Bug 176736 - Named failed to load valid zone file due to underscore
Summary: Named failed to load valid zone file due to underscore
Alias: None
Product: Fedora
Classification: Fedora
Component: bind   
(Show other bugs)
Version: 4
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Jason Vas Dias
QA Contact: Ben Levenson
Depends On:
TreeView+ depends on / blocked
Reported: 2005-12-31 12:50 UTC by John Bass
Modified: 2007-11-30 22:11 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2006-01-09 16:20:02 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description John Bass 2005-12-31 12:50:56 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.12) Gecko/20050923 Fedora/1.7.12-1.5.1

Description of problem:
http://www.faqs.org/rfcs/rfc2181.html states:  11. Name syntax

The DNS itself places only one restriction on the particular labels
   that can be used to identify resource records.  That one restriction
   relates to the length of the label and the full name.  The length of
   any one label is limited to between 1 and 63 octets.  A full domain
   name is limited to 255 octets (including the separators).  The zero
   length full name is defined as representing the root of the DNS tree,
   and is typically written and displayed as ".".  Those restrictions
   aside, any binary string whatever can be used as the label of any
   resource record.  Similarly, any binary string can serve as the value
   of any record that includes a domain name as some or all of its value
   (SOA, NS, MX, PTR, CNAME, and any others that may be added).
   Implementations of the DNS protocols must not place any restrictions
   on the labels that can be used.  In particular, DNS servers must not
   refuse to serve a zone because it contains labels that might not be
   acceptable to some DNS client programs.  A DNS server may be
   configurable to issue warnings when loading, or even to refuse to
   load, a primary zone containing labels that might be considered
   questionable, however this should not happen by default.

This document, dated 1997 supercedes the ancient 1984  RFC-952 Dod document,
by specifically allowing any valid binary string for a domain name.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. create hostname with underscore in name "_"
2. service named restart

Actual Results:  bind fails to load that zone, with bad name (check-names) error

Expected Results:  zone should be allowed to load with underscore, as per rfc2181 as ANY BINARY string is allowed in hostname, and should not refuse to load a "questionable" primary zone containing such labels by default per the RFC.

Additional info:

silently failing to load zones following a normal upgrade or update SHOULD NOT OCCUR, as it silently takes multiple hosts and servers off the net. Particularly when these hosts have been operating on the net with these names for some time.

Comment 1 David Keegel 2006-01-04 23:11:16 UTC

Do you have any settings for check-names in your named.conf options block?

BIND 9 ships with a default/implied
    check-names master fail;
(see http://isc.org/sw/bind/arm93/Bv9ARM.ch06.html#options - under check-names)

So you should be able to work around this by adding:
    check-names master warn;
within the options { } block in your /etc/named.conf.

Or change "warn" to "ignore" if you don't want the warnings reported 
in your /var/log/messages file.

I'm a little surprised this has only become a problem for you recently, 
I understand that ISC have been shipping BIND this way for many years.

Comment 2 Jason Vas Dias 2006-01-09 16:20:02 UTC
RE: Comment #1 from David Keegel (djk@cyber.com.au) on 2006-01-04 18:11 EST:
> BIND 9 ships with a default/implied
>     check-names master fail;
> (see http://isc.org/sw/bind/arm93/Bv9ARM.ch06.html#options - check-names)

Yes, BIND 9.3.0+ started the 'check-names master fail;' default ;
the 'check-names' option was not fully implemented in previous releases.

While the DNS RFC name format specifications are only recommendations,
it is considered bad practice to ignore them, hence the check-names 
option and its default .

As suggested in Comment #1, change 'check-names' to something like :
  'check-names master ignore;' or
  'check-names master warn;' 
or remove the offending underscores to overcome this issue.

Note You need to log in before you can comment on or make changes to this bug.