[80907] in North American Network Operators' Group


Re: Underscores in host names

daemon@ATHENA.MIT.EDU (trainier@kalsec.com)
Wed May 18 12:42:25 2005

In-Reply-To: <38EF6673-2BE1-4663-88D9-50D13811E75C@nominum.com>
To: David Conrad <david.conrad@nominum.com>
Cc: Mark Andrews <Mark_Andrews@isc.org>, nanog@merit.edu,
	owner-nanog@merit.edu
From: trainier@kalsec.com
Date: Wed, 18 May 2005 12:38:41 -0400
Errors-To: owner-nanog@merit.edu



There IS a patch available to "fix" the issue in squid which refuses to 
pass/cache data from websites/domains with "_" in their name.
I'll also note that bind 4.9.4 also has issues with underscores in 
host/domain names.



David Conrad <david.conrad@nominum.com>
Sent by: owner-nanog@merit.edu
05/18/2005 12:35 PM

To: Mark Andrews <Mark_Andrews@isc.org>
cc: nanog@merit.edu
Subject: Re: Underscores in host names

As a result of my late night rant (must learn not to read email late 
at night after getting off an airplane), I have received input that 
two applications have issues with the "_" character:

1) Squid/Squid proxy from two people (although there wasn't any 
indication of the actual issue, presumably Squid won't be able to 
contact the host to cache the content?)

2) "Create a cert for a host with an _ in the name, install said
cert into apache/mod_ssl, try to surf (at least using IE)
to that server." -- Matthew Christopher

This is useful information and can help the original requester make 
the business decision as to whether or not he will relax his 
restriction against "_" in the character string that he'll allow his 
customer to use in data sent to/received from domain name servers he 
controls.

I suspect the rest of the jihad against heathen characters such as 
"_" should probably be redirected to namedroppers so I won't comment 
further.

Rgds,
-drc

On May 18, 2005, at 2:15 AM, Mark Andrews wrote:
>     A hostname is not a domainname.  It's all through RFC's 1033,
>     RFC 1034 and RFC 1035.  There are references that make it clear
>     that a domain name is not the same as a hostname.
>
>     I quoted one of them.  I can find other references.
>
>     Proctor&Gamble.com anyone?  That is the logical conclusion of
>     saying hostnames are arbitrary 8 bit strings.
>
>
>> The whole reason for check-names was because of very seriously broken
>> software that would allow shell meta-characters in in-addr.arpa
>> labels to do bad things.  I have come to the opinion that if such
>> software still exists, then the people who run that software deserve
>> what they get. Check-names was a bad idea that might have been
>> justified at the time, but pretending it remains justified by
>> 952/1123 has got to stop sometime.
>>
>
>     We tried hard to kill check-names.  The only reason it still
>     exists is that people wouldn't move from BIND 8 without it.
>
>     I haven't run with "check-names answer" enabled in years.
>
>
>> However, that rant was mostly irrelevant.  Can you point to _ANY_
>> application, operating system, or anything else that has any issues
>> whatsoever with an "_" of all characters?
>>
>
>     The original query was about an OS / application that had
>     problems with underscores.
>
>     The point of RFC's is to promote interoperability.  People
>     who attempt to name their machines with underscores either
>     don't know better or don't care about interoperability or
>     both.
>
>     The simplest way to fix this is for applications that
>     configure hostnames, real or virtual, to reject by default
>     illegal hostnames.  Apache should not allow virtual sites
>     with illegal hostnames without explicit overrides.  Similarly
>     for your favourite MTA, DNS server etc.  If people want to
>     use them they need to know they are stepping out of the
>     area where interoperability should occur.
>
>     Note: SRV and Active Directory *both* depend on underscore
>     not being legal in hostnames to keep their name spaces
>     separate from the hostname namespace.
>
>     Half the anti-spam/DNS schemes depend upon underscore not
>     being legal in a hostname.
>
>     Mark
>
>
>> Rgds,
>> -drc
>>
>> On May 17, 2005, at 6:08 PM, Mark Andrews wrote:
>>
>>>     RFC 952 and RFC 1123 describe what is currently legal
>>>     in hostnames.
>>>
>>>     Underscore is NOT a legal character in a hostname.
>>>
>>
>>
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews@isc.org
>
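
An added example (not part of the original message, and not code from any software named in the thread): a hostname check of the kind Mark Andrews describes, rejecting names outside the RFC 952/1123 letter-digit-hyphen rules by default and accepting underscores only under an explicit override. The function names, the `allow_underscore` flag, the 253-character limit and the sample names are assumptions made for illustration.

```python
import re

# One RFC 952/1123 label: letters, digits, hyphen; must start and end
# with a letter or digit; 1 to 63 characters (DNS label limit).
_LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Relaxed label, used only under the explicit override: also permits "_".
_RELAXED_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")

MAX_NAME_LEN = 253  # assumption: text form of the 255-octet DNS name limit


def check_hostname(name, allow_underscore=False):
    """Return (ok, reason). Non-LDH hostnames are rejected by default."""
    name = name[:-1] if name.endswith(".") else name  # drop the root dot
    if not name or len(name) > MAX_NAME_LEN:
        return False, "empty or too long"
    pattern = _RELAXED_LABEL if allow_underscore else _LDH_LABEL
    for label in name.split("."):
        if pattern.fullmatch(label):
            continue
        if not allow_underscore and _RELAXED_LABEL.fullmatch(label):
            return False, f"label {label!r} contains '_' (override required)"
        return False, f"label {label!r} is not a legal hostname label"
    return True, "ok"


def is_service_name(name):
    """True for underscore-prefixed owner names, as SRV records use,
    which are kept apart from the hostname namespace."""
    return any(lbl.startswith("_") for lbl in name.rstrip(".").split("."))


if __name__ == "__main__":
    # Constructed sample names; "Proctor&Gamble.com" is quoted from the thread.
    samples = ["www.example.com", "my_host.example.com",
               "_sip._tcp.example.com", "Proctor&Gamble.com"]
    for s in samples:
        print(s, check_hostname(s), check_hostname(s, allow_underscore=True),
              "service name" if is_service_name(s) else "")
```
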


