check-names fail

Bob Vance bobvance at alumni.caltech.edu
Mon Jan 15 22:04:09 UTC 2001


Thanks, Jim.

Ok.

RFC2181 continues beyond your quote:

   "A DNS server may be configurable to issue warnings when loading,
    or even to refuse to load, a primary zone containing labels that
    might be considered questionable, however
       *** this should not happen by default***.
   "

This RFC is from 1997.
So, I'm wondering why the following is true for BIND (from online doco):

  Name Checking
    ...
    The defaults are:
      check-names master fail;
    ...

And, further, why does BIND decide to answer non-authoritatively when
it *does* continue to load the zone (at least for 8.2.2+) upon a
"fail"?


Just idle questions arising in idle time on a holiday.



-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================





-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Jim Reid
Sent: Monday, January 15, 2001 3:35 PM
To: bobvance at alumni.caltech.edu
Cc: bind-users at isc.org
Subject: Re: check-names fail


>>>>> "Bob" == Bob Vance <bobvance at alumni.caltech.edu> writes:

    Bob> With

    Bob>     check-names master fail;

    Bob> both 8.2.2-p5 and p7, simply reject an offending record and
    Bob> continue to load the zone and answer non-authoritatively for
    Bob> the rest of the names.  8.2.3T9B, however, rejects the entire
    Bob> zone!! Which is the correct behavior?

It depends on your definition of "correct". RFC2181 says that a server
should not refuse to load a zone containing "labels that might not be
acceptable to some DNS client programs". So 8.2.2P[57] are probably
correct for following RFC2181. However it could be argued that the
check-names option you've selected means you've decided to override
that RFC. If that's the case, then the 8.2.2 versions are not
correct. The BIND8 documentation says that when the fail option is
chosen the offending records are logged and the data rejected. So
according to the documentation a zone containing illegal names should
still be loaded. That would indicate 8.2.3T9B is not correct.

The name checking behaviour of 8.2.3T9B and 8.2.2 should probably be
consistent, so it might be an idea to file a bug report.
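
Added illustration, not part of the thread and not BIND's code: a pre-load check that approximates hostname-syntax checking on a zone file and reports how many records survive under the two behaviours described above (drop only the offending record, or refuse the whole zone). The label rule (RFC 952/1123 style), the set of checked record types and the sample zone are assumptions constructed for this example.

```python
import re

# Constructed sample zone (not from the thread). One record per line is assumed.
ZONE = """\
$TTL 86400
@         IN SOA ns1.example.com. hostmaster.example.com. 2001011501 3600 900 604800 86400
@         IN NS  ns1.example.com.
ns1       IN A   192.0.2.1
web_1     IN A   192.0.2.10
          IN MX  10 mail.example.com.
*.dev     IN A   192.0.2.20
-bad 300  IN A   192.0.2.30
_sip._tcp IN SRV 0 0 5060 ns1.example.com.
"""

# RFC 952/1123 hostname label: letters, digits, hyphen; no hyphen at either end.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
HOST_TYPES = {"A", "MX"}  # assumption: types whose owner must look like a hostname

def bad_labels(name):
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":          # a leading wildcard label is acceptable
        labels = labels[1:]
    return [l for l in labels if not LABEL.match(l)]

def check_zone(text):
    """Return (total_records, findings); findings are (lineno, owner, rtype, bad)."""
    total, findings, owner = 0, [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()       # drop comments (no quoted ';')
        if not line or line.startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():                   # new owner, else inherit previous
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)                          # skip optional TTL and class
        if owner is None or not fields:
            continue
        total += 1
        rtype = fields[0].upper()
        if rtype in HOST_TYPES and owner != "@":
            bad = bad_labels(owner)
            if bad:
                findings.append((n, owner, rtype, bad))
    return total, findings

def records_loaded(text, reject_whole_zone):
    """Records that survive under each behaviour described in the thread."""
    total, findings = check_zone(text)
    if reject_whole_zone:
        return 0 if findings else total
    return total - len(findings)
```

Running such a check before an upgrade shows whether a single questionable owner name would cost a few records or the entire zone.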





