Alternative to RFC2317 -- Classless Delegation

Mark Andrews Mark_Andrews at isc.org
Sat Dec 9 01:40:18 UTC 2006


> Hey all,
> 
> Recently, we at work have had to delegate out some DNS records, and at the 
> request of the customer-being-delegated to, instead of doing the complex 
> rfc2317 intermediate-zone/cname/ns records, they simply asked us to drop 
> in NS records in place of the PTR records.
> 
> This works fine: reverse lookups for the affected IPs all work, and it 
> would appear that it doesn't violate anything.  Just as if I was going to 
> delegate lab.bar.com to my development lab, I would put in an NS record 
> for lab.bar.com to my lab's DNS servers.  At least it doesn't "feel" 
> wrong, but that's why I'm writing.
> 
> Further, with RFC2317, there exists the need to be in agreement with the 
> delegator about what domain to serve.  i.e. to delegate 192.168.1.0-7 
> (those are IPs, not the name of the zone) to my customer, I would need to 
> tell him to configure the zone
> 
> x.0-7.1.168.192.in-addr.arpa. (going by recipe 6.4 of the DNS & Bind 
> Cookbook)
> -or-
> x.0/29.1.168.192.in-addr.arpa. (going by RFC 2317)
> -or-
> x.customer1.168.192.in-addr.arpa (assuming a case where IPs were assigned 
> in random groups, i.e. not necessarily consecutive -- for example on a 
> block where the same customer has the first 8 and the last 8 -- this 
> would be done to have him able to save himself from having to set up a 
> zone for EVERY service).
> 
> Plus, there's the management of CNAMES.  We're in the process of switching 
> over to having all our zonefiles being DB-generated, so it's trivial to 
> change at this point, but it means much extra pain to those being 
> delegated to.
> 
> With the NS-only scheme, he is able to serve the zone "naturally"...i.e. 
> by using the normal PTR records, as any other DNS management software 
> (webmin, powerDNS, MS-DNS) would expect, instead of whatever variant is 
> above (further complicated by the fact that I'm sure we're not the only 
> ones doing delegation).
> 
> So, then the question (and I'm sure someone has a good answer for it) is:
> 
> What is wrong with the NS-only scheme of doing things?  Clearly RFC2317 is 
> as complex as it is for a reason, but I'm curious as to why.

	Because it is more work overall especially for the child.
	It also takes more resources.

	RFC 2317 is not complex. It's just "add a CNAME at the well
	known reverse name to somewhere else where the PTR record
	is (or will be)".
 
	Mark
> -Dan
> 
> --
> 
> "You're a nomad billygoat!"
> 
> -Juston, July 18th, 2002
> 
> --------Dan Mahoney--------
> Techie,  Sysadmin,  WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144   AIM: LarpGM
> Site:  http://www.gushi.org
> ---------------------------
> 
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org
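As an added illustration (not part of the thread and not ISC code), the script below generates the parent-zone records that each scheme discussed above requires for 192.168.1.0/29, and lists the zone apexes the child then has to serve. The nameserver names are assumed; the sub-zone label defaults to the RFC 2317 "0/29" form, with the "0-7" and "customer1" forms from the question also accepted.

```python
import ipaddress


def reverse_parent(net):
    """in-addr.arpa name of the /24 containing this block (assumes IPv4, longer than /24)."""
    o1, o2, o3, _ = str(net.network_address).split(".")
    return f"{o3}.{o2}.{o1}.in-addr.arpa."


def host_range(net):
    """First and last host octet covered by the block."""
    return int(net.network_address) & 0xFF, int(net.broadcast_address) & 0xFF


def rfc2317_parent_records(cidr, child_ns, sub_label=None):
    """Parent-zone records under RFC 2317: NS records delegating one sub-zone,
    plus one CNAME per address from the well-known reverse name into it."""
    net = ipaddress.ip_network(cidr, strict=True)
    parent = reverse_parent(net)
    first, last = host_range(net)
    if sub_label is None:
        sub_label = f"{first}/{net.prefixlen}"          # e.g. "0/29"; "0-7" or "customer1" also work
    sub = f"{sub_label}.{parent}"
    records = [(sub, "NS", ns) for ns in child_ns]
    records += [(f"{i}.{parent}", "CNAME", f"{i}.{sub}") for i in range(first, last + 1)]
    return records


def ns_only_parent_records(cidr, child_ns):
    """The NS-only scheme from the question: an NS set at every address's own
    PTR name, which makes each single address its own delegated zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    parent = reverse_parent(net)
    first, last = host_range(net)
    return [(f"{i}.{parent}", "NS", ns) for i in range(first, last + 1) for ns in child_ns]


def child_zones(records):
    """Zone apexes the child must serve: every owner name carrying NS records."""
    return sorted({owner for owner, rtype, _ in records if rtype == "NS"})


def format_zone(records):
    return "\n".join(f"{owner:<34} IN {rtype:<6} {rdata}" for owner, rtype, rdata in records)


if __name__ == "__main__":
    ns = ["ns1.customer.example.", "ns2.customer.example."]   # assumed child nameservers
    for name, recs in (("RFC 2317", rfc2317_parent_records("192.168.1.0/29", ns)),
                       ("NS-only", ns_only_parent_records("192.168.1.0/29", ns))):
        print(f"; {name}: {len(recs)} parent records, {len(child_zones(recs))} child zone(s)")
        print(format_zone(recs), "\n")
```

Running it shows the trade-off Mark describes: RFC 2317 costs the parent eight CNAMEs but leaves the child one ordinary zone of PTR records, while the NS-only scheme leaves the child eight separate one-record zones to configure and serve.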