On Tue, 21 Dec 1999, Chris Dillon wrote:
CD} On Wed, 22 Dec 1999, Henrik Nordstrom wrote:
CD}
CD} > Chris Dillon wrote:
CD} >
CD} > > Uuuhm, since when did underscores become legal in DNS-land? Or are
CD} > > some administrators of DNS servers just showing their ignorance? And
CD} > > why are they running DNS servers that allow that kind of brokenness at
CD} > > all?
CD} >
CD} > If you read the relevant RFCs then the issue is rather clear. Translated
CD} > and abbreviated it says:
CD} > * DNS clients SHOULD resolve them
CD} > * Authoritative servers MUST not define such names.
Basically, you're saying that clients and non-authoritative servers are
not required to resolve names with invalid characters.
And, authoritative servers are required to discard, at a minimum, resource
records with invalid characters.
CD} > Here we are talking about a DNS client, not server.
CD}
CD} I know, it just irritates me when administrators do things like that.
CD} If all servers followed the RFCs as they should, then there would be
CD} no need for clients to have to resolve those illegal names. Ditto for
CD} the administrators (but hey, even I can't claim to have read every RFC
CD} either, or even most of them). :-)
CD}
CD} Nevertheless, as you point out, the requestor should be lenient (in
CD} this case the resolver libraries), and the requestee (any DNS server)
CD} should be strict in its compliance with the RFC. It would be
CD} interesting to note, since the resolvers in FreeBSD are what brought
CD} this up, that BIND 8.2.2p5 was integrated into both the STABLE and
CD} CURRENT branches about a week ago and is thus available in FreeBSD
CD} 3.4-RELEASE. I don't know if this version of BIND and its resolver
CD} libraries allow resolving names with underscores or not, but it is
CD} worth a shot.
The default action of BIND 8.2.2 patch 5 is to discard resource records
with names containing invalid characters. Unfortunately, it's still not
aggressive enough in handling queries that contain invalid characters.
One of our field offices decided to bring up a named implementation from
Microsoft. We have encountered tremendous DNS storms as these systems
began forwarding requests to resolve names such as \\image.gif. We keep
an IPFW rule to deny port 53 that can be enabled on a moment's notice to
combat this type of problem.
Merton Campbell Crockett
+--------------------------------------------------------------------------+
| Manager, Network Operations & Services | Chief Network/Security Engineer |
| General Dynamics Electronic Systems | Naval Surface Warfare Center |
| Intelligence Systems Organization | Port Hueneme Division |
| Thousand Oaks, CA | Port Hueneme, CA |
+--------------------------------------------------------------------------+
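The strict-server / lenient-client split discussed in this thread, as an added example that is not code from the thread, from BIND or from FreeBSD's resolver. It classifies owner names against the RFC 952/1123 hostname rules, applies the check only to address records on the authoritative side (a simplification of BIND's check-names behaviour), and tolerates underscores on the resolver side while still refusing names like `\\image.gif`. The zone records and names are constructed for the example.

```python
import re

# RFC 952 hostname label as relaxed by RFC 1123: letters, digits and hyphen,
# no leading or trailing hyphen, 1 to 63 octets per label.
_HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# Lenient variant for the resolver side: the only extra character tolerated is
# the underscore, which is the deviation the thread is about.
_LENIENT_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")

# Record types whose owner name must be a hostname (simplification of
# BIND's check-names, which is per record type).
HOSTNAME_RTYPES = {"A", "AAAA"}

# Constructed sample zone data: (owner name, type, rdata).
SAMPLE_RECORDS = [
    ("www.example.test", "A", "192.0.2.10"),
    ("my_host.example.test", "A", "192.0.2.11"),
    ("_ldap._tcp.example.test", "SRV", "0 0 389 ldap.example.test"),
    ("\\\\image.gif", "A", "192.0.2.12"),
]


def classify_name(name):
    """Return 'valid', 'underscore' or 'invalid' for a DNS owner name.

    'valid'      every label is an RFC 952/1123 hostname label
    'underscore' the only deviation is underscores (a lenient client queries it)
    'invalid'    other illegal characters, empty labels or an oversize name
    """
    stripped = name.rstrip(".")
    labels = stripped.split(".")
    if len(stripped) > 253:
        return "invalid"
    if all(_HOSTNAME_LABEL.match(label) for label in labels):
        return "valid"
    if all(_LENIENT_LABEL.match(label) for label in labels):
        return "underscore"
    return "invalid"


def filter_zone_records(records):
    """Authoritative side: keep an RR unless it is an address record whose
    owner name fails the strict hostname check. Returns (kept, discarded)."""
    kept, discarded = [], []
    for owner, rtype, rdata in records:
        ok = rtype not in HOSTNAME_RTYPES or classify_name(owner) == "valid"
        (kept if ok else discarded).append((owner, rtype, rdata))
    return kept, discarded


def resolver_should_query(name):
    """Client side: tolerate underscores, but drop obviously bogus names
    before they are forwarded and turn into a query storm."""
    return classify_name(name) in ("valid", "underscore")
```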
Received on Wed Dec 22 1999 - 00:23:06 MST
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:50:05 MST