# [SOLVED] Bind DNS for AD long names don't resolve

## humbletech99

I have a BIND DNS server (well, more than one) and I'm trying to give them all the records of the Active Directory. I put in all the records and tested, but it seems that only the short ones work and none of the long ones work:

```
$ dig _ldap._tcp.mydomain.com srv

; <<>> DiG 9.3.2 <<>> _ldap._tcp.mydomain.com srv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18246
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3

;; QUESTION SECTION:
;_ldap._tcp.mydomain.com.                IN      SRV

;; ANSWER SECTION:
_ldap._tcp.mydomain.com. 259200  IN      SRV     0 0 389 server01.mydomain.com.

;; AUTHORITY SECTION:
mydomain.com.            259200  IN      NS      dns.mydomain.com.
mydomain.com.            259200  IN      NS      dns2.mydomain.com.

;; ADDITIONAL SECTION:
server01.mydomain.com.       259200  IN      A       x.x.x.x
dns.mydomain.com.        259200  IN      A       x.x.x.x
dns2.mydomain.com.       259200  IN      A       x.x.x.x

;; Query time: 1 msec
;; SERVER: x.x.x.x
;; WHEN: Tue Jan 16 17:08:32 2007
;; MSG SIZE  rcvd: 161
```

returns correctly, but anything longer

```
$ dig _ldap._tcp.pdc._msdcs.mydomain.com srv

; <<>> DiG 9.3.2 <<>> _ldap._tcp.pdc._msdcs.mydomain.com srv
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 65344
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;_ldap._tcp.pdc._msdcs.mydomain.com. IN  SRV

;; AUTHORITY SECTION:
mydomain.com.            259200  IN      SOA     mydomain.com. postmaster.mydomain.com. 2006120401 86400 18000 3600000 604800

;; Query time: 1 msec
;; SERVER: x.x.x.x
;; WHEN: Tue Jan 16 17:08:21 2007
;; MSG SIZE  rcvd: 98
```

always fails.

I suspect this is because "_names" like that don't extend the DNS namespace and hence are answered, but "names" without the illegal "_" character cause the server to try to resolve the subdomain, which doesn't exist.

I'm not really sure how Microsoft gets around this, but it's quite annoying for me trying to get this to work with BIND.

Can anybody help me out on this?

----------

## Dan

If you enable debug logging you will see:

> 16-Jan-2007 13:18:55.989 general: master/domain.com:23: _ldap._tcp.pdc._msdcs.domain.com: bad owner name (check-names)

which, from what I just read, is because BIND 9 later than 9.2.2 is more restrictive about names. I'm guessing you are using a version above 9.2.2?

I think you can fix it using the check-names directive.

> check-names
> 
>     This option is used to restrict the character set and syntax of certain domain names in master files and/or DNS responses received from the network. The default varies according to usage area. For master zones the default is fail. For slave zones the default is warn. For answers received from the network (response) the default is ignore.
> 
>     The rules for legal hostnames / mail domains are derived from RFC 952 and RFC 821 as modified by RFC 1123.
> ...

----------

## humbletech99

But the records in question aren't A records, they are SRV records. Does this still hold true?

I guess it's worth trying to switch off check-names and see if it makes a difference.

Thanks, I'll give that a try.

----------

## Dan

http://www.microsoft.com/technet/archive/interopmigration/linux/mvc/cfgbind.mspx#E1EAC

----------

## humbletech99

Thanks for that link. It turns out that the check-names thing didn't work, so while watching the logs and reloading I stumbled across a stupid thing. The file I had added to store all the AD records was owned by root, but BIND was run as `named`, so I chowned the files and it worked.

I can now dig successfully without check-names anywhere in named.conf and it just works. It seems check-names isn't needed in this case (although it sounds like it should be!). Perhaps it only applies to A records and not SRV records...

----------
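As an added worked example (not code from this thread, from BIND or from Microsoft), the script below models the two things the thread turns on: what BIND's `check-names` actually inspects, and whether the zone file is readable by the account `named` runs as. The rule set is a simplified restatement of the BIND ARM: `check-names` applies to the owner names of A, AAAA and MX records and to the hostnames in the RDATA of NS, SOA, MX and SRV records, so an SRV owner name such as `_ldap._tcp.pdc._msdcs` is never checked, while its target must still be a legal hostname. The zone contents, the uid 25 for `named`, the 0640 mode and the `bad_host` record are constructed for the example; the parser handles only the simple one-record-per-line master-file syntax used here.

```python
import grp
import os
import pwd
import re
import stat

# Constructed sample zone: the AD records from the thread plus one deliberately bad A record.
SAMPLE_ZONE = """\
$ORIGIN mydomain.com.
@                        IN SOA dns.mydomain.com. postmaster.mydomain.com. 2006120401 86400 18000 3600000 604800
@                        IN NS  dns.mydomain.com.
@                        IN NS  dns2.mydomain.com.
dns                      IN A   192.0.2.1
dns2                     IN A   192.0.2.2
server01                 IN A   192.0.2.10
_ldap._tcp               IN SRV 0 0 389 server01.mydomain.com.
_ldap._tcp.pdc._msdcs    IN SRV 0 0 389 server01.mydomain.com.
_kerberos._tcp.dc._msdcs IN SRV 0 0 88 server01.mydomain.com.
bad_host                 IN A   192.0.2.99
"""

# Simplified check-names model (assumption: restated from the BIND ARM, not BIND's own code).
HOSTNAME_OWNER_TYPES = {"A", "AAAA", "MX"}          # owner name must be a hostname
HOSTNAME_RDATA_FIELD = {"NS": 0, "SOA": 0, "MX": 1, "SRV": 3}  # which RDATA field is a hostname

# RFC 952/1123 label: letters, digits, hyphens; no leading/trailing hyphen; 1-63 octets.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_hostname(name):
    """True if every label is a legal hostname label. An underscore label fails."""
    return all(LABEL_RE.match(label) for label in name.rstrip(".").split("."))


def absolutize(name, origin):
    """Expand '@' and relative names against the current $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin="."):
    """Minimal master-file parser: $ORIGIN, optional TTL/class, one record per line.
    Returns (owner, type, rdata_fields) with owner and hostname RDATA made absolute."""
    records, last_owner = [], None
    for raw in text.splitlines():
        line = raw.split(";")[0].rstrip()
        if not line.strip():
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            continue
        owner = last_owner if line[0].isspace() else absolutize(fields.pop(0), origin)
        last_owner = owner
        if fields and fields[0].isdigit():          # optional TTL
            fields.pop(0)
        if fields and fields[0].upper() in ("IN", "CH", "HS"):  # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        idx = HOSTNAME_RDATA_FIELD.get(rtype)
        if idx is not None and idx < len(rdata):
            rdata[idx] = absolutize(rdata[idx], origin)
        records.append((owner, rtype, rdata))
    return records


def check_names(records):
    """Return the complaints a check-names pass would raise for these records."""
    problems = []
    for owner, rtype, rdata in records:
        if rtype in HOSTNAME_OWNER_TYPES and not is_hostname(owner):
            problems.append(f"{owner}: bad owner name ({rtype})")
        idx = HOSTNAME_RDATA_FIELD.get(rtype)
        if idx is not None and idx < len(rdata) and not is_hostname(rdata[idx]):
            problems.append(f"{owner}: bad {rtype} hostname {rdata[idx]}")
    return problems


def readable_by(mode, file_uid, file_gid, uid, gids):
    """Classic Unix read check: can a process with this uid and group set read the file?"""
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def zone_file_readable(path, username):
    """Live version of the thread's fix: does the named service account get read access?"""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid} | {g.gr_gid for g in grp.getgrall() if username in g.gr_mem}
    st = os.stat(path)
    return readable_by(st.st_mode, st.st_uid, st.st_gid, pw.pw_uid, gids)


if __name__ == "__main__":
    for problem in check_names(parse_zone(SAMPLE_ZONE)):
        print("check-names would reject:", problem)
    # Thread scenario: root-owned 0640 zone file, named running as uid 25 (constructed values).
    print("root:root 0640 readable by named:", readable_by(0o640, 0, 0, 25, {25}))
    print("named:named 0640 readable by named:", readable_by(0o640, 25, 25, 25, {25}))
```

Run against the sample, the only complaint is the `bad_host` A record; the three underscore SRV owner names pass untouched, which matches the thread's final observation that no `check-names` setting was needed for them. The same parse also shows why a silent permission problem looks like NXDOMAIN from the client side: the zone loads nothing, so the server answers authoritatively from the SOA it does have.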

