I'm often asked why particular strings fail the IdnToAscii function. The answer is "because its not a legal IDN name, that's why" :-) But why aren't some strings legal IDN names?
Some rules act on the "label" level. In www.microsoft.com www, microsoft & com are each separate labels.
For more information about IDN, you can look at the RFCs and sources: