What's the REAL DEAL with Underscores in BIND8.X?
Bill Manning
bmanning at ISI.EDU
Sat Oct 16 06:47:36 UTC 1999
> > The long-term solution is to rename the systems using hyphens
> > instead of underscores and create aliases with the underscore.
> > Then you can age the aliases off your DNS gradually over time.
>
> What cost-justifications could there possibly be for such a forced
> migration? "RFC compliance" doesn't mean a hell of a lot to a beancounter;
> where's the money? And we're not talking chump change either: we have over
> 7,000+ underscored names in our DNS database here, thanks to BIND's longstanding
> permissiveness.
>
> Separating underscore-checks from other kinds of name-checking within BIND would
> seem to be a far more practical solution to this "problem", at least until
> RFC 1035's ban on underscores can be officially obsoleted on the basis that the
> stated justification for it -- migration from the HOSTS.TXT file -- has long
> since passed.
>
>
> - Kevin

There were several other reasons for tightening down this
error in early implementations. This change has been in the
works for -years- since 1996, if memory serves. It is not
even forced.

However, more and more sites are disallowing the underscore
in host names (check-names fail;) If your offsite slave sites
have this option, then they are not particularly useful as
slaves for your zones. If you take this all internal, then
you are leaving yourself open to other failure modes.

For the beancounters, it boils down to risk management.
A program of gradual migration over several years at small
incremental cost, vs the high risk of server hijacking
has proven a useful discussion point in the past.

--
--bill
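
The migration quoted at the top of this message (rename hosts with hyphens, keep the underscored names as aliases) can be planned mechanically. The sketch below is an added example, not part of the original thread or of BIND; it assumes a simplified one-record-per-line `owner IN type rdata` format, treats only A/AAAA owners as host names, and the name `plan_migration` is hypothetical.

```python
import re

# Constructed sample zone data; not taken from the original post.
SAMPLE_ZONE = """\
db_server1   IN A     192.0.2.10
web-1        IN A     192.0.2.20
web_1        IN A     192.0.2.21
_backup      IN A     192.0.2.30
mail         IN A     192.0.2.40
_sip._tcp    IN SRV   0 5 5060 mail
"""

# RFC 952 / RFC 1123 host label: letters, digits, hyphens; no leading/trailing hyphen.
LABEL_OK = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
HOST_TYPES = {"A", "AAAA"}  # assumption: only address-record owners are host names


def plan_migration(zone_text):
    """Return (renamed_records, alias_records, problems) for underscored host names."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if line:
            owner, _cls, rtype, rdata = line.split(None, 3)
            records.append((owner, rtype.upper(), rdata))
    original = {o.lower() for o, _, _ in records}
    non_host = {o.lower() for o, t, _ in records if t not in HOST_TYPES}
    renamed, aliases, problems = [], [], []
    for owner, rtype, rdata in records:
        if rtype not in HOST_TYPES or "_" not in owner:
            continue  # e.g. SRV owners such as _sip._tcp are left alone
        new = owner.replace("_", "-")
        if not all(LABEL_OK.match(label) for label in new.split(".")):
            problems.append((owner, "hyphenated form is not a valid host name"))
        elif new.lower() in original:
            problems.append((owner, "hyphenated form collides with " + new))
        elif owner.lower() in non_host:
            problems.append((owner, "other record types present; CNAME cannot coexist"))
        else:
            renamed.append(f"{new} IN {rtype} {rdata}")
            if f"{owner} IN CNAME {new}" not in aliases:  # one alias per owner
                aliases.append(f"{owner} IN CNAME {new}")
    return renamed, aliases, problems


if __name__ == "__main__":
    renamed, aliases, problems = plan_migration(SAMPLE_ZONE)
    print("\n".join(renamed + aliases + [f"; review {o}: {w}" for o, w in problems]))
```

Names reported in `problems` need a manually chosen replacement; the aliases are the records to age out over time.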