Underscores in Host Names
Bill Larson
wllarso at swcp.com
Thu May 19 15:55:58 UTC 2005
On May 19, 2005, at 8:45 AM, Thomas Schulz wrote:
> In article <d6fubl$2fgu$1 at sf1.isc.org>, R.D. <rdwyer at quick-link.com>
> wrote:
>> Hello all.
>> We have a client containing an underscore in the email address domain
>> name. Our email server rejects it because of its violation of the
>> RFC
>> standard. This individual's claim is that he doesn't have problems
>> anywhere else and if this is going to be a problem he's "going to take
>> his business elsewhere"!
>>
>> I understand it's a violation of the standard, but does it pose a
>> security hole to the email server to allow this sort of mail?
>> Shouldn't this individual be experiencing problems elsewhere. . . . I
>> doubt I am the only one.
>>
>> Thanks
>
> If I recall correctly, the reason for the restriction on the use of an
> underscore is that there was a concern that it could be confused with a
> dash. This could possibly cause a lot of frustration with mistyped
> names
> and possibly a security problem if two names differed by only an
> underscore
> versus a dash.
> This would not be much of a security hole. I would not lose business
> over it.

If "computer security" is defined as "a computer is secure if you can
depend on it and its software to behave as you expect", the definition
given by Garfinkel and Spafford in "Practical Unix & Internet Security",
then you have to think about what "you expect".

If you do not follow the rules of the Internet, as defined by the RFCs,
then your expectations will not be the same as the rest of the world's.
This is the purpose of RFCs, to make sure that computers play nicely
with each other. As such, I ***WOULD*** expect to lose business over
it. For this reason I would consider this a security problem.

Both Mark and Brad have identified the RFCs that deal with the use of
underscores in host names. If you want to ensure that your
customer(s) are able to communicate with other systems on the
Internet, I would suggest that you may want to reconfigure your server
to allow host names with underscores, to be liberal in what you accept,
but don't name your systems with this character.

And yes, this customer should expect to see problems with other systems
on the Internet, even if they don't at the immediate moment. They will
sometime. Or, even better, tell them that there are people, maybe
paying customers, right now trying to communicate with them but are
unable to because of their naming scheme and that they are completely
unaware of them because they "don't think that this is a problem".

Your customer needs to play by the rules also. Your role is to help
teach them this.

But, this topic is now getting into the realm of mail server
configuration rather than DNS and BIND issues. Maybe a different forum
would be able to provide you a better answer.

Bill Larson
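
The policy discussed in this thread (strict syntax for names you assign, tolerance for underscores in names you accept, and the underscore-versus-dash confusion concern) can be sketched as follows. This is an added example, not part of the original post or of any mail server's code. It assumes the letters-digits-hyphen host name rule of RFC 952 as amended by RFC 1123 (the thread does not quote RFC numbers); the function names and sample domains are constructed for illustration.

```python
import re

# Host name label per the LDH rule: letters, digits, hyphen, 1-63 octets,
# no leading or trailing hyphen (assumed here: RFC 952 / RFC 1123 syntax).
STRICT = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Liberal variant for inbound mail only: underscore is tolerated as well.
LIBERAL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")


def check_domain(domain, liberal=False):
    """Return (ok, rejected_labels, underscore_labels) for one domain name."""
    name = domain.rstrip(".")
    if not name or len(name) > 253:
        return False, [name], []
    pattern = LIBERAL if liberal else STRICT
    rejected, underscored = [], []
    for label in name.split("."):
        if not pattern.fullmatch(label):
            rejected.append(label)
        elif "_" in label:
            underscored.append(label)  # accepted, but worth logging
    return not rejected, rejected, underscored


def confusable_groups(domains):
    """Group names that collide once '_' and '-' are treated as the same."""
    groups = {}
    for d in domains:
        name = d.rstrip(".").lower()
        groups.setdefault(name.replace("_", "-"), set()).add(name)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample sender domains (not taken from the thread).
SAMPLE = ["mail_gw.example.com", "mail-gw.example.com",
          "example.org", "-bad.example.com"]

if __name__ == "__main__":
    for d in SAMPLE:
        print(d, "strict:", check_domain(d), "liberal:", check_domain(d, True))
    print("confusable:", confusable_groups(SAMPLE))
```

Logging the underscore labels that the liberal check accepts gives the operator a record of which correspondents are relying on the relaxed rule.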