Need clue: Underscore zones and hostnames

Gregory Hicks ghicks at
Mon Dec 6 18:05:41 UTC 2004

> Date: Mon, 6 Dec 2004 12:36:37 -0500 (EST)
> From: "nathan r. hruby" <nhruby at>
> To: bind-users at
> Subject: Need clue: Underscore zones and hostnames
> Hi,
> Can someone please thwack me with the requisite clue-by-four and point me
> at the RFC that Yea's or Nea's the use of the underscore character in
> host and/or zone names?  Google seems to not be helpful in finding a
> definitive answer.  Perhaps there is none?

Google on "Host naming convention" or "host names rfc".  One you will
get back is RFC 952 (Fairly short - about 4 pages).  A "grammar" for
host names is included.

RFC 819 specifically addresses domain names.  Appendix A to RFC819
supplies the BNF for the names.

An underscore in not allowed in a HOST name.

It would also appear that there is some talk about treating a hostname
as an "endpoint domain"...  I do not know if that ever took off.

However, by the RFCs you should NOT allow an underscore in a host
name...  (Besides, 'some' OSs, their applications and/or their
implementation of DNS may break if you allow an underscore...  However,
M$ DNS does not have these restrictions.)

Gregory hicks

> Here's why I ask:
> We current support Microsoft's Active Directory on our BIND nameservers,
> with check-names disabled on the BIND8 machines, so we *have* zones with
> underscore characters already working.
> Recently for some odd reason people have been requesting hostnames like
>  This "works" in as much as BIND doesn't
> reject the name and does serve it (thanks to some legacy names :).  We
> also know that it's not recommended per various RFC's so we've been
> rejecting these updates and manually going back to the user to get them to
> fix it.
> But since it works and we have zones that *depend* on this behavior, we're
> wondering:
> - Are we just missing an updated RFC that now allows this?
> - Is an underscore allowed just for zones and still not for a host?
> - Is this just an Microsoft-ism?
> - Do we (or perhpas: should we) care enough to not let users shoot
>    themselves in their feet?
> Note: I didn't setup the original AD-in-BIND infrastructure, and the
> person who did is not here anymore.  The docs we have fail to mention the
> underscore issue and we're presently looking at various DNS changes we
> want to make, including our request interface that can "fix" these before
> they get to the update stage, hence my desire to have a clue about it :)
> Thanks for any help anyone can give me.
> -n
> -- 
> -------------------------------------------
> nathan hruby <nhruby at>
> uga enterprise information technology services
> production systems support
> metaphysically wrinkle-free
> -------------------------------------------

Gregory Hicks                        | Principal Systems Engineer
Cadence Design Systems               | Direct:   408.576.3609
555 River Oaks Pkwy M/S 6B1          | Fax:      408.894.3400
San Jose, CA 95134                   | Internet: ghicks at

I am perfectly capable of learning from my mistakes.  I will surely
learn a great deal today.

"A democracy is a sheep and two wolves deciding on what to have for
lunch.  Freedom is a well armed sheep contesting the results of the
decision." - Benjamin Franklin

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

More information about the bind-users mailing list