$GENERATE forwarding problem

Mark Andrews Mark_Andrews at isc.org
Tue Jan 4 22:06:43 UTC 2005 

> Here's the deal:
> 
> We have been assigned our addresses from ARIN.  We suballocate (I think
> that's the proper term) some of our addresses to other companies in our =
> AS,
> which then again suballocate to their customers.
> 
> Our nameserver is running BIND 9.2.1.
> 
> Our colleagues nameserver is running BIND 9.2.1.
> 
> So, in one of our subnets, I have the following config:
> 
> 
> 
> $TTL    1h
> 245.21.64.in-addr.arpa. IN      SOA     ns.stellarnet.com.
> hostmaster.stellarnet.com. (
>                                 2               ; Serial
>                                 10800           ; Refresh 3 hours
>                                 3600            ; Retry   1 hour
>                                 604800          ; Expire  1 week
>                                 86400 )         ; Minimum 24 hours
> ;------------------------------------------------------------------------=
> -
> ; Name Servers
> ;------------------------------------------------------------------------=
> -
>         IN      NS      ns.stellarnet.com.
>         IN      NS      ns1.stellarnet.com.
>         IN      NS      ns2.stellarnet.com.
> ;------------------------------------------------------------------------=
> -
> ; Host Addresses point to canonical name
> ;------------------------------------------------------------------------=
> -
> 245/24  IN      NS      ns1.itgdata.net.
> 245/24  IN      NS      ns2.itgdata.net.
> $GENERATE       0-255   $       NS      ns1.itgdata.net.
> $GENERATE       0-255   $       NS      ns2.itgdata.net.
> 
> 
> 
> Now, our colleagues have the following:
> 
> 
> 
> ;
> ; Authoritative data for 245.21.64.in-addr.arpa (ORIGIN assumed
> 245.21.64.in-addr.arpa)
> ;
> $TTL    5m
> 245.21.64.in-addr.arpa. IN      SOA     ns1.itgdata.net.
> hostmaster.ideaone.net. (
>                                 2005010304      ; Serial
>                                 10800           ; Refresh 3 hours
>                                 3600            ; Retry   1 hour
>                                 604800          ; Expire  1 week
>                                 86400 )         ; Minimum 24 hours
> ;------------------------------------------------------------------------=
> -
> ; Name Servers (The name '@' is implied)
> ;------------------------------------------------------------------------=
> -
>         IN      NS      ns1.itgdata.net.
>         IN      NS      ns2.itgdata.net.
> ;------------------------------------------------------------------------=
> -
> ; Addresses point to canonical name
> ;------------------------------------------------------------------------=
> -
> 1       IN      PTR     ideaone-245-1.ideaone.net.
> 2       IN      PTR     ideaone-245-2.ideaone.net.
> ---snip----
> 126     IN      PTR     ideaone-245-126.ideaone.net.
> 127     IN      PTR     ideaone-245-127.ideaone.net.
> ; SUN DOT Communications Forwarding=20
> 128/26  IN      NS      ns2.sdnets.com.
> $GENERATE       128-191 $       NS      ns2.sdnets.com.
> ;
> 192     IN      PTR     ideaone-245-192.ideaone.net.
> 193     IN      PTR     ideaone-245-193.ideaone.net.
> ---snip to end of class "c"---
> 
> 
> 
> Locally at the ideaone server, the ip addresses in the $GENERATE subset
> resolve properly.  However, our nameserver reports a "server failed":
> 
> 
> 
> dig 64.21.245.156
> 
> ; <<>> DiG 9.2.1 <<>> 64.21.245.156
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 34566
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;64.21.245.156.                 IN      A
> ;; AUTHORITY SECTION:
> .                       8356    IN      SOA     A.ROOT-SERVERS.NET.
> NSTLD.VERISIGN-GRS.COM. 2005010400 1800 900 604800 86400
> ;; Query time: 3 msec
> ;; SERVER: 66.163.129.19#53(66.163.129.19)
> ;; WHEN: Tue Jan  4 09:06:27 2005
> ;; MSG SIZE  rcvd: 106
> 
> 
> 
> However, outside of the $GENERATEd subset, it works fine:
> 
> 
> 
> dig 64.21.245.127=20
> ; <<>> DiG 9.2.1 <<>> 64.21.245.127
> ;; global options:  printcmd
> ;; Got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 17032
> ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
> ;; QUESTION SECTION:
> ;64.21.245.127.                 IN      A
> ;; AUTHORITY SECTION:
> .                       9911    IN      SOA     A.ROOT-SERVERS.NET.
> NSTLD.VERISIGN-GRS.COM. 2005010400 1800 900 604800 86400
> ;; Query time: 3 msec
> ;; SERVER: 66.163.129.19#53(66.163.129.19)
> ;; WHEN: Tue Jan  4 09:07:02 2005
> ;; MSG SIZE  rcvd: 106
> 
> 
> 
> Also, dnsstuff gives the following information:
> 
> 
> 
> Country: UNITED STATES
> 
> Preparation:
> The  reverse DNS entry for an IP is found by reversing the IP, adding it =
> to
> "in-addr.arpa", and looking up the PTR record.
> So, the reverse DNS entry for 64.21.245.156 is found by looking up the =
> PTR
> record for 156.245.21.64.in-addr.arpa.
> All DNS requests start by asking the root servers, and they let us know =
> what
> to do next.
> See How Reverse DNS Lookups Work for more information.
> 
> How I am searching:
> Asking f.root-servers.net for 156.245.21.64.in-addr.arpa PTR record: =20
>        f.root-servers.net says to go to figwort.arin.net. (zone:
> 64.in-addr.arpa.)
> Asking figwort.arin.net. for 156.245.21.64.in-addr.arpa PTR record: =20
>        figwort.arin.net [192.42.93.32] says to go to ns2.stellarnet.com.
> (zone: 245.21.64.in-addr.arpa.)
> Asking ns2.stellarnet.com. for 156.245.21.64.in-addr.arpa PTR record: =20
>        ns2.stellarnet.com [66.163.128.15] says to go to ns2.itgdata.net.
> (zone: 156.245.21.64.in-addr.arpa.)
> Asking ns2.itgdata.net. for 156.245.21.64.in-addr.arpa PTR record: =20
>        ns2.itgdata.net [64.21.232.3] says to go to ns2.sdnets.com. =
> (zone:
> 156.245.21.64.in-addr.arpa.)
> 
> WARNING: Duplicate zone found (156.245.21.64.in-addr.arpa. is repeated).
> This can prevent the lookup from continuing
>          (BIND8 and BIND9 will cause a 'server failure' response).  =
> Although
> I will continue, be aware that
>          most DNS servers will not see your reverse DNS entry.
> 
> Asking ns2.sdnets.com. for 156.245.21.64.in-addr.arpa PTR record:  =
> Reports
> ns1.scheelssports.com. [from 66.97.248.17]
> 
> Answer:
> 64.21.245.156 PTR record: ns1.scheelssports.com. [TTL 400s]
> [A=3D64.21.245.156]
> 
> 
> 
> So what did I misconfigure???  Thanks for any suggestions or ideas, I'm
> stumped.
> 
> Alex Moen
> Operations Technology Specialist
> NDTC=20

North Dakota Telephone Co. NDTEL-2-NDTC (NET-64-21-224-0-1)
                                  64.21.224.0 - 64.21.255.255
IdeaOne Telecom IDEAONE-1 (NET-64-21-232-0-1)
                                  64.21.232.0 - 64.21.247.255
Sun Dot Communications, LLC IDEAONE-64-21-245-0 (NET-64-21-245-128-1)
                                  64.21.245.128 - 64.21.245.255


	Delegations in the DNS are strictly heirarchical.  Sideways 
	delegations DO NOT WORK.

	You need need to tell ARIN that IdeaOne Telecom's nameservers
	are the reverse servers for 64.21.232.0 - 64.21.247.255.  You
	can do this by updating NET-64-21-232-0-1.  ARIN and all RIRs
	are setup to handle this.

	IdeaOne Telecom and Sun Dot Communications then use a RFC 2317
	style delegation for 64.21.245.128 - 64.21.245.255 as it is
	smaller than a /24.

	If the final delegation was a /24 (64.21.245.0 - 64.21.245.255) then
	ARIN would have Agri ImaGIS's nameservers listed for this range
	not IdeaOne Telecom's.

	This is done because address space can be delegated on boundaries
	other than /8, /16 or /24.  The DNS is delegated on /8, /16 and /24.

	If you had a /16 (or larger) then you would be sub-delegating
	the /24's below your /16's.  As you don't the owner of the /16
	above you delegates the IN-ADDR.ARPA zones for the /24's below you
	directly.

	The delegations should look something like.
	
.			379550	IN	NS	A.ROOT-SERVERS.NET.
.			379550	IN	NS	B.ROOT-SERVERS.NET.
.			379550	IN	NS	C.ROOT-SERVERS.NET.
.			379550	IN	NS	D.ROOT-SERVERS.NET.
.			379550	IN	NS	E.ROOT-SERVERS.NET.
.			379550	IN	NS	F.ROOT-SERVERS.NET.
.			379550	IN	NS	G.ROOT-SERVERS.NET.
.			379550	IN	NS	H.ROOT-SERVERS.NET.
.			379550	IN	NS	I.ROOT-SERVERS.NET.
.			379550	IN	NS	J.ROOT-SERVERS.NET.
.			379550	IN	NS	K.ROOT-SERVERS.NET.
.			379550	IN	NS	L.ROOT-SERVERS.NET.
.			379550	IN	NS	M.ROOT-SERVERS.NET.

64.in-addr.arpa.	86400	IN	NS	chia.ARIN.NET.
64.in-addr.arpa.	86400	IN	NS	dill.ARIN.NET.
64.in-addr.arpa.	86400	IN	NS	BASIL.ARIN.NET.
64.in-addr.arpa.	86400	IN	NS	henna.ARIN.NET.
64.in-addr.arpa.	86400	IN	NS	indigo.ARIN.NET.
64.in-addr.arpa.	86400	IN	NS	epazote.ARIN.NET.
64.in-addr.arpa.	86400	IN	NS	figwort.ARIN.NET.

156.245.21.64.in-addr.arpa. 3600 IN	NS	ns1.itgdata.net.
156.245.21.64.in-addr.arpa. 3600 IN	NS	ns2.itgdata.net.

128-255.245.21.64.in-addr.arpa.	400	IN	NS	ns2.sdnets.com.
128-255.245.21.64.in-addr.arpa.	400	IN	NS	ns1.sundotcom.net.
$GENERATE 128-255 $ CNAME $.128-255.245.21.64.in-addr.arpa.

	The name of the final zone may differ.  Some common alternates are.

128/17.245.21.64.in-addr.arpa.	400	IN	NS	ns2.sdnets.com.
128/17.245.21.64.in-addr.arpa.	400	IN	NS	ns1.sundotcom.net.
$GENERATE 128-255 $ CNAME $.128/17.245.21.64.in-addr.arpa.

128.245.21.64.in-addr.arpa.	400	IN	NS	ns2.sdnets.com.
128.245.21.64.in-addr.arpa.	400	IN	NS	ns1.sundotcom.net.
$GENERATE 129-255 $ CNAME $.128.245.21.64.in-addr.arpa.

	Or the PTR's may be put in a forward zone. e.g.

$GENERATE 128-255 $ CNAME $.245.21.64.sundotcom.com.

	Or use a traditional delegation to individual zones for each of
	the addresses in the range.

$GENERATE 128-255 $ NS ns2.sdnets.com.
$GENERATE 128-255 $ NS ns1.sundotcom.net.

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org

More information about the bind-users mailing list