[dns-operations] [Ext] Signing on the fly and UltraDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 6 23:10:58 UTC 2021

On Wed, Jan 06, 2021 at 03:59:04PM -0500, Andrew Sullivan wrote:

> So, I think what it means is that, with the IDN support turned on, dig
> is IDNA-aware and therefore shouldn't accept any NON-LDH label.  As it
> happens, it accepts some NON-LDH labels but not others, which maybe
> _is_ a bug, but not the one people were complaining about. ;-)

This is a mistake that confuses input processing with output processing.
In the case in question, dig(1) is NOT reading textual labels to
interpret as domain names, it has a *wire* domain name inside a DNS
packet, that it needs to display to the user.  That wire domain name
(with <length> prefixes) is:


When converting the first label to presentation form, which does not
since it does NOT start "xn--", applying IDNA rules makes no sense at
all.  The ONLY correct thing to do there is escaping of special
characters ("\" escape or "\DDD" encoding).

The implementation is correct, but the context is wrong.  Doing the
wrong thing correctly is still a bug.


More information about the dns-operations mailing list