RPZ zone name label length limit

RPZ zone name label length limit

Jim Yang

Hi,

What is the DNS name label length limit? As per RFC 1035, it is 63 characters.  I tested a few DNS names that contain a label that is longer than 63 characters, and found that these records were successfully loaded in the RPZ zone. I wonder if this is a BIND RPZ feature or bug (it allows a DNS name label that is longer than 63 characters)?

When I dig these DNS records using 8.8.8.8, it reports them as ‘NXDOMAIN’.

Thanks,

Jim


_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users

Re: RPZ zone name label length limit

Tony Finch
Jim Yang <[hidden email]> wrote:
>
> What is the DNS name label length limit? As per RFC 1035, it is 63
> characters.  I tested a few DNS names that contains a label that is
> longer than 63 characters, and found that these records were
> successfully loaded in RPZ zone.

On the wire the length limit is 63. In presentation format some characters
have to be \escaped which can make the name up to four times longer.

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Plymouth: Northwest 5 to 7, occasionally gale 8 later. Moderate or rough,
occasionally very rough later in west. Occasional rain. Good, occasionally
moderate.

Re: RPZ zone name label length limit

Tony Finch
Jim Yang <[hidden email]> wrote:
>
> Thank you for your reply. When you mention “In presentation format some characters
>    have to be \escaped which can make the name up to four times
>    longer.”, where can I find the reference (which RFC)?

https://tools.ietf.org/html/rfc1035#page-34

> If I want to check if the following name is legal or not, how many
> characters should I check for each label/section/part of the name?

63.

> (skip some labels).information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.(skip some labels)

Amusingly when I was trying this to see how long it is I found a bug in
iOS dig :-)

$ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36667
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
$ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com
dig: 'information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com' is not a legal name (label too long)

Tony.
--
f.anthony.n.finch  <[hidden email]>  http://dotat.at/  -  I xn--zr8h punycode
Lundy, Fastnet: Northwest 6 to gale 8. Moderate or rough, occasionally very
rough in far south. Occasional rain. Moderate or good.
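
The distinction made in the two replies above (63 octets per label on the wire, up to four presentation characters per octet), as an added example that is not part of the thread and not BIND's code: a Python checker that decodes `\DDD` and `\X` escapes before measuring each label. The function and constant names are illustrative assumptions; the 255-octet limit on the whole name is from RFC 1035.

```python
MAX_LABEL = 63   # octets per label on the wire (RFC 1035)
MAX_NAME = 255   # octets for the whole encoded name, length octets included
def wire_labels(name):
    """Decode a presentation-format name into wire labels, undoing \\DDD and \\X escapes."""
    data = name.encode("ascii")      # zone-file text; IDNs must already be A-labels
    if data == b".":
        return []                    # the root name has no labels
    labels, cur, i = [], bytearray(), 0
    while i < len(data):
        ch = data[i:i + 1]
        if ch == b"\\":
            nxt = data[i + 1:i + 4]
            if nxt[:1].isdigit():    # \DDD: one octet written as three decimal digits
                if len(nxt) != 3 or not nxt.isdigit() or int(nxt) > 255:
                    raise ValueError("bad \\DDD escape at offset %d" % i)
                cur.append(int(nxt))
                i += 4
            elif nxt:                # \X: the next character is taken literally
                cur.append(nxt[0])
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif ch == b".":             # an unescaped dot ends the current label
            if not cur:
                raise ValueError("empty label")
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(data[i])
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels

def check_name(name):
    """Return (ok, label_sizes, wire_length), all measured in wire octets, not characters."""
    sizes = [len(label) for label in wire_labels(name)]
    wire_len = sum(size + 1 for size in sizes) + 1   # one length octet per label + root
    ok = all(size <= MAX_LABEL for size in sizes) and wire_len <= MAX_NAME
    return ok, sizes, wire_len

# The two names from the dig session above, plus a constructed all-escaped label.
PAGE_63 = "information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.com"
PAGE_64 = "information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com"
ESCAPED = "\\032" * 63 + ".example"   # constructed: 252 characters, 63 octets
if __name__ == "__main__":
    for n in (PAGE_63, PAGE_64, ESCAPED):
        print(check_name(n), n[:40])
```

A blocklist pipeline that counts characters instead of decoded octets would wrongly reject a name like `ESCAPED`, which is legal on the wire.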

Re: RPZ zone name label length limit

Mukund Sivaraman
In reply to this post by Jim Yang
Hi Jim

On Thu, Jun 29, 2017 at 01:57:16PM +0000, Jim Yang wrote:

> Hi,
>
> What is the DNS name label length limit? As per RFC 1035, it is 63
> characters.  I tested a few DNS names that contains a label that is
> longer than 63 characters, and found that these records were
> successfully loaded in RPZ zone. I wonder if this is a BIND RPZ
> feature or bug (it allows DNS name label that is longer than 63
> characters)?
>
> When I dig these DNS records using 8.8.8.8, which reports them as
> ‘NXDOMAIN’.

Can you send us a bug report with a sample RPZ zone that contains such a
name?

                Mukund

Re: RPZ zone name label length limit

Jim Yang
Hi Mukund,

Yes, I will send the report with a sample RPZ zone that contains the name to [hidden email].

Thanks,
Jim

On 6/29/17, 2:40 PM, "Mukund Sivaraman" <[hidden email]> wrote:

    Hi Jim
   
    On Thu, Jun 29, 2017 at 01:57:16PM +0000, Jim Yang wrote:
    > Hi,
    >
    > What is the DNS name label length limit? As per RFC 1035, it is 63
    > characters.  I tested a few DNS names that contains a label that is
    > longer than 63 characters, and found that these records were
    > successfully loaded in RPZ zone. I wonder if this is a BIND RPZ
    > feature or bug (it allows DNS name label that is longer than 63
    > characters)?
    >
    > When I dig these DNS records using 8.8.8.8, which reports them as
    > ‘NXDOMAIN’.
   
    Can you send us a bug report with a sample RPZ zone that contains such a
    name?
   
    Mukund
   


Re: RPZ zone name label length limit

Ray Bellis
In reply to this post by Tony Finch
On 29/06/2017 19:14, Tony Finch wrote:

> Amusingly when I was trying this to see how long it is I found a bug in
> iOS dig :-)
>
> $ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36667
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> $ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com
> dig: 'information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com' is not a legal name (label too long)

The iOS port of 'dig' uses the exact same underlying code as far as
possible. The UI spawns a separate thread in which dig's main()
function is invoked, and uses batch mode to pass search terms in on
stdin, and then traps the stdout (using `funopen`) to display it.

The command line version of 'dig' apparently does a forcible exit when
this condition is detected, treating this as a fatal error.

I found many of the cases in which an error can cause batch mode to die
(thereby killing the UI too) but apparently not all of them :(.

Ray