check-names settings

Kevin Darcy kcd at chrysler.com
Fri Sep 12 21:32:11 UTC 2008


If you have no "illegal" hostnames then it doesn't really matter what 
you set "check-names" to on either the master or the slave(s), since 
nothing will fail and nothing will get logged.

If you have "illegal" hostnames then you'll need to change the default 
for your master to "warn" (if you like log noise) or "ignore". The 
default for the slaves is already "warn" so the only reason to change 
the default to "ignore" is to shut up the log noise.

If your master is being run by an "untrusted" (or "semi-trusted") entity 
and you want to catch any "illegal" hostnames before they start being 
served by your slaves, then you could, theoretically, set "check-names 
slave fail". But understand that you won't get any changes replicated 
to you (even the "good" records in the zone), and you'll be racing 
against the EXPIRE timer if you don't detect such failures and act to 
get them corrected in a timely manner. Most organizations, I think, 
would simply put the onus on the master to not propagate "illegal" 
hostnames in the first place, absent a thorough understanding and 
appreciation of the potential impact. As a practical matter, only a 
vanishingly-small percentage of apps still cares about underscores in 
hostnames, so it probably doesn't matter that much either way.

                     - Kevin

Peter,
          Please understand that this is a bit of a "religious" question.

There is one set of (relatively-liberal) standards for what may appear 
in a DNS label.

There is another set of (relatively-strict) standards for what may 
appear in a "hostname".

For fields in DNS records that are expected to refer to "hostnames" 
(e.g. the owner name of an A record, the target of an MX), it is 
certainly *arguable* that the nameserver itself should be enforcing 
*hostname* standards, even though they are not *DNS* standards _per_se_. 
BIND makes this choice, by default, for authoritative data (master and 
slave files), but allows the administrator to override it.

In contexts where a DNS name is *not* going to be interpreted as a 
"hostname" (e.g. the owner name of a SRV record), BIND does not attempt 
to force anything at all. Nor should it.

What will you "lose" by loosening these checks? If you have no "illegal 
hostnames" on the master then you'll lose nothing at all. If you have 
"check-names master fail" on the master, for instance, then there really 
is no reason to enforce any check-names on the slaves. If you're worried 
about illegal hostnames creeping into your master file and

                        - Kevin

Peter Laws wrote:
> Leonard Mills wrote:
>   
>> check-names master ignore
>>
>> might well be what you're looking for.  You lose name checking against the current standards :-).
>>     
>
> *That's* the question:  what are the standards as BIND sees them?  The RFCs 
> referenced in here and in the docs specify what's "official" (or what was 
> official years ago) but that's not necessarily the same as what BIND does:
>
> "The rules for legal hostnames / mail domains are derived from RFC 952 and 
> RFC 821 as modified by RFC 1123." (from BIND docs)
>
>
> OK, so just what is derived?  Did they take the rules verbatim?  Or do they 
> allow some and not others?  SRV records *require* the underbar, but they 
> aren't mentioned in any of the RFCs above or any posted here today ...
>
> So the question stands - what do I lose if I choose "check-names slave 
> ignore"?
>
>
>   
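As an added illustration of the distinction drawn in the reply above (this is not code from the thread or from BIND itself): a small Python model of the liberal DNS-label rule versus the strict RFC 952/1123 hostname rule, and of how the fail/warn/ignore modes change what happens when a zone containing an underscore hostname is loaded. Which record fields are held to hostname rules is an assumption approximating BIND's per-type checks (SRV owner names deliberately exempt), and the zone data is constructed.

```python
import re

# RFC 952/1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Fields held to hostname rules. Assumption: an approximation of BIND's
# per-type checks; the owner name of an SRV record is deliberately exempt.
HOSTNAME_FIELDS = {"A": ("owner",), "AAAA": ("owner",),
                   "MX": ("owner", "rdata"), "NS": ("rdata",), "SRV": ("rdata",)}


def is_dns_name(name):
    """Liberal DNS rule: any characters, labels of 1..63 octets, total <= 253."""
    stripped = name.rstrip(".")
    return 0 < len(stripped) <= 253 and all(0 < len(l) <= 63 for l in stripped.split("."))


def is_hostname(name):
    """Strict hostname rule (RFC 952 as relaxed by RFC 1123)."""
    return is_dns_name(name) and all(_HOST_LABEL.match(l) for l in name.rstrip(".").split("."))


def check_record(rtype, owner, rdata_name):
    """Return the offending names in one record, or [] if it is clean."""
    bad = []
    for field in HOSTNAME_FIELDS.get(rtype, ()):
        candidate = owner if field == "owner" else rdata_name
        if not is_hostname(candidate):
            bad.append(candidate)
    return bad


def load_zone(records, mode):
    """Emulate check-names {fail|warn|ignore}: return (zone_loaded, log_lines)."""
    log = []
    for rtype, owner, rdata_name in records:
        for name in check_record(rtype, owner, rdata_name):
            log.append(f"{owner} {rtype}: bad name '{name}'")
    if mode == "ignore":          # nothing checked, nothing logged
        return True, []
    if mode == "fail" and log:    # whole zone refused, no records served
        return False, log
    return True, log              # warn: load it, but log the noise


ZONE = [  # constructed sample records (rtype, owner, name-valued rdata or address)
    ("A",   "www.example.com.",        "192.0.2.10"),
    ("A",   "my_host.example.com.",    "192.0.2.11"),        # underscore in a hostname
    ("SRV", "_ldap._tcp.example.com.", "ldap.example.com."),  # underscore owner is legal
    ("MX",  "example.com.",            "mail.example.com."),
]
```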


