Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 4 Nov 2016 12:48:55 +0100
From: Robert Scheck <>
To: Daniel Stenberg <>
Subject: Re: [SECURITY ADVISORY] IDNA 2003 makes curl use wrong host

On Fri, 04 Nov 2016, Daniel Stenberg wrote:
> DENIC alledgedly has rules that should prevent separate registrations like
> in the straß case. Still it seems that this particular host name is
> registered by two different entities unless there's some background juggling
> that we can't easily see from the outside.

It is possible (and also allowed by the DENIC), that e.g. "straß" and
"" have two different domain owners. I performed at least one
registration for a customer for a "ß"-domain after the "ß" sunrise period
was over, where the "ß"-domain owner is not the owner of the corresponding
"ss"-domain. Not sure which rules you refer to, but except the "ß"-sunrise
period in 2010, I'm able to register "ß"-domains on first come, first serve
basis at DENIC.

The DENIC FAQ ( mentions
also that e.g. "" and "mü" are two completely different
domain names (even "ue" is the German transcription of "ü") - and here the
argumentation is, that "" is not the same like "baü" (which is
from the non-technical perspective of a German native speaker obviously
true). From my understanding, the argumentation here is non-IDNA
vs. IDNA2003 mü, while now it is IDNA2003 vs. IDNA2008
straß - which might be slightly different, because it's a switch of the
IDNA version rather the introduction.

For those who didn't notice, Florian also started a German thread on the
public DENIC mailing list (
about exactly this topic (I'm not sure if there is a public archive).


Content of type "application/pgp-signature" skipped

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ