Reverse Zones - Subnets?

Joseph S D Yao jsdy at center.osis.gov
Fri Jul 7 22:04:16 UTC 2006


On Fri, Jul 07, 2006 at 03:09:47PM -0400, Matt wrote:
> Ok,
> I *am* the ISP.  We just recently migrated from Windows DNS to Bind.
> We were given a class /29 to reverse, and I'm trying to figure out the
> syntax in the named.conf file and in the zone record.  So I already
> have an upstream pointing the records at us for reversal.. I just need
> to make sure I've got the actual reversal correct, but only for a /29
> not the whole /24.

There are lots of ways to do this, so the two of you need to agree on a
"base" domain for them to use.  It's easiest if it's either a domain
they already use or one that you can readily delegate, such as a
subdomain of your reverse domain.

Since there is no /29 network that starts with 192.168.1.1, let's use
192.168.1.8/29 as our example.

Let's say that you agree with them that they will use
"8-29.1.168.192.in-addr.arpa" as their "base" domain.  This has the
added advantage of packaging the network start address and mask length
in the name.

You will add the following to your "zone.192.168.1" zone file, which you
have declared for zone "1.168.192.in-addr.arpa".  Note that I will be
aliasing "8" and "15", and fully expect a number of people to declare
that this is a waste.  But they're part of the subnet, and personally I
like to label them with "network.foo.example" and
"broadcast.foo.example" type labels.  You should give your customer this
option, IMHO.

8-29	NS	ns1.customer.isp.com.
8-29	NS	ns2.customer.isp.com.
8	CNAME	8.8-29
9	CNAME	9.8-29
10	CNAME	10.8-29
11	CNAME	11.8-29
12	CNAME	12.8-29
13	CNAME	13.8-29
14	CNAME	14.8-29
15	CNAME	15.8-29

This can also be done with the following, which is very useful,
especially in a larger subnet:

8-29	NS	ns1.customer.isp.com.
8-29	NS	ns2.customer.isp.com.
$GENERATE	8-15	$	CNAME	$.8-29

(Cf. <http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#id2566761>.)

The customer will have the following in their "zone.192.168.1.8-29"
file, which they will have bound on their name servers to the zone
"8-29.1.168.192.in-addr.arpa".

$TTL	1d
@	SOA	...
	NS	ns1.customer.isp.com.
	NS	ns2.customer.isp.com.
8	PTR	network.foo.example.
9	PTR	matt.foo.example.
10	PTR	nicolas.foo.example.
11	PTR	joseph.foo.example.
; 12, 13, and 14 are not used yet
15	PTR	broadcast.foo.example.
@	TXT	"@(#)$Id:$"	; Anyone know why I do this?  ;-)

Now let's see what happens when someone at dial-in-1-2-3.aol.com looks
up the reverse DNS for "192.168.1.9".

They discover that you have the zone "1.168.192.in-addr.arpa".  They ask
you for a PTR record for "9.1.168.192.in-addr.arpa".

You respond that the Canonical NAME for this is really
"9.8-29.1.168.192.in-addr.arpa".

They ask who the Name Servers are for "8-29.1.168.192.in-addr.arpa".
You tell them "ns1.customer.isp.com." and "ns2.customer.isp.com.".

They go get the IP address for one of these name servers, and then ask
it for the PTR record for "9.8-29.1.168.192.in-addr.arpa".  And that
name server tells them, "matt.foo.example.".

Capisce?


-- 
Joe Yao
-----------------------------------------------------------------------
   This message is not an official statement of OSIS Center policies.
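As an added example (not part of Joe's message and not BIND code), the script below generates the parent-zone NS and CNAME records for a classless in-addr.arpa delegation using the "start-length" base label from the post, and then walks a reverse lookup step by step the way the post describes. It generalizes beyond the /29 to any IPv4 prefix longer than /24; the network, name-server names and PTR data are constructed sample values.

```python
import ipaddress


def rfc2317_delegation(network, name_servers):
    """Parent-zone NS + CNAME records for a classless in-addr.arpa delegation.
    Returns (parent_zone, child_zone, records) with records as (owner, type, rdata)
    tuples relative to parent_zone, like the lines the post adds to the /24 zone."""
    net = ipaddress.ip_network(network, strict=True)   # rejects e.g. 192.168.1.1/29
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("classless delegation applies to IPv4 prefixes longer than /24")
    octets = str(net.network_address).split(".")
    parent_zone = ".".join(reversed(octets[:3])) + ".in-addr.arpa"
    base_label = f"{octets[3]}-{net.prefixlen}"         # "8-29" for 192.168.1.8/29
    child_zone = f"{base_label}.{parent_zone}"
    records = [(base_label, "NS", ns) for ns in name_servers]
    for host in net:                                    # network and broadcast included
        last = str(host).rsplit(".", 1)[1]
        records.append((last, "CNAME", f"{last}.{base_label}"))
    return parent_zone, child_zone, records


def walk_reverse(ip, parent_zone, parent_records, child_zone, child_ptrs):
    """Follow a reverse lookup as a resolver would: parent zone -> CNAME -> NS of the
    delegated child zone -> PTR.  Returns the PTR target or None if the address is
    not delegated or has no PTR.  child_ptrs maps owner labels in child_zone to targets."""
    octets = str(ipaddress.ip_address(ip)).split(".")
    qname = ".".join(reversed(octets)) + ".in-addr.arpa"
    suffix = "." + parent_zone
    if not qname.endswith(suffix):
        return None                                     # outside the parent zone entirely
    label = qname[: -len(suffix)]
    cname = next((r for o, t, r in parent_records if o == label and t == "CNAME"), None)
    if cname is None:
        return None                                     # no CNAME: address was not delegated
    canonical = f"{cname}.{parent_zone}"
    child_label = child_zone[: -len(suffix)]
    has_ns = any(o == child_label and t == "NS" for o, t, _ in parent_records)
    if not has_ns or not canonical.endswith("." + child_zone):
        return None                                     # nowhere to send the child query
    return child_ptrs.get(canonical[: -len("." + child_zone)])


if __name__ == "__main__":
    parent, child, recs = rfc2317_delegation("192.168.1.8/29",
                                             ["ns1.customer.isp.com.", "ns2.customer.isp.com."])
    ptrs = {"8": "network.foo.example.", "9": "matt.foo.example.",   # constructed sample
            "15": "broadcast.foo.example."}
    print(walk_reverse("192.168.1.9", parent, recs, child, ptrs))    # matt.foo.example.
```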


