Recently it came to my attention that arbitrary implementation of IDN can break existing networks.

Particularly on Intranets machine names have not always been restricted to ASCII.  In many of our markets it is quite common to have non-ASCII machine names.

So in some cases there are existing deployments that use ANSI or UTF-8 machine names directly without relying on Punycode.  Internal DNS services often return these names.  It is also possible (but not of much use and very much not recommended) to have sub-domains (like xxx in xxx.example.com) that respond to 8-bit encoded domain names on the Internet itself.