On Sun, Sep 08, 2002 at 01:06:55AM +0000, Adam M. Costello wrote:
>
> > If the relevant zone accepts dynamic updates that can add labels to
> > the zone, we need to be absolutely sure that there are appropriate and
> > unambiguous reply states for "that label isn't acceptable for this
> > zone even though it meets all of the syntax rules".
>
> This is not an IDN issue; per-zone acceptable-name policies and dynamic
> updates both existed before IDN. If anything, this is an issue for the
> dynamic DNS update spec, not the IDN spec.

I think the issue is not only for the Dynamic DNS spec, but also for all the other thousands of RFCs which use hostnames in their protocols. Since the IDN spec contains a hostname extension spec, that affects all RFCs. Sweeping.

From a conservative security viewpoint, ACE-encoded IDNs are different from LDH ones in that they have amplified ambiguity/security problems behind the merits of backward compatibility in networking. I cannot accept even comparing IDN ambiguity problems with '1' and 'l' problems. ASCII-tunneling accompanies unwarranted/improper trust by all parties.

Going further, I think per-zone IDN registration policy is not enough; it is just about how to control the "source" of the problem. Receiving applications cannot detect IDNs from a loosely controlled zone whose policies and management the receiving sides may not accept or be satisfied with if they happened to know them, even though those controls are correct and acceptable on the source side. Old receiving applications can't do anything to ban "alien" improper IDNs.

In short, IDN should be controlled, but it can't be because it is ASCII tunneled. It seems sweeping on all RFC specs, as you partly suggest.
