StackExchange / dnscontrol

Infrastructure as code for DNS!
https://dnscontrol.org/
MIT License

INWX: Punycode not supported? #2450

Open killerbees19 opened 1 year ago

killerbees19 commented 1 year ago

It seems IDN domains are only supported without punycode format at v4.1.1.

D("xn--exmple-cua.at", … throws an error at dnscontrol push:

WARNING: Error creating domain: (2302) Object exists. Reason: (Error_DomainAlreadyInDNS) The domain is already in the DNS.

Only D("exämple.at", … works. I think this is not the intended behavior?

/cc @patschi

patschi commented 1 year ago

I've never used such domains and I actually try to avoid them :D

@TomOnTime Can you confirm that this is expected behavior?

I can see the Punycode() function being called centrally, not provider-specific, here:

https://github.com/StackExchange/dnscontrol/blob/9741d3c5279c5701de49e9e005a4c096fe8a9ab3/pkg/zonerecs/zonerecords.go#L33

https://github.com/StackExchange/dnscontrol/blob/9741d3c5279c5701de49e9e005a4c096fe8a9ab3/commands/previewPush.go#L168

So it should work with all providers the same way?

TomOnTime commented 1 year ago

In theory all providers should handle this the same way. Sadly they are inconsistent.

I think the problem is that we haven't clearly decided how we should handle these domains. Thus it is difficult to decide what the right thing to do should be.

Here's one option:

patschi commented 1 year ago

I'm not an expert when it comes to encoding, like punycode/unicode or what amplifications it might have.

My high-level thought: As dnscontrol is designed to be managed by users (manually), showing the exämple.at-representation is the better, more user-friendly approach. That's what we could/should use primarily in the dnscontrol code base, and also shown at preview/push accordingly.

Depending on the provider and its API, we might then decide (a new capability flag for it?) if special processing is needed - like converting to/from punycode before interacting with the API.

kordianbruck commented 1 year ago

What should preview/push do? Display both?

I'd display what would actually be sent to the API. If the provider doesn't support UTF-8, then show the IDN format. I'm a low-level techie and would really want the diff not to lie to me or give me alternative data to what actually ends up on the nameservers. Masking this in the user representation might lead to harder-to-debug situations.

adamus1red commented 1 year ago

I'd display what would actually be sent to the API. If the provider doesn't support UTF-8, then show the IDN format.

An issue I've run into is when the registrar uses punycode, but the DSP uses UTF-8. So having dnscontrol be opinionated and change as needed for the API could actually be preferable.

killerbees19 commented 9 months ago

Seems like IDN is completely broken at INWX now? 😟

I know it worked at v4.1.1 with unicode format. Now at v4.6.0 it's broken for both formats:

$ dnscontrol preview --domains xn--schrtter-q4a.co.at
******************** Domain: xn--schrtter-q4a.co.at
WARNING: Zone 'xn--schrtter-q4a.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.
$ dnscontrol preview --domains schrötter.co.at       
******************** Domain: schrötter.co.at
WARNING: Zone 'schrötter.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.

But it exists at my INWX account:

[Screenshot 2023-11-15: Nameserver]

/cc @patschi

killerbees19 commented 9 months ago

(Last reply deleted.)

Seems like it's a pure cosmetic issue at preview:

$ dnscontrol version
dnscontrol "4.7.2" ("cbccbbeb8d981bcd688de1ee6ef8efe8df8a56d9") built 04 Dec 23 23:48 CET

$ dnscontrol preview --domains schrötter.co.at --providers inwx
******************** Domain: schrötter.co.at
WARNING: Zone 'schrötter.co.at' does not exist in the 'bind' profile and will be added automatically.
WARNING: Zone 'schrötter.co.at' does not exist in the 'inwx' profile and will be added automatically.
Done. 0 corrections.

dnscontrol@hsz:~/dnscontrol$ dnscontrol push --domains schrötter.co.at --providers inwx
******************** Domain: schrötter.co.at
Done. 0 corrections.

But it's still an issue to mix providers with different IDN formats. Now my local BIND zone file always gets updated, because it supports only the punycode format. ^^

@patschi It's possible to add a test IDN to your INWX account without buying it! Just go to Nameserver and click the Add domain button in the top right corner. Now enter something like xn--dnscontrol-exmple-debug-77b.at (dnscontrol-exämple-debug.at). Afaik they will delete zones for non-existing domains after some time, but that's not a real problem for such test scenarios.
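
The mixed-format mismatch discussed in this thread (one side writing schrötter.co.at, the other xn--schrtter-q4a.co.at), as an added Python example that is not part of the thread or of dnscontrol's code: both names are converted to the RFC 3490 ToASCII form with Python's built-in idna codec before they are compared. The two provider zone lists and all function names are constructed for illustration.

```python
"""Match a configured zone name against a provider's zone list regardless of
whether either side is written as U-labels (exämple.at) or A-labels (xn--...)."""

# Constructed sample data: two hypothetical provider zone listings, one that
# reports Unicode names and one that reports Punycode names.
UNICODE_PROVIDER_ZONES = ["example.org", "schrötter.co.at"]
PUNYCODE_PROVIDER_ZONES = ["example.org", "xn--schrtter-q4a.co.at"]


def to_ascii(name: str) -> str:
    """Canonical A-label form (RFC 3490 ToASCII via Python's built-in codec)."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def to_unicode(name: str) -> str:
    """Display form (RFC 3490 ToUnicode); ASCII-only names come back unchanged."""
    return to_ascii(name).encode("ascii").decode("idna")


def naive_find(configured, provider_zones):
    """String comparison as-is: misses the zone when the two forms differ."""
    return configured if configured in provider_zones else None


def find_zone(configured, provider_zones):
    """Compare on the A-label form; return the provider's own spelling so that
    later API calls use the name exactly as that provider reported it."""
    wanted = to_ascii(configured)
    for zone in provider_zones:
        if to_ascii(zone) == wanted:
            return zone
    return None


if __name__ == "__main__":
    # Every combination of configured form and provider form.
    for cfg in ("schrötter.co.at", "xn--schrtter-q4a.co.at"):
        for zones in (UNICODE_PROVIDER_ZONES, PUNYCODE_PROVIDER_ZONES):
            print(cfg, "| naive:", naive_find(cfg, zones),
                  "| canonical:", find_zone(cfg, zones))
```

Python's idna codec implements IDNA 2003 (RFC 3490), so a few characters, such as ß, map differently than they do under the later IDNA 2008 rules.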

TomOnTime commented 9 months ago

DNSControl is an opinionated system. Is there an "opinion" about how IDN domains should be handled that would help?

(I don't own any such domains and have nearly zero experience here)

dkim1970 commented 9 months ago

I would say this RFC covers the "opinions" about how IDN should be handled in applications. https://datatracker.ietf.org/doc/rfc3490/

More about IDN can be found by this author: https://datatracker.ietf.org/person/paf@paftech.se

tlimoncelli commented 8 months ago

This discussion is happening on many providers. The global issue is tracked here: https://github.com/StackExchange/dnscontrol/issues/2097