Thanks for the replies, everyone; I think the consensus is that having ARIN redelegate is the correct solution, and that's fine by me. (As mentioned, my marching orders were to do this without redelegating, but if that's the correct way to do it, I can make that case.)<div>
<br></div><div>-Simon<br><br><div class="gmail_quote">On Tue, Dec 15, 2009 at 3:18 PM, Chris Thompson <span dir="ltr"><<a href="mailto:cet1@cam.ac.uk">cet1@cam.ac.uk</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div><div></div><div class="h5">On Dec 15 2009, Simon Dodd wrote:<br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
I'm having a problem configuring a delegation. We have various /24s for<br>
which we provide PTR records. If I create a zone file for<br>
188.134.63.in-addr.arpa and add PTR records, they resolve just fine. In<br>
other words, if this is my zone, I can resolve <a href="http://63.134.188.13" target="_blank">63.134.188.13</a>:<br>
<br>
$TTL 6h<br>
@ 345600 IN SOA <a href="http://dauth1.joink.com" target="_blank">dauth1.joink.com</a>. <a href="http://noc.joink.com" target="_blank">noc.joink.com</a>. (<br>
2009121524 ; Serial number<br>
86400 ; Refresh<br>
3600 ; Retry<br>
777600 ; Expire<br>
3600 ) ; Minimum TTL<br>
IN NS <a href="http://dauth1.joink.com" target="_blank">dauth1.joink.com</a>.<br>
IN NS <a href="http://dauth2.joink.com" target="_blank">dauth2.joink.com</a>.<br>
13 IN PTR <a href="http://midwest1st.com" target="_blank">midwest1st.com</a>.<br>
<br>
But that isn't what we want to do for this particular zone. We want to<br>
delegate all queries concerning 188.134.63.in-addr.arpa to<br>
<a href="http://ns1.midwestfirst.com" target="_blank">ns1.midwestfirst.com</a> and <a href="http://ns2.midwestfirst.com" target="_blank">ns2.midwestfirst.com</a>. Albitz & Liu 4th says that's<br>
fair game, so here's how I configured the zone:<br>
<br>
$TTL 6h<br>
@ 345600 IN SOA <a href="http://dauth1.joink.com" target="_blank">dauth1.joink.com</a>. <a href="http://noc.joink.com" target="_blank">noc.joink.com</a>. (<br>
2009121524 ; Serial number<br>
86400 ; Refresh<br>
3600 ; Retry<br>
777600 ; Expire<br>
3600 ) ; Minimum TTL<br>
IN NS <a href="http://ns1.midwestfirst.com" target="_blank">ns1.midwestfirst.com</a>.<br>
IN NS <a href="http://ns2.midwestfirst.com" target="_blank">ns2.midwestfirst.com</a>.<br>
</blockquote>
<br></div></div>
You can't "delegate" the *whole* of a zone like that. You are claiming<br>
to have an authoritative version of the zone, which contains no PTR<br>
records ... and incidentally, that the official servers are those in<br>
at ns*.<a href="http://midwestern.com" target="_blank">midwestern.com</a>. So you are in fact claiming to be something<br>
like a "stealth slave" for the zone, but you are still authoritative,<br>
and the rest of the world is going to believe your responses saying<br>
that the PTR records don't exist.<div><div></div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Mutatis mutandis, that's the configuration that Albitz & Liu show for<br>
delegating forward lookup zones (p. 232). It isn't quite how they show<br>
reverse lookup zones (more on this in a moment), and unfortunately, it<br>
doesn't work:<br>
<br>
[root@linux1 joink-domains]# dig -x 63.134.188.13 +trace<br>
<br>
; <<>> DiG 9.2.1 <<>> -x 63.134.188.13 +trace<br>
;; global options: printcmd<br>
. 3600000 IN NS <a href="http://B.ROOT-SERVERS.NET" target="_blank">B.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://M.ROOT-SERVERS.NET" target="_blank">M.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://K.ROOT-SERVERS.NET" target="_blank">K.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://E.ROOT-SERVERS.NET" target="_blank">E.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://L.ROOT-SERVERS.NET" target="_blank">L.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://A.ROOT-SERVERS.NET" target="_blank">A.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://J.ROOT-SERVERS.NET" target="_blank">J.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://G.ROOT-SERVERS.NET" target="_blank">G.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://C.ROOT-SERVERS.NET" target="_blank">C.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://F.ROOT-SERVERS.NET" target="_blank">F.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://H.ROOT-SERVERS.NET" target="_blank">H.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://I.ROOT-SERVERS.NET" target="_blank">I.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://D.ROOT-SERVERS.NET" target="_blank">D.ROOT-SERVERS.NET</a>.<br>
;; Received 272 bytes from 12.109.94.5#53(12.109.94.5) in 1 ms<br>
<br>
63.in-addr.arpa. 86400 IN NS <a href="http://DILL.ARIN.NET" target="_blank">DILL.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://Y.ARIN.NET" target="_blank">Y.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://INDIGO.ARIN.NET" target="_blank">INDIGO.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://Z.ARIN.NET" target="_blank">Z.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://BASIL.ARIN.NET" target="_blank">BASIL.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://HENNA.ARIN.NET" target="_blank">HENNA.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://X.ARIN.NET" target="_blank">X.ARIN.NET</a>.<br>
;; Received 180 bytes from 192.228.79.201#53(<a href="http://B.ROOT-SERVERS.NET" target="_blank">B.ROOT-SERVERS.NET</a>) in 76 ms<br>
<br>
188.134.63.in-addr.arpa. 86400 IN NS <a href="http://DAUTH1.JOINK.COM" target="_blank">DAUTH1.JOINK.COM</a>.<br>
188.134.63.in-addr.arpa. 86400 IN NS <a href="http://DAUTH2.JOINK.COM" target="_blank">DAUTH2.JOINK.COM</a>.<br>
;; Received 95 bytes from 192.35.51.32#53(<a href="http://DILL.ARIN.NET" target="_blank">DILL.ARIN.NET</a>) in 75 ms<br>
<br>
188.134.63.in-addr.arpa. 3600 IN SOA <a href="http://dauth1.joink.com" target="_blank">dauth1.joink.com</a>.<br>
<a href="http://noc.joink.com" target="_blank">noc.joink.com</a>.<br>
200<br>
9121525 86400 3600 777600 3600<br>
;; Received 100 bytes from 63.134.128.150#53(<a href="http://DAUTH1.JOINK.COM" target="_blank">DAUTH1.JOINK.COM</a>) in 0 ms<br>
<br>
As I said, this isn't quite how Albitz & Liu show delegation for reverse<br>
lookup zones. Nevertheless, the only difference that I see between what I<br>
have configured and what they show is that I'm working with<br>
188.134.63.in-addr.arpa, while they're working one level higher, at the<br>
equivalent of 134.63.in-addr.arpa. <br>
</blockquote>
<br></div></div>
Big difference. Big BIG difference. NS records only indicate a delegation<br>
when they are *not* at the zone apex.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
Accordingly, they have to specify name<br>
servers for 188 within the zone, whereas I can (I had thought) inhereit that<br>
data from the zone. Maybe not, though, since it isn't working!<br>
<br>
I even tried adding the "generate" command that they propose:<br>
<br>
$TTL 6h<br>
@ 345600 IN SOA <a href="http://dauth1.joink.com" target="_blank">dauth1.joink.com</a>. <a href="http://noc.joink.com" target="_blank">noc.joink.com</a>. (<br>
2009121526 ; Serial number<br>
86400 ; Refresh<br>
3600 ; Retry<br>
777600 ; Expire<br>
3600 ) ; Minimum TTL<br>
IN NS <a href="http://ns1.midwestfirst.com" target="_blank">ns1.midwestfirst.com</a>.<br>
IN NS <a href="http://ns2.midwestfirst.com" target="_blank">ns2.midwestfirst.com</a>.<br>
$GENERATE 1-255 IN NS <a href="http://ns1.midwestfirst.com" target="_blank">ns1.midwestfirst.com</a>.<br>
$GENERATE 1-255 IN NS <a href="http://ns2.midwestfirst.com" target="_blank">ns2.midwestfirst.com</a>.<br>
</blockquote>
<br></div>
That looks like a syntax error. If you had<br>
<br>
$GENERATE 0-255 $ IN NS <a href="http://ns1.widwestern.com" target="_blank">ns1.widwestern.com</a>.<br>
$GENERATE 0-255 $ IN NS <a href="http://ns2.midwestern.com" target="_blank">ns2.midwestern.com</a>.<br>
<br>
that would be a correct delegation of 256 different sub-zones, each<br>
of which would presumably contain just one PTR record, and you would<br>
have to configure the ns*.<a href="http://midwestern.com" target="_blank">midwestern.com</a> servers accordingly. Which<br>
would work, but I'm fairly sure you would come to regret doing it<br>
like that...<div><div></div><div class="h5"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
But no dice:<br>
<br>
; <<>> DiG 9.2.1 <<>> -x 63.134.188.13 +trace<br>
;; global options: printcmd<br>
. 3600000 IN NS <a href="http://I.ROOT-SERVERS.NET" target="_blank">I.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://A.ROOT-SERVERS.NET" target="_blank">A.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://E.ROOT-SERVERS.NET" target="_blank">E.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://G.ROOT-SERVERS.NET" target="_blank">G.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://M.ROOT-SERVERS.NET" target="_blank">M.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://L.ROOT-SERVERS.NET" target="_blank">L.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://D.ROOT-SERVERS.NET" target="_blank">D.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://B.ROOT-SERVERS.NET" target="_blank">B.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://F.ROOT-SERVERS.NET" target="_blank">F.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://H.ROOT-SERVERS.NET" target="_blank">H.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://J.ROOT-SERVERS.NET" target="_blank">J.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://K.ROOT-SERVERS.NET" target="_blank">K.ROOT-SERVERS.NET</a>.<br>
. 3600000 IN NS <a href="http://C.ROOT-SERVERS.NET" target="_blank">C.ROOT-SERVERS.NET</a>.<br>
;; Received 228 bytes from 12.109.94.5#53(12.109.94.5) in 1 ms<br>
<br>
63.in-addr.arpa. 86400 IN NS <a href="http://HENNA.ARIN.NET" target="_blank">HENNA.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://BASIL.ARIN.NET" target="_blank">BASIL.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://DILL.ARIN.NET" target="_blank">DILL.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://X.ARIN.NET" target="_blank">X.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://INDIGO.ARIN.NET" target="_blank">INDIGO.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://Z.ARIN.NET" target="_blank">Z.ARIN.NET</a>.<br>
63.in-addr.arpa. 86400 IN NS <a href="http://Y.ARIN.NET" target="_blank">Y.ARIN.NET</a>.<br>
;; Received 180 bytes from 192.36.148.17#53(<a href="http://I.ROOT-SERVERS.NET" target="_blank">I.ROOT-SERVERS.NET</a>) in 65 ms<br>
<br>
188.134.63.in-addr.arpa. 86400 IN NS <a href="http://DAUTH2.JOINK.COM" target="_blank">DAUTH2.JOINK.COM</a>.<br>
188.134.63.in-addr.arpa. 86400 IN NS <a href="http://DAUTH1.JOINK.COM" target="_blank">DAUTH1.JOINK.COM</a>.<br>
;; Received 95 bytes from 192.26.92.32#53(<a href="http://HENNA.ARIN.NET" target="_blank">HENNA.ARIN.NET</a>) in 35 ms<br>
<br>
188.134.63.in-addr.arpa. 3600 IN SOA <a href="http://dauth1.joink.com" target="_blank">dauth1.joink.com</a>.<br>
<a href="http://noc.joink.com" target="_blank">noc.joink.com</a>. 2009121523 86400 3600 777600 3600<br>
;; Received 100 bytes from 63.134.128.151#53(<a href="http://DAUTH2.JOINK.COM" target="_blank">DAUTH2.JOINK.COM</a>) in 0 ms<br>
<br>
What really baffles me is that this worked for several hours yesterday, and<br>
apparently quit overnight.<br>
</blockquote>
<br></div></div>
Probably because when the delegation NS records for 188.134.63.in-addr.arpa<br>
disagree with the in-zone ones, different caching servers may be remembering<br>
and using either set.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
One option is just to change the delegation at<br>
ARIN, but we want to avoid that <br>
</blockquote>
<br></div>
Why? You will have to bite the bullet eventually.<br>
<br>
There are more elaborate things you could do to transfer the PTR records<br>
to the ns*.<a href="http://midwestern.com" target="_blank">midwestern.com</a> servers, e.g. use CNAMEs or DNAMEs a la RFC2317,<br>
but as long as the delegation points to dauth*.<a href="http://joink.com" target="_blank">joink.com</a> those servers<br>
are involved in getting to the data. And ... <br>
$ dig +norec +short txt chaos version.bind @<a href="http://dauth1.joink.com" target="_blank">dauth1.joink.com</a><br>
"8.3.3-REL-NOESW"<br>
$ dig +norec +short txt chaos version.bind @<a href="http://dauth2.joink.com" target="_blank">dauth2.joink.com</a><br>
"8.3.3-REL-NOESW"<br>
<br>
... if that's right you truely, truely want to turn them off REAL SOON NOW<br>
(or upgrade). BIND 8 is passed on, has ceased to be, is expired and gone<br>
to meet its maker, etc. etc. It is an ex-BIND.<div class="im"><br>
<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
and in any event I'd like to know what the<br>
issue is. Any ideas on what I'm doing wrong?<br>
</blockquote>
<br></div>
Did the above help?<br><font color="#888888">
<br>
-- <br>
Chris Thompson<br>
Email: <a href="mailto:cet1@cam.ac.uk" target="_blank">cet1@cam.ac.uk</a><br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Regards,<br><br>Simon Dodd<br>Systems engineer<br>Joink Internet // <a href="http://www.joink.com">www.joink.com</a><br><br>e: <a href="mailto:simon.dodd@joinkllc.com">simon.dodd@joinkllc.com</a><br>
t: 812.2345100 ext. 116<br>f: 812.2342144<br><br>"In critical and baffling situations, it is always best to return to first principle and simple action" - Sir Winston Churchill<br>
</div>