[avahi] Multicast DNS and the Unicast .local Domain

Carsten Strotmann (private) carsten at strotmann.de
Mon Jul 13 01:14:56 PDT 2009


Hello Lennart,

> This is simply broken. Your DNS server should not return a working SOA
> for .local. If at all your DNS server should always return NXDOMAIN
> for all .local names, overriding the internet .local SOA.

to my knowledge every DNS zone configured on a DNS Server will need at
least a valid SOA record and one valid NS record. And the DNS Server
will return these records. To my knowledge there is no way to configure a
local DNS server to return NXDOMAIN without the DNS Server going out to
the Internet ROOT DNS Server or without running its own internal ROOT
Zone (which would be a solution, but overkill for the problem).

Recent BIND 9 implementations create certain "virtual" zones even if no
zone of that name is specified in the DNS Server's configuration. These
zones are for example the zones for the loopback and RFC 1918 private IP
Address reverse zones.

When queried for the SOA of these zones, BIND returns a valid SOA with a
serial number of "0".

It might be a solution to configure a ".local" unicast domain that is
created to stop ".local" queries from leaking out to the Internet with a
serial of '0' and have the Avahi startup script check against this
SOA serial value.

A ".local" unicast domain used locally in a LAN would have a serial
number != 0.

So if Avahi detects a ".local" unicast zone, it can check against the
serial number. If the serial is "0", Avahi can start without creating an
issue for the ".local" DNS lookups. If the serial is != 0, Avahi can
stop with a warning message so as not to conflict with a ".local" unicast
zone in use.

I also came across this post on CircleID about the issue:

Most Popular Invalid TLDs Should Be Reserved
http://www.circleid.com/posts/20090618_most_popular_invalid_tlds_should_be_reserved/

Given that TLDs will be free to register (for a certain amount of money)
in the future, maybe Apple or some other company with interest in
MulticastDNS will register and delegate the ".local" domain in the
Internet.

Best regards

Carsten Strotmann

On 30.06.2009 at 4:27, Lennart Poettering wrote:
> On Fri, 19.06.09 19:19, Carsten Strotmann (carsten at strotmann.de) wrote:
> 
>> Hi,
>>
>> I stumbled over the topic I describe below when I updated an Ubuntu
>> System from Version 8.04 to 9.04. Avahi refused to start because I have
>> a unicast ".local" domain in my network(s).
>>
>> This behavior is documented as recommended for distributions in the
>> Avahi Wiki at
>> http://avahi.org/wiki/AvahiAndUnicastDotLocal
>>
>> I think this is a not well thought out decision. It would be a good
>> decision if it would detect a "used" unicast ".local" domain, but in my
>> case, the ".local" domain is one of many "pseudo" domains that are
>> configured as "empty" DNS zones on all resolving DNS Servers on the
>> network edge (border to the Internet), to prevent any "pseudo TLD" like
>> ".local" from being leaked into the Internet and hitting the Root DNS Server
>> System.
> 
> This is simply broken. Your DNS server should not return a working SOA
> for .local. If at all your DNS server should always return NXDOMAIN
> for all .local names, overriding the internet .local SOA.
> 
> Lennart
> 
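The startup check proposed in the mail above (query the unicast resolver for the SOA of "local.", treat serial 0 as a BIND-style empty sinkhole zone, treat a non-zero serial as a unicast ".local" really in use) written out as an added example. This is not Avahi's own startup script and not code from the thread; the resolver address 127.0.0.1, the "start"/"refuse" policy names and the sample responses are assumptions constructed for illustration. The parser handles the compression pointer a real server puts on the SOA owner name, and NXDOMAIN (no SOA for local. at all) is treated as "no unicast zone, safe to start".

```python
"""Check the unicast ``local.`` SOA serial before starting an mDNS responder.

Added example, not Avahi's startup script. Policy follows the mail:
  serial 0   -> empty/sinkhole zone (as BIND's automatic empty zones) -> start
  serial !=0 -> a unicast .local zone is in use                       -> refuse
  NXDOMAIN / no SOA for local. -> nothing configured                  -> start
"""
import socket
import struct

RCODE_NXDOMAIN = 3
TYPE_SOA = 6
CLASS_IN = 1


def _encode_name(name):
    """Wire-encode a dotted name as length-prefixed labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_soa_query(zone="local.", txid=0x1234):
    """Plain recursive SOA query for the zone (RD bit set, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + _encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)


def _read_name(msg, off):
    """Decode a name at msg[off], following compression pointers (RFC 1035 4.1.4).

    Returns (dotted name, offset just after the name as it appears in place).
    """
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:  # two-byte pointer into the message
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_soa_response(msg, zone="local."):
    """Return rcode plus the serial/MNAME of an SOA owned by `zone`, if any.

    The SOA is searched in both the answer and the authority section, so an
    SOA for a *different* zone (e.g. the root, on NXDOMAIN) is ignored.
    """
    _txid, flags, qd, an, ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    result = {"rcode": flags & 0x000F, "serial": None, "mname": None}
    off = 12
    for _ in range(qd):                      # skip the question section
        _, off = _read_name(msg, off)
        off += 4
    for _ in range(an + ns):
        owner, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_SOA and owner == zone:
            mname, p = _read_name(msg, off)
            _rname, p = _read_name(msg, p)
            result["serial"] = struct.unpack("!I", msg[p:p + 4])[0]
            result["mname"] = mname
        off += rdlen
    return result


def avahi_decision(parsed):
    """Map the parsed SOA answer to the start/refuse policy from the mail."""
    if parsed["rcode"] == RCODE_NXDOMAIN or parsed["serial"] is None:
        return "start"      # no unicast local. zone is visible to us
    if parsed["serial"] == 0:
        return "start"      # sinkhole zone with serial 0: no conflict
    return "refuse"         # a real unicast .local zone is in use


def query_soa(server="127.0.0.1", zone="local.", timeout=2.0):
    """Ask the configured resolver (assumed 127.0.0.1) over UDP; network use only."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_soa_query(zone), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_soa_response(data, zone)


def build_soa_response(serial, rcode=0, txid=0x1234, zone="local."):
    """Constructed sample response (not captured server output) for offline use.

    The SOA owner uses pointer 0xC00C to the question name, as real servers do.
    """
    flags = 0x8180 | rcode                   # QR, RD, RA + rcode
    ancount = 0 if rcode == RCODE_NXDOMAIN else 1
    header = struct.pack("!HHHHHH", txid, flags, 1, ancount, 0, 0)
    question = _encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    if ancount == 0:
        return header + question
    rdata = _encode_name("ns." + zone) + _encode_name("hostmaster." + zone)
    rdata += struct.pack("!IIIII", serial, 3600, 900, 604800, 86400)
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_SOA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + rr


if __name__ == "__main__":
    for label, msg in [("sinkhole serial 0", build_soa_response(0)),
                       ("real zone", build_soa_response(2009071301)),
                       ("NXDOMAIN", build_soa_response(0, rcode=RCODE_NXDOMAIN))]:
        print(label, "->", avahi_decision(parse_soa_response(msg)))
```

Run against a live resolver with `avahi_decision(query_soa())`; the constructed responses exercise the three cases without any network. A resolver that forwards "local." to the Internet will typically answer NXDOMAIN with the root SOA in the authority section, which the owner check correctly ignores.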
