bad owner name (check-names)

Kevin Darcy kcd at daimlerchrysler.com
Tue Aug 31 00:34:21 UTC 2004


Conosciani Mauro wrote:

>I'm moving DNS server files from a server with BIND 9.2.2 to a new one
>with BIND 9.3.0rc2; the OS is Linux 2.4.21-4.ELsmp.
>When I start the new BIND server I get:
>
> 
>
>Aug 30 13:16:02 netservicea named[19922]: zone 'adr.it' allows updates
>by IP address, which is insecure
>
>Aug 30 13:16:02 netservicea named[19922]: zone '_msdcs.adr.it' allows
>updates by IP address, which is insecure
>
>Aug 30 13:16:02 netservicea named[19922]: zone '_sites.adr.it' allows
>updates by IP address, which is insecure
>
>Aug 30 13:16:02 netservicea named[19922]: zone '_tcp.adr.it' allows
>updates by IP address, which is insecure
>
>Aug 30 13:16:02 netservicea named: Avvio named succeeded
>
>Aug 30 13:16:02 netservicea named[19922]: zone '_udp.adr.it' allows
>updates by IP address, which is insecure
>
>Aug 30 13:16:02 netservicea named[19922]: command channel listening on
>127.0.0.1#953
>
>Aug 30 13:16:02 netservicea named[19922]: zone 0.0.127.in-addr.arpa/IN:
>loaded serial 1997022700
>
>Aug 30 13:16:02 netservicea named[19922]: adr.it.hosts:365:
>dsa_prn.adr.it: bad owner name (check-names)
>
>Aug 30 13:16:02 netservicea named[19922]: zone adr.it/IN: loading master
>file adr.it.hosts: bad owner name (check-names)
>
>Aug 30 13:16:02 netservicea named[19922]: zone _msdcs.adr.it/IN: loaded
>serial 193774
>
>Aug 30 13:16:02 netservicea named[19922]: zone _sites.adr.it/IN: loaded
>serial 193717
>
>Aug 30 13:16:02 netservicea named[19922]: zone _tcp.adr.it/IN: loaded
>serial 193735
>
>Aug 30 13:16:02 netservicea named[19922]: zone _udp.adr.it/IN: loaded
>serial 193716
>
>Aug 30 13:16:02 netservicea named[19922]: zone localhost/IN: loaded
>serial 42
>
>Aug 30 13:16:02 netservicea named[19922]: running
>
> 
>
>If I try an nslookup test on the new server I get
>
> 
>
>** server can't find rehost: NXDOMAIN
>
>It seems that special chars like '_', '\032' give a kind of problem to the
>zone loading.....
>
Right. Underscores are now poisonous, by default, with the newly-exhumed 
"check-names" option. You'll need to either

1) Get rid of the name with the underscore
2) Turn off name-checking and therefore risk propagating truly nasty 
stuff to the Internet and/or your intranet (since check-names is not 
granular enough to allow underscores but at the same time disallow the 
RFC 952 violations that actually cause problems with applications),
3) Back off to an earlier version of BIND for some temporary relief,
4) Petition ISC to rethink their most recent flirt with RFC 952 
enforcement, or
5) Use something other than BIND for your DNS needs.

Lovely choices, eh?

                                                                         
                                                - Kevin
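
As an added example (not part of the original thread, and not BIND's own check): a simplified Python pre-flight scan that lists zone-file records whose owner names would trip a hostname-style check like the one in the log above, so they can be found before a migration. The record types checked, the tolerated leading wildcard label and the sample zone are assumptions made for this example.

```python
import re

# One label under the RFC 952/1123 hostname rule: letters, digits, hyphen,
# and no hyphen at either end.
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
HOST_TYPES = {"A", "AAAA", "MX"}   # assumption: owner names checked for these
CLASSES = {"IN", "CH", "HS"}

def bad_labels(owner):
    """Return the labels of `owner` that break the hostname rule."""
    labels = owner.rstrip(".").split(".")
    if labels and labels[0] == "*":        # assumption: wildcard is tolerated
        labels = labels[1:]
    return [label for label in labels if not LDH_LABEL.match(label)]

def scan_zone(text):
    """Return [(line_no, owner, rtype, bad_labels)] for suspect records.

    Simplified parser: one record per line, no $ORIGIN/$INCLUDE handling,
    no multi-line parentheses, numeric TTLs only.
    """
    findings, owner = [], None
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()           # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue
        fields = line.split()
        if not raw[0].isspace():           # owner given; otherwise inherit it
            owner, fields = fields[0], fields[1:]
        # Skip the optional TTL and class to reach the record type.
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields = fields[1:]
        if not fields or owner in (None, "@"):
            continue
        rtype, bad = fields[0].upper(), bad_labels(owner)
        if rtype in HOST_TYPES and bad:
            findings.append((no, owner, rtype, bad))
    return findings

# Constructed sample zone (documentation addresses, placeholder names).
SAMPLE_ZONE = r"""
$TTL 86400
@           IN SOA ns1.example.test. hostmaster.example.test. 1 3600 600 86400 3600
            IN NS  ns1.example.test.
ns1         IN A   192.0.2.1
dsa_prn     IN A   192.0.2.10
re\032host  IN A   192.0.2.11
_ldap._tcp  IN SRV 0 100 389 ns1.example.test.
"""
```

In the sample, the two A records with an underscore or an escaped character in the owner name are reported, while the SRV record with underscore labels is not.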




More information about the bind-users mailing list