Re: [DNSOP] [art] Another look - draft-ietf-dnsop-attrleaf-05.txt

John C Klensin <> Thu, 29 March 2018 22:02 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id A8DA3126DFB; Thu, 29 Mar 2018 15:02:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.909
X-Spam-Status: No, score=-1.909 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, T_RP_MATCHES_RCVD=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1R2IWZKfYzg3; Thu, 29 Mar 2018 15:02:53 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id F3BE0127136; Thu, 29 Mar 2018 15:02:45 -0700 (PDT)
Received: from [] (helo=PSB) by with esmtp (Exim 4.82 (FreeBSD)) (envelope-from <>) id 1f1fd5-0006OO-DL; Thu, 29 Mar 2018 18:02:43 -0400
Date: Thu, 29 Mar 2018 18:02:37 -0400
From: John C Klensin <>
To: Warren Kumari <>,
cc: Applications and Real-Time Area Discussion <>, dnsop <>
Message-ID: <305CF8969698D734073250E4@PSB>
In-Reply-To: <>
References: <> <> <> <> <> <alpine.OSX.2.21.1803211104210.9553@ary.local> <> <5F44FA5B42805C52479DE491@PSB> <> <1DF1564CC2B88726B2B54CF4@PSB> <> <32837C4DF5CB5BDD00DAD0FD@PSB> <> <C10EFF0FB6AC68625A75D485@PSB> <> <> <>
X-Mailer: Mulberry/4.0.8 (Win32)
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Archived-At: <>
Subject: Re: [DNSOP] [art] Another look - draft-ietf-dnsop-attrleaf-05.txt
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: IETF DNSOP WG mailing list <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Thu, 29 Mar 2018 22:02:57 -0000

--On Thursday, March 29, 2018 22:00 +0100 Warren Kumari
<> wrote:

> On Thu, Mar 29, 2018 at 9:52 PM, Dave Crocker
> <> wrote:
>> On 3/29/2018 1:45 PM, Warren Kumari wrote:
>>> I don't want to get into if this is the*right*  behavior or
>>> not, but it seems like worth mentioning in the draft as it
>>> has much background already...
>>> I can find nothing which states that A / AAAA cannot be
>>> associated with underscore names, but they sure don't seem
>>> to work in practice.

>> The current version is:
>> Please suggest specific text to use and where to put it.
> I'm hoping someone will pipe up with "Gee, RFCfoo, Section
> bar, Bullet N clearly says this, I can't believe you never
> knew that...."
> If that doesn't occur I'll craft text.

Warren, just to clarify where I'm coming from (and noting Paul
Vixie's recent comment).  I think there is no question that
putting a label starting with an underscore (or containing one)
on an RRSET that includes an address record would be
ill-advised, nor that some implementations (possibly because
they consider it ill-advised or just plain dumb) won't allow it
or won't make it easy.   I think there is no question that
underscores (leading or otherwise) have no more place in either
historical (e.g., RFC 952) host names or the "preferred syntax"
of RFC 1034/1035 than, e.g., "+", "$", "%", or "/" do.  I am
reasonably confident that you are not going to find a normative
statement that says that the term "host name" (with or without
an intervening space) is any label, or the left-most label,
associated with one or more address records, nor as statement
that host names in the DNS MUST conform to the preferred syntax.
Indeed, the description in RFC 7719 appears to me to be
consistent with what the specifications actually say and it
contains the same "any octet value" language that appears in
earlier, normative, documents including RFC 8121.

My objection was narrow.  The text, even at -06, reads

	'"host" (host name) are not allowed to use the
	underscore character, this distinguishes the underscore
	name from all legal host names [RFC1035]"'

That is objectionable for two reasons.  First and most
important, RFC 1035 just does not say that.  If the text had
referenced RFC 952 instead, it would have been correct, but
maybe not so useful.   Similarly, if it had said, more or less
following 7719, that generally-accepted domain names that
identify hosts ("host names") conform to the preferred syntax of
RFC 1034 (or 1035) and hence do not include underscores, there
would be no problem (if someone wants to take that as proposed
text, feel free).  

Second, as has been discussed many times before in the last
decade or two, "legal" is not a good term to use to describe
validity or conformance in RFCs.  Our standards are voluntary,
which makes it hard for them to assign legality or illegality
to, in this case, particular bits of syntax.  Moreover, the
concept of something being legal or illegal implies that, if the
latter is discovered, I should be able to call the Protocol
Police and have the offending label or its perpetrator arrested.
When last I tried, they were not answering their phone or even
their email.  The IESG has pushed back on that term in the past
and should, I believe, be pushing back on it today, regardless
or what might have been said in kinder and gentler times.

However, I believe that this discussion is, however
unintentionally, a distraction from a far more important issue.
The way the DNS, and particularly DNS queries, are defined makes
the idea of a namespace for all labels starting with "_" very
difficult and potentially a source of confusion.  While sorting
the registry by RRTYPE is an improvement over earlier versions,
the correct structure  is to have subregistries by RRTYPE, each
with whatever keywords (starting with underscore) are
appropriate for use with it listed.  I do not believe it is
appropriate to lose that distinction while we quibble about the
language used to describe the syntax of host names.