What's the REAL DEAL with Underscores in BIND8.X?
Mark_Andrews at isc.org
Mon Oct 18 02:34:43 UTC 1999
> Scott Morizot wrote:
>
> > On Fri, 15 Oct 1999, Ray Galuszka wrote:
> > > On page 77 in Albitz/Liu's DNS & BIND 3rd Edition, the authors state that
> > > underscores are not allowed in hostnames. However, on the next page they
> > > talk about how you can specify either fail, warn or ignore on the
> > > check-names option.
> > >
> > > I have LOTS of underscores in my BIND4.x environment now and we're migrating
> > > to BIND8. I set up our test server to "ignore" on the check-names option
> > > and the thing is resolving these names with no problem!
> > >
> > > The question is: if I set this ignore option and use underscores in
> > > hostnames and aliases, what might I break?? It sure beats putting out
> > > fires later because some server on my network somewhere expects an
> > > underscore that I changed to a hyphen in a hostname.
> >
> > Underscores in hostnames have always been illegal per RFC 952.
> > Versions of BIND before about 4.9.3 simply didn't enforce the
> > requirement at all. (Actually, BIND 4.8 pretty much accepted
> > anything.)
> >
> > Allowing underscores will cause a problem with any software or
> > device that expects names to be compliant with RFC 952. Since
> > you apparently aren't having a problem now, you may not have
> > any at the moment.
> >
> > The long-term solution is to rename the systems using hyphens
> > instead of underscores and create aliases with the underscore.
> > Then you can age the aliases off your DNS gradually over time.
>
> What cost-justifications could there possibly be for such a forced
> migration? "RFC compliance" doesn't mean a hell of a lot to a beancounter;
> where's the money? And we're not talking chump change either: we have over
> 7,000+ underscored names in our DNS database here, thanks to BIND's longstanding
> permissiveness.
>
> Separating underscore-checks from other kinds of name-checking within BIND would
> seem to be a far more practical solution to this "problem", at least until
> RFC 1035's ban on underscores can be officially obsoleted on the basis that the
> stated justification for it -- migration from the HOSTS.TXT file -- has long
> since passed.
>
> - Kevin
>
It's not forced migration. It's enforced compliance. There is
zero cost to those sites that actually took the time to find out
what is a legal hostname. RFC 1035 said "go look up what is a
legal hostname and use that".

This is not being done in the name of RFC compliance, though you
should be RFC compliant if you wish to interoperate; it is being
done to eliminate security threats that result from NOT enforcing
RFC compliance.

BIND's gethostbyaddr() ensures that only RFC compliant hostnames
are returned because there were attempts made to break into
systems when this returned whatever was in the PTR record. We
had to choose what this should be returning and there was only
one clearly correct answer: hostnames as described by RFC 952
as modified by RFC 1123. This was the only thing that *all*
applications could be expecting.

Now if we are not allowing non-compliant names through in the
library we should also ensure that they can't be entered into
PTR records. If we don't allow them in PTR records, then we
should not allow them in A records. This last chain is simply
the result of applying the principle of least surprise.

If we didn't apply these checks we would be getting "You allow
us to put this name in but gethostbyaddr() does not work with
it" complaints. We also had to supply a mechanism that could
be used when you could not update the libraries to a safe version.

Strictly it's not BIND's job to enforce this. It should be done
when the hostnames are being selected; however, the OS vendors were
not doing this.

As for those who say make "_" special: I've seen '$', '/' and ':'
all used in a similar fashion. Would you make them "special" as
well? This way leads to a very slippery slope.
Mark
--
Mark Andrews, Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka at isc.org
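The thread turns on two things: what "a legal hostname" under RFC 952 as amended by RFC 1123 actually means, and how BIND's `check-names` policies (`fail`, `warn`, `ignore`) and the resolver-side filtering in `gethostbyaddr()` apply that definition. The Python below is an added illustration written for this page; it is not BIND code and it does not reproduce BIND's actual implementation. It checks a name label by label (letters, digits and interior hyphens only; labels of at most 63 octets; a leading digit allowed per RFC 1123), emulates the three policies on zone data, and shows the reverse-lookup rule the post describes: a PTR target that is not a compliant hostname is never handed back to the application. The sample names at the bottom are constructed for the demonstration.

```python
import re
from typing import List, Optional, Tuple

# One label: starts and ends with a letter or digit, interior hyphens allowed,
# 63 octets at most. RFC 952 forbade a leading digit; RFC 1123 section 2.1
# relaxed that restriction, so a leading digit is accepted here.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def hostname_problems(name: str) -> List[str]:
    """Return the RFC 952/1123 violations found in `name`; an empty list means compliant."""
    if name.endswith("."):
        name = name[:-1]  # tolerate a fully qualified name with a trailing dot
    if not name:
        return ["empty name"]
    problems: List[str] = []
    if len(name) > 253:
        problems.append("name longer than 253 octets")
    for label in name.split("."):
        if not label:
            problems.append("empty label (consecutive dots)")
        elif len(label) > 63:
            problems.append(f"label {label!r} longer than 63 octets")
        elif "_" in label:
            # Reported separately because underscores are the case the thread is about.
            problems.append(f"label {label!r} contains an underscore")
        elif not _LABEL_RE.match(label):
            problems.append(
                f"label {label!r} has characters outside [A-Za-z0-9-] "
                "or a leading/trailing hyphen"
            )
    return problems


def apply_check_names(name: str, policy: str) -> Tuple[bool, List[str]]:
    """Emulate the three check-names policies on one owner name from zone data.

    Returns (accepted, messages): 'fail' rejects a non-compliant name, 'warn'
    accepts it but reports every violation, 'ignore' accepts it silently.
    """
    if policy not in ("fail", "warn", "ignore"):
        raise ValueError(f"unknown check-names policy {policy!r}")
    problems = hostname_problems(name)
    if not problems or policy == "ignore":
        return True, []
    if policy == "warn":
        return True, [f"warning: {p}" for p in problems]
    return False, [f"error: {p}" for p in problems]


def safe_reverse_name(ptr_target: str) -> Optional[str]:
    """Model the resolver-side rule from the post: the target of a PTR record is
    returned to the caller only when it is a compliant hostname, otherwise None.

    The point is that the application receiving the result can rely on the
    name being nothing but letters, digits, hyphens and dots.
    """
    return ptr_target if not hostname_problems(ptr_target) else None


if __name__ == "__main__":
    # Constructed sample owner names; none of them come from a real zone.
    samples = [
        "web-01.example.com",        # compliant
        "9front.example.com",        # leading digit: fine under RFC 1123
        "web_01.example.com",        # the underscore case from the thread
        "-bad.example.com",          # leading hyphen
        "host;rm.example.com",       # shell metacharacter in a label
        ("a" * 64) + ".example.com", # label too long
    ]
    for policy in ("fail", "warn", "ignore"):
        print(f"check-names {policy}:")
        for name in samples:
            accepted, messages = apply_check_names(name, policy)
            print(f"  {'ACCEPT' if accepted else 'REJECT'} {name}")
            for msg in messages:
                print(f"    {msg}")
    print("gethostbyaddr()-style filtering of PTR targets:")
    for name in samples:
        print(f"  {name!r:45} -> {safe_reverse_name(name)!r}")
```

Run as a script to see how the same six names fare under each policy and which of them the reverse-lookup filter would suppress; `hostname_problems()` is the single definition both halves share, which is the "least surprise" argument in the post: whatever the library refuses to return, the server should refuse to load.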