Check zones with underscores in host names (A Records)
Mark_Andrews at isc.org
Wed Feb 13 00:09:30 UTC 2008
> Mark Andrews wrote:
> >>> Date: Tue, 12 Feb 2008 13:11:55 +0200
> >>> From: "Haim [Howard] Roman" <roman at jct.ac.il>
> >>> To: Jack Tavares <j.tavares at f5.com>, bind-users at isc.org
> >>> Subject: Re: Check zones with underscores in host names (A Records)
> >>> X-JCT-Whitelist: NO
> >>> We also have to allow underscores (good old Microsoft!). Here is what
> >>> we have in our /etc/named.conf:
> >> Underscore in DOMAIN names seem to be OK.
> > Underscores are illegal in hostnames. You store hostnames
> > in the DNS. You also store other types of names in the DNS.
> > For some of those other types of names underscores are legal.
> > !#@!#%$!@#.example.com is a legal domain name.
> > Does anyone here think that !#@!#%$!@#.example.com is a legal
> > hostname?
> That's a bit of a straw man argument.
> The real question is not "are some hostnames illegal?" (obviously some
> are) or even "is the set of legal hostnames a *subset* of legal domain
> names?". It's "why is BIND even trying to enforce hostname rules when
> it's supposed to be a DNS implementation, and the names in question are
> legal in DNS?"
Because there are some resolvers that do check and named
*is* the data entry point. If named isn't the data entry
point then turn check-names off.
> I say, leave it to the OS or app layers to distinguish legal from
> illegal hostnames. It's none of BINDs business and only adds extra
> baggage to the code and configuration, that BIND and its admins don't
> need and -- at least for the majority of us, I'd wager -- don't want.
Then turn it off. We had plenty of requests to re-implement
check-names for BIND 9. Some administrators *like* check-names.
Some administrators wouldn't shift from BIND 8 until BIND 9
check-names master ignore;
check-names slave ignore;
check-names has no negative impact on those that actually want
to follow the RFC requirements for hostnames and protects them
from accidentally stepping out of the legal namespace.
> For that matter, how does BIND even know that a given A or AAAA record
> is ever going to be *used* as a hostname? Maybe someone is just using
> the DNS database as a way to store arbitrary 32-bit or 128-bit chunks of
99.999% of the time an A or AAAA record will be a hostname.
For the 0.001% of cases where it isn't, you can turn the
checks off.
Named, by default, does not stop the records being delivered
or served. It prevents them being loaded on the master
server where there should be someone checking and be able to
adjust the policy knob if required.
> - Kevin
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
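As an added example (not part of the thread or of BIND itself), a small pre-load check in the spirit of "someone checking" on the master: it applies the RFC 952/1123 hostname rule (letters, digits and hyphen, no leading or trailing hyphen, labels of at most 63 octets) to the owner names of A and AAAA records in a zone file, while leaving SRV owners such as _ldap._tcp alone, since those are legal domain names that are never hostnames. The zone data and the simplified one-record-per-line format are constructed assumptions.

```python
import re

# Constructed sample zone (not from the thread): one record per line,
# fields are owner, TTL, class, type, rdata; $ORIGIN sets the suffix.
SAMPLE_ZONE = """\
$ORIGIN example.com.
@           3600 IN SOA  ns1.example.com. hostmaster.example.com. 1 7200 3600 1209600 3600
@           3600 IN NS   ns1.example.com.
ns1         3600 IN A    192.0.2.1
web-01      3600 IN A    192.0.2.10
my_server   3600 IN A    192.0.2.20
!#@!#%$!@#  3600 IN A    192.0.2.30
_ldap._tcp  3600 IN SRV  0 0 389 ns1.example.com.
www         3600 IN AAAA 2001:db8::1
"""

# RFC 952/1123 hostname label: LDH only, no leading/trailing hyphen, <= 63 octets.
HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_domain_name(name):
    """DNS wire-format limits only: each label 1-63 octets, whole name <= 253 octets."""
    bare = name.rstrip(".")
    labels = bare.split(".")
    return all(0 < len(label) <= 63 for label in labels) and len(bare) <= 253


def is_valid_hostname(name):
    """Stricter hostname rule: a valid domain name whose every label is LDH."""
    return is_valid_domain_name(name) and all(
        HOST_LABEL.match(label) for label in name.rstrip(".").split(".")
    )


def qualify(owner, origin):
    """Expand a relative owner name (or '@') against the current $ORIGIN."""
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"


def check_zone(text):
    """Return (owner, type) for A/AAAA records whose owner name is not a legal hostname."""
    origin, bad = ".", []
    for line in text.splitlines():
        fields = line.split()
        if fields and fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if len(fields) < 4 or fields[3] not in ("A", "AAAA"):
            continue  # SRV, NS, SOA etc. owner names are not hostname-checked here
        fqdn = qualify(fields[0], origin)
        if not is_valid_hostname(fqdn):
            bad.append((fqdn, fields[3]))
    return bad
```

Running `check_zone(SAMPLE_ZONE)` flags `my_server` and `!#@!#%$!@#` as A-record owners that are legal domain names but not legal hostnames, and passes `web-01`, `ns1`, `www` and the `_ldap._tcp` SRV owner.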