check-names settings
Kevin Darcy
kcd at chrysler.com
Fri Sep 12 21:32:11 UTC 2008
If you have no "illegal" hostnames then it doesn't really matter what
you set "check-names" to on either the master or the slave(s), since
nothing will fail and nothing will get logged.
If you have "illegal" hostnames then you'll need to change the default
for your master to "warn" (if you like log noise) or "ignore". The
default for the slaves is already "warn" so the only reason to change
the default to "ignore" is to shut up the log noise.
If your master is being run by an "untrusted" (or "semi-trusted") entity
and you want to catch any "illegal" hostnames before they start being
served by your slaves, then you could, theoretically, set "check-names
slave fail". But understand, that you won't get any changes replicated
to you (even the "good" records in the zone), and you'll be racing
against the EXPIRE timer, if you don't detect such failures and act to
get them corrected, in a timely manner. Most organizations, I think,
would simply put the onus on the master to not propagate "illegal"
hostnames in the first place, absent a thorough understanding and
appreciation of the potential impact. As a practical matter, only a
vanishingly-small percentage of apps still cares about underscores in
hostnames, so it probably doesn't matter that much either way.
- Kevin
Peter,
Please understand that this is a bit of a "religious" question.
There is one set of (relatively-liberal) standards for what may appear
in a DNS label.
There is another set of (relatively-strict) standards for what may
appear in a "hostname".
For fields in DNS records that are expected to refer to "hostnames"
(e.g. the owner name of an A record, the target of an MX), it is
certainly *arguable* that the nameserver itself should be enforcing
*hostname* standards, even though they are not *DNS* standards _per_se_.
BIND makes this choice, by default, for authoritative data (master and
slave files), but allows the administrator to override it.
In contexts where a DNS name is *not* going to be interpreted as a
"hostname" (e.g. the owner name of a SRV record), BIND does not attempt
to force anything at all. Nor should it.
What will you "lose" by loosening these checks? If you have no "illegal
hostnames" on the master then you'll lose nothing at all. If you have
"check-names master fail" on the master, for instance, then there really
is no reason to enforce any check-names on the slaves. If you're worried
about illegal hostnames creeping into your master file and
- Kevin
Peter Laws wrote:
> Leonard Mills wrote:
>
>> check-names master ignore
>>
>> might well be what you're looking for. You lose name checking against the current standards :-).
>>
>
> *That's* the question: what are the standards as BIND sees them? The RFCs
> referenced in here and in the docs specify what's "official" (or what was
> official years ago) but that's not necessarily the same as what BIND does:
>
> "The rules for legal hostnames / mail domains are derived from RFC 952 and
> RFC 821 as modified by RFC 1123." (from BIND docs)
>
>
> OK, so just what is derived? Did they take the rules verbatim? Or do they
> allow some and not others? SRV records *require* the underbar, but they
> aren't mentioned in any of the RFCs above or any posted here today ...
>
> So the question stands - what do I lose if I choose "check-names slave
> ignore"?
>
>
>
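The label-versus-hostname distinction Kevin draws above, as an added example that is not from this thread or from BIND itself: a small Python lint that applies the RFC 952/1123 hostname rule to the record fields the BIND 9 ARM documents check-names as covering (owner names of A, AAAA and MX; domain names in the RDATA of NS, SOA, MX and SRV) and models the fail/warn/ignore modes, so a zone can be vetted on the master side before the slaves ever see it. The sample records are constructed for the demonstration; wildcard owner names are not handled.

```python
import re
from typing import List, Tuple

# Constructed sample zone: (owner, type, rdata). Two entries carry underscores
# where a hostname is expected, one (the SRV owner) carries them legitimately.
SAMPLE_RECORDS = [
    ("www.example.com.", "A", "192.0.2.10"),
    ("db_primary.example.com.", "A", "192.0.2.20"),
    ("_sip._tcp.example.com.", "SRV", "10 5 5060 sip.example.com."),
    ("example.com.", "MX", "10 mail-1.example.com."),
    ("example.com.", "MX", "20 mail_2.example.com."),
    ("example.com.", "TXT", '"v=spf1 -all"'),
]

# RFC 952 as relaxed by RFC 1123: letters, digits, hyphens; no leading or
# trailing hyphen; at most 63 octets per label. A DNS label has no such limit.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_hostname(name: str) -> bool:
    """True if every label of the (absolute or relative) name is a legal hostname label."""
    if name == ".":
        return True  # the root has no labels to check
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def names_to_check(owner: str, rtype: str, rdata: str) -> List[Tuple[str, str]]:
    """Return the (field, name) pairs the hostname rule applies to for this record."""
    fields = rdata.split()
    out: List[Tuple[str, str]] = []
    if rtype in ("A", "AAAA", "MX"):
        out.append(("owner", owner))
    if rtype == "NS":
        out.append(("rdata", fields[0]))
    elif rtype == "SOA":
        out.append(("rdata", fields[0]))  # MNAME
    elif rtype == "MX":
        out.append(("rdata", fields[1]))  # exchange, after the preference
    elif rtype == "SRV":
        out.append(("rdata", fields[3]))  # target, after priority weight port
    return out  # SRV/TXT owners and others are not hostnames, so nothing to check


def check_zone(records, mode: str) -> Tuple[bool, List[str]]:
    """Emulate check-names: returns (zone_accepted, diagnostics) for mode fail|warn|ignore."""
    problems = [f"{owner} {rtype}: illegal hostname in {field}: {name}"
                for owner, rtype, rdata in records
                for field, name in names_to_check(owner, rtype, rdata)
                if not is_valid_hostname(name)]
    if mode == "ignore":
        return True, []            # load silently, log nothing
    if mode == "warn":
        return True, problems      # load, but log each offender
    return not problems, problems  # fail: reject the whole zone, good records included
```

With "fail" the two underscored hostnames cause the whole sample zone to be refused, which is exactly the trade-off Kevin describes for "check-names slave fail".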