Underscores again

Jim Reid jim at rfc1035.com
Thu Apr 20 10:13:12 UTC 2000


>>>>> "Ed" == Ed Sawicki <ed at alcpress.com> writes:

    Ed> I've been reading the numerous past threads regarding
    Ed> underscore characters in DNS names. It seems that most folks
    Ed> here agree that underscores are not allowed. However, RFC2181
    Ed> seems to say something different. Here's the paragraph that
    Ed> confuses me.

    Ed> "The DNS itself places only one restriction on the particular
    Ed> labels that can be used to identify resource records.  That
    Ed> one restriction relates to the length of the label and the
    Ed> full name.  The length of any one label is limited to between
    Ed> 1 and 63 octets.  A full domain name is limited to 255 octets
    Ed> (including the separators).  The zero length full name is
    Ed> defined as representing the root of the DNS tree, and is
    Ed> typically written and displayed as ".".  Those restrictions
    Ed> aside, any binary string whatever can be used as the label of
    Ed> any resource record.  Similarly, any binary string can serve
    Ed> as the value of any record that includes a domain name as some
    Ed> or all of its value (SOA, NS, MX, PTR, CNAME, and any others
    Ed> that may be added)."

    Ed> How should I interpret this?

Just as it is written. Most people would say that the text above is
crystal-clear. You should also have read the following paragraph in
RFC2181:

   Note however, that the various applications that make use of DNS data
   can have restrictions imposed on what particular values are
   acceptable in their environment.  For example, that any binary label
   can have an MX record does not imply that any binary name can be used
   as the host part of an e-mail address.  Clients of the DNS can impose
   whatever restrictions are appropriate to their circumstances on the
   values they use as keys for DNS lookup requests, and on the values
   returned by the DNS.  If the client has such restrictions, it is
   solely responsible for validating the data from the DNS to ensure
   that it conforms before it makes any use of that data.

   See also [RFC1123] section 6.1.3.5.

So what this all means is that the DNS protocol is very liberal in how
names for resource records are constructed. Other protocols are more
restrictive about the character sets that can be used for hostnames,
email addresses and the like. When these names are entered into the
DNS, they should conform to the relevant standards for that protocol
even though the DNS itself doesn't (need to) care about those
restrictions. Sometimes it can be less painful for the name server to
enforce those restrictions - checking for underscores in hostnames for
instance - than to try to get every resolver and legacy system in the
world to apply those checks.
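
The distinction drawn above, as an added example that is not part of the original post: one check for the only limits the DNS protocol imposes (label and name length), and a stricter client-side check for host names using the letter-digit-hyphen syntax of RFC 952 as relaxed by RFC 1123. The function names and sample names are assumptions made for illustration, and escaped dots in names are not handled.

```python
import re

MAX_LABEL = 63   # octets per label (RFC 2181 text quoted above)
MAX_NAME = 255   # octets per full name, counted in wire format

# Host name label per RFC 952 as relaxed by RFC 1123: letters, digits and
# hyphens only, with no leading or trailing hyphen. Underscore is excluded.
LDH_LABEL = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def split_labels(name: bytes) -> list:
    """Split a dotted name into labels. Assumption: no escaped dots."""
    if name == b".":
        return []                      # the root: zero labels
    if name.endswith(b"."):
        name = name[:-1]               # drop the trailing root dot
    return name.split(b".")


def dns_errors(name: bytes) -> list:
    """Violations of the only limits the DNS protocol itself imposes."""
    labels = split_labels(name)
    errors = [f"label {l!r}: length {len(l)} not in 1..{MAX_LABEL}"
              for l in labels if not 1 <= len(l) <= MAX_LABEL]
    # Wire format: one length octet per label plus the terminating root octet.
    wire_len = sum(len(l) + 1 for l in labels) + 1
    if wire_len > MAX_NAME:
        errors.append(f"name is {wire_len} octets, limit is {MAX_NAME}")
    return errors


def hostname_errors(name: bytes) -> list:
    """DNS limits plus the stricter host name syntax an application may need."""
    errors = dns_errors(name)
    errors += [f"label {l!r}: not a valid host name label"
               for l in split_labels(name)
               if l and not LDH_LABEL.fullmatch(l)]
    return errors


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for n in (b"my_host.example.com", b"www.example.com.", b"-bad.example.com"):
        print(n, "DNS:", dns_errors(n) or "ok", "host:", hostname_errors(n) or "ok")
```

A name with an underscore passes `dns_errors` and fails `hostname_errors`, which is the gap a client is responsible for closing before it uses data returned by the DNS.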


