check-names fail

Bob Vance bobvance at alumni.caltech.edu
Tue Jan 16 23:29:14 UTC 2001


Thanks, Mark.

-------------------------------------------------
Tks        | <mailto:BVance at sbm.com>
BV         | <mailto:BobVance at alumni.caltech.edu>
Sr. Technical Consultant,  SBM, A Gates/Arrow Co.
Vox 770-623-3430           11455 Lakefield Dr.
Fax 770-623-3429           Duluth, GA 30097-1511
=================================================

-----Original Message-----
From: bind-users-bounce at isc.org [mailto:bind-users-bounce at isc.org] On Behalf Of Mark.Andrews at nominum.com
Sent: Tuesday, January 16, 2001 6:00 PM
To: bobvance at alumni.caltech.edu
Cc: bind-users at isc.org
Subject: Re: check-names fail



>
> Obviously, there is some disagreement on this issue :)
>
> As I noted elsewhere, RFC2181, which
>     "Updates: 1034, 1035, 1123",
> specifically says:
>
>    "A DNS server may be configurable to issue warnings when loading,
>     or even to refuse to load, a primary zone containing labels that
>     might be considered questionable, however
>        *** this should not happen by default ***.
>    "
> This has no relevance to the reject-the-entire-zone issue, but since we
> pay such obeisance to the RFCs, shouldn't the default not be REJECT.

	Given that the library also rejects such names, we would have
	many more reports of "You allowed us to enter the name but
	the library rejects it".

	Yes, we deliberately ignore the recommended default setting.  It
	is done with thought and only on master zones where you have
	control to change the value.

>
> I know that this is nit-picky, but I was just curious as to the evolution
> of this code.
>
> As you say, from RFC1035:
>
>    "When a master file is used to load a zone, the operation should be
>     suppressed if any errors are encountered in the master file.  The
>     rationale for this is that a single error can have widespread
>     consequences.
>    "
> But, of course this was written long before BIND 8 was even a gleam.
> So why the sudden change in philosophy in 8.2.3 to start rejecting the
> entire zone?

	Primary reason: better error behaviour.
	Secondary reason: so you can't ignore errors as easily.
	Tertiary reason: BIND 9 rejects zones outright on error.

	RFC 103[45] is in there as well.

> And, BTW, why did previous versions respond non-authoritatively after
> deciding to continue with the zone load, rejecting only the offending
> record?

	Mark


--
Mark Andrews, Nominum Inc.
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com





