Alternative to RFC2317 -- Classless Delegation

Dan Mahoney, System Admin danm at prime.gushi.org
Sat Dec 9 00:27:50 UTC 2006


Hey all,

Recently, we at work have had to delegate out some DNS records, and at the 
request of the customer being delegated to, instead of doing the complex 
RFC 2317 intermediate-zone/CNAME/NS records, they simply asked us to drop 
in NS records in place of the PTR records.

This works fine: reverse lookups for the affected IPs all work, and it 
would appear that it doesn't violate anything.  Just as if I were going to 
delegate lab.bar.com to my development lab, I would put in an NS record 
for lab.bar.com to my lab's DNS servers.  At least it doesn't "feel" 
wrong, but that's why I'm writing.

Further, with RFC 2317, there exists the need to be in agreement with the 
delegator about what domain to serve.  I.e., to delegate 192.168.1.0-7 
(those are IPs, not the name of the zone) to my customer, I would need to 
tell him to configure the zone

x.0-7.1.168.192.in-addr.arpa. (going by recipe 6.4 of the DNS & Bind 
Cookbook)
-or-
x.0/29.1.168.192.in-addr.arpa. (going by RFC 2317)
-or-
x.customer1.168.192.in-addr.arpa (assuming a case where IPs were assigned 
in random groups, i.e. not necessarily consecutive -- for example on a 
block where the same customer has the first 8 and the last 8 -- this 
would be done to have him able to save himself from having to set up a 
zone for EVERY service).

Plus, there's the management of CNAMEs.  We're in the process of switching 
over to having all our zonefiles DB-generated, so it's trivial to 
change at this point, but it means much extra pain for those being 
delegated to.

With the NS-only scheme, he is able to serve the zone "naturally", i.e., 
by using the normal PTR records, as any other DNS management software 
(Webmin, PowerDNS, MS-DNS) would expect, instead of whatever variant is 
above (further complicated by the fact that I'm sure we're not the only 
ones doing delegation).

So, then the question (and I'm sure someone has a good answer for it) is:

What is wrong with the NS-only scheme of doing things?  Clearly RFC 2317 is 
as complex as it is for a reason, but I'm curious as to why.

-Dan

--

"You're a nomad billygoat!"

-Juston, July 18th, 2002

--------Dan Mahoney--------
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---------------------------
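An added illustration of the two delegation schemes compared in the post (example code, not part of the original message): it generates the parent-zone records for an RFC 2317 delegation and for the NS-in-place-of-PTR scheme, then follows them for one address to show which zone the delegated server must host and at which owner name its PTR must live. The nameserver names and the 192.168.1.0/29 block are constructed for the example.

```python
import ipaddress


def _parent_zone(net):
    """in-addr.arpa zone that owns the classful /24 containing `net`."""
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def rfc2317_records(prefix, child_ns):
    """Parent-zone records for an RFC 2317 delegation: one NS set for the
    'first/len' subzone plus a CNAME per address pointing into that subzone."""
    net = ipaddress.ip_network(prefix)
    parent = _parent_zone(net)
    sub = f"{str(net.network_address).split('.')[3]}/{net.prefixlen}.{parent}"
    recs = [(sub, "NS", ns) for ns in child_ns]
    for a in net:
        last = str(a).split(".")[3]
        recs.append((f"{last}.{parent}", "CNAME", f"{last}.{sub}"))
    return recs


def ns_only_records(prefix, child_ns):
    """Parent-zone records for the NS-in-place-of-PTR scheme: every address
    label is delegated as its own zone, so no CNAME indirection is needed."""
    net = ipaddress.ip_network(prefix)
    parent = _parent_zone(net)
    return [(f"{str(a).split('.')[3]}.{parent}", "NS", ns)
            for a in net for ns in child_ns]


def delegated_zone_count(records):
    """Number of distinct zones the child server has to host (each one needs
    its own SOA and apex NS records on the child side)."""
    return len({o for o, r, _ in records if r == "NS"})


def child_view(records, ip):
    """Follow the parent's records for one address: resolve any CNAME, then find
    the longest delegated zone covering the resulting owner name."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    cnames = {o: t for o, r, t in records if r == "CNAME"}
    owner = cnames.get(name, name)  # RFC 2317 indirection, if any
    zones = {o for o, r, _ in records if r == "NS"}
    labels = owner.split(".")
    for i in range(len(labels)):
        cand = ".".join(labels[i:])
        if cand in zones:
            return {"zone": cand, "ptr_owner": owner}
    return None  # address is not delegated by these records


if __name__ == "__main__":
    ns = ["ns1.customer.example.", "ns2.customer.example."]  # constructed
    for scheme in (rfc2317_records, ns_only_records):
        recs = scheme("192.168.1.0/29", ns)
        print(scheme.__name__, delegated_zone_count(recs), child_view(recs, "192.168.1.3"))
```

In the NS-only case the PTR sits at the apex of each per-address zone, which is legal but means eight zones (plus their SOA/NS sets) for one /29.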


