Windows 2000 - Active Directory & underscores

Mark.Andrews at nominum.com Mark.Andrews at nominum.com
Fri Feb 11 00:42:20 UTC 2000


> Brian,
> 
> Thanks for this answer.  It is what I was looking for.
> 
> But it does open something for discussion...
> 
> BIND supports RFC2136, but not RFC2181.  

	BIND does support RFC 2181.  Most of the clarifications came out
	of the BIND work.  BIND *does* support underscores.  It happily
	accepts (by default) them except from zones it is a master for
	where the default is to reject them if and only if they are used
	in the context of a hostname / mailname.  The only difference here
	is we default "on" not "off" for this checking.  Yes such checking
	is in RFC 2181.

	There are some parts of RFC 2181 that BIND 4 and BIND 8 cannot do
	due to internal design decisions taken well before RFC 2181 was
	even contemplated.  BIND 9 does not have those restrictions.

	If you want to know why we default "on", it is due to the "Principle
	of Least Astonishment".  The DNS is a (potentially) hostile database
	to retrieve data from.  Gethostbyaddr protects its clients by
	enforcing RFC 952 + RFC 1123.  If we didn't default to "on" all we
	would be doing is responding to complaints that "you allowed us
	to enter these names but you don't accept them".

	The administrator of the server can change the default any time
	they like, however they should then be aware that they are stepping
	outside of agreed interoperability guarantees.

	Mark
> 
>    RFC2136 is about "Dynamic Updates",
>    RFC2181 is about "Clarifications to the DNS Specification".
> 
> Both of these RFCs are "an Internet standards track protocol", which I gather
> is basically "work in progress" to stimulate the community and IETF into 
> producing a new standard.
> 
> There are people in the DNS community who are ready to shoot any one down when
> they ask why BIND doesn't support the underscore.  They say it's not covered
> in RFC952 & RFC1123 (but would be OK if RFC2181 was included).
> 
> Then when other people ask if BIND supports Dynamic Updates they proudly
> say that it supports RFC2136.
> 
> Neither of these look to be finalised standards, so how does one get included,
> and another not?
> 
> I know that something like RFC2181 is going to happen, even if it is so the DNS
> can support names in other languages than English; especially for those languages
> that use two bytes for each character.
> 
> I also know about the "check-names master ignore;" hack to get around my
> current problem, but I think I'll push our Win2000 people into a Registry
> hack to fix the problem (MS KB Q241973).  It's strange how MS say that
> underscores are invalid DNS characters (in non-MS name servers) in both
> Q199011 and Q222823, and even partially force this upon its users in the
> naming of a Win2000 host.
> 
> Brian
> 
> 
> "Brian W. Keller" wrote:
> > 
> > We have also been working with non-Microsoft implementations of BIND for our
> > DNS and ran into the same problems.  In Microsoft's Knowledge Base article
> > Q199011, they indicate that they used RFC 2181 as the standard, which does
> > indicate that the underscore is legal in A records (it wasn't specifically
> > forbidden in SRV or CNAME).  Unfortunately, RFC 2131 is only a "standards
> > track" proposal, not yet accepted as part of the standard.  Microsoft
> > doesn't seem to understand that everything in the RFCs is not a standard,
> > hence PPTP, DDNS, SRV records, etc...
> > 
> > There are two resolutions to this.  In Microsoft's Knowledge Base article
> > Q241973, they point out the work-arounds.  It seems that the A record is not
> > required and can be omitted.  The 2000 machine can be instructed not to send
> > the DDNS A record registration by adding a key to the registry.  Go to:
> > 
> > HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
> > 
> > and create the Value Name:
> > RegisterDnsARecords
> > as Data Type REG_DWORD, with Value of 0.
> > 
> > Alternatively, most implementations of BIND will allow you to ignore syntax
> > checking on names through the:
> > 
> > options { check-names master ignore; };
> > 
> > line in the named.conf file.  You might not actually want to ignore all
> > names in the master file, but change that so that you only ignore errors in
> > your dynamic zone.
> > 
> > A couple of useful points.  To check things, nslookup on most systems will
> > fail if you give it underscores in the name.  You'll have to use Microsoft's
> > nslookup to check the nameserver, since it doesn't object to the
> > underscores.  Also, if you really want to,  you can run a static DNS and
> > copy the entries for your AD servers in by hand.  If there's no DDNS
> > present, Windows 2000 will write a file in the %systemroot%\System32\Config
> > directory called netlogon.dns which will contain all of the entries that
> > would have been registered to the DDNS.  It isn't dynamic anymore, but it
> > does work.  For a detailed description of each of the entries, see article
> > Q178169 in the Knowledge Base.
> > 
> > Brian.
> > -----
> > Brian Keller - keller.4 at osu.edu
> > Physics Computer Facility
> > The Ohio State University
> > -----
> > "Brian Miller" <bmiller at telstra.com.au> wrote in message
> > news:389FB58D.302CA827 at telstra.com.au...
> > > Yes, it's another question about the two most common BIND problems.
> > >
> > > We are starting to look at using BIND for our Active Directory
> > > used by Windows 2000. (I look after BIND, others are looking at
> > > Active Directory.)
> > >
> > > I have set up a  dynamic zone (dyn-test.in.telstra.com.au -
> > > an internal zone, so don't even bother trying to look at it)
> > > which I can happily update with "nsupdate".
> > >
> > > The Win2000 boxes are configured to use this domain for their Active
> > > Directory and stuff is added.  A few "A" types, some "CNAME" types
> > > and a lot of "SRV" types.
> > >
> > > The evil comes in when:
> > >
> > >    gc._msdcs.testad-03.dyn-test.in.telstra.com.au. 600 IN A 172.57.38.136
> > >
> > > is attempted to be added.  BIND rejects this in /var/adm/messages with a:
> > >
> > >    named[5756]: owner name "gc._msdcs.testad-03.dyn-test.in.telstra.com.au"
> > >       IN (primary) is invalid - rejecting
> > >
> > > I have read RFCs 921/952/1123 and confirmed that the evil "_" is the cause
> > > of the problem.
> > >
> > > Has any one else seen Microsoft dynamically create these zones with
> > > underscores in them?  Are they configurable from Win2000? Can Win2000
> > > be told to be RFC compliant?
> > >
> > > The group doing the Active Directory testing have already tried
> > > using Cisco's Network Registrar, which they say doesn't work; and
> > > the Microsoft DNS server which worked for them.
> > >
> > > Thanks in advance,
> > >
> > > Brian
> > > --
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> > > Brian Miller                                 Telstra
> > > WAN Products                                 30/242 Exhibition Street
> > > Network & Technology Group                   Melbourne, VIC 3000
> > > bmiller at telstra.com.au                       Australia
> > > Tel: +61-3-9632-3883                         FAX: +61-3-9632-3884
> > > -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> 
> -- 
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> Brian Miller                                 Telstra
> WAN Products                                 30/242 Exhibition Street
> Network & Technology Group                   Melbourne, VIC 3000
> bmiller at telstra.com.au                       Australia
> Tel: +61-3-9632-3883                         FAX: +61-3-9632-3884
> -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
> 
> 
--
Mark Andrews, Nominum Inc. / Internet Software Consortium
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark.Andrews at nominum.com
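The thread turns on one distinction: BIND does not reject underscores as such, it rejects them only when the owner name is used in a hostname context (an A record owner, say) and the zone's check-names policy is "fail". An SRV owner like _ldap._tcp is a service label, not a hostname, and passes regardless, which is why omitting the Active Directory A record is enough to make the rest of the registrations load. The Python below is an added illustration written for this page, not BIND's own code: it applies an RFC 952/1123 label check to a list of (owner, type, rdata) tuples under a check-names style policy of fail, warn or ignore. The record set, the zone name ad.example. and the set of types treated as hostname context (A, AAAA, MX owners only; RDATA is not inspected) are all assumptions made for the example.

```python
import re
from typing import Iterable, List, Tuple

# RFC 952 / RFC 1123 hostname label: letters, digits and hyphen, no leading or
# trailing hyphen, at most 63 octets. An underscore label such as _msdcs fails.
_HOST_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Record types whose OWNER name is expected to be a hostname (or mailname).
# Assumption for this example only; it is not BIND's exact internal list, and
# hostnames inside RDATA (MX exchange, NS target, SRV target) are not checked here.
HOSTNAME_OWNER_TYPES = {"A", "AAAA", "MX"}

Record = Tuple[str, str, str]   # (owner, rtype, rdata)
Result = Tuple[str, str, str]   # (owner, rtype, decision)


def is_valid_hostname(name: str) -> bool:
    """RFC 952/1123 syntax check on a (possibly absolute) owner name."""
    stripped = name.rstrip(".")
    if not stripped or len(stripped) > 253:
        return False
    labels = stripped.split(".")
    return all(_HOST_LABEL.match(label) is not None for label in labels)


def check_names(records: Iterable[Record], policy: str = "fail") -> List[Result]:
    """Apply a check-names style policy to each record.

    policy: "fail"   - reject records whose hostname-context owner is invalid
            "warn"   - load them, but flag them
            "ignore" - load everything without checking
    Names are only examined when the record type puts the owner in hostname
    context; an SRV owner such as _ldap._tcp.ad.example. is never checked.
    """
    if policy not in ("fail", "warn", "ignore"):
        raise ValueError("policy must be fail, warn or ignore")
    results: List[Result] = []
    for owner, rtype, _rdata in records:
        rtype = rtype.upper()
        in_hostname_context = rtype in HOSTNAME_OWNER_TYPES
        if policy == "ignore" or not in_hostname_context or is_valid_hostname(owner):
            results.append((owner, rtype, "accept"))
        elif policy == "warn":
            results.append((owner, rtype, "warn"))
        else:
            results.append((owner, rtype, "reject"))
    return results


def rejected_owners(records: Iterable[Record], policy: str = "fail") -> List[str]:
    """Owner names that would be refused by a zone under the given policy."""
    return [owner for owner, _rtype, decision in check_names(records, policy)
            if decision == "reject"]


# Constructed sample: the shape of what a Windows 2000 domain controller
# registers, using the assumed zone ad.example. (address and target are made up).
SAMPLE_RECORDS: List[Record] = [
    ("gc._msdcs.ad.example.", "A", "192.0.2.10"),                       # the problem record
    ("_ldap._tcp.ad.example.", "SRV", "0 100 389 dc1.ad.example."),       # service label owner
    ("_gc._tcp.ad.example.", "SRV", "0 100 3268 dc1.ad.example."),        # service label owner
    ("dc1.ad.example.", "A", "192.0.2.10"),                               # ordinary hostname
    ("-bad.ad.example.", "A", "192.0.2.11"),                              # leading hyphen
]

if __name__ == "__main__":
    for owner, rtype, decision in check_names(SAMPLE_RECORDS, "fail"):
        print(f"{decision:7s} {rtype:5s} {owner}")
    print("rejected under fail:", rejected_owners(SAMPLE_RECORDS, "fail"))
    print("rejected under ignore:", rejected_owners(SAMPLE_RECORDS, "ignore"))
```

Run with the default "fail" policy, only the two A records with a bad owner are refused; the SRV records with underscored owners load untouched, and switching the policy to "ignore" for just the dynamic zone (the equivalent of a per-zone check-names setting) accepts everything, which is exactly the trade-off Mark describes: the names load, but the guarantee that any A-record owner is a usable gethostbyname target is gone.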


