Hi,

As per Mukund Sivaraman's suggestion, I am reporting a bug in BIND.

This name "sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com" was successfully loaded into an RPZ zone. The label "uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp" is 64 bytes long (> the 63-byte label limit of RFC 1035).

The sample RPZ zone is listed below.

$ORIGIN rpz.example.com.
$TTL 1H
@       SOA LOCALHOST. named-mgr.example.com (1 1h 15m 30d 2h)
        NS  LOCALHOST.

; QNAME policy records.
; Note: There are no periods (.) after the (relativised) owner names.
sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com A    10.0.0.1   ; redirect to walled garden
                                                                                                          AAAA 2001:2::1

named-checkconf does not report any error about this name.

I tested the name using 8.8.8.8 on both CentOS 7 and a MacBook Pro running macOS Sierra. The dig version on CentOS 7 is 9.9.4-RedHat-9.9.4-38.el7_3.2 and it always gives 'NXDOMAIN' no matter how long I make the label (I tested 64, 65 and 80 bytes long).

The results from my MacBook Pro are listed below.

The length of uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp is 64 bytes.

$ dig @8.8.8.8 sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com

; <<>> DiG 9.8.3-P1 <<>> @8.8.8.8 sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 59096
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp.chinaboca.com. IN A

;; AUTHORITY SECTION:
chinaboca.com.          1799    IN      SOA     ns9.sinohosting.net. admin.cycomsupport.com. 2017020401 3600 7200 1209600 86400

;; Query time: 108 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jun 29 15:16:33 2017
;; MSG SIZE  rcvd: 195

The length of uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp66 is 66 bytes.

OIT-ZY33-ML2:~ zy33$ dig sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp66.chinaboca.com
dig: 'sign.encoding.information.uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp66.chinaboca.com' is not a legal name (label too long)

dig should report that the name is not a legal name when the label length is 64 (> 63 bytes), but it reports the issue when the label length is 65.

Thanks,
Jim

On 6/29/17, 2:40 PM, "Mukund Sivaraman" wrote:

Hi Jim

On Thu, Jun 29, 2017 at 01:57:16PM +0000, Jim Yang wrote:
> Hi,
>
> What is the DNS name label length limit? As per RFC 1035, it is 63
> characters. I tested a few DNS names that contain a label that is
> longer than 63 characters, and found that these records were
> successfully loaded in an RPZ zone. I wonder if this is a BIND RPZ
> feature or a bug (it allows a DNS name label that is longer than 63
> characters)?
>
> When I dig these DNS records using 8.8.8.8, it reports them as
> 'NXDOMAIN'.

Can you send us a bug report with a sample RPZ zone that contains such a name?

Mukund
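As an added example (not code from the thread or from BIND), the following checker applies the RFC 1035 limits that named enforces when it loads a zone, 63 octets per label and 255 octets for the wire-format name, after resolving the relativised RPZ owner name against the $ORIGIN from the zone above. Counting a long label by hand is error-prone, so it computes the length instead: on the label from the report it finds 63 octets and no violation, and with "66" appended, as in the second dig run, it finds 65 octets and the same "label too long" condition. The origin, owner name and label are taken from the report; the escape-free ASCII assumption is noted in the code.

```python
# Added example (not from the thread or from BIND): check the RFC 1035 name
# limits named enforces at zone load, after resolving the RPZ owner against $ORIGIN.
from typing import List

MAX_LABEL_OCTETS = 63   # RFC 1035 section 2.3.4
MAX_NAME_OCTETS = 255   # wire-format name: length octets, label bytes, root

def fqdn(owner: str, origin: str) -> str:
    """Resolve a zone-file owner name the way named does: '@' is the origin,
    a trailing dot means absolute, anything else is relative to $ORIGIN."""
    origin = origin.rstrip(".") + "."
    if owner == "@":
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def labels(name: str) -> List[str]:
    """Split a presentation-format name into labels (root -> no labels).
    Assumes plain ASCII labels without \\DDD escapes, as in the zone above."""
    body = name.rstrip(".")
    return body.split(".") if body else []

def label_lengths(name: str) -> List[int]:
    return [len(label.encode("utf-8")) for label in labels(name)]

def wire_length(name: str) -> int:
    # one length octet per label plus its bytes, plus the root's zero octet
    return sum(1 + n for n in label_lengths(name)) + 1

def check_name(name: str) -> List[str]:
    """Return RFC 1035 violations; an empty list means the name is legal."""
    problems = []
    for idx, (label, n) in enumerate(zip(labels(name), label_lengths(name))):
        if n == 0:
            problems.append(f"label {idx} is empty")
        elif n > MAX_LABEL_OCTETS:
            problems.append(f"label {idx} '{label[:8]}...' is {n} octets (> {MAX_LABEL_OCTETS})")
    total = wire_length(name)
    if total > MAX_NAME_OCTETS:
        problems.append(f"name is {total} octets on the wire (> {MAX_NAME_OCTETS})")
    return problems

# Values taken from the report: the RPZ $ORIGIN and the relativised owner name.
ORIGIN = "rpz.example.com."
REPORTED_LABEL = "uzmzudseodc2fjpyi6mjcxndiymtuzmzufazdseyi6swh58fmodc2fjqxoc2fjp"
OWNER = f"sign.encoding.information.{REPORTED_LABEL}.chinaboca.com"

if __name__ == "__main__":
    full = fqdn(OWNER, ORIGIN)
    print(label_lengths(full), wire_length(full), check_name(full) or "legal")
```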