Description of problem:
BIND only supports IDNA 2003 but not IDNA 2008 as it seems:

$ host -t A straße.de
strasse.de has address 72.52.4.90
$

Uhm? Okay, let's have a look:

$ idn straße.de
strasse.de
$

$ host -t A strasse.de
strasse.de has address 72.52.4.90
$

But using IDNA 2008:

$ idn2 straße.de
xn--strae-oqa.de
$

$ host -t A xn--strae-oqa.de
xn--strae-oqa.de has address 109.234.109.21
xn--strae-oqa.de has address 109.234.109.20
xn--strae-oqa.de has address 213.128.138.236
$

Version-Release number of selected component (if applicable):
bind-9.9.5-3.fc21

How reproducible:
Every time, see above and below.

Actual results:
$ host -t A straße.de
strasse.de has address 72.52.4.90
$

Expected results:
$ host -t A straße.de
xn--strae-oqa.de has address 109.234.109.21
xn--strae-oqa.de has address 109.234.109.20
xn--strae-oqa.de has address 213.128.138.236
$

Additional info:
Why was IDNA 2003 rather than 2008 implemented? Did I overlook something?
See also: http://www.icann.org/en/resources/idn/idn-guidelines-02sep11-en.htm
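The divergence shown in the report above, as an added example that is not part of the original report or of BIND: the same typed name becomes two different wire names, and so can reach different hosts, depending on which IDNA version the client uses. It assumes Python's built-in `idna` codec for IDNA2003 and a simplified IDNA2008-style encoder written for this example; the function names and the sample list are constructed.

```python
import unicodedata


def to_ascii_2003(name: str) -> str:
    """IDNA2003 ToASCII via Python's built-in 'idna' codec (nameprep maps ß to ss)."""
    return name.encode("idna").decode("ascii")


def to_ascii_2008_simplified(name: str) -> str:
    """Simplified IDNA2008-style ToASCII: NFC and lowercase, then Punycode per label.

    Assumption: none of the RFC 5892 validity checks (Bidi, CONTEXTJ, disallowed
    code points) are performed; this only shows that ß is kept, not mapped.
    """
    labels = []
    for label in unicodedata.normalize("NFC", name).lower().split("."):
        if label.isascii():
            labels.append(label)
        else:
            labels.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(labels)


def divergent(names):
    """Return (name, idna2003, idna2008) for names whose two encodings differ."""
    out = []
    for name in names:
        old, new = to_ascii_2003(name), to_ascii_2008_simplified(name)
        if old != new:
            out.append((name, old, new))
    return out


# Constructed sample input: two names containing ß, two plain ASCII names.
SAMPLE = ["straße.de", "strasse.de", "faß.de", "example.com"]

if __name__ == "__main__":
    for name, old, new in divergent(SAMPLE):
        print(f"{name}: IDNA2003 -> {old}   IDNA2008 -> {new}")
```

Running a list of names from logs, allow-lists or certificates through `divergent` shows which entries are interpreted differently by libidn-based and libidn2-based tools.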
Hi. Thank you for the report. The reason is mostly that nobody complained about BIND not using IDNA2008 before.
Tomas, thank you for the feedback. I am of course also happy to support/test things not only to complain :) So please let me know if I can support things.
(In reply to Robert Scheck from comment #2)
> Tomas, thank you for the feedback. I am of course also happy to support/test
> things not only to complain :) So please let me know if I can support things.

No problem. I just found out that the IDN support using libidn is hard-coded in BIND, so it will take some time. But I'll let you know and update the bug status once I finish.

I see that you are the owner of libidn(2). Do you track the packages still using libidn instead of libidn2? Maybe it would be useful to migrate all packages (if it makes sense) to the newer IDNA2008. For example I also own wget and it still uses libidn. Maybe you could submit a Fedora Feature for that... Just a thought :)
I meanwhile did some analysis which raises new issues as it seems: libidn was integrated into the GLIBC, however libidn2 not. Thus just replacing at all places libidn by libidn2 in regular userland doesn't seem to solve it completely. Additionally it seems like libidn has IDN -> ACE and ACE -> IDN - while libidn2 has only IDN -> ACE - at least if I am not mistaken. This could be a show-stopper for e-mail clients (where ACE -> IDN is required, everybody wants to see the shiny fancy IDN domain for received e-mails, I guess). As it is also affecting e.g. reverse DNS (you could put an IDN domain to PTR), I need to discuss that with libidn2 upstream. I remember I talked to Simon Josefsson face to face some years ago about that but I do not really recall the result anymore :-(
I see. Well, in the worst case scenario libidn would have to be used for ACE -> IDN conversion. However I don't know how this would work. Since the use of libidn is Fedora specific, I asked ISC if they would be willing to incorporate the functionality into BIND and make it a compile-time option. Hope they will not be against it. I would solve two issues with this!

For the record, the Feature request is: [ISC-Bugs #36101] IDN support in host/dig/nslookup using GNU libidn(2)
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Created attachment 1076263
patch #1 sent to upstream reworking the IDN code and adding support for libidn

Thanks to Jakub Luzny for helping me with this!
Created attachment 1076264
patch #2 sent to upstream adding support for libidn2

Thanks to Jakub Luzny for helping me with this!
Just a small note for Robert. Unfortunately the libidn2 does not support translation from punycode to Unicode. This is a showstopper for having this by default in Fedora. However we will at least try to get the support to upstream, so you can compile your own version if you need to. Sorry for that.
Moving to POST to reflect that the changes are pending upstream acceptance.
This bug was accidentally moved from POST to MODIFIED via an error in automation, please see mmccune with any questions
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
If I got Nikos Mavrogiannopoulos right, the issue raised in comment #4 and comment #10 (lack of translation from punycode to unicode) should be addressed with future libidn2 versions which are even API compatible to libidn (did not verify or test this myself yet).
*** Bug 1449151 has been marked as a duplicate of this bug. ***
Hi,
Not sure what is the upstream status, but as the parent bug mentions all the deficiencies of libidn2 (punycode->ACE missing) have been addressed in Fedora. It is now even possible to switch a libidn application to libidn2 by changing the header idna.h -> idn2.h.
Created attachment 1312153
Modified libidn2 patch for bind master

Removes iconv usage, translates directly into ACE names. Fixes tests/system/nslookup
Thanks. Looks good to me.
Since BIND bugs are now open to the public, a link to the bug is available: https://bugs.isc.org/Public/Bug/Display.html?id=36101
(In reply to Petr Menšík from comment #20)
> Created attachment 1312153
> Modified libidn2 patch for bind master
>
> Removes iconv usage, translates directly into ACE names. Fixes
> tests/system/nslookup

Did you post this rebased patch to the upstream?
Thanks for posting the link. Note however that the following text from the bug report:

> As noted before, the behavior with libidn2 is expected, since libidn2 does not support translation from punycode to Unicode.

is not accurate. Since libidn2 2.0.0, it supports translation from punycode to unicode (with exactly the same API as libidn).
Created attachment 1314258
Improved libidn2 for bind master

Fixed a few issues with previous patch. Better auto detection for older libidn2, turning off +idnout for old versions. This patch was actually sent to upstream. Reports also decoding failures directly on console. Add option to turn off idn decoding by +noidnin parameter, removes previous IDN_DISABLE environment variable support.
Does attachment #1314258 handle both ways like comment #25 mentions?
I haven't done any testing but going through it, it looks very good, and does many simplifications. I'd drop completely the libidn support (who needs IDNA2003 today), but I guess that's up to upstream to decide.
You are right, no other communication was made. I made another request [ISC-Bugs #46788]. I am afraid it will not be part of upcoming 9.12 release.
Created upstream merge request at gitlab [1]. It requires some tests for verifying implementation is not broken. Have you any good examples that should be tested as part of dig? Read discussion on gitlab for more.

[1] https://gitlab.isc.org/isc-projects/bind9/merge_requests/56/diffs
Followed up there with a potential test suite.
Merge request was accepted upstream, patch in Fedora package replaces old libidn support with libidn2 support.
bind-9.11.3-4.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-c92d7a2d4e
bind-9.11.3-4.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-c92d7a2d4e
bind-dyndb-ldap-11.1-10.fc27 dnsperf-2.1.0.0-14.fc27 bind-9.11.3-2.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-0b6bcf4f5b
bind-9.11.3-2.fc27, bind-dyndb-ldap-11.1-10.fc27, dnsperf-2.1.0.0-14.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-0b6bcf4f5b
bind-9.11.3-2.fc27, bind-dyndb-ldap-11.1-10.fc27, dnsperf-2.1.0.0-14.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.11.3-4.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Actually I think this is now broken for the above usecase. Looks like a simple dependency update was missed in the spec when the patch landed: -BuildRequires: libidn-devel, libxml2-devel, GeoIP-devel +BuildRequires: libidn2-devel, libxml2-devel, GeoIP-devel A "rpm -qR bind-utils" against bind-utils-9.11.3-4.fc28 shows no idn (libidn or libidn2) dependencies at all. Petr I think this was just an oversight?
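Review bot: The BuildRequires swap from libidn-devel to libidn2-devel only makes the libidn2 headers available in the build root; nothing in the visible lines shows the build being told to use them, so this one-line change may not be enough on its own to restore IDN support in bind-utils. Suggest pairing it with a post-build check that `rpm -qR bind-utils` lists a libidn2 dependency, since the comment reports that bind-utils-9.11.3-4.fc28 currently shows none, and running the same query on the other bind subpackages to confirm the dependency lands only where it is wanted.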
Sure, I forgot enabling libidn2 correctly in spec, used patch is insufficient. Fixing it and disabling again +idnout translation by default to keep backward compatibility.
bind-9.11.3-5.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4206a8c61
bind-9.11.3-3.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-8276446105
bind-9.11.3-3.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-8276446105
bind-9.11.3-5.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-d4206a8c61
Found another issue with IDN. Libidn2 is not intentionally propagated to exported libraries including libisc, that are reported by isc-config.sh --libs isc. Fix pending on https://gitlab.isc.org/isc-projects/bind9/merge_requests/170
bind-9.11.3-5.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
Reopening, all bind subpackages got linked to libidn2, which it should not.

echo libs-lite: && rpm -q --requires bind-libs-lite | grep libidn2
libidn2.so.0()(64bit)

but should be empty.
bind-9.11.3-4.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-9bec30fe9a
bind-9.11.3-6.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e22373ab30
bind-9.11.3-3.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.11.3-4.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-9bec30fe9a
bind-9.11.3-6.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e22373ab30
bind-9.11.3-6.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.
bind-9.11.3-4.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.