| Internet-Draft | IDNA: Registry Restrictions | October 2024 |
| Klensin & Freytag | Expires 7 April 2025 | [Page] |
The IDNA specifications for internationalized domain names combine rules that determine the labels that are allowed in the DNS without violating the protocol itself and an assignment of responsibility, consistent with earlier specifications, for determining the labels that are allowed in particular zones. Conformance to IDNA by registries and other implementations requires both parts. Experience strongly suggests that the language describing those responsibilities was insufficiently clear to promote safe and interoperable use of the specifications and that more details and discussion of circumstances would have been helpful. Without making any substantive changes to IDNA, this specification updates two of the core IDNA documents (RFCs 5890 and 5891) and the IDNA explanatory document (RFC 5894) to provide that guidance and to correct some technical errors in the descriptions.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 7 April 2025.¶
Copyright (c) 2024 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Revised BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Revised BSD License.¶
Parts of the specifications for Internationalized Domain Names in Applications (IDNA) [RFC5890] [RFC5891] [RFC5894] (collectively known, along with RFC 5892 [RFC5892], RFC 5893 [RFC5893] and updates to them, as "IDNA2008" or just "IDNA") impose a requirement that domain name system (DNS) registries restrict the characters they allow in domain name labels (see Section 2 below), and the contents and structure of those labels. That requirement and restriction are consistent with the "duty to serve the community" described in the original specification for DNS naming and authority [RFC1591]. The restrictions are intended to protect against security problems and confusion about and between names by limiting the permitted characters and strings to those for which the registries or their advisers have a thorough understanding and for which they are willing to take responsibility.¶
That provision is centrally important because it recognized that historical relationships and variations among scripts and writing systems, the continuing evolution of those systems, differences in the uses of characters among languages (and locations) that use the same script, and so on make it impossible to generate a guideline consisting of a single list of characters and/or simple rules that would provide a completely adequate guideline with the character of "if we use these rules, we will be safe from confusion and attacks".¶
The algorithm and rules of RFCs 5891 and 5892 eliminate many of the most dangerous and otherwise problematic cases, but they cannot eliminate the need for registries and registrars to take additional steps to mitigate security risks and confusion by suitably restricting the repertoire and structure of labels they permit. This, in turn, requires that they or their advisers have a thorough understanding of the issues associated with for a given set of characters or writing system, that they understand what they are doing and that they take responsibility for the decisions that are made.¶
The way in which the IDNA2008 specifications expressed these requirements may have underemphasized the intention that they actually be treated as requirements. Section 2.3.2.3 of the Definitions document [RFC5890] mentions the need for the restrictions, indicates that they are mandatory, and points the reader to section 4.3 of the Protocol document [RFC5891]. That document, in turn, points to Section 3.2 of the Rationale document [RFC5894], with each document providing further detail, discussion, and clarification.¶
At the same time, the Internet has evolved significantly since the management assumptions for the DNS were established with RFC 1591 and earlier. In particular, the management and use of domain names have gone through several transformations. Recounting of those changes is beyond the scope of this document but one of them has had significant practical impact on the degree to which the requirement for registry knowledge and responsibility is observed in practice. When RFC 1591 was written, the assumption was that domains at all levels of the DNS would be operated in the best interest of the registrants in the domain and of the Internet as a whole. There were no notions about domains being operated as a profitable service, much less with a business model that made them more profitable the more names that could be registered (or even, under some circumstances, reserved and not registered). At the time RFC 1591 was written, there was also no notion that domains would be considered more successful based on the number of names registered and delegated from them. While rarely reflected in the DNS protocols, the distinction between domains operated primarily as a revenue source for the organizations operating the registry and ones that are operated for, e.g., use within an enterprise or otherwise as a service, have become very important today. See Section 4 for a discussion on how those issues affect this specification.¶
This specification is intended to unify and clarify these requirements for registry decisions and responsibility and to emphasize the importance of registry restrictions at all levels of the DNS. It also makes a specific recommendation for character repertoire subsetting that is intermediate between the code points allowed by RFCs 5891 and 5892 and those allowed by individual registries. It does not alter the basic IDNA2008 protocols and rules themselves in any way.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [RFC2119] and RFC 8174 [RFC8174].¶
As mentioned above, IDNA2008 specifies that the registries for each zone in the DNS that supports IDN labels are required to develop and apply their own rules to restrict the allowable labels, including limiting characters they allow to be used in labels in that zone. The chosen list MUST be a subset of the collection of code points specified as "PVALID", "CONTEXTJ", and "CONTEXTO" by the rules established by the protocols themselves. Labels containing any characters from the two CONTEXT categories or any characters that are normally part of a script written right to left [RFC5893] require that additional rules, specified in the protocols and known as "contextual rules" and "bidi rules", be applied. The entire collection of rules and restrictions required by the IDNA2008 protocols themselves are known as "protocol restrictions".¶
Registries may apply (and generally are required to apply) additional rules to further restrict the list of permitted code points, contextual rules (perhaps applied to normally PVALID code points) that apply additional restrictions, and/or restrictions on labels as distinct from code points. In particular, safe and secure use of any of a large number of widely-used scripts or writing systems require the addition of contextual rules that go beyond the very limited restrictions implemented in by "CONTEXTJ" and "CONTEXTO" at the protocol level, but which are otherwise functionally equivalent in that they constitute limitations on where allowable code points may be placed in a label.¶
In contrast, protocol restrictions are by necessity somewhat generic, having to cater both to the union of the needs for all zones and to the fact that some zones are naturally more permissive than others. That must be done without negative impact on the DNS.¶
Other restrictions that are necessary, perhaps obviously so, include provisions for restricting suggested new registrations based on conflicts with labels already registered in the zone, so as to avoid homograph attacks [Gabrilovich2002] and other issues. The specifications of what constitutes such conflicts, as well as the definition of "conflict" based on the properties of the labels in question, is the responsibility of each registry. They further include prohibitions on code points and labels that are not consistent with the intended function of the zone, the subtree in which the zone is embedded (see Section 3), and consequent differences in the stringency of security-related measures.¶
These per-registry (or per-zone) rules are commonly known as "registry restrictions" to distinguish them from the protocol restrictions described above. Such registry restrictions are essential to provide for the necessary security in the face of the tremendous variations and differences in writing systems and their ongoing evolution and development, as well as the human ability to recognize and distinguish characters in different scripts around the world and under different circumstances.¶
The algorithm and rules of RFCs 5891 and 5892 determine the set of code points that are possible for inclusion in domain name labels; registries MUST NOT permit code points in labels unless they are part of that set. In addition, labels MUST NOT contain code points in positions where they violate the "CONTEXTJ" or "CONTEXTO" rules or other restrictions defined in the protocol. Labels that contain code points that are normally written from right to left MUST also conform to the requirements of RFC 5893. Each registry that intends to allow IDN registrations MUST then determine the strict subset of that set of code points that will be allowed by that registry. It SHOULD also consider additional rules, including contextual and whole label restrictions that provide further protection for registrants and users. For example, the widely-used principle that bars labels containing characters from more than one script is not an IDNA2008 requirement. It has been adopted by many registries but there may be circumstances in which that limitation is not required or not appropriate.¶
In formulating their own rules, registries should normally consult carefully developed consensus recommendations about maximum repertoires to be used for each script. The important example for the root zone is the ICANN Maximal Starting Repertoire 5 (MSR-5) for the Development of Label Generation Rules for the Root Zone [ICANN-MSR5] (or its successor documents). The RFC Series includes specific recommendations about particular scripts or languages, including RFCs for Cyrillic [RFC5992], Arabic Language [RFC5564]. Additional recommendations for script-based repertoires based on the approved ICANN Root Zone Label Generation Rules (LGR-5) [ICANN-RZLGR-5] (or its successor documents) are discussed in Section 6 below. Many of these recommendations, most of which are focused on a repertoire of characters in actual wide-spread common everyday use, also cover rules about relationships among code points that may be particularly important for complex scripts. They also interact with recommendations about how labels that appear to be the same should be handled.¶
It is the responsibility of the registry to determine which, if any, of those recommendations are applicable and to further subset or extend them as needed. For example, several of the recommendations are designed for the root zone and therefore exclude digits and U+002D HYPHEN-MINUS; this restriction is not generally appropriate for other zones. On the other hand, some zones may be designed to not cater for all users of a given script, but perhaps only for the needs of selected languages, in which case a more selective repertoire may be appropriate.¶
In making these determinations, a registry SHOULD follow the IAB guidance in RFC 6912 [RFC6912]. Those guidelines include a number of principles for use in making decisions about allowable code points. In addition, that document notes that the closer a particular zone is to the root, the more restrictive the space of permitted labels should be. RFC 5894 provides some suggestions for any registry that may decide to reduce opportunities for confusion or attacks by constructing policies that disallow characters used in historic writing systems (whether these be archaic scripts or extensions of modern scripts for historic or obsolete orthographies) or characters whose use is restricted to specialized, or highly technical contexts. These suggestions were among the principles guiding the design of ICANN's Maximal Starting Repertoires (MSR) [LGR-Procedure]. ICANN has continued that work into development of a set of suggested prototype Label Generation Rules (LGRs) for the second level (and, presumably, for consideration for zones at additional levels). That work has not been reviewed by the IETF and is not part of the set of IDNA Standards that this document updates. The ICANN work in this area is ongoing and it, and the context and methods involved, are described in a separate document [LGR-forward-reference].¶
A registry decision to allow only those code points in the full repertoire of the MSR (plus digits and hyphen) would already avoid a number of issues inherent in a more permissive policy such as "use anything permitted by IDNA2008", while still supporting the native languages and scripts for the vast majority of users today. However, it is unlikely, by itself, to fully satisfy the mandate set out above for three reasons.¶
It was recognized that many scripts require contextual rules for many more code points than are covered by CONTEXTO or CONTEXTJ rules defined in IDNA2008. This is particularly true for combining marks that are typically used to encode diacritics, tone marks, vowel signs and the like. While, theoretically, any combining mark may occur in any context in Unicode, in practice rendering and other software that users rely on in viewing or entering labels will not support arbitrary combining sequences, or indeed arbitrary combinations of code points, in the case of complex scripts.¶
Contextual rules are needed in order to limit allowable code point sequences to those that can be expected to be rendered reliably. Identifying those requires knowledge about the way code points are used in a script, whence the mandate for registries to only support code points they understand. In this, some of the other recommendations, such as the Informational RFCs for specific scripts (e.g., Cyrillic [RFC5992]) or languages (e.g., Arabic [RFC5564] or Chinese [RFC4713]), or the Root Zone LGRs and other LGRs developed by ICANN, may provide useful guidance.¶
Registries choosing to make exceptions -- allow code points that the recommendations mentioned above and/or discussed in the descriptions of the ICANN efforts [LGR-forward-reference] -- should make such decisions only with great care and only if they have considerable understanding of, and great confidence in, their appropriateness. The obvious exception from the MSR would be to allow digits and the hyphen. Neither were allowed by the MSR, but only because they are not allowed in the Root Zone.¶
Nothing in this document permits a registry to allow code points or labels that are disallowed or otherwise prohibited by IDNA2008. Conversely, nothing in this document should be construed as changing what is permissible under IDNA 2008.¶
As discussed in the Introduction (Section 1), the distributed administrative structure of the DNS today can be described by dividing zones into two categories depending on how they are administered and for whom. These categories are not precise -- some zones may not fall neatly into one category or the other -- but are useful in understanding the practical applicability of this specification. They are:¶
Rules requiring strict registry responsibility, including either thorough understanding of scripts and related issues in domain name labels being considered for registration or local naming rules that have the same effect, typically come naturally to registries for zones of the first type. Registration of labels that would prove problematic for any reason hurts the relevant organization or enterprise or its customers or users within the relevant country and more broadly. More generally, there are strong incentives to be extremely conservative about labels that might be registered and few, if any, incentives favoring adventures into labels that might be considered clever, much less ones that are hard to type, render, or, where it is relevant to users, remember correctly.¶
By contrast, in a zone in which the revenues are derived exclusively, or almost exclusively, from selling or reserving (including "blocking") as many names as possible, there may be perceived incentives to register whatever names would-be registrants "want" or fears that any restrictions will cut into the available namespace. In such situations, restrictions are unlikely to be applied unless they meet at least one of two criteria: (i) they are easy to apply and can be applied algorithmically or otherwise automatically and/or (ii) there is clear evidence that the particular label would cause harm.¶
As suggested above, the two categories above are not precise. In particular, there may be domains that, despite being set up to operate to produce revenue above actual costs, are sufficiently conservative about their operations to more closely resemble the first group in practice than the second one.¶
The requirement of IDNA that is discussed at length elsewhere in this specification stands: IDNA (and IDNs generally) would work better and Internet users would be better protected and more secure if registries and registrars (of any type) confined their registrations to scripts and code point sequences that they understood thoroughly. While the IETF rarely gives advice to those who choose to violate IETF Standards, some advice to zones in the second category above may be in order. That advice is that significant conservatism in what is allowed to be registered, even for reservation purposes, and even more conservatism about what labels are actually entered into zones and delegated, is the best option for the Internet and its users. If practical considerations do not allow that much conservatism, then it is desirable to consult and utilize the many lists and tables that have been, and continue to be, developed to advise on what might be sensible for particular scripts and languages. Some of those lists, tables, and recommendations are described in Section 6 below.¶
After the initial IDNA2008 documents were published (and RFC 5892 was updated for Unicode 6.0 by RFC 6452 [RFC6452] and for Unicode 12.0 RFC 9233 [RFC9233]) several errors or instances of confusing text were noted. For the convenience of the community, the relevant corrections for RFCs 5890 and 5891 are noted below and update the corresponding documents. There are no errata for RFC 5893 or 5894 as of the date this document was published. Because further updates to RFC 5892 would require addressing other pending issues, the outstanding erratum for that document is not considered here. For consistency with the original documents, references to Unicode 5.0 are preserved in this document.¶
All but one of the outstanding errata against RFC 5890 (Errata IDs 4695, 4696, 4823, 4824, and 5484 [RFC-Editor-5890Errata]) are associated with the same issue, the number of Unicode characters that can be associated with a maximum-length (63 octet) A-label. In retrospect and contrary to some of the suggestions in the errata, that value should not be expressed in octets because RFC 5890 and the other IDNA 2008 documents are otherwise careful to not specify Unicode encoding forms but, instead, work exclusively with Unicode code points. Consequently, the relevant material in RFC 5890 should be corrected as follows:¶
Errata ID 7291 identifies RFC 5890 as updating RFC 4343. The RFC Editor's metadata has been updated to make that correction. Readers of RFC 5890 should note the correction and any replacement for RFC 5890 should address it as appropriate.¶
There is only one outstanding erratum for RFC 5891, Errata ID 3969 [RFC5891Erratum] on improving the reference for combining marks. Combining marks are explained in the cited section, but not, as the text indicates, exactly defined.¶
As discussed in IAB recommendations about internationalized domain names [RFC4690], [RFC6912], and elsewhere, poor choices of strings for DNS labels can lead to opportunities for attacks, user confusion, and other issues less directly related to security. This document clarifies the importance of registries carefully establishing design policies for the labels they will allow and that having such policies and taking responsibility for them is a requirement, not an option. If that clarification is useful in practice, the result should be an improvement in security.¶
Many thanks to Patrik Faltstrom who provided an important review on the initial version, to Jaap Akkerhuis, Don Eastlake, Barry Leiba, John Levine, and Alessandro Vesely who did reviews that improved the text and to Pete Resnick who acted as document shepherd and did an additional careful review of the 2020 version of this specification.¶
Thanks also to Murray Kucherawy and Orie Steele who managed to get it moving again in 2024 after an extended delay after the initial IETF Last Call was completed in August 2019 without problems being identified by the community.¶
RFC Editor: Please remove this section before publication.¶
This memo includes no requests to or actions for IANA. In particular, it does not contain any provisions that would alter any IDNA-related registries or tables.¶
RFC Editor: Please remove this appendix before publication.¶
After a pause of nearly 34 months due to inability to get this draft processed, including nearly a year waiting for a new directorate to actually do anything of substance about fundamental IDNA issues, the -02 version was posted in the hope of getting a new start. Specific changes include:¶
Other than some small editorial adjustments, these changes made after, and reflect, IESG post-last-call review and comments. To the extent it was possible to do so without making this document inconsistent with the other IDNA documents, established IETF, Unicode, and ICANN community i18n terminology, or well-established IDNA or i18n practices, the first author believes that the document responds to all previously-outstanding IESG substantive comments.¶