Classless in-addr.arpa delegation.

Kevin Darcy kcd at daimlerchrysler.com
Mon Aug 28 23:03:26 UTC 2000


Okay, so in your copy of the C-class zone, you list *only* your ISP's nameservers,
right? And you keep your SOA in synch with theirs at all times, right? Unless you
do both of those things, then you could be propagating Authority Section data
which differs from the "real" zone data and might be taken as genuine by other
nameservers. That's the Rock. The Hard Place is that if you do that, more paranoid
server implementations may note that the Authority Section of your response is not
the same as the delegation they followed, and may discard your response as being
suspect. If that doesn't break now, it almost certainly will break if and when
DNSSEC is implemented, unless your ISP is lax enough to let you have a copy of
their zone key.

Personally, I don't see why people dislike RFC 2317 so much that they would
constantly struggle to find alternatives. IT'S JUST ALIASING, PEOPLE! Nothing more
complicated than that, unless you get into byzantine naming conventions. Aliasing
names across organizational boundaries is something that folks have been doing for
"forward" DNS for eons ("www.foo.com in cname www.bar.com"): just apply that logic
now to *reverse* DNS.

How hard is it for you or your provider to create delegations for the zone that
will contain the PTR's? Beyond that, it's only the difference in how you name the
container zone and whether the provider adds one NS per address or one CNAME (and
if you want to provide redundancy for the container zone, it's actually
*less* work for your provider: one CNAME versus 2 or more NS'es per address).


- Kevin
Jay Nugent wrote:

> Greetings,
>
> On Mon, 28 Aug 2000, Kevin Darcy wrote:
>
> >
> > Wait a minute! What zone are those PTR's contained in? The C-class
> > zone? That's *bad*news*. Not only are you blinding your own clients to other
> > PTR's in that same C-class range, but you're propagating bogus Authority
> > Section data, thus potentially blinding *other*people's* nameservers to other
> > PTR's in that same C-class range, not to mention misdirecting traffic to your
> > nameservers.
> >
> > There's a reason that RFC 2317 is a BCP.
>
>    You are only partially correct.  Yes, I am indeed blinding my clients
> from a *small* piece of the Internet, precisely the other half of the
> class-C that I'm on.  Should my customers need to resolve those other 128
> hosts, then I'll look for a more elegant solution.  Thus far that has not
> been a problem.
>
>    As for "propagating bogus Authority Section data".... Absolutely not!
> The ISP is authoritative for the class-C.  They only send the 128
> addresses *I* use to *me* to reverse resolve.  The rest of the block the
> ISP does with as they would any other block, usually entering their
> customers' host names into the DNS for them.  I am NOT providing bogus
> data.
>
>    However, if there is a better way, I'd certainly like to see some
> sample zone files... :-)
>
>       --- Jay
>
> > Jay Nugent wrote:
> >
> > > Greetings,
> > >
> > > On Mon, 28 Aug 2000, Kevin Darcy wrote:
> > >
> > > >
> > > > Doing RFC 2317 on a non-bit-boundary is a little unusual, but certainly
> > > > workable.  That's why I say that "classless delegation" is somewhat of a
> > > > misnomer -- it's really *aliasing* rather than "delegation" _per_se_.
> > > > All your ISP needs to do is add 10 CNAMEs to the
> > > > 192.204.212.in-addr.arpa zone:
> > > >
> > > > 51    in    cname    51.rev.jdimedia.nl.
> > > > 52    in    cname    52.rev.jdimedia.nl.
> > > > 53    in    cname    53.rev.jdimedia.nl.
> > > > (etc.)
> > > >
> > > > I've used "rev.jdimedia.nl" here as the "container" zone for the PTR
> > > > records, but you could use *anything* mutually acceptable between you
> > > > and your ISP, as long as it's a zone delegated to, and controlled by,
> > > > you.
> > >
> > >    Or just have the ISP do the following which will send all PTR lookups
> > > to YOUR nameserver.  Then on your nameserver you use conventional PTR
> > > records to do the final resolve.
> > >
> > > At the ISP:
> > > -----------
> > > 51    IN     NS     ns1.yourserver.com.
> > > 52    IN     NS     ns1.yourserver.com.
> > > 53    IN     NS     ns1.yourserver.com.
> > >
> > > In your nameserver:
> > > -------------------
> > > 51    IN     PTR    larry.yourdomain.com.
> > > 52    IN     PTR    moe.yourdomain.com.
> > > 53    IN     PTR    curley.yourdomain.com.
> > >
> > >    I do this for my 128-host address block.  My ISP didn't even know it
> > > could be done.  They learn something new from their customers every day
> > >   :-)
> > >
> > >       --- Jay
>
>
>              /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/~~\
>             |  Jay Nugent                 jjn at nuge.com |____|
>             |  Nugent Telecommunications  www.nuge.com |
>             |  Web-Pegasus          www.webpegasus.com |
>             |  (734)971-1076        (734)971-4529 /Fax |
>             |                                          |
>             | ISP & Modem Performance Monitoring Svcs. |
>             | Discount Reseller of 123.Net ISP Services|
>             | Internet Consulting / Linux SysAdmin     |
>             | Web Hosting / DNS Hosting / Shell Accts. |
>             | Embedded Controllers / Engr. & Design    |
>          /~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~/   |
>          \_________________________________________\__/
>
>   6:00pm  up 110 days, 7 min,  6 users,  load average: 0.00, 0.00, 0.00
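The RFC 2317 aliasing Kevin describes above, as an added Python example that is not part of the thread: the ISP's CNAMEs, the customer's container-zone PTRs, a resolver that follows the alias the way a recursive server would, and a consistency check for aliased addresses with no PTR behind them. The zone names (192.204.212.in-addr.arpa, rev.jdimedia.nl) and host names are taken from the thread; the 51-53 range is a constructed sample.

```python
# Added example, not from the thread: builds the RFC 2317 records Kevin
# describes (CNAMEs in the ISP's /24 zone pointing into a "container" zone the
# customer controls) and resolves a reverse lookup by following the alias.
# Zone names are the thread's; host names and the 51-53 range are constructed.
ISP_ZONE = "192.204.212.in-addr.arpa."   # the ISP's /24 reverse zone
CONTAINER_ZONE = "rev.jdimedia.nl."      # zone delegated to the customer


def isp_alias_records(first, last, container=CONTAINER_ZONE):
    """What the ISP adds to its /24 zone: one CNAME per aliased address."""
    return {f"{n}.{ISP_ZONE}": ("CNAME", f"{n}.{container}")
            for n in range(first, last + 1)}


def container_ptr_records(hosts, container=CONTAINER_ZONE):
    """What the customer puts in the container zone: conventional PTRs."""
    return {f"{n}.{container}": ("PTR", name) for n, name in hosts.items()}


def reverse_lookup(ip, records, max_hops=8):
    """Map an IPv4 address to a name over a merged record set, following
    CNAMEs the way a resolver would. Returns None when there is no PTR, the
    alias chain is broken, or the chain loops (hop limit reached)."""
    qname = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    for _ in range(max_hops):
        rr = records.get(qname)
        if rr is None:
            return None
        rtype, rdata = rr
        if rtype == "PTR":
            return rdata
        if rtype != "CNAME":
            return None
        qname = rdata            # alias: restart the query at the canonical name
    return None


def dangling_aliases(isp_records, container_records):
    """Consistency check: CNAME targets in the ISP zone with no PTR behind them,
    i.e. addresses the ISP aliased that the customer has not populated."""
    return sorted(target for rtype, target in isp_records.values()
                  if rtype == "CNAME" and target not in container_records)


SAMPLE_HOSTS = {51: "larry.yourdomain.com.", 52: "moe.yourdomain.com."}  # constructed

if __name__ == "__main__":
    isp, mine = isp_alias_records(51, 53), container_ptr_records(SAMPLE_HOSTS)
    print(reverse_lookup("212.204.192.51", {**isp, **mine}))  # larry.yourdomain.com.
    print(dangling_aliases(isp, mine))  # ['53.rev.jdimedia.nl.']
```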





