Allowing Illegal Characters in Domain Names

3.5.1 Problem

You need to configure a BIND 8 name server to allow one or more domain names that include illegal characters in your zone.

3.5.2 Solution

Use the check-names substatement within the zone's zone statement in named.conf. For example:

zone "foo.example" {
    type master;
    file "db.foo.example";
    check-names warn;
};

warn tells the name server to alert you to illegal domain names with messages that are sent, by default, to syslog. You can also choose ignore, which tells the name server to shut up and say nothing about illegal domain names.

3.5.3 Discussion

The whole notion of "illegal" domain names disappeared in BIND 9, which did away with name checking. You can include underscores, punctuation, and almost anything else in a domain name and load it on a BIND 9 name server. That's not a particularly good idea in most cases, but you can.

Many of you still run BIND 8 name servers, though, and they check domain names. In fact, they won't load primary master zones with illegal domain names in them, by default, so you may need to change these settings.
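To see which names in a zone would be affected before you relax check-names, you can scan the zone data yourself. The following is an added example, not part of the original recipe and not BIND's own code: it approximates the host name rule (letters, digits, and hyphens, with no label starting or ending in a hyphen) for the owner names of A and MX records only, uses a simplified one-record-per-line parser, and runs on constructed zone data.

```python
import re

# Host name rule for one label: letters, digits, hyphens; no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
# Assumption for this sketch: only owners of these record types are treated as host names.
HOST_TYPES = {"A", "MX"}
CLASSES = {"IN", "CH", "HS"}

# Constructed zone data for illustration (not from the original page).
SAMPLE_ZONE = """\
$TTL 86400
@           IN SOA ns1.foo.example. hostmaster.foo.example. ( 1 3600 900 604800 86400 )
            IN NS  ns1.foo.example.
ns1         IN A   192.0.2.1
web_01      IN A   192.0.2.10   ; underscore in a host name
-edge       IN A   192.0.2.11   ; label starts with a hyphen
_sip._tcp   IN SRV 0 0 5060 ns1.foo.example.  ; not a host record, not checked here
mail        IN MX  10 ns1.foo.example.
"""

def bad_labels(name):
    """Return the labels of `name` that break the letters-digits-hyphen rule."""
    return [l for l in name.rstrip(".").split(".") if not LDH_LABEL.match(l)]

def audit_zone(text, origin):
    """Return (line_no, owner, bad_labels) for host-type records with illegal owners."""
    findings, owner = [], origin
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].rstrip()          # drop comments (quoted ';' not handled)
        if not line.strip() or line.lstrip().startswith("$"):
            continue                                  # blank line or $TTL/$ORIGIN directive
        fields = line.split()
        if not raw[0].isspace():                      # a new owner name starts in column 1
            owner = fields.pop(0)
            if owner == "@":
                owner = origin
            elif not owner.endswith("."):
                owner = owner + "." + origin          # qualify a relative name
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                             # skip optional TTL and class
        if fields and fields[0].upper() in HOST_TYPES:
            bad = bad_labels(owner)
            if bad:
                findings.append((n, owner, bad))
    return findings

if __name__ == "__main__":
    for line_no, owner, bad in audit_zone(SAMPLE_ZONE, "foo.example."):
        print(f"line {line_no}: {owner} has illegal label(s): {', '.join(bad)}")
```

Fixing or renaming the flagged records is preferable to relaxing check-names, so the list this produces is a to-do list as much as a justification for warn.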

You can set BIND 8's name-checking behavior for all zones by using check-names as an options substatement. As an options substatement, check-names also specifies the context in which an illegal domain name is found:

Primary

In a zone the name server is the primary master for

Slave

In a zone the name server is a slave for

Response

In a response from a remote name server

For example, you could allow illegal domain names in all primary master zones with:

options {
    directory "/var/named";
    check-names primary warn;
};

It's a bad idea to allow illegal characters in responses from remote name servers, since it could subject your name server and your resolvers to certain attacks.

3.5.4 See Also

"Host Name Checking (BIND 4.9.4 and Later Versions)" in Chapter 4 of DNS and BIND.
