dnscontrol
INWX: Punycode not supported?
It seems IDN domains are only supported without punycode format at v4.1.1. D("xn--exmple-cua.at", … throws an error at dnscontrol push:
WARNING: Error creating domain: (2302) Object exists. Reason: (Error_DomainAlreadyInDNS) The domain is already in the DNS.
Only D("exämple.at", … works. I think this is not the intended behavior?
/cc @patschi
I've never been using such domains and I actually try to avoid them :D
@TomOnTime Can you confirm that this is expected behavior?
I can see the Punycode() function being called centrally, not provider-specific, here:
https://github.com/StackExchange/dnscontrol/blob/9741d3c5279c5701de49e9e005a4c096fe8a9ab3/pkg/zonerecs/zonerecords.go#L33
https://github.com/StackExchange/dnscontrol/blob/9741d3c5279c5701de49e9e005a4c096fe8a9ab3/commands/previewPush.go#L168
So it should work with all providers the same way?
In theory all providers should handle this the same way. Sadly they are inconsistent.
I think the problem is that we haven't clearly decided how we should handle these domains. Thus it is difficult to decide what the right thing to do should be.
Here's one option:
- dnsconfig.js accepts Unicode names in domains, labels, and targets.
- At the first opportunity, all unicode should be converted to IDN (those xn--redacted sequences)
- After that, all providers should treat everything as IDN.
- Retain the original UTF8 for APIs that expect UTF8
- What should preview/push do? Display both?
I'm not an expert when it comes to encoding, like punycode/unicode or what amplifications it might have.
My high-level thought: As dnscontrol is designed to be managed by users (manually), showing the exämple.at-representation is the better, more user-friendly approach. That's what we could/should use primarily in the dnscontrol code base, and also shown at preview/push accordingly.
Depending on the provider and its API, we might then decide (a new capability flag for it?) if a special processing is needed - like converting to/from punycode before interacting with the API.
> What should preview/push do? Display both?
I'd display what would actually be sent to the API. If the provider doesn't support UTF-8, then show the IDN format. I'm a low level techie and would really want for the diff not to lie to me or give me alternative data, to what actually ends up on the nameservers. Masking this in user representation might lead to harder to debug situations.
> I'd display what would actually be sent to the API. If the provider doesn't support UTF-8, then show the IDN format.
An issue I've run into is when the registrar uses punycode, but the DSP uses the UTF-8. So having dnscontrol be opinionated and change as needed for the API could actually be preferable.
Seems like IDN is completely broken at INWX now? 😟
I know it worked at v4.1.1 with unicode format. Now at v4.6.0 it's broken for both formats:
$ dnscontrol preview --domains xn--schrtter-q4a.co.at
******************** Domain: xn--schrtter-q4a.co.at
WARNING: Zone 'xn--schrtter-q4a.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.
$ dnscontrol preview --domains schrötter.co.at
******************** Domain: schrötter.co.at
WARNING: Zone 'schrötter.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.
But it exists at my INWX account:
/cc @patschi
(Last reply deleted.)
Seems like it's a pure cosmetic issue at preview:
$ dnscontrol version
dnscontrol "4.7.2" ("cbccbbeb8d981bcd688de1ee6ef8efe8df8a56d9") built 04 Dec 23 23:48 CET
$ dnscontrol preview --domains schrötter.co.at --providers inwx
******************** Domain: schrötter.co.at
WARNING: Zone 'schrötter.co.at' does not exist in the 'bind' profile and will be added automatically.
WARNING: Zone 'schrötter.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.
dnscontrol@hsz:~/dnscontrol$ dnscontrol push --domains schrötter.co.at --providers inwx
******************** Domain: schrötter.co.at
Done. 0 corrections.
But it's still an issue to mix providers with different IDN formats. Now my local BIND zone file gets always updated, because it supports only the punycode format. ^^
@patschi It's possible to add a test IDN to your INWX account without buying it! Just go to Nameserver and click at the Add domain button in the top right corner. Now enter something like xn--dnscontrol-exmple-debug-77b.at (dnscontrol-exämple-debug.at). Afaik they will delete zones for non-existing domains after some time, but that's not a real problem for such test scenarios.
DNSControl is an opinionated system. Is there an "opinion" about how IDN domains should be handled that would help?
(I don't own any such domains and have nearly zero experience here)
I would say this RFC covers the "opinions" about how IDN should be handled in applications. https://datatracker.ietf.org/doc/rfc3490/
More about IDN can be found by this author: https://datatracker.ietf.org/person/[email protected]
This discussion is happening on many providers. The global issue is tracked here: https://github.com/StackExchange/dnscontrol/issues/2097
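The normalization option proposed earlier in this thread (compare every name in its IDN form, keep the Unicode form for display and for APIs that expect it), sketched in Python as an added example. This is not dnscontrol's Go code: the function names, the per-provider switch and the sample zone list are constructed for illustration, and the conversion relies on Python's built-in idna codec, which implements RFC 3490.

```python
# Added illustration, not dnscontrol code. Python's built-in "idna" codec
# implements RFC 3490 (IDNA2003), the RFC cited in this thread.

def to_alabel(name):
    """Return the ASCII (xn--) form of a domain, whichever form it arrives in."""
    name = name.rstrip(".").lower()
    # Labels that are already ASCII (including xn-- labels) pass through unchanged.
    return name.encode("idna").decode("ascii")


def to_ulabel(name):
    """Return the Unicode form, for display or for an API that expects UTF-8."""
    return to_alabel(name).encode("ascii").decode("idna")


def naive_exists(configured, provider_zones):
    """String comparison without normalization: the failure mode reported above."""
    return configured in provider_zones


def zone_exists(configured, provider_zones):
    """Compare on the canonical ASCII form so both spellings match."""
    wanted = to_alabel(configured)
    return any(to_alabel(zone) == wanted for zone in provider_zones)


def name_for_api(name, provider_wants_unicode):
    """Hypothetical per-provider switch (the 'capability flag' idea in the thread)."""
    return to_ulabel(name) if provider_wants_unicode else to_alabel(name)


# Constructed sample: a provider whose zone list comes back in Unicode form,
# while the local config spells the same zone in punycode.
PROVIDER_ZONES = ["example.com", "exämple.at"]
CONFIGURED = "xn--exmple-cua.at"

if __name__ == "__main__":
    print("naive match:     ", naive_exists(CONFIGURED, PROVIDER_ZONES))
    print("normalized match:", zone_exists(CONFIGURED, PROVIDER_ZONES))
    print("sent to a punycode-only API:", name_for_api("schrötter.co.at", False))
```

Without normalization the zone looks missing, which leads to a create attempt that the provider rejects because the zone already exists; with it, the two spellings resolve to the same zone.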