Subject: Re: switching from bind8 to bind9
To: NetBSD Networking Technical Discussion List <>
From: Robert Elz <kre@munnari.OZ.AU>
List: tech-net
Date: 11/19/2002 15:48:54
    Date:        Mon, 18 Nov 2002 12:42:47 -0500 (EST)
    From: (Greg A. Woods)
    Message-ID:  <>

  | Which is exactly what "check-names" does in BIND-8, to the best of my
  | understanding -- it allows you to control what is done with names that
  | are illegal.

You didn't read what I said; I said nothing about what to do with names that
are illegal, but how to decide what names are so in the first place.  There is
no configuration at all for that.

  | Perhaps its definition of "illegal" doesn't match yours,
  | but it's been quite sufficient for our purposes.

That's fine, and you're lucky - but bind should just handle the names the
DNS RFCs say are legal, not the subset you happen to decide that you want
in your zone files (unless it had some config by which you could tell it).

  | There are plenty of completely illegal names in the public DNS.

I doubt it, as the DNS protocols have no way to transport any DNS illegal
names.  Beyond that there are the names that you'd prefer not exist for
one reason or other.  That's fine, in your zones you get to decide what
names should and should not exist - which can be based upon any criteria
you see fit (from the binary values of the characters, to meanings that
you can expand out of what look like acronyms and dislike).   And if
bind was your private software, you could have it enforce your likes.  But
as software aimed at everyone to use, it should not have any built in idea
of what is a good name, and what is not.

  | As I'm sure you know there are very clear rules about what names are legal
  | in the DNS, and which are not.

Yes, I do know.   The rules are that labels must be at least one character
(octet really) long, and no more than 63 octets, and the full domain name
must be no longer than 255 octets.   The end.   That is the rules.   Beyond
that there's just advice as to what makes good names that can be used in all
the other protocols that impose tighter restrictions.

  | My understanding, based on reading documentation, code, and from
  | practical experience, suggests that BIND-9 does in fact force
  | "check-names master fail;", but with a more lenient view of what
  | character values are legal in a given domain name,

OK, given the correct "more lenient" that's what it should be doing.  It
can't allow names that violate the rules that exist, as there's no way in the
DNS to encode a 0 length label (except the unnamed root - ie: the 0 length
label always terminates the domain name, so can't occur anywhere else), or
a label longer than 63 octets (the label length field is 6 bits).   The 255
full domain name limit could be checked when zones are loaded, but there's
no real need for it to be, and I doubt that bind bothers (now or ever).  That
one is most likely only checked when names are being looked up.

  | However "check-names" does a lot more than just character value
  | validation.

No, in BIND8 that is what it did - check character values.   That's all it
ever did.   I have ripped the code out often enough (till I learned how to
have CVS do all that for me every time....) to know what it was doing.

  | > (until recently, '_' was illegal in SMTP names, but that one was
  | > mostly allowed in BIND).
  | "until recently" -- can you please point to an IETF STD document which
  | changes this fact?

No, I seemed to remember 2821 deciding that _ would be legal.  I certainly
recall discussion of it, but it is entirely possible that I mis-remembered
the result.   If 2821/2822 don't allow it, then it remains illegal (for mail).

2181 certainly has nothing to do with that, it updates 1034/5 only, and has
nothing to do with e-mail at all.
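The distinction the thread turns on, between names the DNS wire format can carry at all (labels of 1 to 63 octets, a whole name of at most 255 octets, a zero-length label only as the terminating root) and the narrower character-value policy that BIND 8's check-names enforced, as an added example that is not code from the thread or from BIND. The wire encoder applies only the protocol limits Elz lists; the separate hostname check assumes the RFC 952/1123 letters-digits-hyphen syntax as its policy, and the 255-octet limit is checked at encode time here purely for illustration.

```python
# Added example, not from the original thread or from BIND.
# Protocol-level legality (what the wire format can represent) versus a
# stricter hostname policy of the kind BIND 8's check-names applied.
import re

MAX_LABEL = 63   # the wire label length field is 6 bits, so 63 is the maximum
MAX_NAME = 255   # whole encoded name, length octets and root terminator included


def to_wire(name: str) -> bytes:
    """Encode a presentation-format name into DNS wire format.

    Raises ValueError for names the protocol cannot carry: an empty label
    anywhere but the end, a label over 63 octets, or a name over 255 octets.
    """
    # A single trailing dot is the root; the root label is appended implicitly.
    if name.endswith("."):
        name = name[:-1]
    labels = name.split(".") if name else []
    out = bytearray()
    for label in labels:
        raw = label.encode("latin-1")  # labels are octets, not characters
        if len(raw) == 0:
            raise ValueError("empty label: only the root label may be zero length")
        if len(raw) > MAX_LABEL:
            raise ValueError(f"label longer than {MAX_LABEL} octets: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)  # terminating root label
    if len(out) > MAX_NAME:
        raise ValueError(f"encoded name longer than {MAX_NAME} octets")
    return bytes(out)


def protocol_legal(name: str) -> bool:
    """True when the name can be represented on the wire at all."""
    try:
        to_wire(name)
        return True
    except ValueError:  # UnicodeEncodeError is a ValueError subclass too
        return False


# Assumed policy: RFC 952/1123 hostname labels, letters, digits and hyphens,
# no leading or trailing hyphen. Underscore is protocol-legal but fails here.
HOSTNAME_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")


def hostname_policy_ok(name: str) -> bool:
    """Stricter, policy-level check layered on top of protocol legality."""
    if not protocol_legal(name):
        return False
    labels = name.rstrip(".").split(".")
    return all(HOSTNAME_LABEL.match(label) for label in labels)


if __name__ == "__main__":
    # Constructed sample names showing the two checks disagreeing.
    for sample in ("www.example.com", "_sip._tcp.example.com", "a..b", "-x.example"):
        print(f"{sample!r}: wire-legal={protocol_legal(sample)} "
              f"hostname-policy={hostname_policy_ok(sample)}")
```

Running the block prints the two verdicts side by side: the SRV-style `_sip._tcp.example.com` is carried by the protocol without trouble yet fails the hostname policy, while `a..b` fails both because an interior zero-length label has no wire representation.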