Subnet reverse delagation, RFC 2317
Jukka Pakkanen
jukka.pakkanen at qnet.fi
Thu Jul 29 12:38:15 UTC 2010
29.7.2010 15:10, Mark Andrews kirjoitti:
> In message<4C516756.5060304 at qnet.fi>, Jukka Pakkanen writes:
>
>> 29.7.2010 14:23, Mark Andrews kirjoitti:
>>
>>> In message<4C5134AF.2080302 at qnet.fi>, Jukka Pakkanen writes:
>>>
>>>
>>>> Doing first time the RFC 2317 style subnet reverse DNS, and have a
>>>> problem with recursion. When doing a query like "dig @ns1.qnet.fi -x
>>>> 62.142.217.200" is succeeds from the local network, but outside I get
>>>> "recursion requested but not available". Our /24 reverse zones work
>>>> fine, the server knows it's the master and serves ok, like "dig
>>>> @ns1.qnet.fi -x 62.142.220.5".
>>>>
>>>>
>>> There is NOTHING wrong here. You are not testing the servers properly.
>>>
>>>
>> Uuh... NOW I'm confused :)
>>
> You were confused before but didn't know it. :-)
I knew it, but after your message I was more confused...
> You were asking the
> wrong question to the wrong server. When you ask the right questions
> to the right servers it works.
>
>
Well, the goal is to be able to administer the reverse DNS of that zone,
and at the moment it's not happening. So there is still something wrong.
Somewhere. I have to think about this from the endusers point of view as
well, and for them the reverse DNS is broken.
>> There's definitely something wrong somewhere, because reverse-DNS for
>> 62.142.217.128/25 is not working as it should.
>>
> The only thing wrong is your understanding of what should be happening.
>
I can't agree with that. Reverse DNS for IP address range
62.142.217.128-254 is not working as we wish. So something is wrong
somewhere. Maybe my terminology about address spaces & name spaces is
off, but I suppose everybody at the list understands what I'm after.
>> ns1.qnet.fi should be the authoritive reverse DNS server for that IP
>> range, but it's not serving. Getting "recursion requested but not
>> available".
>>
>
>>> While ns1.qnet.fi is authoritative for 128/25.217.142.62.IN-ADDR.ARPA,
>>> it is not authoritative for 217.142.62.IN-ADDR.ARPA. When you do
>>> "dig @ns1.qnet.fi -x 62.142.220.5" you are asking for
>>> PTR 5.217.142.62.IN-ADDR.ARPA which ns1.qnet.fi does not serve.
>>>
>> 62.142.220.0/24 has been delegated to out servers (qnet servers) and
>> have been working fine for years. And are working at them moment.
>> Mentioning 62.142.220.5 was just to inform that with similar
>> configuration, this /24 reverse dns works ok.
>>
>> The problem is the 62.142.217.128/25 network, which should be delegated
>> to out servers, but for some reason they respond with "recursion needed".
>>
> No. 128/25.217.142.62.IN-ADDR.ARPA has been delegated to your servers.
> If 62.142.217.128/25 was delegated to you servers you would have
> 128 zones, 128.217.142.62.IN-ADDR.ARPA ... 255.217.142.62.IN-ADDR.ARPA.
>
> The reverses for 62.142.217.128/25 is still served by the servers for
> 217.142.62.IN-ADDR.ARPA.
>
>
>>> Recursive server will ask the servers for 217.142.62.IN-ADDR.ARPA for PTR
>>> 5.217.142.62.IN-ADDR.ARPA, see the CNAME to 5.128/25.217.142.62.IN-ADDR.ARPA
>>>
I think you have missed the difference between the two cases/networks,
one network of IP address is 62.142.217.128/25, the other one on
62.142.220.0/24, otherwise I don't understand where you get the number
"5" in the messages refering to this problem?
>>> then ask the servers for 128/25.217.142.62.IN-ADDR.ARPA for the PTR
>>> record at 5.128/25.217.142.62.IN-ADDR.ARPA. It will then combine the
>>> two answers and send it back to the original client.
>>>
>>>
>> 62.142.217.5 is NOT supposed to be delegated to our servers.
>>
Like said, this IP has nothing to do with us.
>>>> Recursion is only allowed for the local networks, but why the server
>>>> thinks recursion is needed in the first place?
>>>>
>>>>
>>> Because you are asking the wrong server about 5.217.142.62.IN-ADDR.ARPA.
>>>
>> I'm not asking that.
>>
> But you are.
No I'm not :)
> Please read the question section of the answers you get back.
>
> ;<<>> DiG 9.3.6-P1<<>> @ns1.qnet.fi -x 62.142.220.5
>
> ;; QUESTION SECTION:
> ;5.220.142.62.in-addr.arpa. IN PTR
>
This is not the 62.142.217.128/25 network, where I have this problem.
This is 62.142.220.0/24 network. Which works fine, regarding the reverse
DNS.
>>> If ns1.qnet.fi is made a slave of 217.142.62.IN-ADDR.ARPA it would then
>>> have all the information required to answer the query without asking
>>> other services.
>>>
>>>
>> If it's a slave, how can I administer the zone?
>>
> You don't. You just have a copy of the zone locally. The administrator
> for 217.142.62.IN-ADDR.ARPA changes it.
>
So we gat back to my original problem again, how can I administer the
zone on our server? What needs to be done, in addition or differently
of what's been done now.
Of course I could have asked "how can I have reverse DNS delegated and
working for IP addresses 62.142.217.128-254 to our Bind servers so that
we can administer the reverse DNS of these IP addresses", but instead I
tried to be more specific, tell what's been done, and what happens. And
asked we I'm doing wrong when the goal is not achieved.
More information about the bind-users
mailing list