designing man dns archit, ? about stub reverse lookup

Kevin Darcy kcd at daimlerchrysler.com
Thu Jun 30 22:25:56 UTC 2005


mmccaws2 wrote:

>Using subdomains and dns stub capabilities, I am trying to create a DNS
>architecture that will satisfy the multiple subdomain requirements we
>have.  Of course this is a mixed legacy and M$ environment.  I have
>many sites with multiple departments, and of course each department
>with their own AD-forest domain. ( I inherited this) Currently we're
>using public addressing and VLSM.  So we have user vlans with 23 to 28
>bit masks.  With the current ip addressing each dept doesn't necessarily
>have their own CIDR block.
>
>So I'm trying to understand the limits of Stub DNS services.
>
>Can you create a reverse lookup range in a Stub server to resolve half
>a class C say 10.1.1.0-127 and have it forward queries beyond 128 to
>the primary DNS server?  I would think this is against the RFCs.  Even
>so, is there software that allows this to happen.
>
>The answer to that question will tell me if we have to re-address.
>
Simply put, all a stub zone does is replicate the NS records + the SOA 
record of a zone automatically from an authoritative -- though not 
necessarily *delegated* -- source. Defining a zone as "stub" on your 
server does not make it *authoritative* for the zone in any way shape or 
form. So, I don't see how stub zones are really relevant to your 
situation. What you seem to be looking for is to define part of a zone 
as authoritative (i.e. you'd be master for it), and part of it to be 
forwarded to some other server(s). Unfortunately, it's not possible 
within BIND to "split" authority over a zone in this way. The closest 
you can come is to define the zone as master, and then have CNAMEs (e.g. 
for each entry in the 128-255 range) in the zone for the "remote" part, 
where the targets of those aliases are in some other zone (possibly a 
delegated subzone of the main reverse zone) controlled by the other 
server(s). This is so-called "classless in-addr.arpa delegation" and RFC 
2317 covers it fairly well.

Of course, this "splitting" is only necessary for VLANs that are /25 or 
smaller, right? A /24 range stands as a reverse zone by itself, and a 
/23 is just 2 delegated /24's...

                                 - Kevin

P.S. Pet peeve of mine: "class C" and "/24" are not synonymous. 
10.1.1.0/24 is a subnet of a class *A* network.
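To make the arrangement in Kevin's reply concrete, here is an added example (not from the original post or from BIND itself): a small Python helper that emits the RFC 2317 records for the case in the question, where the /24 reverse zone stays master on one server and the upper half (10.1.1.128/25) is served by another. It produces the NS delegation plus one CNAME per address for the parent zone, and a skeleton of the subzone the other server(s) would be master for. The name server names and PTR targets are constructed placeholders.

```python
import ipaddress


def rfc2317_records(cidr, child_ns, ptr_names=None):
    """Build the records for an RFC 2317 classless reverse delegation.

    Returns (parent_zone, child_zone, parent_lines, child_lines):
      parent_lines -> records for the /24 reverse zone this server masters
                      (NS delegation of the subzone + one CNAME per address)
      child_lines  -> skeleton of the subzone the other server(s) master
    child_ns: hostnames of the subzone's servers (placeholders in the test).
    ptr_names: optional {ip: hostname} map for PTRs in the subzone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 splitting applies to IPv4 prefixes longer than /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent_zone = f"{o3}.{o2}.{o1}.in-addr.arpa."
    # RFC 2317 suggests "<first>/<prefixlen>" as the subzone label; some
    # tools dislike "/" in names, in which case "<first>-<last>" is used.
    label = f"{first}/{net.prefixlen}"
    child_zone = f"{label}.{parent_zone}"

    # Parent (/24) zone: delegate the subzone, then alias every address in
    # the range into it so PTR lookups follow the CNAME to the other server.
    parent_lines = [f"; RFC 2317: {cidr} is served from {child_zone}"]
    parent_lines += [f"{label}  IN  NS  {ns}" for ns in child_ns]
    for host in net:  # iterates every address in the block, 128..255 here
        last = str(host).rsplit(".", 1)[-1]
        parent_lines.append(f"{last}  IN  CNAME  {last}.{child_zone}")

    # Child subzone: SOA/NS and the real PTRs, owned by the other server(s).
    rname = "hostmaster." + child_ns[0].split(".", 1)[1]  # derived placeholder
    child_lines = [f"$ORIGIN {child_zone}",
                   f"@  IN  SOA  {child_ns[0]} {rname} ( 1 3600 900 604800 300 )"]
    child_lines += [f"@  IN  NS  {ns}" for ns in child_ns]
    for ip, name in (ptr_names or {}).items():
        if ipaddress.ip_address(ip) in net:
            child_lines.append(f"{ip.rsplit('.', 1)[-1]}  IN  PTR  {name}")
    return parent_zone, child_zone, parent_lines, child_lines


if __name__ == "__main__":
    _, _, parent, child = rfc2317_records(
        "10.1.1.128/25", ["ns1.dept.example.", "ns2.dept.example."],
        {"10.1.1.130": "pc1.dept.example."})
    print("\n".join(parent + [""] + child))
```

Addresses 0-127 are untouched, so the server stays master for them exactly as Kevin describes; only the 128-255 half is aliased into the delegated subzone.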
