RFC 2317 Delegation Problems

Wed Jun 23 00:01:31 UTC 2004

I just got one of my ISP's to delegate 209.189.102.192/27  to my DNS servers 
by setting up CNAME records eg:

200.103.198.209.in-addr-arpa.	CNAME	200.192.103.198.209.in-addr-arpa.

and delegated the zone 192.103.198.209.in-addr-arpa to my servers.

If I got to an outside server and try 

$ dig -x 209.189.103.200 +trace

; <<>> DiG 9.2.2-P3 <<>> -x 209.189.103.200 +trace
;; global options:  printcmd
.                       514079  IN      NS      K.ROOT-SERVERS.NET.
.                       514079  IN      NS      L.ROOT-SERVERS.NET.
.                       514079  IN      NS      M.ROOT-SERVERS.NET.
.                       514079  IN      NS      A.ROOT-SERVERS.NET.
.                       514079  IN      NS      B.ROOT-SERVERS.NET.
.                       514079  IN      NS      C.ROOT-SERVERS.NET.
.                       514079  IN      NS      D.ROOT-SERVERS.NET.
.                       514079  IN      NS      E.ROOT-SERVERS.NET.
.                       514079  IN      NS      F.ROOT-SERVERS.NET.
.                       514079  IN      NS      G.ROOT-SERVERS.NET.
.                       514079  IN      NS      H.ROOT-SERVERS.NET.
.                       514079  IN      NS      I.ROOT-SERVERS.NET.
.                       514079  IN      NS      J.ROOT-SERVERS.NET.
;; Received 436 bytes from 192.168.1.1#53(192.168.1.1) in 2 ms

209.in-addr.arpa.       86400   IN      NS      chia.arin.net.
209.in-addr.arpa.       86400   IN      NS      dill.arin.net.
209.in-addr.arpa.       86400   IN      NS      henna.arin.net.
209.in-addr.arpa.       86400   IN      NS      indigo.arin.net.
209.in-addr.arpa.       86400   IN      NS      epazote.arin.net.
209.in-addr.arpa.       86400   IN      NS      figwort.arin.net.
209.in-addr.arpa.       86400   IN      NS      ginseng.arin.net.
;; Received 199 bytes from 193.0.14.129#53(K.ROOT-SERVERS.NET) in 182 ms

103.189.209.in-addr.arpa. 86400 IN      NS      ns0.verio.net.
103.189.209.in-addr.arpa. 86400 IN      NS      ns1.verio.net.
103.189.209.in-addr.arpa. 86400 IN      NS      ns2.verio.net.
103.189.209.in-addr.arpa. 86400 IN      NS      ns3.verio.net.
103.189.209.in-addr.arpa. 86400 IN      NS      ns4.verio.net.
;; Received 145 bytes from 192.5.6.32#53(chia.arin.net) in 115 ms

200.103.189.209.in-addr.arpa. 14400 IN  NS      t.ns.verio.net.
200.103.189.209.in-addr.arpa. 14400 IN  NS      b.ns.verio.net.
;; Received 122 bytes from 129.250.15.61#53(ns0.verio.net) in 71 ms

200.103.189.209.in-addr.arpa. 86400 IN  CNAME   
200.192.103.189.209.in-addr.arpa.
192.103.189.209.in-addr.arpa. 86400 IN  NS      dns.totalflood.com.
192.103.189.209.in-addr.arpa. 86400 IN  NS      dns2.totalflood.com.
;; Received 151 bytes from 129.250.35.32#53(b.ns.verio.net) in 71 ms

That looks right to me but if I try a dig -x it fails:

$ dig -x 209.189.103.200

; <<>> DiG 9.2.2-P3 <<>> -x 209.189.103.200
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 47252
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;200.103.189.209.in-addr.arpa.  IN      PTR

;; Query time: 178 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Tue Jun 22 16:41:42 2004
;; MSG SIZE  rcvd: 46

If I specifiy one of the two dns servers, I get the correct answer:

dig @dns.totalflood.com -x 209.189.103.200

; <<>> DiG 9.2.2-P3 <<>> @dns.totalflood.com -x 209.189.103.200
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16015
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;200.103.189.209.in-addr.arpa.  IN      PTR

;; ANSWER SECTION:
200.103.189.209.in-addr.arpa. 86400 IN  CNAME   
200.192.103.189.209.in-addr.arpa.
200.192.103.189.209.in-addr.arpa. 3600 IN PTR   v200.totalflood.com.

;; AUTHORITY SECTION:
192.103.189.209.in-addr.arpa. 3600 IN   NS      dns.totalflood.com.
192.103.189.209.in-addr.arpa. 3600 IN   NS      dns2.totalflood.com.
192.103.189.209.in-addr.arpa. 3600 IN   NS      dns3.totalflood.com.

;; ADDITIONAL SECTION:
dns.totalflood.com.     3600    IN      A       12.47.198.108
dns2.totalflood.com.    3600    IN      A       65.223.121.228
dns3.totalflood.com.    3600    IN      A       209.189.103.200

;; Query time: 938 msec
;; SERVER: 12.47.198.108#53(dns.totalflood.com)
;; WHEN: Tue Jun 22 16:42:25 2004
;; MSG SIZE  rcvd: 205

My ISP seesm to be set up correctly and I seem to be set up correctly but the 
two aren't working together.

My named.conf entry for the zone is straight-forward:

zone "192.103.189.209.in-addr.arpa" {
        type master;
        file "209.189.103.192.db";
};

and the data file record is equally unremarkable.

$TTL     3600
@        IN SOA dns.totalflood.com. domainadmin.totalflood.com. (
         8
         3H
         15M
         1W
         3600 )
                             IN NS      dns.totalflood.com.
                             IN NS      dns2.totalflood.com.
                             IN NS      dns3.totalflood.com.

@                            IN TXT     "Tue Jun 22 15:32:02 2004"
193                          IN PTR     v193.totalflood.com.
etc...

I'm using version 9.2.1

Reading thru the archvies I see I am not the only person who has had problems 
with RFC 2317 delegation.  I don't feel so bad but I'd feel a whole lot 
better if someone could tell where my mistake is :-)

-- 
Stephen Carville
Unix and Network Adminstrator
DPSI
6033 W.Century Blvd.
Los Angeles, CA 90045
310-342-3602