Discussion:
Need clue: Underscore zones and hostnames
nathan r. hruby
2004-12-06 17:36:37 UTC
Hi,

Can someone please thwack me with the requisite clue-by-four and point me
at the RFC that Yea's or Nea's the use of the underscore character in
host and/or zone names? Google seems to not be helpful in finding a
definitive answer. Perhaps there is none?

Here's why I ask:
We currently support Microsoft's Active Directory on our BIND nameservers,
with check-names disabled on the BIND8 machines, so we *have* zones with
underscore characters already working.

Recently for some odd reason people have been requesting hostnames like
martha_stewart.jailhouse.uga.edu. This "works" in as much as BIND doesn't
reject the name and does serve it (thanks to some legacy names :). We
also know that it's not recommended per various RFC's so we've been
rejecting these updates and manually going back to the user to get them to
fix it.

But since it works and we have zones that *depend* on this behavior, we're
wondering:
- Are we just missing an updated RFC that now allows this?
- Is an underscore allowed just for zones and still not for a host?
- Is this just a Microsoft-ism?
- Do we (or perhaps: should we) care enough to not let users shoot
themselves in their feet?

Note: I didn't set up the original AD-in-BIND infrastructure, and the
person who did is not here anymore. The docs we have fail to mention the
underscore issue and we're presently looking at various DNS changes we
want to make, including our request interface that can "fix" these before
they get to the update stage, hence my desire to have a clue about it :)

Thanks for any help anyone can give me.

-n
--
-------------------------------------------
nathan hruby <***@uga.edu>
uga enterprise information technology services
production systems support
metaphysically wrinkle-free
-------------------------------------------
Gregory Hicks
2004-12-06 18:05:41 UTC
Google on "Host naming convention" or "host names rfc". One you will
get back is RFC 952 (Fairly short - about 4 pages). A "grammar" for
host names is included.

RFC 819 specifically addresses domain names. Appendix A to RFC819
supplies the BNF for the names.

An underscore is not allowed in a HOST name.

It would also appear that there is some talk about treating a hostname
as an "endpoint domain"... I do not know if that ever took off.

However, by the RFCs you should NOT allow an underscore in a host
name... (Besides, 'some' OSs, their applications and/or their
implementation of DNS may break if you allow an underscore... However,
M$ DNS does not have these restrictions.)

Regards,
Gregory hicks
-------------------------------------------------------------------
Gregory Hicks | Principal Systems Engineer
Cadence Design Systems | Direct: 408.576.3609
555 River Oaks Pkwy M/S 6B1 | Fax: 408.894.3400
San Jose, CA 95134 | Internet: ***@cadence.com

I am perfectly capable of learning from my mistakes. I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch. Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton
SilentRage
2004-12-06 18:07:18 UTC
It seems you're already informed on the issue. Supposedly yeah, there are
some resolvers that might choke on hostnames with characters that don't
follow the standards for internet host names. Most especially you shouldn't
create mail domains or mail server domains with invalid characters, cause
that's a whole new suite of applications that might choke.

The dns protocol places no restriction on 'name' content, which is why BIND
supports it, and why it works just fine in practice. For my service I allow
clients to create hostnames with whatever characters they want. If they
want binary characters, go for it. Limiting what they create limits
creativity and proprietary usage. If they manage to shoot themself in the
foot, I'll hand them the gun, bullets, and all. If they come to me asking
why some of their clients can't visit their underscore site, I'll educate
them. :)

Dave

Gregory Hicks
2004-12-06 18:22:42 UTC
Given that I, and my cohorts, administer a 30,000 host domain (fairly
small by some standards but large enough), if I can educate my users
when they ask to have names created, then that reduces support costs
for me. This is a Good Thing.

Yes, limiting what they "create" limits creativity and proprietary
usage. But it also reduces my potential support costs. Which is a
Good Thing.

Besides, if asked, the reason they want the underscore is because that
allows the names to show up as separate "words" in a web link. A
'dash' does not do this "neat" formatting.

Regards,
Gregory hicks
zeek
2004-12-06 18:28:30 UTC
I'm just skimming the thread but this may help

zone "_tcp.firecorporate.com" IN {
    type master;
    file "_tcp.firecorporate.com";
    check-names ignore;
    allow-update { ADservers; };
};



I got this from the AD+BIND howto.

However, I am also getting this in my log:

Dec 6 10:04:32 elvis named[23566]: /etc/named.conf:92: option 'check-names'
is not implemented


Cheers,
-zeek
p***@icke-reklam.ipsec.nu
2004-12-06 18:38:41 UTC
Your users have a choice: use a name that will work always and everywhere,
or use names that _might_ work (and might fail to work the next day).

Or you can act as the "specialist" and "good maintainer" and tell them
that you refuse to let them shoot themself in their feet.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but i'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
Mark Andrews
2004-12-06 20:38:25 UTC
As you would have already seen, underscores are not permitted
by RFC 952. They are also not permitted by RFC 1034, which says:

The idea is that the name of any
existing object can be expressed as a domain name with minimal changes.
However, when assigning a domain name for an object, the prudent user
will select a name which satisfies both the rules of the domain system
and any existing rules for the object, whether these rules are published
or implied by existing programs.

In this case the rules were published.

AD itself uses underscores to create hierarchies in the namespace
that do not clash with hostnames. It does this by using underscores.

SRV uses underscores so as to not clash with hostnames.

Other services also use underscores to avoid clashing with hostnames.

Be aware that _gc contains an A record, so if you are running a version
of BIND which supports hostname checks (BIND 8, 9.3.0) you will need
to disable the checks at least for this name.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ***@isc.org
nathan r. hruby
2004-12-06 21:18:20 UTC
As always, succinct and to the point. My thanks Mark this is exactly the
info I needed (eg: the _ is a convention used by AD, and allowing that to
creep into the rest of the namespace is not technically allowed,
regardless of one's ability to actually do it.)

As to the people who were for or against user shooting themselves, it's
kinda hard across a large campus to manage user education DNS be really
nice about it. We have a very nice web front end that parses requests,
does error checking and makes them easily digestible for admins to insert.
The question is if this interface should reject things with an _ in them
(and present the user an error) before sending them to us (which then
causes work for us to contact, explain, etc..).

Thanks to everyone for their input, it's been very helpful!

-n
--
-------------------------------------------
nathan hruby <***@uga.edu>
uga enterprise information technology services
production systems support
metaphysically wrinkle-free
-------------------------------------------
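
The check a request front end like the one discussed above could apply before a name reaches the admins, as an added example that is not part of the original thread: host-name owners follow the RFC 952 grammar (as relaxed by RFC 1123), underscore-prefixed labels are accepted only for non-host record types such as SRV, and names like the `_gc` A record go through an explicit exception list. The function names, the set of record types treated as host-name owners, and the `example.edu` names are assumptions made for this sketch.

```python
import re
from typing import NamedTuple, Optional

# Host label per RFC 952 as relaxed by RFC 1123: letters, digits, hyphen,
# no leading or trailing hyphen, 1 to 63 characters.
HOST_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Underscore-prefixed service label (_tcp, _ldap, _msdcs), 63 characters max.
SERVICE_LABEL = re.compile(r"_[A-Za-z0-9](?:[A-Za-z0-9-]{0,60}[A-Za-z0-9])?")
# Record types whose owner name is treated as a host name (sketch assumption).
HOSTNAME_OWNER_TYPES = frozenset({"A", "AAAA", "MX"})


class Verdict(NamedTuple):
    ok: bool
    reason: str
    suggestion: Optional[str] = None


def suggest_hostname(name: str) -> Optional[str]:
    """Offer a hyphenated replacement if that yields a valid host name."""
    labels = [label.replace("_", "-").strip("-") for label in name.split(".")]
    if all(HOST_LABEL.fullmatch(label) for label in labels):
        return ".".join(labels)
    return None


def check_request(owner: str, rtype: str,
                  exceptions: frozenset = frozenset()) -> Verdict:
    """Validate the owner name of a requested record.

    `exceptions` holds lower-case names that are deliberately exempt from
    the host-name check, in the way `check-names ignore` exempts a zone.
    """
    name = owner.rstrip(".").lower()
    rtype = rtype.upper()
    if not name or len(name) > 253:
        return Verdict(False, "name is empty or longer than 253 characters")
    if name in exceptions:
        return Verdict(True, "allowed by explicit exception")
    for label in name.split("."):
        if HOST_LABEL.fullmatch(label):
            continue
        if "_" in label and rtype in HOSTNAME_OWNER_TYPES:
            return Verdict(
                False,
                f"'{label}': underscore is not valid in a host name (RFC 952)",
                suggest_hostname(name),
            )
        if SERVICE_LABEL.fullmatch(label):
            continue  # service-style label on a non-host record type
        return Verdict(False, f"'{label}': not a valid host or service label")
    return Verdict(True, "ok")


if __name__ == "__main__":
    # Constructed requests; the first name is the one quoted in the thread.
    for owner, rtype in [
        ("martha_stewart.jailhouse.uga.edu", "A"),
        ("_ldap._tcp.example.edu", "SRV"),
        ("_gc.example.edu", "A"),
    ]:
        print(owner, rtype, check_request(owner, rtype))
```
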