Check zones with underscores in host names (A Records)

Mark Andrews Mark_Andrews at
Wed Feb 13 00:09:30 UTC 2008

> Mark Andrews wrote:
> >>> Date: Tue, 12 Feb 2008 13:11:55 +0200
> >>> From: "Haim [Howard] Roman" <roman at>
> >>> To: Jack Tavares <j.tavares at>, bind-users at
> >>> Subject: Re: Check zones with underscores in host names (A Records)
> >>> X-JCT-Whitelist: NO
> >>>
> >>> We also have to allow underscores (good old Microsoft!).  Here is what
> >>> we have in our /etc/named.conf:
> >>>
> >> Underscore in DOMAIN names seem to be OK.
> >>
> >
> > 	Underscores are illegal in hostnames.  You store hostnames
> > 	in the DNS.  You also store other types of names in the DNS.
> > 	For some of those other types of names underscores are legal.
> >  
> > 	!#@!#%$! is a legal domain name.
> > 	Does anyone here think that !#@!#%$! is a legal
> > 	hostname?
> >
> >   
> That's a bit of a straw man argument.
> The real question is not "are some hostnames illegal?" (obviously some 
> are) or even "is the set of legal hostnames a *subset* of legal domain 
> names?". It's "why is BIND even trying to enforce hostname rules when 
> it's supposed to be a DNS implementation, and the names in question are 
> legal in DNS?"

	Because there are some resolvers that do check and named
	*is* the data entry point.  If named isn't the data entry
	point then turn check-names off.
> I say, leave it to the OS or app layers to distinguish legal from 
> illegal hostnames. It's none of BINDs business and only adds extra 
> baggage to the code and configuration, that BIND and its admins don't 
> need and -- at least for the majority of us, I'd wager -- don't want.

	Then turn it off.  We had plenty of requests to re-implement
	check-names for BIND 9.  Some administrators *like* check-names.
	Some administrators wouldn't shift from BIND 8 until BIND 9
	implemented check-names.

		check-names master ignore;
		check-names slave ignore;

	check-names has no negative impact on those that actually want
	to follow the RFC requirements for hostnames and protects them
	from accidentally stepping out of the legal namespace.
> For that matter, how does BIND even know that a given A or AAAA record 
> is ever going to be *used* as a hostname? Maybe someone is just using 
> the DNS database as a way to store arbitrary 32-bit or 128-bit chunks of 
> information...

	99.999% of the time an A or AAAA record will be a hostname.
	For the 0.001% of cases where it isn't, you can turn the
	checks off.

	Named, by default, does not stop the records being delivered
	or served.  It prevents them being loaded on the master
	server where there should be someone checking and be able to
	adjust the policy knob if required.
>                            - Kevin
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at
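The distinction the thread turns on (every legal hostname is a legal domain name, but not the reverse) and the fail/warn/ignore behaviour of check-names, as an added Python illustration that is not BIND's code: a simplified model that only checks the owner names of A and AAAA records, run over constructed sample records.

```python
import re

# One RFC 952 / RFC 1123 hostname label: letters, digits and hyphens,
# 1 to 63 characters, not starting or ending with a hyphen.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Record types whose owner names this simplified model treats as hostnames
# (the thread's "99.999% of the time an A or AAAA record is a hostname").
HOSTNAME_OWNER_TYPES = {"A", "AAAA"}

# Constructed sample records (not from the thread): a plain hostname, an
# underscore-bearing A owner name, and an SRV owner that is not checked here.
SAMPLE_ZONE = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("_msdcs.example.com.", "A", "192.0.2.11"),
    ("_ldap._tcp.example.com.", "SRV", "0 0 389 dc1.example.com."),
]


def labels_of(name):
    """Split a presentation-format name into labels, tolerating a trailing dot."""
    name = name.rstrip(".")
    return name.split(".") if name else []


def is_valid_domain_name(name):
    """DNS-level legality only: 1..63 octets per label, at most 253 characters
    overall. Underscores, '!', '#' and the like are all fine at this layer."""
    labels = labels_of(name)
    return (bool(labels) and len(name.rstrip(".")) <= 253
            and all(1 <= len(label) <= 63 for label in labels))


def is_valid_hostname(name):
    """Hostname legality: a valid domain name whose labels also satisfy the
    stricter RFC 952/1123 syntax, i.e. a strict subset of domain names."""
    return is_valid_domain_name(name) and all(_HOST_LABEL.match(lab) for lab in labels_of(name))


def check_names(records, policy="fail"):
    """Apply a check-names style policy to (owner, type, rdata) triples.

    policy is 'fail', 'warn' or 'ignore'. Returns (zone_loads, problems):
    'fail' refuses to load the zone on a bad A/AAAA owner name, 'warn' loads
    it but reports the problem, 'ignore' performs no check at all.
    """
    if policy not in ("fail", "warn", "ignore"):
        raise ValueError(f"unknown check-names policy: {policy}")
    problems = []
    if policy == "ignore":
        return True, problems
    for owner, rtype, _rdata in records:
        if rtype in HOSTNAME_OWNER_TYPES and not is_valid_hostname(owner):
            problems.append(f"{owner} {rtype}: owner name is not a valid hostname")
    return (policy == "warn" or not problems), problems
```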
