BIND 9.4.x and check-names
Ben-Eliezer, Tal (ITS)
Tal.Ben-Eliezer at its.ny.gov
Thu Apr 18 12:35:00 UTC 2013
>Isn't it time to upgrade?
Yes, it is. In fact, adding these statements to the options clause is in preparation for our migration to a later version.
It seems from my testing that while BIND 9.4 was very passive about these types of records, and would load a zone despite "illegal chars", later versions of BIND would actually fail to start. This is a fundamental difference between BIND 9.4 and 9.7.3, for example.
I am dealing with about 14 BIND servers so the more preparation steps I can take prior to cutover, the better.
> bind 9.4 has also "check-names response";
Ok, I'm reading up on that now. Should I be able to suppress the logging using:
"check-names response ignore;" ?
Thanks
-----Original Message-----
Date: Wed, 17 Apr 2013 17:58:30 +0200
From: Matus UHLAR - fantomas <uhlar at fantomas.sk>
To: bind-users at lists.isc.org
Subject: Re: BIND 9.4.x and check-names
Message-ID: <20130417155830.GA14058 at fantomas.sk>
Content-Type: text/plain; charset=us-ascii; format=flowed
On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
>Subject: BIND 9.4.x and check-names
Isn't it time to upgrade?
>I recently implemented a change in our DNS environment with the
>intention of suppressing the log events related to AD-integrated
>zones, and their Non-RFC compliant nature.
>
>check-names slave ignore;
>check-names master ignore;
bind 9.4 has also "check-names response";
>However, I still see these entries appear in the logs. Could someone
>please chime in and let me know if my expectation or implementation
>was incorrect? Many thanks!!
>
>default.log:12-Apr-2013 00:45:37.447 general: warning: zone
>****************/IN: gc._msdcs.************/A: bad owner name
>(check-names)
>default.log:12-Apr-2013 00:45:37.447 general: warning: zone
>****************/IN: gc._msdcs.************/A: bad owner name
>(check-names)
Hmm, aren't those supposed to be SRV records?
--
Matus UHLAR - fantomas, uhlar at fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not want to receive any advertising mail at this address.
Windows found: (R)emove, (E)rase, (D)elete
------------------------------
Message: 2
Date: Wed, 17 Apr 2013 09:02:44 -0700
From: Chris Buxton <clists at buxtonfamily.us>
To: Matus UHLAR - fantomas <uhlar at fantomas.sk>
Cc: bind-users at lists.isc.org
Subject: Re: BIND 9.4.x and check-names
Message-ID: <9A8B8BF0-E675-4959-97AC-C9CF2007A01A at buxtonfamily.us>
Content-Type: text/plain; charset=us-ascii
On Apr 17, 2013, at 8:58 AM, Matus UHLAR - fantomas wrote:
> On 17.04.13 06:39, Ben-Eliezer, Tal (ITS) wrote:
>> default.log:12-Apr-2013 00:45:37.447 general: warning: zone ****************/IN: gc._msdcs.************/A: bad owner name (check-names)
>> default.log:12-Apr-2013 00:45:37.447 general: warning: zone ****************/IN: gc._msdcs.************/A: bad owner name (check-names)
>
> Hmm, aren't those supposed to be SRV records?
No, they are the addresses of the global catalog servers. If they were SRV records, check-names would not complain.
Chris Buxton
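To make Chris's point concrete, here is an added example (not code from the list or from ISC): a small Python model of the check-names owner-name and target-name rules, run over a constructed AD-style zone under each policy. The record-type coverage follows the BIND ARM description (owner names of A/AAAA/MX, target names in NS/MX/SRV RDATA); zone and host names are placeholders.

```python
import re
from typing import List, Tuple

# RFC 952/1123 hostname label: letters, digits, hyphen; no leading/trailing
# hyphen; at most 63 octets. Underscore is not allowed, which is why AD's
# gc._msdcs owner names trip check-names.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Per the BIND ARM, check-names validates the OWNER of A, AAAA and MX records
# and the target name in the RDATA of NS, MX and SRV records. SRV owner names
# (which carry underscores by design) are not checked.
OWNER_CHECKED = {"A", "AAAA", "MX"}
TARGET_CHECKED = {"NS", "MX", "SRV"}


def is_hostname(name: str) -> bool:
    """True if every label of the name satisfies RFC 952/1123 hostname syntax."""
    labels = name.rstrip(".").split(".")
    return bool(labels) and all(LABEL_RE.match(lbl) for lbl in labels)


def check_names(zone: str, records: List[Tuple[str, str, str]], policy: str):
    """Emulate check-names for one zone under policy 'ignore', 'warn' or 'fail'.
    Returns (zone_loads, log_lines) shaped like the thread's default.log lines."""
    if policy == "ignore":
        return True, []
    msgs, bad = [], False
    for owner, rtype, rdata in records:
        if rtype in OWNER_CHECKED and not is_hostname(owner):
            msgs.append(f"zone {zone}/IN: {owner}/{rtype}: bad owner name (check-names)")
            bad = True
        # The last RDATA field of NS, MX and SRV is the target host name.
        if rtype in TARGET_CHECKED and not is_hostname(rdata.split()[-1]):
            msgs.append(f"zone {zone}/IN: {owner}/{rtype}: bad name (check-names)")
            bad = True
    level = "error" if policy == "fail" else "warning"
    return (not bad) or policy == "warn", [f"general: {level}: {m}" for m in msgs]


# Constructed sample resembling an AD-integrated zone (placeholder names).
AD_ZONE = [
    ("gc._msdcs.example.com", "A", "192.0.2.10"),
    ("_ldap._tcp.dc._msdcs.example.com", "SRV", "0 100 389 dc1.example.com."),
    ("dc1.example.com", "A", "192.0.2.10"),
]

if __name__ == "__main__":
    for pol in ("ignore", "warn", "fail"):
        loads, lines = check_names("example.com", AD_ZONE, pol)
        print(f"{pol}: zone loads={loads}")
        for line in lines:
            print("  ", line)
```

Only the A record at gc._msdcs is flagged; the SRV record with underscores in its owner name passes because only its target, dc1.example.com., is checked.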
------------------------------
Message: 3
Date: Wed, 17 Apr 2013 12:07:07 -0400
From: Barry Margolin <barmar at alum.mit.edu>
To: comp-protocols-dns-bind at isc.org
Subject: Re: “Foreign” name in the reverse lookup zone
Message-ID: <barmar-C85EFA.12070717042013 at news.eternal-september.org>
In article <mailman.146.1366210213.20661.bind-users at lists.isc.org>,
PAVLOV Misha <Misha.Pavlov at socgen.com> wrote:
> Folks,
>
> Wonder if someone can kindly confirm that there is nothing wrong with having
> a PTR record in one of the subnet zone files (we are authoritative for) with PTR
> to the name owned by another office (domain). A server
> exchange.north.our.company (owned and registered in north.our.company domain)
> installed here, on the same network as all local south.our.company machines.
> We own, are authoritative and maintain the db.1.2.3 subnet reverse zone, but
> not the north.our.company name registered far away.
There's nothing wrong with it, and it's done all the time. Consider the
case where www.company.com server is hosted at a third party. The A
record will be in the company's domain, but the PTR record will be in
the hosting service's reverse domain.
Just make sure that there is a corresponding A record. Some software
will check for this before believing the PTR record. This is mostly done
in software that uses reverse lookups in security checks; for instance,
if a hosts.allow file allows access from *.company.com, it can't just
believe the PTR record because anyone can put "<some-addr> PTR
foo.company.com." in their reverse zone.
--
Barry Margolin
Arlington, MA
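Added example (not from the list or from any BIND code) of the forward-confirmation check Barry describes: the PTR name is trusted only if that name's own A record points back at the querying address. The zone data is constructed in-line to stand in for a reverse zone you run plus forward zones owned elsewhere, including a spoofed PTR pointing at a name in someone else's domain.

```python
from typing import Dict, List, Optional

# Constructed data: the reverse zone we control, and the forward zones that
# other parties control. 1.2.3.5 is a PTR anyone could publish for a name
# they do not own; the real www.company.com lives at a different address.
PTR_ZONE: Dict[str, str] = {
    "1.2.3.4": "exchange.north.our.company.",   # legitimate, A record matches
    "1.2.3.5": "www.company.com.",              # spoofed, A record does not match
}
FORWARD_A: Dict[str, List[str]] = {
    "exchange.north.our.company.": ["1.2.3.4"],
    "www.company.com.": ["198.51.100.7"],
}


def reverse_lookup(ip: str) -> Optional[str]:
    """Stand-in for a PTR query against the constructed reverse zone."""
    return PTR_ZONE.get(ip)


def forward_lookup(name: str) -> List[str]:
    """Stand-in for an A query against the constructed forward zones."""
    return FORWARD_A.get(name, [])


def fcrdns_name(ip: str) -> Optional[str]:
    """Forward-confirmed reverse DNS: return the PTR name only when the name's
    own A record set contains the original address; otherwise None."""
    name = reverse_lookup(ip)
    if name is None:
        return None
    return name if ip in forward_lookup(name) else None


def hosts_allow_match(ip: str, suffix: str) -> bool:
    """Emulate a tcp_wrappers-style '.company.com' rule from the hosts.allow
    example: the bare PTR name is never trusted, only the confirmed one."""
    name = fcrdns_name(ip)
    return name is not None and name.rstrip(".").endswith(suffix)


if __name__ == "__main__":
    for ip in PTR_ZONE:
        print(ip, "PTR", PTR_ZONE[ip], "-> confirmed:", fcrdns_name(ip))
    print("1.2.3.5 allowed by .company.com rule:",
          hosts_allow_match("1.2.3.5", ".company.com"))
```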
------------------------------
_______________________________________________
bind-users mailing list
bind-users at lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
End of bind-users Digest, Vol 1502, Issue 1