[dns-operations] [Ext] Signing on the fly and UltraDNS

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 5 09:17:36 UTC 2021

On Tue, Jan 05, 2021 at 09:45:33AM +0100, Vladimír Čunát wrote:

> Right, though my interest at this moment was more about how to *output* 
> a name: there's lots of freedom and apparently no "preferred" way (in 
> RFCs).  Maybe it's not bad; otherwise more tools might start relying on 
> one particular way of output.

Best practice for domain names (as owner names and as RDATA elements) is

    - Escape all literal '\' characters in each label as "\\"
    - Escape all literal '.' characters in each label as "\."
    - Leave all LDH characters, "*", "/" and "_" unescaped
    - Escape everything else as decimal triples "\DDD".
    - Then terminate each label with an unescaped "."

If the output is not an RR but a standalone domain name for application
use, generally leave out the final ".".

The reason to not escape "/" is that it is used in some common
PTR names, and escaping it would make the output less readable.

The remaining special characters are then controls, octets with the high
bit set and:


I can't think of compelling reasons to not escape most of the rest of
the above, but clearly "dig" is more relaxed, and leaves "!", "~" and
some other punctuation and symbol characters alone that are not special
in zone files.  It will escape at least:



More information about the dns-operations mailing list