Alternative to RFC2317 -- Classless Delegation

Kevin Darcy kcd at daimlerchrysler.com
Sat Dec 9 00:57:52 UTC 2006


Dan Mahoney, System Admin wrote:
> Hey all,
>
> Recently, we at work have had to delegate out some DNS records, and at the 
> request of the customer-being-delegated to, instead of doing the complex 
> rfc2317 intermediate-zone/cname/ns records, they simply asked us to drop 
> in NS records in place of the PTR records.
>
> This works fine: reverse lookups for the affected IPs all work, and it 
> would appear that it doesn't violate anything.  Just as if I was going to 
> delegate lab.bar.com to my development lab, I would put in an NS record 
> for lab.bar.com to my lab's DNS servers.  At least it doesn't "feel" 
> wrong, but that's why I'm writing.
>
> Further, with RFC2317, there exists the need to be in agreement with the 
> delegator about what domain to serve.  i.e. to delegate 192.168.1.0-7 
> (those are IPs, not the name of the zone) to my customer, I would need to 
> tell him to configure the zone
>
> x.0-7.1.168.192.in-addr.arpa. (going by recipe 6.4 of the DNS & Bind 
> Cookbook)
> -or-
> x.0/29.1.168.192.in-addr.arpa. (going by RFC 2317)
> -or-
> x.customer1.168.192.in-addr.arpa (assuming a case where IPs were assigned 
> in random groups, i.e. not necessarily consecutive -- for example on a 
> block where the same customer has the first 8 and the last 8 -- this 
> would be done to have him able to save himself from having to set up a 
> zone for EVERY service).
>
> Plus, there's the management of CNAMEs.  We're in the process of switching 
> over to having all our zonefiles being DB-generated, so it's trivial to 
> change at this point, but it means much extra pain to those being 
> delegated to.
>
> With the NS-only scheme, he is able to serve the zone "naturally"...i.e. 
> by using the normal PTR records, as any other DNS management software 
> (webmin, powerDNS, MS-DNS) would expect, instead of whatever variant is 
> above (further complicated by the fact that I'm sure we're not the only 
> ones doing delegation).
>
> So, then the question (and I'm sure someone has a good answer for it) is:
>
> What is wrong with the NS-only scheme of doing things?  Clearly RFC2317 is 
> as complex as it is for a reason, but I'm curious as to why.
>
That's perfectly valid too, and I'm surprised that RFC 2317 doesn't even 
mention that approach (had to re-read it just to make sure).

I think there are multiple reasons why most people shy away from this:
1) More records in the parent zone, since of course all zones are 
required to have at least 2 nameservers, versus only 1 CNAME per IP 
address under RFC 2317 (of course $GENERATE eases this)
2) More zone definitions overall
3) Zone-apex PTR records. Many if not most folks are used to thinking of 
PTRs as "leaf" nodes and aren't very comfortable with seeing them at the 
apex of a zone.

- Kevin
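Added example, not code from either poster: a Python sketch (standard-library ipaddress only) that generates the parent-zone records each scheme needs for the 192.168.1.0/29 block in the question, and what the delegated party then has to serve. The nameserver and host names are assumed placeholders; SOA and apex NS records of the child zones are left out.

```python
import ipaddress

ARPA = "in-addr.arpa."

def _parent_zone(net):
    # 192.168.1.0/29 -> "1.168.192.in-addr.arpa." (the /24 zone held by the delegator)
    o = str(net.network_address).split(".")
    return f"{o[2]}.{o[1]}.{o[0]}.{ARPA}"

def rfc2317_parent_records(cidr, nameservers, style="slash"):
    """Parent-zone records for RFC 2317 delegation of a sub-/24 block.
    style="slash" names the child zone 0/29.<parent>; style="range" names it 0-7.<parent>
    (the DNS & BIND Cookbook convention). Returns (child_zone, [(owner, type, rdata), ...])."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen < 25:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than a /24")
    parent = _parent_zone(net)
    first, last = int(net.network_address) & 0xFF, int(net.broadcast_address) & 0xFF
    child = (f"{first}/{net.prefixlen}." if style == "slash" else f"{first}-{last}.") + parent
    records = [(child, "NS", ns) for ns in nameservers]
    # One CNAME per address, pointing from the natural name into the child zone
    records += [(f"{h}.{parent}", "CNAME", f"{h}.{child}") for h in range(first, last + 1)]
    return child, records

def ns_only_parent_records(cidr, nameservers):
    """Parent-zone records for the NS-only scheme: each address becomes its own
    delegated zone, so the parent needs len(nameservers) NS records per address."""
    net = ipaddress.ip_network(cidr)
    return [(f"{a.reverse_pointer}.", "NS", ns) for a in net for ns in nameservers]

def child_zones(scheme, cidr, ptrs, nameservers, style="slash"):
    """What the delegated party must serve. ptrs maps last octet -> hostname.
    Returns {zone_name: [(owner, type, rdata), ...]} (SOA/apex NS omitted)."""
    net = ipaddress.ip_network(cidr)
    parent = _parent_zone(net)
    if scheme == "rfc2317":
        child, _ = rfc2317_parent_records(cidr, nameservers, style)
        # One zone; PTRs are ordinary leaf records below the apex
        return {child: [(str(h), "PTR", name) for h, name in sorted(ptrs.items())]}
    # NS-only: one zone per address, and the PTR sits at the zone apex ("@")
    return {f"{h}.{parent}": [("@", "PTR", name)] for h, name in sorted(ptrs.items())}
```

Comparing the two parent record lists makes the record-count point concrete: 2 NS + 8 CNAMEs for RFC 2317 against 16 NS records for the NS-only scheme with two nameservers.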
