[no]idnin and +[no]idnout are enabled, which then expect valid IDN names on the command
line for +idnin and in the output for +idnout.

It is not a bug for a tool to tell you that you have not got valid IDN names in the
response or on the input.  It may not be the behaviour you desire but it is not a bug.

'IDN_DISABLE=1;export IDN_DISABLE' or equivalent will disable IDN processing by default
in all versions of dig with IDN support.

Now if you feel that strict IDN processing is not the behaviour you want, you are free to
submit a merge request with non-strict IDN behaviour.


-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
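
The distinction drawn in the thread above, as an added example that is not part of the original message and is not dig's own code: a name such as '-.house.gov.' passes the DNS length limits yet breaks the IDNA2008 hyphen rules. The sketch assumes ASCII presentation-format names without backslash escapes and checks only the hyphen rules, not full IDNA2008 validity; the function names are hypothetical.

```python
# Added example: simplified checks, not dig's implementation.
MAX_LABEL = 63   # octets per label
MAX_NAME = 255   # wire-format octets, including length bytes and root label


def labels_of(name):
    """Split an ASCII presentation-format name (no escapes) into labels."""
    name = name[:-1] if name.endswith(".") else name
    return name.split(".") if name else []


def is_valid_dns_name(name):
    """DNS length limits only: any octet, '-' included, may appear in a label."""
    labels = labels_of(name)
    if any(not 1 <= len(label) <= MAX_LABEL for label in labels):
        return False
    wire_len = sum(len(label) + 1 for label in labels) + 1
    return wire_len <= MAX_NAME


def hyphen_violations(name):
    """Return (label, reason) pairs for labels breaking IDNA2008 hyphen rules."""
    problems = []
    for label in labels_of(name):
        if label.startswith("-") or label.endswith("-"):
            problems.append((label, "starts or ends with hyphen"))
        elif label[2:4] == "--" and not label.lower().startswith("xn--"):
            # "xn--" marks an A-label, which is the one permitted use
            problems.append((label, "hyphens in positions 3 and 4"))
    return problems


if __name__ == "__main__":
    # First two names appear in the thread; the last two are constructed.
    samples = [
        "-.house.gov.",
        "anynameyouwant.house.gov.",
        "ab--cd.example.",
        "xn--bcher-kva.example.",
    ]
    for sample in samples:
        print(sample, is_valid_dns_name(sample), hyphen_violations(sample))
```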
