-
-
Notifications
You must be signed in to change notification settings - Fork 597
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add IDN TLD support #2278
Add IDN TLD support #2278
Conversation
publicsuffix-go's Find expects suffixes to be in unicode rather than punycode, causing IDN TLDs to be rejected. Convert domains to unicode prior to checking whether the domain ends in an ICANN suffix.
Further testing revealed that the rate-limiting code in
However, it fails for suffixes with multiple IDN labels (
(This is not too bad, since there aren't exactly too many multi-label IDN suffixes on the list and the only effect would be that rate limiting scope is applied too strictly, but we might as well get it right everywhere.) Converting to unicode would fix this issue as well (though we'd have to convert back to punycode for storage in order for the rate-limit identifier to remain backwards-compatible), but I'm wondering whether handling this conversion (and preserving the encoding for the return values, I guess?) should be done in |
Please merge this. I was excited by the announcement of IDN support. But when I tried it, it give me:
thx |
My preference would be for |
I agree with @jsha. U-labels are less likely to be supported by other tools, so it is more reasonable to define host names with ASCII characters inside ENV variables and configs. If Letsencrypt expects Unicode, some developers will end up having the same thing defined twice. |
@PatF regarding the |
Hi @PatF - thanks for putting this together. I really appreciate that you took the time to arrive with a solution in addition to a problem. You can't beat that! ❤️ That said I think we're all in agreement that upstream support is better than special-casing in Boulder. I'm going to close this PR and would love if you could give #2339 a 🔍 |
publicsuffix-go
'sFind
expects suffixes to be in unicode rather than punycode, causing IDN TLDs to be rejected. Convert domains to unicode prior to checking whether the domain ends in an ICANN suffix.Fixes #2277.