[dns-operations] [Ext] Signing on the fly and UltraDNS

Andrew Sullivan ajs at anvilwalrusden.com
Wed Jan 6 16:01:47 UTC 2021


On Tue, Jan 05, 2021 at 10:11:48PM -0500, John Levine wrote:
>If it's validating IDNs it makes sense to complain about something
>like xn--1234 which has an IDN prefix but isn't an A-label. But a
>label that is just a hyphen isn't a hostname just like _foo isn't a
>hostname.  Why does it complain about one but not the other?

Because if you're doing IDNA you have to permit only A-labels and NR-LDH labels, according to RFC 5890.  NR-LDH labels are defined in §2.3.2.2, but refer to §2.3.1.  In there is this text:

    [An LDH label] is the classical label form used, albeit with some additional
    restrictions, in hostnames [RFC0952].  Its syntax is identical to
    that described as the "preferred name syntax" in Section 3.5 of RFC
    1034 [RFC1034] as modified by RFC 1123 [RFC1123].  Briefly, it is a
    string consisting of ASCII letters, digits, and the hyphen with the
    further restriction that the hyphen cannot appear at the beginning or
    end of the string.  Like all DNS labels, its total length must not
    exceed 63 octets.

The restriction on the hyphen not appearing at the beginning is actually not new: RFC 952 says a hostname has to begin with a letter, and 1123 relaxed that to allow either a letter or a digit (what Bob Braden once told me he called "the 3Com exception", apparently due to the reason for the change).  The "preferred name syntax" never permitted a hyphen-minus in the initial position of a label, though of course DNS does in principle.  So, if dig is in the mode of not doing IDNA, it's reasonable it can return anything; but if it _is_ in the mode of doing IDNA, it has to follow all the other rules too. 

Best regards,

A (as usual, only for myself.)

-- 
Andrew Sullivan
ajs at anvilwalrusden.com
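As an added illustration (this is not part of the message above, nor code from dig or BIND), the Python below classifies a label along the lines of RFC 5890 section 2.3: it enforces the LDH syntax quoted above (ASCII letters, digits and hyphen, no hyphen in first or last position, at most 63 octets), separates NR-LDH from R-LDH labels by the "--" in positions 3 and 4, and, for labels carrying the xn-- prefix, checks whether they are real A-labels. The A-label check is an assumption-laden approximation built on Python's punycode codec (decode, non-empty, non-ASCII, NFC, round-trip) rather than a full IDNA2008 validator; the sample labels in the driver are constructed, and include the ones discussed in the thread.

```python
"""Classify DNS labels along the lines of RFC 5890 section 2.3.

Added illustration, not code from the message above or from dig/BIND.
The A-label check is an approximation built on Python's punycode codec
(decode, round-trip, non-ASCII, NFC); it is not a full IDNA2008 validator.
"""
import unicodedata


def decode_a_label(label: str):
    """Return the U-label for an xn-- label, or None if it is not a valid A-label.

    Assumed checks (RFC 5890 2.3.2.1 / RFC 5891 5.4, approximated here): the
    Punycode body decodes, the result is non-empty, contains at least one
    non-ASCII code point, is in NFC, and re-encodes to the same body.
    """
    body = label[4:]
    try:
        u_label = body.encode("ascii").decode("punycode")
    except UnicodeError:
        return None
    if not u_label or u_label.isascii():
        return None
    if unicodedata.normalize("NFC", u_label) != u_label:
        return None
    if u_label.encode("punycode").decode("ascii").lower() != body.lower():
        return None
    return u_label


def classify_label(label: str) -> tuple[str, str]:
    """Return (category, reason) for a single label.

    Categories: "non-LDH", "NR-LDH", "R-LDH", "A-label", "fake-A-label".
    """
    if not label:
        return "non-LDH", "empty label"
    if not label.isascii():
        return "non-LDH", "contains non-ASCII octets"
    if len(label) > 63:
        return "non-LDH", f"{len(label)} octets, limit is 63"
    if label[0] == "-" or label[-1] == "-":
        return "non-LDH", "hyphen in first or last position (RFC 1034 preferred name syntax)"
    # On ASCII input, isalnum() is true only for letters and digits.
    bad = [c for c in label if not (c.isalnum() or c == "-")]
    if bad:
        return "non-LDH", f"disallowed character {bad[0]!r}"
    # From here on the label is an LDH label; split R-LDH from NR-LDH.
    if len(label) >= 4 and label[2:4] == "--":
        if label[:4].lower() != "xn--":
            return "R-LDH", "'--' in positions 3 and 4 but not the IDNA prefix"
        u_label = decode_a_label(label)
        if u_label is None:
            return "fake-A-label", "xn-- prefix but not a valid A-label"
        return "A-label", f"U-label {u_label!r}"
    if label[0].isdigit():
        return "NR-LDH", "hostname under RFC 1123 only (leading digit, the '3Com exception')"
    return "NR-LDH", "hostname under RFC 952 and RFC 1123"


def classify_name(name: str) -> list[tuple[str, str, str]]:
    """Classify every label of a dotted name; returns (label, category, reason)."""
    return [(lbl, *classify_label(lbl)) for lbl in name.rstrip(".").split(".")]


if __name__ == "__main__":
    # Constructed sample labels, including the ones discussed in the thread.
    for sample in ["-", "_foo", "xn--1234", "xn--bcher-kva", "3com", "ab--cd",
                   "foo-", "a" * 64]:
        cat, why = classify_label(sample)
        print(f"{sample[:20]:<20} {cat:<13} {why}")
```

Run as a script, it prints one line per sample; "-" and "_foo" both come out as non-LDH (so a tool in IDNA mode has the same reason to reject either), "xn--1234" is flagged as an xn-- label that is not an A-label, and "xn--bcher-kva" decodes to its U-label.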