reverse DNS ?
phn at icke-reklam.ipsec.nu
Wed Jun 5 07:25:24 UTC 2002
Brian Bergin <see_footer at domain.com> wrote:
> Trying to figure out how Reverse DNS works on the Internet. We have
> connectivity from 3 providers and /24's from all of them. 2 of the providers
> allow us to provide RDNS using our internal DNS servers. The 3rd provider
> claims it's not possible to do what the first 2 are doing. So for example (IPs
> changed for security):
> Provider 1's /24 is: 28.11.11.0-28.11.11.254
> Provider 2's /24s are: 48.11.11.0-48.11.12.254
> Provider 3's /24's are: 88.11.11.0-88.11.12.254
> We provide RDNS for 1 & 2. 3 says it's not possible. Does it not work this
> way:

3 probably does not _want_ you to do this.
What they need to do is to mail a delegation change to ARIN/RIPE/APNIC
where the /24 is delegated to your nameservers instead of the ISP's.
I would push this hard, up to the line that you drop the
3rd provider if they do not comply!

> For any provider, they get addresses from ARIN, say 88.11.0.0-88.11.254.0 and
> tell ARIN the authoritative DNS servers for that block. Then, they can then
> set up DNS on their end for our 2 subnets that they've set up for us and point
> RDNS to us so that reverse resolution works like this:

For a full /24 it's simplest to re-delegate.
For the (few) ISPs that have a /16, they can delegate themselves. Which
provider are you talking about? (We all want to know so we
can avoid them.)

> A client computer makes RDNS request for 88.11.11.4, looks to root servers finds
> that somedns.domaid.com on 88.11.1.12 is authoritative for the parent block and
> sends the client there. somedns.domaid.com doesn't know what the RDNS is for
> 88.11.11.4 but knows that dns1.ourdomain.com on 88.11.11.2 is authoritative for
> 88.11.11.0 and sends the client there. dns1.ourdomain.com is then queried and
> returns: host.ourdomain.com.
> If that's not how it works, how are provider 1 & 2 doing this? I just don't
> want to provide unsecured zone transfers to the ISP for these blocks. We
> require secured updates, don't allow transfers to DNS servers not listed on the
> name servers page, and secondary servers hosted in another location transfer
> over a VPN link. Thanks...
> Thanks...
> Brian Bergin
> I can be reached via e-mail at
> cisco_dot_news_at_comcept_dot_net.
> Replace _word_ with the corresponding
> punctuation.
--
Peter Håkanson
IPSec Sverige ( At Gothenburg Riverside )
Sorry about my e-mail address, but I'm trying to keep spam out,
remove "icke-reklam" if you feel for mailing me. Thanx.
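
The delegation discussed in this thread, as an added example that is not part of either poster's message: it derives the in-addr.arpa zone for each customer /24, prints the NS records the provider's parent zone would need, and shows which zone ends up answering a PTR query. It uses the thread's placeholder addresses and `dns1.ourdomain.com`; the function names are illustrative and the provider's block is assumed to be 88.11.0.0/16.

```python
import ipaddress

def reverse_zone(cidr):
    """in-addr.arpa zone name for an IPv4 prefix that ends on an octet boundary."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        # Anything else (e.g. a /25) cannot be a zone cut of its own and
        # needs RFC 2317 classless delegation via CNAMEs instead.
        raise ValueError(f"{cidr}: not on an octet boundary")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def delegation_records(parent_cidr, child_cidr, nameservers):
    """NS records the parent reverse zone must carry to delegate child_cidr."""
    parent = ipaddress.ip_network(parent_cidr)
    child = ipaddress.ip_network(child_cidr)
    if child == parent or not child.subnet_of(parent):
        raise ValueError(f"{child_cidr} is not a sub-block of {parent_cidr}")
    zone = reverse_zone(child_cidr)
    return [f"{zone} IN NS {ns}" for ns in nameservers]

def serving_zone(ip, zone_cuts):
    """Most specific delegated zone that contains the PTR name for ip."""
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    hits = [z for z in zone_cuts if name.endswith("." + z)]
    return max(hits, key=lambda z: z.count("."), default=None)

if __name__ == "__main__":
    PARENT = "88.11.0.0/16"          # assumed size of provider 3's block
    NS = ["dns1.ourdomain.com."]     # customer nameserver named in the thread
    cuts = [reverse_zone(PARENT)]
    for block in ("88.11.11.0/24", "88.11.12.0/24"):
        for rr in delegation_records(PARENT, block, NS):
            print(rr)                # line to add to the provider's zone
        cuts.append(reverse_zone(block))
    print(serving_zone("88.11.11.4", cuts))
```

Until the parent zone carries those NS records, `serving_zone` returns the provider's /16 zone for every address in the customer blocks, which is the situation described for provider 3.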