INWX: Punycode not supported? #2450

Open
killerbees19 opened this issue Jun 20, 2023 · 10 comments

@killerbees19
Contributor

killerbees19 commented Jun 20, 2023

It seems IDN domains are only supported without punycode format at v4.1.1.

D("xn--exmple-cua.at", … throws an error at dnscontrol push:

WARNING: Error creating domain: (2302) Object exists. Reason: (Error_DomainAlreadyInDNS) The domain is already in the DNS.

Only D("exämple.at", … works. I think this is not the intended behavior?

/cc @patschi

@patschi
Contributor

patschi commented Jun 21, 2023

I've never used such domains and I actually try to avoid them :D

@TomOnTime Can you confirm that this is expected behavior?

I can see the Punycode() function being called centrally, not provider-specific, here:

err = domain.Punycode()

So it should work with all providers the same way?

@TomOnTime
Collaborator

In theory all providers should handle this the same way. Sadly they are inconsistent.

I think the problem is that we haven't clearly decided how we should handle these domains. Thus it is difficult to decide what the right thing to do should be.

Here's one option:

  • dnsconfig.js accepts Unicode names in domains, labels, and targets.
  • At the first opportunity, all Unicode should be converted to IDN (those xn--redacted sequences)
  • After that, all providers should treat everything as IDN.
  • Retain the original UTF8 for APIs that expect UTF8
  • What should preview/push do? Display both?

@patschi
Contributor

patschi commented Jun 21, 2023

I'm not an expert when it comes to encoding, like punycode/unicode or what amplifications it might have.

My high-level thought: As dnscontrol is designed to be managed by users (manually), showing the exämple.at-representation is the better, more user-friendly approach. That's what we could/should use primarily in the dnscontrol code base, and also shown at preview/push accordingly.

Depending on the provider and its API, we might then decide (a new capability flag for it?) if special processing is needed - like converting to/from punycode before interacting with the API.

@kordianbruck
Contributor

> What should preview/push do? Display both?

I'd display what would actually be sent to the API. If the provider doesn't support UTF-8, then show the IDN format. I'm a low-level techie and would really want the diff not to lie to me or give me alternative data to what actually ends up on the nameservers. Masking this in the user representation might lead to harder-to-debug situations.

@adamus1red

> I'd display what would actually be sent to the API. If the provider doesn't support UTF-8, then show the IDN format.

An issue I've run into is when the registrar uses punycode, but the DSP uses UTF-8. So having dnscontrol be opinionated and change as needed for the API could actually be preferable.

@killerbees19
Contributor Author

killerbees19 commented Nov 15, 2023

Seems like IDN is completely broken at INWX now? 😟

I know it worked at v4.1.1 with unicode format. Now at v4.6.0 it's broken for both formats:

$ dnscontrol preview --domains xn--schrtter-q4a.co.at
******************** Domain: xn--schrtter-q4a.co.at
WARNING: Zone 'xn--schrtter-q4a.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.
$ dnscontrol preview --domains schrötter.co.at       
******************** Domain: schrötter.co.at
WARNING: Zone 'schrötter.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.

But it exists at my INWX account:

[Screenshot 2023-11-15 at 06-13-37: Nameserver]

/cc @patschi

@killerbees19
Contributor Author

killerbees19 commented Dec 6, 2023

(Last reply deleted.)

Seems like it's a pure cosmetic issue at preview:

$ dnscontrol version
dnscontrol "4.7.2" ("cbccbbeb8d981bcd688de1ee6ef8efe8df8a56d9") built 04 Dec 23 23:48 CET

$ dnscontrol preview --domains schrötter.co.at --providers inwx
******************** Domain: schrötter.co.at
WARNING: Zone 'schrötter.co.at' does not exist in the 'bind' profile and will be added automatically.
WARNING: Zone 'schrötter.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.

dnscontrol@hsz:~/dnscontrol$ dnscontrol push --domains schrötter.co.at --providers inwx
******************** Domain: schrötter.co.at
Done. 0 corrections.

But it's still an issue to mix providers with different IDN formats. Now my local BIND zone file always gets updated, because it supports only the punycode format. ^^

@patschi It's possible to add a test IDN to your INWX account without buying it! Just go to Nameserver and click on the Add domain button in the top right corner. Now enter something like xn--dnscontrol-exmple-debug-77b.at (dnscontrol-exämple-debug.at). AFAIK they will delete zones for non-existing domains after some time, but that's not a real problem for such test scenarios.
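
The normalization option listed earlier in the thread (convert to the xn-- form at the first opportunity, compare only that form, keep the UTF-8 spelling for APIs that expect it) and the mixed-provider case in the comment above can be sketched as follows. This is an added example, not DNSControl code: it uses Python's built-in `idna` codec (IDNA 2003, RFC 3490), and `ZoneName`, `normalize`, `find_zone` and the two provider zone lists are constructed for illustration.

```python
"""Added illustration, not DNSControl code: one canonical key per IDN zone."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneName:
    a_label: str  # "xn--..." form, used for every comparison
    u_label: str  # UTF-8 form, kept for APIs or output that want Unicode


def normalize(name: str) -> ZoneName:
    """Accept either spelling of a domain and return both forms.

    The "idna" codec implements IDNA 2003 (RFC 3490). IDNA 2008 maps a
    few characters differently (for example "ß"), so treat this as a sketch.
    """
    name = name.rstrip(".")
    # ASCII labels pass through the codec unchanged, so lowercase afterwards.
    a_label = name.encode("idna").decode("ascii").lower()
    u_label = a_label.encode("ascii").decode("idna")
    return ZoneName(a_label=a_label, u_label=u_label)


def find_zone(wanted: str, provider_zones: list[str]) -> str | None:
    """Return the provider's own spelling of `wanted`, or None if absent."""
    key = normalize(wanted).a_label
    for zone in provider_zones:
        if normalize(zone).a_label == key:
            return zone
    return None


# Constructed sample data: zone lists as two hypothetical provider APIs
# might return them, one in UTF-8 and one in punycode.
UTF8_PROVIDER = ["example.at", "schrötter.co.at"]
PUNYCODE_PROVIDER = ["example.at", "xn--schrtter-q4a.co.at"]

if __name__ == "__main__":
    for wanted in ("schrötter.co.at", "xn--schrtter-q4a.co.at"):
        for zones in (UTF8_PROVIDER, PUNYCODE_PROVIDER):
            naive = wanted in zones  # plain string match, spelling-sensitive
            found = find_zone(wanted, zones)
            print(f"{wanted!r:28} naive={naive!s:5} normalized={found!r}")
```

The plain string match succeeds only when the configuration and the provider happen to use the same spelling; the normalized lookup finds the zone in all four combinations and still returns the provider's own spelling for the API call.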

@TomOnTime
Collaborator

DNSControl is an opinionated system. Is there an "opinion" about how IDN domains should be handled that would help?

(I don't own any such domains and have nearly zero experience here)

@dkim1970
Contributor

dkim1970 commented Dec 9, 2023

I would say this RFC covers the "opinions" about how IDN should be handled in applications.
https://datatracker.ietf.org/doc/rfc3490/

More about IDN can be found by this author: https://datatracker.ietf.org/person/paf@paftech.se

@tlimoncelli
Contributor

This discussion is happening on many providers. The global issue is tracked here: #2097
