How to Test Reverse Delegation?

Barry Margolin barmar at alum.mit.edu
Fri Jan 7 22:32:44 UTC 2005


In article <crkqkt$2b40$1 at sf1.isc.org>,
 "Will" <DELETE_westes at earthbroadcast.com> wrote:

> We want to handle reverse delegation for 16 IPs in a /28 classless domain.
> Our ISP is willing to let us do this and will point their DNS to us as soon
> as we are ready. The problem is I don't see how we can test our reverse
> delegation in advance of the ISP setting up their server.
>
> As I understand it, the ISP will use a CNAME to rely on our server to
> resolve specific IP addresses. Resolvers on the Internet will still try
> to resolve any IP within the class C that contains our /28 range using the
> ISP, not us. When the ISP gets the query, it then privately retrieves
> the answer from our server.

No, that's not how RFC 2317 works.  The CNAME record translates the 
reverse record's label from something in their zone to something in your 
zone.  When the ISP gets the query, they return the CNAME record, and 
(unless the ISP has the target in its cache, or they're a slave for your 
zone) then the client queries your server.

> 
> If we configure the /28 reverse lookup on our DNS, how do I test it? Any
> attempt to resolve using nslookup or dig is going to go to the authoritative
> server, which in this case is the ISP's. Even pointing at our local DNS
> server directly, the DNS server is just ignoring its own configuration
> information for the reverse IP and instead going upstream to the ISP. I
> need to find a DNS testing tool that will bypass the authoritative
> server and instead try to get this information from the local server that
> has been configured to handle the reverse lookup. Does such a tool exist?

You need to query the labels that the ISP is mapping to in the CNAME 
records.  For instance, if the ISP owns 192.168.10.0/24, and has 
assigned 192.168.10.16/28 to you, the reverse domain that's delegated to 
you might be 16/28.10.168.192.in-addr.arpa.  So you need to query 
something in that zone.  You can't do an ordinary reverse lookup until 
the ISP has created the CNAME records that translate to this domain.

-- 
Barry Margolin, barmar at alum.mit.edu
Arlington, MA
*** PLEASE post questions in newsgroups, not directly to me ***
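
The test described in the reply above, as an added example that is not part of the original post: a POSIX shell helper that prints the CNAME records the ISP's zone would need and the `dig` queries that test the delegated zone directly on your own server. The function names, the default server address 127.0.0.1 and the `16/28` label form (taken from the post's example; the ISP may choose a different label) are assumptions.

```shell
#!/bin/sh
# Added example: names involved in an RFC 2317 classless reverse delegation.
# Function names are hypothetical; the child-zone label form "16/28" follows
# the post's example (an ISP may pick a different label, so confirm theirs).

# Parse NETWORK and PREFIXLEN; sets o1..o4, size and zone. Returns 1 on bad input.
rfc2317_parse() {
    len=$2
    case $len in 25|26|27|28|29|30|31) ;; *) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    o1=$1 o2=$2 o3=$3 o4=$4
    size=$(( 1 << (32 - len) ))
    [ $(( o4 % size )) -eq 0 ] || return 1   # block must start on its boundary
    zone="$o4/$len.$o3.$o2.$o1.in-addr.arpa"
}

# CNAME records for the parent (ISP) zone: one per address in the block,
# network and broadcast addresses included.
rfc2317_parent_cnames() {
    rfc2317_parse "$1" "$2" || return 1
    i=0
    while [ "$i" -lt "$size" ]; do
        h=$(( o4 + i ))
        printf '%s.%s.%s.%s.in-addr.arpa. IN CNAME %s.%s.\n' \
            "$h" "$o3" "$o2" "$o1" "$h" "$zone"
        i=$(( i + 1 ))
    done
}

# dig commands that query the CNAME *targets* on your own server, which works
# before the ISP has published anything. SERVER defaults to 127.0.0.1 (assumed).
rfc2317_test_queries() {
    rfc2317_parse "$1" "$2" || return 1
    server=${3:-127.0.0.1}
    printf 'dig @%s %s. SOA +norecurse\n' "$server" "$zone"
    i=0
    while [ "$i" -lt "$size" ]; do
        printf 'dig @%s %s.%s. PTR +norecurse\n' "$server" $(( o4 + i )) "$zone"
        i=$(( i + 1 ))
    done
}

# The post's example block.
rfc2317_parent_cnames 192.168.10.16 28
rfc2317_test_queries 192.168.10.16 28
```

Running the printed `dig` commands checks the delegated zone on your server; ordinary reverse lookups such as `dig -x 192.168.10.17` only follow this path once the ISP has created the CNAME records.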


