[dns-operations] [Ext] Signing on the fly and UltraDNS

[Andrew Sullivan]

Geez, it's a long time since I had to take a lot of care on IDNA and
non-IDNA protocol cases.  But here's my take.

On Wed, Jan 06, 2021 at 01:38:43PM -0500, Dave Lawrence wrote:
>I'm not really following your logic, Andrew (or Mark), for how
>applying IDNA rules is relevant to interpreting the labels in
>question.

My reading of the dig man page leads me to believe that IDN support basically turns domain name slots in dig (see 5890 §2.3.2.6) into IDNA-aware domain name slots.  Now, 5890 §2.3.2.1 says, 'For IDNA-aware applications, the three types of valid labels are "A-labels", "U-labels", and "NR-LDH labels",' and that constrains what labels are permitted.  5890 §2.3.2.2 says an NR-LDH label can be neither an IDN, nor a reserved LDH label (R-LDH), but it can be otherwise anything permitted by §2.3.1.  But §2.3.1 defines LDH label according to what is in RFC 952, and RFC 1034 §3.5 as modified by RFC 1123.  Most assuredly, that does not permit a label that begins with "-".

So, I think what it means is that, with the IDN support turned on, dig is IDNA-aware and therefore shouldn't accept any NON-LDH label.  As it happens, it accepts some NON-LDH labels but not others, which maybe _is_ a bug, but not the one people were complaining about. ;-)

I think there is good reason to blame the reviewers of 5890 for this being as confusing as it is in the text.  In my defence, I will say it was worse in earlier drafts!

Best regards,

A

-- 
Andrew Sullivan
ajs at anvilwalrusden.com