Re: check-names settings - DNS


Thread: Re: check-names settings

  1. Re: check-names settings

    If you have no "illegal" hostnames then it doesn't really matter what
    you set "check-names" to on either the master or the slave(s), since
    nothing will fail and nothing will get logged.

    If you have "illegal" hostnames then you'll need to change the default
    for your master to "warn" (if you like log noise) or "ignore". The
    default for the slaves is already "warn" so the only reason to change
    the default to "ignore" is to shut up the log noise.

    If your master is being run by an "untrusted" (or "semi-trusted") entity
    and you want to catch any "illegal" hostnames before they start being
    served by your slaves, then you could, theoretically, set "check-names
    slave fail". But understand that you won't get any changes replicated
    to you (even the "good" records in the zone), and you'll be racing
    against the EXPIRE timer if you don't detect such failures and act to
    get them corrected in a timely manner. Most organizations, I think,
    would simply put the onus on the master to not propagate "illegal"
    hostnames in the first place, absent a thorough understanding and
    appreciation of the potential impact. As a practical matter, only a
    vanishingly-small percentage of apps still cares about underscores in
    hostnames, so it probably doesn't matter that much either way.


    - Kevin

    Peter,
    Please understand that this is a bit of a "religious" question.

    There is one set of (relatively-liberal) standards for what may appear
    in a DNS label.

    There is another set of (relatively-strict) standards for what may
    appear in a "hostname".

    For fields in DNS records that are expected to refer to "hostnames"
    (e.g. the owner name of an A record, the target of an MX), it is
    certainly *arguable* that the nameserver itself should be enforcing
    *hostname* standards, even though they are not *DNS* standards _per_se_.
    BIND makes this choice, by default, for authoritative data (master and
    slave files), but allows the administrator to override it.

    In contexts where a DNS name is *not* going to be interpreted as a
    "hostname" (e.g. the owner name of a SRV record), BIND does not attempt
    to force anything at all. Nor should it.

    What will you "lose" by loosening these checks? If you have no "illegal
    hostnames" on the master then you'll lose nothing at all. If you have
    "check-names master fail" on the master, for instance, then there really
    is no reason to enforce any check-names on the slaves. If you're worried
    about illegal hostnames creeping into your master file and


    - Kevin

    Peter Laws wrote:
    > Leonard Mills wrote:
    >
    >> check-names master ignore
    >>
    >> might well be what you're looking for. You lose name checking against the current standards :-).
    >>

    >
    > *That's* the question: what are the standards as BIND sees them? The RFCs
    > referenced in here and in the docs specify what's "official" (or what was
    > official years ago) but that's not necessarily the same as what BIND does:
    >
    > "The rules for legal hostnames / mail domains are derived from RFC 952 and
    > RFC 821 as modified by RFC 1123." (from BIND docs)
    >
    >
    > OK, so just what is derived? Did they take the rules verbatim? Or do they
    > allow some and not others? SRV records *require* the underbar, but they
    > aren't mentioned in any of the RFCs above or any posted here today ...
    >
    > So the question stands - what do I lose if I choose "check-names slave
    > ignore"?
    >
    >
    >




  2. Re: check-names settings

    Which thing can show that we are having an illegal host name? Please explain.
    Jessica Luis
    HP Servers and HP Integrity
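
One way to see which names in a zone would count as "illegal" hostnames, as an added example that is not part of the thread and not BIND's own code: it applies the letter-digit-hyphen rule of RFC 952 as modified by RFC 1123 to the two hostname contexts named in the first post (the owner name of an A record, the target of an MX) and leaves SRV owner names alone. The zone text and the names `is_hostname` and `find_illegal_hostnames` are constructed for illustration, and the parser assumes one record per line with numeric TTLs.

```python
import re

# RFC 952 as modified by RFC 1123: a label is letters, digits and hyphens,
# 1-63 characters long, and neither starts nor ends with a hyphen.
LDH_LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")

def is_hostname(name):
    """True if every label of `name` satisfies the letter-digit-hyphen rule."""
    labels = name.rstrip(".").split(".")
    return all(LDH_LABEL.fullmatch(label) for label in labels)

def find_illegal_hostnames(zone_text):
    """Return (line number, context, name) for each name failing the rule."""
    findings, owner = [], None
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]               # drop comments
        if not line.strip() or line.lstrip().startswith("$"):
            continue                              # blank line or $TTL/$ORIGIN
        fields = line.split()
        if not line[0].isspace():                 # leading blank = same owner
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                         # optional TTL and class
        if not fields:
            continue
        rtype, rdata = fields[0].upper(), fields[1:]
        # Only hostname contexts are checked; an SRV owner is not one.
        if rtype == "A" and owner not in (None, "@") and not is_hostname(owner):
            findings.append((lineno, "A owner", owner))
        elif rtype == "MX" and len(rdata) == 2 and not is_hostname(rdata[1]):
            findings.append((lineno, "MX target", rdata[1]))
    return findings

# Constructed sample zone fragment (documentation addresses and names).
SAMPLE_ZONE = """\
$TTL 3600
www          IN A    192.0.2.10
db_primary   IN A    192.0.2.20
             IN A    192.0.2.21
-edge        300 IN A 192.0.2.30
_sip._tcp    IN SRV  0 5 5060 sip.example.com.
@            IN MX   10 mail_gw.example.com.
@            IN MX   20 mail2.example.com.
"""

if __name__ == "__main__":
    for lineno, context, name in find_illegal_hostnames(SAMPLE_ZONE):
        print(f"line {lineno}: {context} {name!r} is not a legal hostname")
```
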
