@@ -, +, @@ rejection
--- a/services/univention-bind/bind.py
+++ a/services/univention-bind/bind.py
@@ -45,6 +45,7 @@ import time
 import errno
 import signal
 import grp
+import re
 name = 'bind'
 description = 'Update BIND zones'
@@ -62,6 +63,7 @@ SIGNAL = dict([(getattr(signal, _), _) for _ in dir(signal) if _.startswith('SIG
 __zone_created_or_removed = False
+reZoneName = re.compile('^([a-zA-Z0-9]([a-zA-Z0-9-]{0,63}[a-zA-Z0-9])?)([.]([a-zA-Z0-9]([a-zA-Z0-9-]{0,63}[a-zA-Z0-9])?))*$')
 def initialize():
 """Initialize module on first run."""
@@ -92,18 +94,27 @@ def handler(dn, new, old):
 try:
 if new and not old:
 # Add
- _new_zone(listener.configRegistry, new['zoneName'][0], dn)
+ if reZoneName.match(new['zoneName'][0]):
+ _new_zone(listener.configRegistry, new['zoneName'][0], dn)
+ else:
+ ud.debug(ud.LISTENER, ud.WARN, 'Ignoring addition of invalid zoneName %r' % (new['zoneName'][0], ))
 elif old and not new:
 # Remove
- _remove_zone(old['zoneName'][0])
+ if reZoneName.match(old['zoneName'][0]):
+ _remove_zone(old['zoneName'][0])
+ else:
+ ud.debug(ud.LISTENER, ud.WARN, 'Ignoring removal of invalid zoneName %r' % (old['zoneName'][0], ))
 if new.get('zoneName'):
 # Change
- # Create an empty file to trigger the postrun()
- zonefile = os.path.join(PROXY_CACHE_DIR, "%s.zone" % (new['zoneName'][0],))
- proxy_cache = open(zonefile, 'w')
- proxy_cache.close()
- os.chmod(zonefile, 0o640)
- chgrp_bind(zonefile)
+ if reZoneName.match(new.get('zoneName')[0]):
+ # Create an empty file to trigger the postrun()
+ zonefile = os.path.join(PROXY_CACHE_DIR, "%s.zone" % (new['zoneName'][0],))
+ proxy_cache = open(zonefile, 'w')
+ proxy_cache.close()
+ os.chmod(zonefile, 0o640)
+ chgrp_bind(zonefile)
+ else:
+ ud.debug(ud.LISTENER, ud.WARN, 'Ignoring change of invalid zoneName %r' % (new.get('zoneName')[0], ))
 finally:
 listener.unsetuid()
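Review bot: The `reZoneName` pattern added in the second hunk ends in `$` and is applied with `match()`, and in Python `$` also matches just before a trailing newline, so a value such as `'example.com\n'` (constructed sample) passes the check and reaches the `"%s.zone"` path built in `handler`. Writing the pattern as a raw string and ending it with `\Z` instead of `$` closes that gap. The label quantifier `{0,63}` sits between two mandatory characters and so admits 65-character labels where DNS allows 63; `{0,61}` would match the limit. A one-line comment above the pattern, for example `# zoneName is used as a file name component; accept only plain DNS labels`, would tell the next reader why the check exists.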
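Review bot: In the third hunk, an added entry with an invalid zoneName appears to be reported twice, once by the "Ignoring addition" branch and again by the "Ignoring change" branch, because the `if new.get('zoneName'):` block follows the add/remove chain rather than being part of it (indentation is not visible on this page, so the nesting is inferred). The three guards also test and use differently spelled expressions, `new.get('zoneName')[0]` in the check versus `new['zoneName'][0]` in the path. Binding the value once at the top of the `try:`, e.g. `zone_name = (new or old)['zoneName'][0]`, validating it once and branching afterwards would keep check and use on the same value and leave a single warning. `handler`'s body starts outside the hunk, so anything before the `try:` is not covered by this note.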