Using a Fake Parent domain to simplify delegations from ARIN?

Chris Buxton cbuxton at menandmice.com
Wed Oct 3 22:42:51 UTC 2007


Yes, this is bad practice, because it has been known to poison the cache of resolving name servers. Also, depending on your resolving architecture, you might find yourself having trouble looking up PTR records in the parts of this reverse zone that you don't own.

Furthermore, it won't work as you intend. When a resolver follows the delegation from ARIN for a /24, it's expecting either an answer or a delegation further down the namespace tree. The redelegation of the /24 that you're talking about will be seen as a lame delegation and rejected.

A better solution would be to have your central name servers act as slaves for these zones. This allows the local admins to continue to control the zone, yet have all the delegations from ARIN point to your central servers.

An even better solution would be to implement a management system that lets those departmental managers have limited access rights to your central servers, allowing them to administer just their own zones. This way, you could get rid of the departmental authoritative name servers and truly consolidate everything to your centralized servers. My company makes such software, and there are competing solutions available as well.

Chris Buxton
Men & Mice

On Oct 3, 2007, at 2:50 PM, Dylan Ulis wrote:

> I recently began working for a very large company that has a very
> fragmented IP space. In the past, many groups in our company got IP space
> directly from ARIN. Now, things are done through a central office that
> manages IPs (and Reverse DNS).
> The problem is our legacy space that is delegated from ARIN directly to our
> sub-groups. If someone with the legacy space wants to change DNS servers
> for their Reverse Zones, the change gets processed at 1) the central company
> IP office (for record keeping purposes) and then 2) ARIN (for the actual
> DNS change).
>
> I am looking to simplify this process so we don't have to go through ARIN for
> every change inside our company. I would like to change all ARIN
> delegations to point to our main company servers. Then, create a Fake
> Parent zone on our company's DNS servers, so we can delegate out to the
> groups that actually own the space. (Below is an example... I'm just using
> private IP space so I don't have to use our real IPs.)
>
> Example current ARIN delegations:
> 5.168.192.in-addr.arpa.  IN NS ns1.group1.company.com.
> 15.168.192.in-addr.arpa. IN NS ns1.group2.company.com.
> 25.168.192.in-addr.arpa. IN NS ns1.group3.company.com.
>
> Planned future ARIN delegations:
> 5.168.192.in-addr.arpa.  IN NS ns1.company.com.
> 15.168.192.in-addr.arpa. IN NS ns1.company.com.
> 25.168.192.in-addr.arpa. IN NS ns1.company.com.
>
> NEW Zone Hosted on ns1.company.com.
> 168.192.in-addr.arpa. IN NS ns1.company.com.
>
>
> So my question:
> Is this bad Internet/DNS practice to have the 168.192.in-addr.arpa. zone on
> ns1.company.com, even though we don't own the whole /16?
> Will this taint caches of other DNS servers if we now answer
> authoritatively for a zone we don't own?
>
> Thanks,
> -- 
> Dylan Ulis
> dylan.ulis at gmail.com
>
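The slave arrangement Chris recommends, written out as an added BIND named.conf example that is not from this thread. Zone and host names are the ones in Dylan's example; the 192.0.2.x addresses are constructed placeholders for the servers involved.

```conf
// Added example, not from the thread: ns1.company.com (the server named in
// the ARIN delegations) pulls each legacy /24 reverse zone from the group
// that still edits it. All 192.0.2.x addresses are constructed placeholders.

// ---- on ns1.company.com (central) ----
zone "5.168.192.in-addr.arpa" {
    type slave;                       // "secondary" in BIND 9.16+ syntax
    file "slaves/5.168.192.in-addr.arpa.db";
    masters { 192.0.2.10; };          // ns1.group1.company.com
};
zone "15.168.192.in-addr.arpa" {
    type slave;
    file "slaves/15.168.192.in-addr.arpa.db";
    masters { 192.0.2.20; };          // ns1.group2.company.com
};
zone "25.168.192.in-addr.arpa" {
    type slave;
    file "slaves/25.168.192.in-addr.arpa.db";
    masters { 192.0.2.30; };          // ns1.group3.company.com
};
// No "168.192.in-addr.arpa" zone is defined here: ns1.company.com answers
// only for the /24s that ARIN actually delegates to it.

// ---- on ns1.group1.company.com (stays primary for its own /24) ----
zone "5.168.192.in-addr.arpa" {
    type master;                      // "primary" in BIND 9.16+ syntax
    file "zones/5.168.192.in-addr.arpa.db";
    allow-transfer { 192.0.2.1; };    // ns1.company.com only
    also-notify    { 192.0.2.1; };    // push changes to the central server
};
```

For this to line up with the ARIN delegation, the apex NS RRset of each /24 zone must list ns1.company.com (the group server may stay listed as well); a zone whose own NS records name only the group server gives resolvers the parent/child mismatch that Chris describes as a lame delegation.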