<div dir="ltr">So, the short answer is that check-names is pretty granular, doing "check-names response fail" is just asking for trouble, for a resolver at the Internet edge, since there's too much squirrely stuff out there. Most folks just limit check-names "fail" to authoritative data (master or slave).<div><br></div><div>The longer answer is: this is an interesting standards-compliance question. The rule is that a "hostname" can't contain an underscore. Owner names that aren't "hostnames" are allowed to have underscores. I believe -- I could be mistaken -- that owner names for MX records, for instance, can have underscores. In some cases, underscores were *purposely* encoded into owner names, for certain record types, *because* that way, they could never collide with "hostnames". SRV records are an example of that.</div><div><br></div><div>But, in this case, the "hostname" is <a href="http://www.newegg.com">www.newegg.com</a> -- no underscore. For that matter, the owner name of the A record --
<a href="http://e5638.g.akamaiedge.net/" rel="noreferrer" target="_blank" style="color:rgb(17,85,204);font-size:12.8px;background-color:rgb(255,255,255)">e5638.g.akamaiedge.net</a><span style="font-size:12.8px"> -- </span>doesn't contain an underscore either. So, the only names that are involved in the resolution of this name, that contain underscores, are *intermediate* CNAMEs between the original name (<a href="http://www.newegg.com">www.newegg.com</a>) and the ultimate owner of the A record -- names that a user never sees or deals with when accessing the resource. Does it therefore violate the "hostnames can't contain underscores" rule or not? That's a very debatable question.</div><div><br></div><div>Having said that, however, Akamai violates a different rule by chaining CNAMEs <span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">("</span><span style="font-size:small;background-color:rgb(255,255,255);text-decoration-style:initial;text-decoration-color:initial;float:none;display:inline">Domain names in RRs which point at another name should always point at the primary name and not the alias" -- RFC 1034). </span>In fact, their whole business model is based on this standards-violation, and it's worked very well for them. </div><div><br></div><div>Now, I don't really have a fundamental problem with Akamai, as a company; we use them extensively, including their "Fast DNS" service, which basically consists of replicating our zones to their DNS-CDN. But the standards-purist in me still rankles at the fact that they're based on a standards-violation.</div><div><br></div><div> - Kevin</div></div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Aug 22, 2018 at 12:04 PM, Lee <span dir="ltr"><<a href="mailto:ler762@gmail.com" target="_blank">ler762@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Validating input is good & rejecting invalid data is the way to go..<br>
but has the Internet moved on and check-names is now too restrictive?<br>
<br>
I have this bit in named.conf<br>
check-names response fail;<br>
# restrict the character set and syntax of domain names<br>
# The rules for legal hostnames and mail domains are derived from<br>
RFC 952 and RFC 821 as modified by RFC 1123.<br>
<br>
which seems to be why I can't resolve <a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a> but 1.1.1.1 and 8.8.8.8 can<br>
<br>
C:\Users\Lee>dig <a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>.<br>
<br>
; <<>> DiG 9.11.4 <<>> <a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>.<br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 43232<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 4096<br>
; COOKIE: 97fd73f55fd163f250da7a315b7d7e<wbr>314d7b33f3eab3f468 (good)<br>
;; QUESTION SECTION:<br>
;<a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. IN A<br>
<br>
;; Query time: 62 msec<br>
;; SERVER: 127.0.0.1#53(127.0.0.1)<br>
;; WHEN: Wed Aug 22 11:16:01 Eastern Daylight Time 2018<br>
;; MSG SIZE rcvd: 71<br>
<br>
and this is what's logged<br>
security: error: client @000002112790F990 127.0.0.1#50079<br>
(<a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>): check-names failure<br>
<a href="http://san_ssl-images.newegg.com.edgekey.net/A/IN" rel="noreferrer" target="_blank">san_ssl-images.newegg.com.<wbr>edgekey.net/A/IN</a><br>
<br>
<br>
8.8.8.8 and 1.1.1.1 don't have a problem with "_" in the name:<br>
<br>
C:\Users\Lee>dig <a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. @<a href="http://8.8.8.8" rel="noreferrer" target="_blank">8.8.8.8</a><br>
<br>
; <<>> DiG 9.11.4 <<>> <a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. @<a href="http://8.8.8.8" rel="noreferrer" target="_blank">8.8.8.8</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 681<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 512<br>
;; QUESTION SECTION:<br>
;<a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. 215 IN CNAME<br>
<a href="http://san_ssl-images.newegg.com.edgekey.net" rel="noreferrer" target="_blank">san_ssl-images.newegg.com.<wbr>edgekey.net</a>.<br>
<a href="http://san_ssl-images.newegg.com.edgekey.net" rel="noreferrer" target="_blank">san_ssl-images.newegg.com.<wbr>edgekey.net</a>. 3977 IN CNAME <a href="http://e5638.g.akamaiedge.net" rel="noreferrer" target="_blank">e5638.g.akamaiedge.net</a>.<br>
<a href="http://e5638.g.akamaiedge.net" rel="noreferrer" target="_blank">e5638.g.akamaiedge.net</a>. 19 IN A 23.46.201.81<br>
<br>
;; Query time: 15 msec<br>
;; SERVER: 8.8.8.8#53(8.8.8.8)<br>
;; WHEN: Wed Aug 22 11:16:16 Eastern Daylight Time 2018<br>
;; MSG SIZE rcvd: 143<br>
<br>
C:\Users\Lee>dig <a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. @<a href="http://8.8.8.8" rel="noreferrer" target="_blank">8.8.8.8</a><br>
<br>
; <<>> DiG 9.11.4 <<>> <a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. @<a href="http://8.8.8.8" rel="noreferrer" target="_blank">8.8.8.8</a><br>
;; global options: +cmd<br>
;; Got answer:<br>
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 681<br>
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 1<br>
<br>
;; OPT PSEUDOSECTION:<br>
; EDNS: version: 0, flags:; udp: 512<br>
;; QUESTION SECTION:<br>
;<a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. IN A<br>
<br>
;; ANSWER SECTION:<br>
<a href="http://www.newegg.com" rel="noreferrer" target="_blank">www.newegg.com</a>. 215 IN CNAME<br>
<a href="http://san_ssl-images.newegg.com.edgekey.net" rel="noreferrer" target="_blank">san_ssl-images.newegg.com.<wbr>edgekey.net</a>.<br>
<a href="http://san_ssl-images.newegg.com.edgekey.net" rel="noreferrer" target="_blank">san_ssl-images.newegg.com.<wbr>edgekey.net</a>. 3977 IN CNAME <a href="http://e5638.g.akamaiedge.net" rel="noreferrer" target="_blank">e5638.g.akamaiedge.net</a>.<br>
<a href="http://e5638.g.akamaiedge.net" rel="noreferrer" target="_blank">e5638.g.akamaiedge.net</a>. 19 IN A 23.46.201.81<br>
<br>
;; Query time: 15 msec<br>
;; SERVER: 8.8.8.8#53(8.8.8.8)<br>
;; WHEN: Wed Aug 22 11:16:16 Eastern Daylight Time 2018<br>
;; MSG SIZE rcvd: 143<br>
<br>
<br>
Thanks<br>
Lee<br>
______________________________<wbr>_________________<br>
Please visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/<wbr>listinfo/bind-users</a><br>
</blockquote></div><br></div>