In message <of239d6e1e.8748c878-on80257650.004a25fe-80257650.004b6...@nominet.org.uk>, ray.bel...@nominet.org.uk writes:
> > comments are welcome. thanks. 
> 
> There are, in my opinion, two problems with the DNAME method that affect 
> the application layer that are rarely mentioned.  Perhaps this is because 
> I am wrong about them and they are not real problems, so feedback would be 
> useful.
> 
> 1.  "Host:" headers
> 
> If a registry (or other parent zone) unilaterally adds DNAME records that 
> alias a new IDN label to a current ccTLD style ASCII label, application 
> servers which are only configured to accept requests for the ASCII form of 
> the label will reject requests made using the IDN form.
> 
> i.e. if your Apache server is configured with:
> 
>   ServerName www.cnnic.cn
> 
> it will reject requests for www.cnnic.中国 unless the appropriate 
> ServerAlias is also configured.

        So what?  And for www.cnnic.xn--xxxxx.  Once the DNAME is
        in place operators will put the alias in place. 

> 2.  SSL Subject Names
> 
> Similarly an SSL request for the IDN version of a domain name will fail 
> unless the SSL certificate also includes a "Subject Alternate Name" for 
> the IDN version.
> 
> Whilst the same problems can also occur with the NS method, I believe that 
> the risk for confusion is much reduced if the creation of each IDN label 
> is controlled by the domain owner, and not done automatically by the 
> parent.
> 
> The domain owner can then make the choice for themselves whether to 
> support both IDNs and ASCII labels, and configure their web servers etc 
> appropriately.

        Again, so what?

        Mark
 
> kind regards,
> 
> Ray
> 
> -- 
> Ray Bellis, MA(Oxon) MIET
> Senior Researcher in Advanced Projects, Nominet
> e: r...@nominet.org.uk, t: +44 1865 332211
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
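
The two cases raised in the thread (Host: matching against ServerName/ServerAlias, and certificate names), as an added example that is not part of the original messages: it derives the A-label name a DNAME alias makes reachable and reports whether a vhost and a certificate's dNSName list cover it. The vhost snippet, the SAN list and all function names are constructed for illustration; the A-label comes from Python's built-in IDNA codec.

```python
import fnmatch
import re

# Constructed sample inputs (not from the thread): a vhost that only knows the
# ASCII name, and the dNSName SAN entries of its certificate.
VHOST = """
<VirtualHost *:443>
    ServerName www.cnnic.cn
    ServerAlias cnnic.cn
</VirtualHost>
"""
CERT_SANS = ["www.cnnic.cn", "cnnic.cn"]

def to_alabel(host):
    """Return the ASCII (xn--) form a client sends in Host: and SNI."""
    return host.rstrip(".").encode("idna").decode("ascii").lower()

def dname_alias(host, old_suffix, new_suffix):
    """Name that a DNAME from new_suffix to old_suffix makes resolvable."""
    host = to_alabel(host)
    old = to_alabel(old_suffix)
    if not host.endswith("." + old):
        raise ValueError(f"{host} is not under {old}")
    return host[: -len(old)] + to_alabel(new_suffix)

def vhost_names(conf):
    """Collect ServerName / ServerAlias values (aliases may hold * and ?)."""
    names = []
    for m in re.finditer(r"^\s*Server(?:Name|Alias)\s+(.+)$", conf, re.M | re.I):
        names += m.group(1).lower().split()
    return names

def vhost_matches(conf, host):
    return any(fnmatch.fnmatchcase(host, pat) for pat in vhost_names(conf))

def san_matches(sans, host):
    """dNSName match; a wildcard covers exactly one leftmost label."""
    labels = host.split(".")
    for san in (s.lower() for s in sans):
        s = san.split(".")
        if s == labels or (s[0] == "*" and len(s) == len(labels) and s[1:] == labels[1:]):
            return True
    return False

def audit(conf, sans, host, old_suffix, new_suffix):
    alias = dname_alias(host, old_suffix, new_suffix)
    return {"alias": alias, "vhost": vhost_matches(conf, alias), "san": san_matches(sans, alias)}
```

Calling `audit(VHOST, CERT_SANS, "www.cnnic.cn", "cn", "中国")` reports both gaps for the constructed configuration.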
