Subject: Re: switching from bind8 to bind9
To: None <tech-net@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-net
Date: 11/18/2002 12:42:47
[ On Monday, November 18, 2002 at 15:10:05 (+1100), Robert Elz wrote: ]
> Subject: Re: switching from bind8 to bind9
>
> Because it has no way to be told what names (that are legal in the DNS,
> it should certainly reject the ones that really are illegal
Which is exactly what "check-names" does in BIND-8, to the best of my
understanding -- it allows you to control what is done with names that
are illegal. Perhaps its definition of "illegal" doesn't match yours,
but it's been quite sufficient for our purposes.
> - but there
> aren't many of those) you happen to dislike, and which you don't.
There are plenty of completely illegal names in the public DNS. Perhaps
I could give you a shock introduction to the real world with even a
small sample of the daily logs from one of the caching nameservers I run
using:
# don't allow any fooling around here!
check-names master fail;
check-names slave fail;
check-names response fail;
... or perhaps you just choose to ignore these kinds of problems and the
problems they precipitate on naive users.
> If it
> had a way that you could configure it with a list of bad names (or bad
> name patterns, or something), I'd object less, but it doesn't.
Why bother with a feature that could only be misinterpreted and misused
in exactly the ways you seem to fear check-names is being misused? As
I'm sure you know there are very clear rules about what names are legal
in the DNS, and which are not.
The controls available in BIND-8 are about as flexible as could possibly
be meaningful, and though we could argue until the cows come home about
what default settings they have, they are clearly useful.
My understanding, based on reading documentation, code, and from
practical experience, suggests that BIND-9 does in fact forces
"check-names master fail;", but with a more lenient view of what
character values are legal in a given domain name, which as you might
guess is something I find quite acceptable as a default, though perhaps
not as restrictive as it could safely be.
However "check-names" does a lot more than just character value
validation. I'm not yet sure how much of that extra checking is
implemented in BIND-9, even for master files, let alone responses which
I know it doesn't check sufficiently.
> That your server can even be configured to test my names and reject them
> (even if that isn't the default way it is configured as shipped) is obscene.
You have a strange view of how other people should be allowed to run
their computers. Perhaps you'd like to dictate my network security
policies too?
> (until recently, '_' was illegal in SMTP names, but that one was
> mostly allowed in BIND).
"until recently" -- can you please point to an IETF STD document which
changes this fact?
(Even the as yet "proposed standard" 2821 still disallows underscore in
SMTP names, and I don't see any mention of underscore in your RFC 2181.)
--
Greg A. Woods
+1 416 218-0098; <g.a.woods@ieee.org>; <woods@robohack.ca>
Planix, Inc. <woods@planix.com>; VE3TCP; Secrets of the Weird <woods@weird.com>