Explore how unified SASE architecture can revolutionise network infrastructure, delivering on the promise of enhanced security, streamlined operations, and accelerated deployments.
Punycodes in DNS – How to use them, The good and the bad.
One of the requests that came across my desk this week was to add a DNS name which included a Māori name, and it included a macron in the name. They wanted both with and without the macron but adding a DNS name with a macron is not something that I had come across before and I wanted to share my learnings.
The request is to add a DNS sub domain, for the blog’s sake I’ll use Māori.svbgroup.co.nz but how do we add that little dash above the a… well that where a Punycode comes in.
I don’t want to go into the History of ASCII or DNS and how computers convert from essentially binary into alpha numerical and Unicode values. But the basic issue here is that DNS is limited to ASCII characters at text level and so to get around this we need to use a Punycode to generate the Unicode value that we require.
In the example of Māori.svbgroup.co.nz the Punycode for this domain name would look like this:
xn--mori-qsa.svbgroup.co.nz
My reaction to seeing this was What... how does this work? it doesn’t have an ‘a’ in there where I expect it, and there is nothing round where the ‘a’ would be so how do I even read this?
xn-- is basically a little code which tells your browser that there is a code in the following line of text
The parts that come after that are the Unicode characters which tell you the letters, and the -qsa has the position and character – and because the Unicode conversion is different is shows a different code.
There are online tools that can do this, but there is also another little way it can be done. If you have the Māori keyboard installed, you can type the vowels by pressing the till (`) and the vowel at the same time āēīōū so now we have that we can type that directly into any modern browser. Because modern browsers are Unicode compliant this will work so for example in edge type āēīōū.svbgroup.co.nz Now that is in your browser you can just copy and paste that off to notepad, which gives you your Punycode for you DNS registrar http://xn--yda0b4dqg4f.svbgroup.co.nz/ there is your A or CNAME record.
The next challenge is that your DNS registra needs to be Unicode compliant as well, and this is actually where I got stuck with my client. In their case, their registra doesn't support the “--“ required for the the “xn--“ and so it fails validation checks and i cant add the domain. You will need to check this with your registra or DNS Manager to confirm compatibility.
So awesome we can now support the clients who need this legitimately but how could this be a bad thing? Punycodes give us the ability to register domains with Unicode characters what’s stopping me from registering āēīōū.svbgȓoup.co.nz or āēīōū.svbgrǫup.co.nz or āēīōū.svbgroưƿ.co.nz
These domains might look at a quick glance fine, and you can hide the hyperlink behind any alt text on a link in an email but when you check the puny code it looks like this:
āēīōū.svbgȓoup.co.nz à xn--yda0b4dqg4f.xn--svbgoup-iwc.co.nz
āēīōū.svbgrǫup.co.nz à xn--yda0b4dqg4f.xn--svbgrup-enc.co.nz
āēīōū.svbgroưƿ.co.nz à xn--yda0b4dqg4f.xn--svbgro-8zb4j.co.nz
This is a real problem for mobile devices, the smaller screens can make it much harder to see the little dashes or dots next to the letters in the URL. Its just another reason to make sure that users are regularly trained to look out for these sorts of things, and to never click on a link in an email.
I hope this has helped your legitimate need for Macrons in Māori domain names if they are ever required.
SCOTT PARKIN
Nov 2023