
RPZ zone name label length limit


Jim Yang

Jun 29, 2017, 9:57:26 AM
to bind-...@lists.isc.org

Hi,

What is the DNS name label length limit? As per RFC 1035, it is 63 characters. I tested a few DNS names that contain a label that is longer than 63 characters, and found that these records were successfully loaded in RPZ zone. I wonder if this is a BIND RPZ feature or bug (it allows DNS name label that is longer than 63 characters)?

When I dig these DNS records using 8.8.8.8, it reports them as ‘NXDOMAIN’.


Thanks,

Jim

Tony Finch

Jun 29, 2017, 10:04:51 AM
to Jim Yang, bind-...@lists.isc.org
Jim Yang <zy...@cornell.edu> wrote:
>
> What is the DNS name label length limit? As per RFC 1035, it is 63
> characters. I tested a few DNS names that contain a label that is
> longer than 63 characters, and found that these records were
> successfully loaded in RPZ zone.

On the wire the length limit is 63. In presentation format some characters
have to be \escaped which can make the name up to four times longer.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Plymouth: Northwest 5 to 7, occasionally gale 8 later. Moderate or rough,
occasionally very rough later in west. Occasional rain. Good, occasionally
moderate.

Tony Finch

Jun 29, 2017, 2:14:54 PM
to Jim Yang, bind-...@isc.org
Jim Yang <zy...@cornell.edu> wrote:
>
> Thank you for your reply. When you mention “In presentation format some characters
> have to be \escaped which can make the name up to four times
> longer.”, where can I find the reference (which RFC)?

https://tools.ietf.org/html/rfc1035#page-34

> If I want to check if the following name is legal or not, how many
> characters should I check for each label/section/part of the name?

63.

> (skip some labels).information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.(skip some labels)

Amusingly when I was trying this to see how long it is I found a bug in
iOS dig :-)

$ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36667
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
$ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com
dig: 'information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com' is not a legal name (label too long)

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Lundy, Fastnet: Northwest 6 to gale 8. Moderate or rough, occasionally very
rough in far south. Occasional rain. Moderate or good.
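
Added example (not part of the thread and not BIND's code): a Python sketch of the check discussed in the two replies above. It decodes the RFC 1035 presentation-format escapes (\DDD and \X) before measuring each label against the 63-octet wire limit, so a label can be up to 252 characters as typed and still be legal. The function names and sample names are constructed for illustration.

```python
MAX_LABEL = 63   # octets per label on the wire (RFC 1035)
MAX_NAME = 255   # octets for the whole encoded name, length bytes included


def parse_labels(name):
    """Decode a presentation-format name into labels of raw wire octets."""
    data = name.encode("ascii")  # IDNs must already be in xn-- form
    labels, cur, i = [], bytearray(), 0
    while i < len(data):
        c = data[i]
        if c == 0x5C:  # backslash starts an escape
            nxt = data[i + 1:i + 4]
            if nxt[:1].isdigit():  # \DDD: exactly three decimal digits
                if len(nxt) < 3 or not nxt.isdigit() or int(nxt) > 255:
                    raise ValueError("bad \\DDD escape in %r" % name)
                cur.append(int(nxt))
                i += 4
            elif nxt:  # \X: the next character is taken literally
                cur.append(nxt[0])
                i += 2
            else:
                raise ValueError("dangling backslash in %r" % name)
        elif c == 0x2E:  # unescaped dot ends the current label
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.append(c)
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels


def check_name(name):
    """Return a list of problems; empty means the name fits on the wire."""
    labels = parse_labels(name)
    problems = ["label of %d octets exceeds %d" % (len(l), MAX_LABEL)
                for l in labels if len(l) > MAX_LABEL]
    if any(not l for l in labels):
        problems.append("empty label")
    wire_len = sum(1 + len(l) for l in labels) + 1  # plus root length byte
    if wire_len > MAX_NAME:
        problems.append("name of %d octets exceeds %d" % (wire_len, MAX_NAME))
    return problems


if __name__ == "__main__":
    # Constructed samples: 63 plain octets, 64 plain octets, 63 escaped octets.
    for sample in ("a" * 63 + ".com", "a" * 64 + ".com", "\\065" * 63 + ".com"):
        print(len(sample.split(".")[0]), check_name(sample) or "ok")
```
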

Mukund Sivaraman

Jun 29, 2017, 2:41:06 PM
to Jim Yang, bind-...@lists.isc.org
Hi Jim

On Thu, Jun 29, 2017 at 01:57:16PM +0000, Jim Yang wrote:
> Hi,
>
> What is the DNS name label length limit? As per RFC 1035, it is 63
> characters. I tested a few DNS names that contain a label that is
> longer than 63 characters, and found that these records were
> successfully loaded in RPZ zone. I wonder if this is a BIND RPZ
> feature or bug (it allows DNS name label that is longer than 63
> characters)?
>
> When I dig these DNS records using 8.8.8.8, it reports them as
> ‘NXDOMAIN’.

Can you send us a bug report with a sample RPZ zone that contains such a
name?

Mukund

Jim Yang

Jun 29, 2017, 2:49:15 PM
to Mukund Sivaraman, bind-...@lists.isc.org
Hi Mukund,

Yes, I will send the report with a sample RPZ zone that contains the name to bind...@isc.org.

Thanks,
Jim

Ray Bellis

Jun 30, 2017, 11:25:43 AM
to bind-...@lists.isc.org
On 29/06/2017 19:14, Tony Finch wrote:

> Amusingly when I was trying this to see how long it is I found a bug in
> iOS dig :-)
>
> $ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.com
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 36667
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> $ dig +noall +comment information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com
> dig: 'information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjpx.com' is not a legal name (label too long)

The iOS port of 'dig' uses the exact same underlying code as far as
possible. The UI spawns a separate thread in which dig's main()
function is invoked, and uses batch mode to pass search terms in on
stdin, and then traps the stdout (using `funopen`) to display it.

The command line version of 'dig' apparently does a forcible exit when
this condition is detected, treating this as a fatal error.

I found many of the cases in which an error can cause batch mode to die
(thereby killing the UI too) but apparently not all of them :(.

Ray