How to delegate public IP zone internally
Mark Andrews
Mark_Andrews at isc.org
Wed Sep 7 02:33:25 UTC 2005
> On 9/6/05, Mark Andrews <Mark_Andrews at isc.org> wrote:
> >=20
> > >
> > > An admin for one of these units has decided that he doesn't want to
> > > let us - the DNS mothership - do zone transfers anymore, negating the
> > > stealth zone idea. As it stands, nobody outside of their unit can see
> > > their 156.xxx.yyy.0 zone. The admin for the rogue unit is being
> > > intransigent... or am I?
> > >
> > > Is there any other way I can delegate these zones without claiming
> > > authority for 156.in-addr.arpa and breaking many public lookups? It
> > > seems to me that the stealth slave route is the simplest,
> > > hardest-to-break route here. If you can, please tell me otherwise.
> > >
> > Is there a reason why you don't follow the obvious? Get
> > the /16's delegated from ARIN then delegate the /24 from
> > them. Everyone can then just follow the normal delegation
> > path.
>
> Yes, there is a reason and it's name is both politics and
> institutional inertia. I am a contractor, behind enemy lines, and the
> barbed wire is thick. But first, let me correct a false impression I
> made as I ineptly tried to obscure my client's otherwise public IP
> blocks: the rogue unit acts authoritatively for a /16, not a /24. So,
> using just enough pointless obscurity to not get fired, we use
> fourteen /16 IP blocks internally:
>
> 1x8.156.in-addr.arpa to 1x2.156.in-addr.arpa
Ok that comfirms who you are working for.
> The rogue unit acts authoritatively for 1x6.156.in-addr.arpa. When I
> came on the job, "we" (the root internal name servers) were configured
> as a stealth slave; it is now apparent however that "we" are being
> denied zone transfers, breaking any attempt by other units to resolve
> this zone. The rogue admin insists that there is some way I can
> delegate this to him without acting as a slave, but I don't see how
> and he seems unwilling to directly advise me (making me wonder if he
> actually knows).
>
> So, again, my question - my embarrassing but urgent question: is there
> a way to delegate 1x6.156.in-addr.arpa without involving ARIN or
> claiming authority for 156.in-addr.arpa?
>
> Thanks - I know how nutty this question is, believe me.
> --Greg Chavez
The only way that works with *all* nameservers is to allow
the apex zones to be transfered to all the caching servers.
These can delegate the 256 /24's if they don't want the
PTR records to be transfers.
Other than that you need to use vendor extensions.
e.g.
forward / stub zones to direct the queries to the
correct servers in named.
Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
More information about the bind-users
mailing list