Breaking up RFC 1918 reverse space

Chris Buxton chris.p.buxton at gmail.com
Tue Jul 26 07:14:23 UTC 2011


On Jul 25, 2011, at 2:53 PM, Peter Laws wrote:

> On 07/23/11 22:08, Karl Auer wrote:
> 
> 
>> Maybe this is an overly naive approach, but can't you set up one zone
>> for 10.0.0.0/8 and delegate as necessary from that single zone file?
>> Anything that you don't have an answer for will get NXDOMAIN, which is
>> presumably what you want.
> 
>> So:
>> 
>>    zone "10.IN-ADDR.ARPA" {
>>            type master;
>>            file "internal/db.10.rev";
>>            allow-query { network_internal; };
>>    };
>> 
>> Then in the zone file internal/db.0.rev:
>> 
>>    $ORIGIN 10.in-addr.arpa.
>>    [...]
>>    0 3600 IN NS ns00.mydomain.
>>    1 3600 IN NS ns01.mydomain.
>>    ... etc
>> 
> 
> 
> I thought of that, too.  Were I delegating all slivers of the 10/8 space (it's actually 4 10/10 spaces), then I'd have done it long ago and not asked the question.  I'm more confused than that - read on.  :-)
> 
> What I think I didn't make clear in my first post was that I actually want to do two things:
> 
> 1) I want to break 10/8 space into 4 10/10 zones (actual, independent zones).
> 
> 10.0.0.0/10
> 10.64.0.0/10
> 10.128.0.0/10
> 10.192.0.0/10

You could use DNAME records to achieve this division into exactly 4 subzones, although this is conceptually difficult for many people to understand. The practice is remarkably simple.

> 2) Serve one resulting zone myself, delegate all of two others, then delegate parts of the last one.

You must be authoritative for the /8 reverse zone, the first of the /10s, and the last of the /10s. Delegate the other two /10 zones elsewhere.

In the /8, you must delegate all four /10s. For the first and last, delegate to yourself.

In the last /10 reverse zone, delegate parts as needed.

> So my initial question was incomplete.
> 
> 
> I've read about $GENERATEing CNAME records for chunks and then delegating the chunks, for example
> 
> 0	IN	CNAME	0-63.10.in-addr.arpa.
> 1	IN	CNAME	0-63.10.in-addr.arpa.
> 2	IN	CNAME	0-63.10.in-addr.arpa.
> etc

These would be DNAME records, not CNAME. Also, the rdata would typically start with the network address. For example:

0	DNAME	0.0-63.10.in-addr.arpa.
1	DNAME	1.0-63.10.in-addr.arpa.

This is the trick that allows you to divide the /8 into 4 child zones, rather than 256.

> but done with $GENERATE and then actually delegating with

This might work (untested):

$GENERATE 0-63 $.10.in-addr.arpa. DNAME $.0-63.10.in-addr.arpa.

Feel free to remove each instance of ".10.in-addr.arpa.", as this is the current $ORIGIN. For example, this should be equivalent:

$GENERATE 0-63 $ DNAME $.0-63

> 0-63.10.in-addr.arpa.	IN	NS	ns1.edu.
> 64-127.10.in-addr.arpa.	IN	NS	ns2.edu.
> etc

Yes, this is the delegation, which divides the /8 into 4 /10s. Try to have multiple NS records for each zone name:

0-63	NS	ns1.ou.edu.
0-63	NS	ns2.ou.edu.

64-127	NS	some.other.name.server.
64-127	NS	and.another.name.server.

> Where I'm confused (or have confused myself) is the part about wanting to actually break the zone up (I want to break it up for the usual reasons - size and limiting damage)

Are you still confused? If so, try to explain where you're confused.

Chris Buxton
BlueCat Networks
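An added worked example (mine, not part of this thread and not BIND code): a small Python script that expands what the $GENERATE/DNAME lines in 10.in-addr.arpa produce for a 2**k-way split of the /8 (the four /10s discussed above are the k=2 case) and then applies the DNAME substitution the way a resolver does per RFC 6672, where a DNAME rewrites every name below its owner but never the owner name itself, so you can check on paper that any 10.x.y.z PTR name lands in the intended child zone. The child zone names 0-63.10.in-addr.arpa. and so on follow the naming used in the thread; the server names ns1.example. and ns2.example. are made up for the example.

```python
"""Illustration of splitting 10.in-addr.arpa into 2**k child zones with DNAME.

Added example; not from the bind-users thread and not BIND's own code.
Server names (ns1.example., ns2.example.) are constructed placeholders.
"""
from typing import Dict, List, Tuple

PARENT = "10.in-addr.arpa."


def child_zone(lo: int, hi: int) -> str:
    # Same naming convention as the thread: "0-63.10.in-addr.arpa." etc.
    return f"{lo}-{hi}.{PARENT}"


def split_points(prefix_len: int) -> List[Tuple[int, int]]:
    """Second-octet ranges when 10/8 is cut into /prefix_len blocks.
    /10 -> four blocks of 64 values; /16 -> the classic 256 per-octet zones."""
    if not 9 <= prefix_len <= 16:
        raise ValueError("split must fall inside the second octet (/9 .. /16)")
    size = 256 >> (prefix_len - 8)
    return [(lo, lo + size - 1) for lo in range(0, 256, size)]


def build_parent_zone(prefix_len: int, ns: Dict[str, List[str]]) -> str:
    """Render the records a $GENERATE would expand to, plus NS delegations.
    `ns` maps a child zone name to the servers it is delegated to."""
    lines = [f"$ORIGIN {PARENT}"]
    for lo, hi in split_points(prefix_len):
        child = child_zone(lo, hi)
        for server in ns.get(child, []):
            lines.append(f"{lo}-{hi}\tIN\tNS\t{server}")
        # One DNAME per second octet: x.10.in-addr.arpa -> x.lo-hi.10.in-addr.arpa
        for octet in range(lo, hi + 1):
            lines.append(f"{octet}\tIN\tDNAME\t{octet}.{child}")
    return "\n".join(lines) + "\n"


def dname_table(prefix_len: int) -> Dict[str, str]:
    """owner name -> DNAME target, for every second octet."""
    return {f"{o}.{PARENT}": f"{o}.{child_zone(lo, hi)}"
            for lo, hi in split_points(prefix_len) for o in range(lo, hi + 1)}


def apply_dname(qname: str, table: Dict[str, str]) -> Tuple[str, str]:
    """RFC 6672 substitution: a DNAME at owner O redirects names *below* O,
    never O itself (a query for O just returns the DNAME record).
    Returns (rewritten name, child zone that now owns it)."""
    for owner, target in table.items():
        # "." + owner keeps label boundaries: 3.10... must not match 13.10...
        if qname != owner and qname.endswith("." + owner):
            prefix = qname[: -len(owner) - 1]
            new = f"{prefix}.{target}"
            zone = target.split(".", 1)[1]  # drop the leading octet label
            return new, zone
    raise LookupError(f"{qname} is not below any DNAME owner")


def is_redirected(qname: str, table: Dict[str, str]) -> bool:
    try:
        apply_dname(qname, table)
        return True
    except LookupError:
        return False


def ptr_name(ip: str) -> str:
    """10.3.4.5 -> 5.4.3.10.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


if __name__ == "__main__":
    delegations = {
        "0-63.10.in-addr.arpa.": ["ns1.example.", "ns2.example."],
        "192-255.10.in-addr.arpa.": ["ns1.example.", "ns2.example."],
    }
    print(build_parent_zone(10, delegations))
    table = dname_table(10)
    for ip in ("10.3.4.5", "10.200.1.2"):
        print(ptr_name(ip), "->", apply_dname(ptr_name(ip), table))
```

Why CNAME does not do this job: a CNAME at 0.10.in-addr.arpa. only answers for that exact name, so 5.4.0.10.in-addr.arpa. would still fall through to NXDOMAIN in the parent; the DNAME is what carries the whole subtree under 0.10.in-addr.arpa. into the child zone. The same script with prefix_len 16 shows the conventional one-zone-per-second-octet layout, which needs no DNAMEs at all and is why the trick only matters when the split does not land on a label boundary.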

