bdkmcgl Absent Member.

Named/bind and the Underscore

After applying a series of patches I found our DNS server failing to resolve names. Research led me to discover an issue with named/bind and the underscore character. Reviewing the patches that were applied that are relative to bind I find patch-11717 and patch-12060.

Could someone tell me which patch implemented this new security "feature?" Also, is there a valid workaround? I've read briefly about being able to circumvent the checking that looks for the underscore and causes the zone to not load, but I've also read bits about the workaround not working long term.

Any thoughts?

Thank you.
Brunold Rainer Absent Member.

Re: Named/bind and the Underscore

bdkmcgl,

I assume that you have patched an OES 1 server which was on SP2 before?

I think you know that underscore is not a valid dns character?

I think the easiest way to bring it back to work would be to remove all bind packages and install them from OES 1 SP2 media.

Regarding which patch it was, I checked the change log of the bind packages in those patches, but there was no direct information about the underscore in it. So if you are really interested in it, you have to install the one from patch 11717 and see if it works at that time.

Rainer
bdkmcgl Absent Member.

Re: Named/bind and the Underscore

brunold;1556501 wrote:
> bdkmcgl,
>
> I assume that you have patched an OES 1 server which was on SP2 before?

Yes

> I think you know that underscore is not a valid dns character?

This is what I've now discovered.

> I think the easiest way to bring it back to work would be to remove all bind packages and install them from OES 1 SP2 media.

I'll give it a try.

> Regarding which patch it was, I checked the change log of the bind packages in those patches, but there was no direct information about the underscore in it. So if you are really interested in it, you have to install the one from patch 11717 and see if it works at that time.

I understand what you're getting at.

What is of greatest concern to me is if there is a way around this? I've discovered this issue in a test environment, so no harm done. In production, though, I have servers with underscores in their names, so there is going to be an issue. Do I have any options?

Thank you!

> Rainer
Brunold Rainer Absent Member.

Re: Named/bind and the Underscore

bdkmcgl,

I patched an OES 1 server with patch 12060 and created a domain with entries using underscores. When I start named I get the following entries in /var/log/messages.

named[10325]: master/domain.AT.zone:11: LX_XXXX01.domain.at: bad owner name (check-names)
named[10325]: zone domain.at/IN: loading master file master/domain.at.zone: bad owner name (check-names)


The zone loads but the dns entries with the underscore cannot be resolved.
Is this exactly what you see?

Rainer
Brunold Rainer Absent Member.

Re: Named/bind and the Underscore

bdkmcgl,

I'll ask support about this behavior and come back with more information.

Rainer
MarkCRobinson Absent Member.

Re: Named/bind and the Underscore

On Wed, 14 May 2008 19:06:01 +0000, brunold wrote:

>
> bdkmcgl,
>
> I patched an OES 1 server with patch 12060 and created a domain with
> entries using underscores. When I start named I get the following
> entries in /var/log/messages.
>
>
> Code:
> --------------------
> named[10325]: master/domain.AT.zone:11: LX_XXXX01.domain.at: bad owner
> name (check-names)
> named[10325]: zone domain.at/IN: loading master file
> master/domain.at.zone: bad owner name (check-names)
> --------------------
>
>
> The zone loads but the dns entries with the underscore cannot be resolved.
> Is this exactly what you see?


In SLES10 this is also the default behaviour, but there is a flag you can
set to go back to the old behaviour. Maybe this is also true with the
patched SLES9 version. This may help http://tinyurl.com/3r3p68

--
Mark Robinson
Novell Volunteer SysOp
www.nds8.co.uk
One by one the penguins steal my sanity...


bdkmcgl Absent Member.

Re: Named/bind and the Underscore

Thank you all.

If I can address this as the TID suggests in OES2 then that should be sufficient. We're not going to apply the patch that causes the "problem" to our OES 1 servers.

Thanks again.
bdkmcgl Absent Member.

Re: Named/bind and the Underscore

For any who may want to know, it is possible to add the check-names ignore to named.conf in the OES 1 implementation of BIND/DNS to address the issue there. You add it to the zone definition.
MarkCRobinson Absent Member.

Re: Named/bind and the Underscore

On Fri, 16 May 2008 13:26:02 +0000, bdkmcgl wrote:

>
> For any who may want to know, it is possible to add the check-names ignore
> to named.conf in the OES 1 implementation of BIND/DNS to address the issue
> there. You add it to the zone definition.


Thanks for the feedback

--
Mark Robinson
Novell Volunteer SysOp
www.nds8.co.uk
One by one the penguins steal my sanity...


tfe Absent Member.

Re: Named/bind and the Underscore

Hi,

the correct Syntax for the entry in named.conf is:


check-names master ignore;


TFe


MarkCRobinson;1559124 wrote:
On Fri, 16 May 2008 13:26:02 +0000, bdkmcgl wrote:

>
> For any who may want to know, it is possible to add the check-names ignore
> to named.conf in the OES 1 implementation of BIND/DNS to address the issue
> there. You add it to the zone definition.


Thanks for the feedback

--
Mark Robinson
Novell Volunteer SysOp
www.nds8.co.uk
One by one the penguins steal my sanity...
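
Added example, not written by any poster in this thread and not BIND's own code: a Python audit that lists the zone records whose owner names would draw the "bad owner name (check-names)" message shown earlier, that is, the records that depend on the check-names ignore setting. It assumes the hostname rule is applied to A, AAAA and MX owner names, a single origin, and numeric TTLs; the zone text is constructed for the example.

```python
import re

# Hostname label rule (RFC 952/1123): letters and digits, hyphens only inside.
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$")
# Assumption: only these owner types are checked; SRV/TXT owners are exempt.
HOST_TYPES = {"A", "AAAA", "MX"}
CLASSES = {"IN", "CH", "HS"}

# Constructed sample zone; LX_XXXX01 is the owner name from the log above.
SAMPLE_ZONE = """\
$TTL 86400
@   IN SOA ns1.domain.at. hostmaster.domain.at. (
        2008051401 3600 900 604800 86400 )
    IN NS  ns1.domain.at.
ns1 IN A   192.0.2.1
LX_XXXX01  IN A   192.0.2.10
_ldap._tcp IN SRV 0 0 389 ns1.domain.at.
web-01     IN A   192.0.2.20
"""

def is_hostname(name):
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":                 # a leading wildcard label is allowed
        labels = labels[1:]
    return all(LABEL.match(label) for label in labels)

def bad_owner_names(zone_text, origin):
    """Return (line_no, fqdn, rtype) for owners that fail the hostname rule."""
    findings, owner = [], "@"
    for no, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]      # drop comments (no quoted ';' handling)
        if not line.strip() or line.lstrip().startswith("$"):
            continue                     # blank line or $TTL/$ORIGIN directive
        fields = line.split()
        if not line[0].isspace():        # text in column 0 names a new owner
            owner = fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
            fields.pop(0)                # skip optional numeric TTL and class
        if not fields or fields[0].upper() not in HOST_TYPES:
            continue
        name = origin if owner == "@" else owner
        fqdn = name if name.endswith(".") else name + "." + origin
        if not is_hostname(fqdn):
            findings.append((no, fqdn, fields[0].upper()))
    return findings

if __name__ == "__main__":
    for no, fqdn, rtype in bad_owner_names(SAMPLE_ZONE, "domain.at."):
        print(f"line {no}: {fqdn} ({rtype}): bad owner name")
```

Running it against production zone files before patching shows which host records would need renaming or the check-names setting.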
annnnnnne Absent Member.

Re: Named/bind and the Underscore

bdkmcgl;1556234 wrote:
After applying a series of patches I found our DNS server failing to resolve names. Research led me to discover an issue with named/bind and the underscore character. Reviewing the patches that were applied that are relative to bind I find patch-11717 and patch-12060.

Could someone tell me which patch implemented this new security "feature?" Also, is there a valid workaround? I've read briefly about being able to circumvent the checking that looks for the underscore and causes the zone to not load, but I've also read bits about the workaround not working long term.

Any thoughts?

Thank you.
Brunold Rainer Absent Member.

Re: Named/bind and the Underscore

annnnnnne,

What kind of post is this?
Do you have problems with underscores and need some help?

Rainer