Newbie? Reverse DNS

Kevin Darcy kcd at daimlerchrysler.com
Sat Feb 17 01:44:47 UTC 2001


Jon Sellers wrote:

> In regards to "reverse Zone Delegation" how does one accomplish this? I
> have recently been tasked with setting up Reverse DNS lookup on two new UNIX
> based servers and I am not sure how to get it to work. I have no upstream
> provider per say and that is the problem. Any input would be appreciated.

Hmmm, not much to go on there. "no upstream provider per say[sic]"? I'm
guessing that maybe you're trying to set this up on an intranet rather than
the Internet. If so, then you'll first need to decide how to handle the *apex*
of your reverse-address namespace (you might actually have more than one apex,
if you are horribly fragmented like us, with an A-class, 4 B-classes, etc.).
What do I mean by "apex"? Well, the highest level of the in-addr.arpa tree.
So, for example, if you are using the 10.*.*.* address space, the apex is
10.in-addr.arpa, if you are using the 192.168.*.* address space, the apex is
168.192.in-addr.arpa, and so on (reverse zones are just the non-zero-filled
network address with the octets reversed and "in-addr.arpa" tacked on the
end).

If your intranet has an internal-root DNS architecture, then just delegate the
apex from the root, from in-addr.arpa, or wherever is appropriate. If, on the
other hand, you have a forwarding architecture -- so that you can resolve
Internet names internally -- you'll probably have to define the apex
explicitly on all of your internal nameservers in order to "override" the
Internet delegation for that address space, or the conspicuous absence of
same, from the point of view of your internal clients. Make one nameserver the
master of each apex, and the rest slaves or stubs.

In either case, once you have established the apex (or multiple apexes), then
you can delegate chunks of your internal reverse-address space selectively to
any nameservers you want. Or, just throw everything into that one apex zone
(might not scale very well after the first 10,000 or so addresses).

If none of this makes any sense to you, get the _DNS_and_BIND_ O'Reilly book.
If you ever want to delegate update control _beyond_ the 24-bit (3rd
octet) level, then read the book *and* RFC 2317 *and* the archives of this
list, since that can get pretty tricky...


- Kevin
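
Kevin's naming rule and apex/delegation setup, as an added worked example that is not part of the original post: a small Python script that derives the in-addr.arpa apex for a network by the rule given above (drop the zero-filled octets, reverse the rest, tack on in-addr.arpa), writes the named.conf stanza for the master and its slaves or stubs, emits the NS records that delegate a chunk of the space to another nameserver, and generates the RFC 2317 CNAME indirection needed to delegate below the /24 (third-octet) boundary. The nameserver names, file names and networks are placeholders chosen for illustration, not anything from the original thread.

```python
"""
Added example (not from the original post): derive the in-addr.arpa "apex"
for an IPv4 network and emit the BIND pieces needed to establish it:
a master/slave/stub stanza for named.conf, NS records that delegate a
sub-zone, and RFC 2317 CNAME indirection for a delegation below /24.
All nameserver names, file names and networks below are placeholders.
"""
import ipaddress


def reverse_apex(network: str) -> str:
    """in-addr.arpa zone name for a /8, /16 or /24: non-zero octets reversed."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("octet-aligned in-addr.arpa zone needs a /8, /16 or /24")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def named_conf_zone(apex: str, role: str, masters=(), directory: str = "") -> str:
    """named.conf zone stanza: one master holds the data, slaves/stubs pull it."""
    if role not in ("master", "slave", "stub"):
        raise ValueError("role must be master, slave or stub")
    lines = [f'zone "{apex}" {{', f"    type {role};"]
    if role != "master":
        if not masters:
            raise ValueError("slave/stub zones need at least one master address")
        lines.append("    masters { " + " ".join(f"{m};" for m in masters) + " };")
    lines.append(f'    file "{directory}db.{apex}";')
    lines.append("};")
    return "\n".join(lines)


def delegation_records(parent: str, child: str, nameservers) -> list:
    """NS records, owner relative to the parent apex, delegating child."""
    parent_apex = reverse_apex(parent)
    child_apex = reverse_apex(child)
    suffix = "." + parent_apex
    if not child_apex.endswith(suffix):
        raise ValueError(f"{child} is not a proper sub-zone of {parent}")
    label = child_apex[: -len(suffix)]           # e.g. "2.1" for 10.1.2.0/24 in 10/8
    return [f"{label}\tIN\tNS\t{ns}" for ns in nameservers]


def rfc2317_records(block: str, nameservers) -> list:
    """RFC 2317 classless delegation of a /25../31 block, as records for the
    enclosing /24 zone file: NS records for a 'first/prefix' label plus one
    CNAME per address pointing into that delegated sub-zone."""
    net = ipaddress.ip_network(block, strict=True)
    if net.version != 4 or not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation applies to blocks between /25 and /31")
    enclosing = reverse_apex(
        str(ipaddress.ip_network(f"{net.network_address}/24", strict=False)))
    first = str(net.network_address).split(".")[3]
    label = f"{first}/{net.prefixlen}"           # RFC 2317 permits '-' instead of '/'
    records = [f"{label}\tIN\tNS\t{ns}" for ns in nameservers]
    for addr in net:                             # every address in the block
        last = str(addr).split(".")[3]
        records.append(f"{last}\tIN\tCNAME\t{last}.{label}.{enclosing}.")
    return records


if __name__ == "__main__":
    # Placeholder intranet: 10/8 apex, a /24 delegated to a site, a /26 below it.
    apex = reverse_apex("10.0.0.0/8")
    print(named_conf_zone(apex, "master"))
    print(named_conf_zone(apex, "slave", ["10.0.0.53"], "slave/"))
    print("\n".join(delegation_records("10.0.0.0/8", "10.1.2.0/24", ["ns1.site.example."])))
    print("\n".join(rfc2317_records("10.1.2.64/26", ["ns.dept.example."])[:3]), "...")
```

The delegation records go into the parent apex's zone file (the master named in the stanza), and each slave or stub listed in named.conf then learns the cut from it; the RFC 2317 records go into the enclosing /24 zone, and the department's own server serves a zone named "64/26.2.1.10.in-addr.arpa" with the actual PTR records.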
