On Wed, 22 Dec 1999, Henrik Nordstrom wrote:
> Merton Campbell Crockett wrote:
>
> > Basically, you're saying that clients and non-authoritative servers are
> > not required to resolve names with invalid characters.
>
> A conditionally compliant implementation can select not to. A
> unconditionally compliant implementation must resolve them.
>
> > And, authoritative servers are required to discard, at a minimum, resource
> > records with invalid characters.
>
> True, but for the domains where the server is authoritative. Remember
> that a single DNS server can be both an authoritative server, and a
> non-authoritative cache/resolver, depending on the query.

I'm well aware of the two roles that are performed. BIND 8.2.2patch5 is
an unconditionally compliant implementation. It will reject records for
systems with names containing invalid characters. It will also attempt
to resolve queries for names containing invalid characters.

The bottom line, however, is that an organization with a properly designed
DNS architecture should not see two different behaviours when presented
with a URL containing an invalid character in the server name. You should
never see the condition where NXDOMAIN is returned when the URL is
accessed through Squid but not when accessed directly.

That being said, there is one race condition that occurs with BIND 4.9.7,
BIND 8.2.1, and Squid. If the dnsserver query reaches an authoritative
server during a "named restart", an NXDOMAIN response may be returned and
cached by Squid. Until the entry in the name cache expires, you will get
different behaviours.

Merton Campbell Crockett
Received on Wed Dec 22 1999 - 11:08:12 MST