Reverse Zone/subZone delegation
Barry Margolin
barmar at alum.mit.edu
Sun Mar 7 15:38:29 UTC 2004
In article <c2edko$1mk7$1 at sf1.isc.org>,
"Fredrich P. S. Maney" <maney at maney.org> wrote:
> I've posted this to both bind9-users and bind-users, hope that's ok.
> I've also fudged the IPs and domains to protect the guilty and keep
> the security weenies off my back.
>
> I've been tasked with handing DNS administration off to a different
> group that doesn't really know Unix or command line interfaces. So I
> have been trying to clean everything up and make maintenance of the
> zone files as simple as possible. Part of that is putting each subnet
> (192.168.0.0/24) in our class B (192.168.0.0/16) into it's own zonefile
> (but only for the reverse zones since the entire class B is in one
> namespace -- so the forward zone is one big file).
>
> I believe that I know the answer to this question (thanks to a very
> fine response that I stumbled across in the bind9-users archive from
> 2001-07-25 by Jim Reid), but since his response dealt with forward
> zones, I'd like to verify it before I implement it in a production
> environment.
>
> I think I need something similiar to the following in the "root" class
> B zone file:
> ================= Class B Reverse Zonefile ===========================
> $ORIGIN .
> $TTL 3600 ; 1 hour
> 168.192.in-addr.arpa. IN SOA domain.org. dns.admin\@domain.org. (
> 2004030600 ; serial
> 900 ; refresh (15 minutes)
> 300 ; retry (5 minutes)
> 86400 ; expire (1 day)
> 3600 ; minimum (1 hour)
> )
> NS ns1.domain.org.
> NS ns2.domain.org.
> $ORIGIN 1.168.192.in-addr.arpa.
> 1 PTR ns1.domain.org.
> 2 PTR ns2.domain.org.
> $ORIGIN 2.168.192.in-addr.arpa.
> 1 PTR ns1.domain.org.
> 2 PTR ns2.domain.org.
> $ORIGIN 3.168.192.in-addr.arpa.
> 1 PTR ns1.domain.org.
> 2 PTR ns2.domain.org.
> ================= Class B Reverse Zonefile ===========================
This doesn't look right at all. If you're delegating the subzones, you
should have NS records in the parent zone, not PTR records. The parent
zone should contain:
$ORIGIN 168.192.in-addr.arpa.
1 NS ns1.domain.org.
NS ns2.domain.org.
2 NS ns1.domain.org.
NS ns2.domain.org.
and so on.
And why do all your PTR records point to the same two hostnames?
> And then in each of the "delegated" class C zonefiles, I need something
> similiar to the following:
Maybe the fact that you put "quotes" around "delegated" is a clue to the
fact that you're not trying to do ordinary delegation? But if so,
nothing in your original post suggests the special nature of it.
There's nothing special about delegation in reverse zones when it
happens at octet boundaries (you only have to use special tricks like
RFC 2317 when delegating smaller blocks).
> ================= Delegated Class C Reverse Zonefile =================
> $ORIGIN .
> $TTL 3600 ; 1 hour
> 1.168.192.in-addr.arpa. IN SOA domain.org. dns.admin\@domain.org. (
> 2004030600 ; serial
> 900 ; refresh (15 minutes)
> 300 ; retry (5 minutes)
> 86400 ; expire (1 day)
> 3600 ; minimum (1 hour)
> )
> NS ns1.domain.org.
> NS ns2.domain.org.
> $ORIGIN 1.168.192.in-addr.arpa.
> 1 PTR ns1.domain.org.
> 2 PTR ns2.domain.org.
> ================= Delegated Class C Reverse Zonefile =================
>
> Does that look correct? Does anyone see any gotchas that I should look
> out for? Do I need to create stanzas and zone files for all possible
> networks in the class B, or just the ones that we are using? What about
You only need the subnets that you're actually using, although you may
be able to make things simpler for the clueless admins by setting up the
whole structure ahead of time. Mostly-empty zones don't cost much.
> for name servers outside our control that may be caching or secondarying
> our zones. Anything to worry about there?
Caching servers shouldn't need any changes, they'll just follow the
delegations. Slave servers may need to be updated; if you want them to
slave the subzones, they'll need statements for each of them.
--
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
More information about the bind-users
mailing list