Using a Fake Parent domain to simplify delegations from ARIN?
Chris Buxton
cbuxton at menandmice.com
Wed Oct 3 22:42:51 UTC 2007
Yes, this is bad practice, because it has been known to poison the
cache of resolving name servers. Also, depending on your resolving
architecture, you might find yourself having trouble looking up PTR
records in the parts of this reverse zone that you don't own.
Furthermore, it won't work as you intend. When a resolver follows the
delegation from ARIN for a /24, it's expecting either an answer or a
delegation further down the namespace tree. The redelegation of the /
24 that you're talking about will be seen as a lame delegation and
rejected.
A better solution would be to have your central name servers act as
slaves for these zones. This allows the local admins to continue to
control the zone, yet have all the delegations from ARIN point to
your central servers.
An even better solution would be to implement a management system
that lets those departmental managers have limited access rights to
your central servers, allowing them to administer just their own
zones. This way, you could get rid of the departmental authoritative
name servers and truly consolidate everything to your centralized
servers. My company makes such software, and there are competing
solutions available as well.
Chris Buxton
Men & Mice
On Oct 3, 2007, at 2:50 PM, Dylan Ulis wrote:
> I recently began working for a very large company, that has a very
> fragmented IP space. In the past, many groups in our company got
> IP space
> directly from ARIN. Now, things are done through a central office
> that
> manages IP's (and Reverse DNS).
> The problem is our legacy space that is delegated from ARIN
> directly to our
> sub-groups. If someone with the legacy space wants to change DNS
> servers
> for their Reverse Zones, the change gets processed at 1)the central
> company
> IP office (for record keeping purposes) and then 2) ARIN (for the
> actual
> DNS change).
>
> I am looking to simplify this process so we dont have to go through
> ARIN for
> every change inside our company. I would like to change all ARIN
> delegations to point to our main company servers. Then, create a Fake
> Parent zone on our company's DNS servers, so we can delegate out to
> the
> groups that actually own the space. (Below is an example... I'm
> just using
> private IP space so I dont have to use our real IP's)
>
> Example current ARIN delegations:
> 5.168.192.in-addr.arpa. IN NS ns1.group1.company.com.
> 15.168.192.in-addr.arpa. IN NS ns1.group2.company.com.
> 25.168.192.in-addr.arpa. IN NS ns1.group3.company.com.
>
> Planned future ARIN delegations:
> 5.168.192.in-addr.arpa. IN NS ns1.company.com.
> 15.168.192.in-addr.arpa. IN NS ns1.company.com.
> 25.168.192.in-addr.arpa. IN NS ns1.company.com.
>
> NEW Zone Hosted n ns1.company.com.
> 168.192.in-addr.arpa. IN NS ns1.company.com.
>
>
> So my question:
> Is this bad Internet/DNS practice to have the 168.192.in-addr.arpa.
> zone on
> ns1.company.com, even though we don't own the whole /16?
> Will this taint cache's of other DNS servers if we now answer
> authoritatively for a zone we don't own?
>
> Thanks,
> --
> Dylan Ulis
> dylan.ulis at gmail.com
>
>
>
More information about the bind-users
mailing list