DNS stops working after online updates due to "check-names" errors

Situation

After updating to SLES 9 SP4, or applying certain updates to SLES 9 SP3, BIND will not load and logs an error similar to the following in /var/log/messages:

ER: zone example_ex/IN: loading master file master/example_ex: bad owner name (check-names)

Any error message containing "(check-names)" is a match, and this document should be considered as a potential solution.

Resolution

Several RFCs govern valid DNS record names. Some system administrators have named objects, zones, records, services and computers with invalid names. These names often contain invalid or illegal characters such as "_", which were previously ignored. A recent upstream patch to BIND (named) changed the default behavior from ignoring these invalid names to failing on them, which prevents BIND from loading normally.

This issue is typically seen on OES 1 SP2 servers and clustered resources.

There are several options that can be taken to resolve this issue:

Option 1: Remove invalid DNS record names

For servers which are internet facing or have high security requirements, removing the invalid DNS names is recommended. This process will require planning in order to implement. If you elect to alter the invalid DNS names, records or zones, you can implement option 2 as a stop-gap procedure.
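As a planning aid for option 1, the following added example (not part of the original article and not BIND code) lists zone-file records whose owner names would fail a hostname-style check. It is a simplified approximation: it assumes the check applies to the owner names of A, AAAA and MX records and uses RFC 952/1123 label syntax; the sample zone and the function names are constructed for illustration.

```python
import re

# Hostname label per RFC 952/1123: letters, digits, hyphen; no leading or trailing hyphen.
LABEL = re.compile(r"[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
TTL = re.compile(r"(\d+[smhdw]?)+", re.I)
CLASSES = {"IN", "CH", "HS"}
HOST_TYPES = {"A", "AAAA", "MX"}  # assumption: types whose owner name must be a hostname

# Constructed sample zone, not taken from the article.
SAMPLE_ZONE = """\
$TTL 86400
@   IN SOA ns1.example.com. admin.example.com. (
        2024010101 3600 900 604800 86400 )
        IN NS  ns1.example.com.
ns1     IN A   192.0.2.1
file_server 3600 IN A 192.0.2.10   ; underscore in a host name
        IN AAAA 2001:db8::10
_sip._tcp IN SRV 0 5 5060 sip.example.com.
-edge   IN A   192.0.2.20
www     IN CNAME ns1
"""

def bad_labels(name):
    labels = name.rstrip(".").split(".")
    if labels[0] == "*":  # assumption: a leading wildcard label is acceptable
        labels = labels[1:]
    return [label for label in labels if not LABEL.fullmatch(label)]

def find_bad_owners(zone_text):
    findings, owner = [], None
    for lineno, raw in enumerate(zone_text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop comments
        fields = line.split()
        if not fields or fields[0].startswith("$"):
            continue  # blank line or $TTL/$ORIGIN directive
        if not line[0].isspace():
            owner = fields.pop(0)  # new owner; indented lines inherit the previous one
        while fields and (TTL.fullmatch(fields[0]) or fields[0].upper() in CLASSES):
            fields.pop(0)  # skip optional TTL and class
        if owner in (None, "@") or not fields:
            continue
        rtype, bad = fields[0].upper(), bad_labels(owner)
        if rtype in HOST_TYPES and bad:
            findings.append((lineno, owner, rtype, bad))
    return findings

if __name__ == "__main__":
    for lineno, owner, rtype, bad in find_bad_owners(SAMPLE_ZONE):
        print(f"line {lineno}: {owner} {rtype} has invalid label(s) {bad}")
```

The SRV record with underscore labels is not reported, because under the stated assumption only A, AAAA and MX owner names are checked; the indented AAAA line is reported because it inherits the owner of the line above it.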

Option 2: Turn off name checking

BIND includes a "check-names" option that can turn off name checking for DNS names, records and zones. In your named.conf (traditionally in /etc), place the following:

    check-names master ignore;
    check-names slave ignore;
    check-names response ignore;

This will instruct BIND to ignore any invalid names, zones or records, allowing DNS to load normally. The other options are "warn" or "fail". If you elect to rename records, names or zones, you can use the "warn" option to help find records and services to rename.

OES 2 and LDAP-configured DNS caveat: OES 2 DNS servers can pull the information from LDAP or eDirectory. The options have been reported to not work correctly when they are added via iManager. As a result, it is recommended that you put the options external to LDAP and then "include" the options.
  1. On each DNS server, create a file called "/etc/named.conf.options"
  2. Populate it with the "check-names" options above
  3. Add "/etc/named.conf.options" as an include, for example:
    include /etc/named.conf.options;