How to delegate public IP zone internally

Greg Chavez greg.chavez at gmail.com
Wed Sep 7 01:54:27 UTC 2005


On 9/6/05, Mark Andrews <Mark_Andrews at isc.org> wrote:
>
> >
> > An admin for one of these units has decided that he doesn't want to
> > let us - the DNS mothership -  do zone transfers anymore, negating the
> > stealth zone idea.  As it stands, nobody outside of their unit can see
> > their 156.xxx.yyy.0 zone.  The admin for the rogue unit is being
> > intransigent... or am I?
> >
> > Is there any other way I can delegate these zones without claiming
> > authority for 156.in-addr.arpa and breaking many public lookups?  It
> > seems to me that the stealth slave route is the simplest,
> > hardest-to-break route here.  If you can, please tell me otherwise.
> >
>         Is there a reason why you don't follow the obvious?  Get
>         the /16's delegated from ARIN then delegate the /24 from
>         them.  Everyone can then just follow the normal delegation
>         path.

Yes, there is a reason and its name is both politics and
institutional inertia.  I am a contractor, behind enemy lines, and the
barbed wire is thick.  But first, let me correct a false impression I
made as I ineptly tried to obscure my client's otherwise public IP
blocks: the rogue unit acts authoritatively for a /16, not a /24.  So,
using just enough pointless obscurity to not get fired, we use
fourteen /16 IP blocks internally:

1x8.156.in-addr.arpa to 1x2.156.in-addr.arpa

The rogue unit acts authoritatively for 1x6.156.in-addr.arpa.  When I
came on the job, "we" (the root internal name servers) were configured
as a stealth slave; it is now apparent however that "we" are being
denied zone transfers, breaking any attempt by other units to resolve
this zone.  The rogue admin insists that there is some way I can
delegate this to him without acting as a slave, but I don't see how
and he seems unwilling to directly advise me (making me wonder if he
actually knows).

So, again, my question - my embarrassing but urgent question: is there
a way to delegate 1x6.156.in-addr.arpa without involving ARIN or
claiming authority for 156.in-addr.arpa?

Thanks - I know how nutty this question is, believe me.
--Greg Chavez
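As an added illustration, not part of Greg's post, here is what the stealth-slave arrangement he describes looks like in BIND 9 named.conf on both sides, including the allow-transfer entry the unit's primary needs for it to work; the zone name is the thread's obscured 1x6.156.in-addr.arpa and every address is a placeholder.

```conf
// Added example, not from the original post. Zone name and addresses are
// placeholders; 1x6.156.in-addr.arpa is the obscured name used in the thread.

// --- On the central ("mothership") internal name servers: stealth slave ---
// No NS record anywhere points at these servers, so 156.in-addr.arpa is
// never touched; they just hold a copy of the zone and answer for it.
zone "1x6.156.in-addr.arpa" {
    type slave;
    file "slaves/1x6.156.in-addr.arpa";
    masters { 192.0.2.53; };        // placeholder: the unit's primary
    allow-transfer { none; };       // do not re-export the copy
    notify no;                      // a stealth copy has nobody to notify
};

// --- On the unit's primary: what the stealth copy depends on ---
// If the central servers are missing from allow-transfer, their AXFR/IXFR
// requests are refused and the copy eventually expires; that is the
// "denied zone transfers" failure described in the thread.
acl "central-servers" { 192.0.2.1; 192.0.2.2; };   // placeholders
zone "1x6.156.in-addr.arpa" {
    type master;
    file "master/1x6.156.in-addr.arpa";
    allow-transfer { central-servers; };
    also-notify { 192.0.2.1; 192.0.2.2; }; // push changes to the stealth copies
};
```

On the slave side, `rndc retransfer 1x6.156.in-addr.arpa` together with the `xfer-in` log category shows directly whether the primary is answering the transfer request or refusing it.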
