Underscores in DNS


	Other Information
-	News
-	Documentation
-	SourceForge Project Info
-	DomainKeys Implementors mailing list
-	DomainKeys Message Board

	MTAs using DomainKeys
-	Sendmail DomainKey Milter
-	Qmail
-	MS Exchange 2003
-	qpsmtpd
-	Port 25's PowerMTA
-	Etype.net's acSMTP
-	ActivSoftware's XMServer
-	OmniTI Ecelerity
-	StrongMail
-	DRCC no.Spam.java
-	Exim 4.51
-	Alt-N Technologies MDaemon MTA
-	Postfix
-	BorderWare MXtreme
-	Communigate Pro
-	IronPort
-	Merak Mail
-	L-Soft Listserv
-	Mailtraq
-	SocketLabs Hurricane MTA Server

Underscores in DNS

Last Updated: April 10, 2006

Background
	There is a bit of industry confusion surrounding the ability to use underscores ("_") in DNS "subdomain" entries (DNS labels), which is specified by DomainKeys. There have been several reports of DNS hosters refusing to publish DomainKey records because the selectors are published under the "_domainkey" label. Typically, the provider notes that underscores are prohibited from use in DNS.
Underscores allowed, except in host names
	Host names are not allowed to have underscores in them. In DNS, host names are the name fields of A or MX records or the data fields of the SOA and NS records. Thus, there are many DNS entries that are not hostnames. RFC 2872 is a perfect counter to the myth that "_" is non-standard. The RFC is a standards track RFC, and describes SRV records. One of the authors is Paul Vixie, the original programmer of BIND. The RFC contains this paragraph: `Proto The symbolic name of the desired protocol, with an underscore (_) prepended to prevent collisions with DNS labels that occur in nature. _TCP and _UDP are at present the most useful values for this field, though any name defined by Assigned Numbers or locally may be used (as for Service). The Proto is case insensitive.` and this example: `_foobar._tcp SRV 0 1 9 old-slow-box.example.com.` Thus, the "_" is purposedly used to disambiguate hosts from other attributes in the DNS. In fact that's the very reason that the "_" prefix was chosen to differentiate selectors and to avoid collisions with existing namespace. Similarly, O'Reilly's DNS and Bind states in Chapter 4, section 5, 'Names that are not host names can consist of any printable ASCII character.'
Examples of underscores in RFCs and in use
	Several well known Internet and technology companies have DNS records that use the underscore: $ dig _domainkey.yahoo.com TXT _domainkey.yahoo.com. 2H IN TXT "t=y; o=~; n=http://antispam.yahoo.com/domainkeys" $ dig beta._domainkey.google.com TXT beta._domainkey.google.com. 1D IN TXT "g=; k=rsa; t=y; p=MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAMs93oc95ObA7OEQEbqjIy6YvRj1u3yVGTzQ3wkwRQTWx1fhvNQenPNFklaL+Tw9XFYUc3f8eY0hs3WUNQ+t+I0CAwEAAQ==" $ dig _domainkey.ebay.com TXT _domainkey.ebay.com. 1H IN TXT "t=y; o=~; n=http://pages.ebay.com/securitycenter" $ dig _spf-a.microsoft.com TXT _spf-a.microsoft.com. 1H IN TXT "v=spf1 ip4:213.199.128.139 ip4:213.199.128.145 ip4:207.46.50.72 ip4:207.46.50.82 ip4:131.107.3.116 ip4:131.107.3.117 ip4:131.107.3.100 ip4:131.107.3.108 a:delivery.pens.microsoft.com a:mh.microsoft.m0.net mx:microsoft.com ~all" $ dig _domainkey.cern.ch TXT _domainkey.cern.ch. 3H IN TXT "t=y; o=~; n=CERN DomainKeys, see http://www.cern.ch/mmms/AntiSpam; r=CERN.DomainKeys@cern.ch" $ dig _domainkey.sendmail.com TXT _domainkey.sendmail.com. 300 IN TXT "t=y\; o=~" $ dig _domainkey.earthlink.com TXT _domainkey.sendmail.com. 1800 IN TXT "t=y\; o=~"
Conclusion
	Underscores are allowed in certain DNS entries. In fact, they are specified to be used in a DNS RFC, written by a DNS guru. They are used in DNS labels by major Internet and technology companies.