Alternative to RFC2317 -- Classless Delegation
Dan Mahoney, System Admin
danm at prime.gushi.org
Sat Dec 9 00:27:50 UTC 2006
Hey all,
Recently, we at work have had to delegate out some DNS records, and at the
request of the customer being delegated to, instead of doing the complex
RFC 2317 intermediate-zone/CNAME/NS records, they simply asked us to drop
in NS records in place of the PTR records.
This works fine: reverse lookups for the affected IPs all work, and it
would appear that it doesn't violate anything. Just as if I were going to
delegate lab.bar.com to my development lab, I would put in an NS record
for lab.bar.com to my lab's DNS servers. At least it doesn't "feel"
wrong, but that's why I'm writing.
Further, with RFC2317, there exists the need to be in agreement with the
delegator about what domain to serve. i.e. to delegate 192.168.1.0-7
(those are IPs, not the name of the zone) to my customer, I would need to
tell him to configure the zone
x.0-7.1.168.192.in-addr.arpa. (going by recipe 6.4 of the DNS & Bind
Cookbook)
-or-
x.0/29.1.168.192.in-addr.arpa. (going by RFC 2317)
-or-
x.customer1.168.192.in-addr.arpa (assuming a case where IPs were assigned
in random groups, i.e. not necessarily consecutive -- for example on a
block where the same customer has the first 8 and the last 8 -- this
would be done to have him able to save himself from having to set up a
zone for EVERY service).
Plus, there's the management of CNAMEs. We're in the process of switching
over to having all our zonefiles be DB-generated, so it's trivial to
change at this point, but it means much extra pain for those being
delegated to.
With the NS-only scheme, he is able to serve the zone "naturally", i.e.
by using the normal PTR records, as any other DNS management software
(Webmin, PowerDNS, MS DNS) would expect, instead of whatever variant is
above (further complicated by the fact that I'm sure we're not the only
ones doing delegation).
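The three RFC 2317-style variants above and the NS-only scheme differ only in which records the parent (delegating) side publishes and, as a consequence, which zone name(s) the customer has to serve. The following is an added example, not code from the post, that generates the parent-side records for each scheme from a DB-style description of the block, in the spirit of the DB-generated zonefiles mentioned above. It uses the post's 192.168.1.0/29 block; the nameserver name ns1.customer.example. and the "customer1" label are assumed placeholders. It also generalizes to the non-contiguous case (first 8 and last 8 addresses of a /24 under one custom label). One thing it makes visible that the prose does not: an NS record placed at a single reverse name is a zone cut at that name, so under the NS-only scheme the customer's server must answer for one zone per address (SOA and NS at the apex, with the PTR as the apex record), whereas every RFC 2317 variant collapses the block into a single child zone.

```python
import ipaddress

# Label for the reverse of 192.168.1.5 -> "5.1.168.192"
def reverse_labels(ip):
    return ".".join(reversed(str(ip).split(".")))

def reverse_name(ip):
    return f"{reverse_labels(ip)}.in-addr.arpa."

def _check_same_slash24(addresses):
    # All three classless variants only make sense inside one /24 (one parent zone).
    parents = {ipaddress.ip_network(f"{a}/24", strict=False) for a in addresses}
    if len(parents) != 1:
        raise ValueError("addresses must fall within a single /24")
    return parents.pop()

def classless_child_zone(addresses, label):
    """Child zone name under the parent /24, e.g. '0/29.1.168.192.in-addr.arpa.'"""
    parent = _check_same_slash24(addresses)
    octets = str(parent.network_address).split(".")
    return f"{label}.{octets[2]}.{octets[1]}.{octets[0]}.in-addr.arpa."

def classless_parent_records(addresses, label, child_ns):
    """RFC 2317-style parent records: NS for the child zone plus one CNAME per address.
    label is '0/29' (RFC 2317), '0-7' (DNS & BIND Cookbook) or any custom label."""
    zone = classless_child_zone(addresses, label)
    records = [(zone, "NS", ns) for ns in child_ns]
    for ip in addresses:
        host_octet = str(ip).split(".")[3]
        records.append((reverse_name(ip), "CNAME", f"{host_octet}.{zone}"))
    return records

def rfc2317_label(network):
    net = ipaddress.IPv4Network(network)
    if net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to blocks smaller than a /24")
    return f"{str(net.network_address).split('.')[3]}/{net.prefixlen}"

def ns_only_parent_records(addresses, child_ns):
    """NS-only scheme: an NS record at each reverse name, in place of the PTR."""
    return [(reverse_name(ip), "NS", ns) for ip in addresses for ns in child_ns]

def child_zones_required(addresses, scheme, label=None):
    """Zone apexes the customer must serve under each scheme.
    Every NS owner name in the parent is a zone cut, so NS-only means one zone per address."""
    if scheme == "ns-only":
        return [reverse_name(ip) for ip in addresses]
    return [classless_child_zone(addresses, label)]

def format_zone_lines(records):
    return "\n".join(f"{name}\tIN\t{rtype}\t{rdata}" for name, rtype, rdata in records)

if __name__ == "__main__":
    block = list(ipaddress.IPv4Network("192.168.1.0/29"))
    ns = ["ns1.customer.example."]  # assumed placeholder
    print("; RFC 2317 parent records")
    print(format_zone_lines(classless_parent_records(block, rfc2317_label("192.168.1.0/29"), ns)))
    print("; NS-only parent records")
    print(format_zone_lines(ns_only_parent_records(block, ns)))
    # Non-contiguous case: first 8 and last 8 of the /24 under one custom label
    split = list(ipaddress.IPv4Network("192.168.1.0/29")) + list(ipaddress.IPv4Network("192.168.1.248/29"))
    print("; custom-label parent records for a split allocation")
    print(format_zone_lines(classless_parent_records(split, "customer1", ns)))
    print("; zones the customer must serve under NS-only:", len(child_zones_required(block, "ns-only")))
```

Running it prints the parent-side records for each scheme; the last line shows that for the /29 the NS-only scheme leaves the customer serving eight separate zones where any classless variant needs one.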
So, then the question (and I'm sure someone has a good answer for it) is:
What is wrong with the NS-only scheme of doing things? Clearly RFC2317 is
as complex as it is for a reason, but I'm curious as to why.
-Dan
--
"You're a nomad billygoat!"
-Juston, July 18th, 2002
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------