Alternative to RFC2317 -- Classless Delegation
Mark Andrews
Mark_Andrews at isc.org
Sat Dec 9 01:40:18 UTC 2006
> Hey all,
>
> Recently, we at work have had to delegate out some DNS records, and at the
> request of the customer-being-delegated to, instead of doing the complex
> rfc2317 intermediate-zone/cname/ns records, they simply asked us to drop
> in NS records in place of the PTR records.
>
> This works fine: reverse lookups for the affected IPs all work, and it
> would appear that it doesn't violate anything. Just as if I was going to
> delegate lab.bar.com to my development lab, I would put in an NS record
> for lab.bar.com to my lab's DNS servers. At least it doesn't "feel"
> wrong, but that's why I'm writing.
>
> Further, with RFC2317, there exists the need to be in agreement with the
> delegator about what domain to serve. i.e. to delegate 192.168.1.0-7
> (those are IPs, not the name of the zone) to my customer, I would need to
> tell him to configure the zone
>
> x.0-7.1.168.192.in-addr.arpa. (going by recipe 6.4 of the DNS & Bind
> Cookbook)
> -or-
> x.0/29.1.168.192.in-addr.arpa. (going by RFC 2317)
> -or-
> x.customer1.168.192.in-addr.arpa (assuming a case where IPs were assigned
> in random groups, i.e. not necessarily consecutive -- for example on a
> block where the same customer has the first 8 and the last 8 -- this
> would be done to have him able to save himself from having to set up a
> zone for EVERY service).
>
> Plus, there's the management of CNAMEs. We're in the process of switching
> over to having all our zonefiles being DB-generated, so it's trivial to
> change at this point, but it means much extra pain to those being
> delegated to.
>
> With the NS-only scheme, he is able to serve the zone "naturally"...i.e.
> by using the normal PTR records, as any other DNS management software
> (webmin, powerDNS, MS-DNS) would expect, instead of whatever variant is
> above (further complicated by the fact that I'm sure we're not the only
> ones doing delegation).
>
> So, then the question (and I'm sure someone has a good answer for it) is:
>
> What is wrong with the NS-only scheme of doing things? Clearly RFC2317 is
> as complex as it is for a reason, but I'm curious as to why.
Because it is more work overall especially for the child.
It also takes more resources.
RFC 2317 is not complex. It's just "add a CNAME at the well-known
reverse name to somewhere else where the PTR record is (or will
be)".
Mark
> -Dan
>
> --
>
> "You're a nomad billygoat!"
>
> -Juston, July 18th, 2002
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>
>
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: Mark_Andrews at isc.org
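The two schemes discussed in this thread, laid out side by side as an added example (this is not code from either poster, and the customer name server ns1.customer.example., the host names hostN.customer.example. and the 192.168.1.0/29 block are all constructed for it). It builds the parent zone 1.168.192.in-addr.arpa. both ways, then resolves a PTR the way a resolver would, chasing the RFC 2317 CNAME into the delegated 0/29 zone, and counts how many zones the customer ends up having to serve under each scheme.

```python
"""RFC 2317 classless delegation vs. per-address NS delegation, simulated offline.

Zones are dicts: zone apex name -> {owner name -> [(rrtype, rdata), ...]}.
Constructed for this example: the 192.168.1.0/29 block, the customer's
name server ns1.customer.example. and the hostN.customer.example. targets.
"""
import ipaddress

PARENT = "1.168.192.in-addr.arpa."
CUSTOMER_NS = "ns1.customer.example."     # assumed name of the customer's server
BLOCK = ipaddress.ip_network("192.168.1.0/29")


def reverse_name(ip):
    """Well-known reverse name, e.g. 192.168.1.3 -> 3.1.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def rfc2317_zone_name(net):
    """RFC 2317 child zone name for a sub-/24 block: 192.168.1.0/29 -> 0/29.1.168.192.in-addr.arpa."""
    o = str(net.network_address).split(".")
    return f"{o[3]}/{net.prefixlen}.{o[2]}.{o[1]}.{o[0]}.in-addr.arpa."


def build_rfc2317(net):
    """Parent: one delegation plus one CNAME per address.  Child: one zone holding the PTRs."""
    child = rfc2317_zone_name(net)
    parent_zone = {child: [("NS", CUSTOMER_NS)]}
    child_zone = {child: [("SOA", CUSTOMER_NS), ("NS", CUSTOMER_NS)]}
    for ip in net:
        last = str(ip).split(".")[3]
        alias = f"{last}.{child}"
        parent_zone[reverse_name(ip)] = [("CNAME", alias)]
        child_zone[alias] = [("PTR", f"host{last}.customer.example.")]
    return {PARENT: parent_zone, child: child_zone}


def build_ns_only(net):
    """Parent: an NS record at every address name.  Child: one zone per address, PTR at the apex."""
    parent_zone, zones = {}, {}
    for ip in net:
        name = reverse_name(ip)
        last = str(ip).split(".")[3]
        parent_zone[name] = [("NS", CUSTOMER_NS)]
        zones[name] = {name: [("SOA", CUSTOMER_NS), ("NS", CUSTOMER_NS),
                              ("PTR", f"host{last}.customer.example.")]}
    zones[PARENT] = parent_zone
    return zones


def enclosing_zone(zones, name):
    """Longest-suffix match: the zone that serves `name` (a delegated child wins over its parent)."""
    best = None
    for apex in zones:
        if name == apex or name.endswith("." + apex):
            if best is None or len(apex) > len(best):
                best = apex
    return best


def resolve_ptr(zones, ip, max_chain=8):
    """Look up the PTR for ip, following CNAMEs across zones the way a resolver would."""
    name = reverse_name(ip)
    for _ in range(max_chain):
        apex = enclosing_zone(zones, name)
        if apex is None:
            return None
        rrset = zones[apex].get(name, [])
        ptrs = [rdata for rtype, rdata in rrset if rtype == "PTR"]
        if ptrs:
            return ptrs[0]
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return None
        name = cnames[0]                    # chase the CNAME into the child zone
    return None                             # chain too long: treat as a failure


def customer_zone_count(zones):
    """How many zones (SOA apexes) the customer must configure and serve."""
    return sum(1 for apex in zones if apex != PARENT)


if __name__ == "__main__":
    for label, zones in (("RFC 2317", build_rfc2317(BLOCK)),
                         ("NS-only", build_ns_only(BLOCK))):
        print(label, "customer zones:", customer_zone_count(zones),
              "PTR for 192.168.1.3:", resolve_ptr(zones, "192.168.1.3"))
```

Both schemes answer the reverse lookup, which is why the NS-only variant "works fine"; the difference shows up in customer_zone_count: the RFC 2317 customer serves one zone with eight PTRs, while the NS-only customer serves eight single-record zones, each needing its own SOA and NS, which is the extra work and resource cost on the child side.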