direct master reverse CIDR zone without $GENERATE?

Chris Buxton cbuxton at menandmice.com
Thu Jul 17 20:38:02 UTC 2008


On Jul 17, 2008, at 1:19 PM, Justin Pryzby wrote:
> I was wondering if it was possible to have a master zone for a partial
> (sub-24 CIDR) reverse zone, without using $GENERATE.  The problem is
> that a master zone 3.2.1.in-addr.arpa for a /24 network like could be
> populated with ~256 PTRs, but if one has a /29 (say), and fills it
> with their ~8 PTRs, named will return NXDOMAIN for the other
> addresses.  I know that CIDR doesn't use the normal 3.2.1.in-addr.arpa
> but rather something like 128/29.2.1.in-addr.arpa, but that's not a
> master zone.

Yes it is. It's a master zone named 128/29.2.1.in-addr.arpa. (Actually, that name is wrong - not enough labels. It would more likely be something like 128/29.3.2.1.in-addr.arpa.)

However, it's up to your ISP to decide whether and how to do this. If they decide to use the method outlined in RFC 2317, then they get to make up an arbitrary label for your subnet - 128/29 is just one example. They could just as easily call the zone "justin.3.2.1.in-addr.arpa.", or "reverse.example.com.".

> It's possible to use a 3.2.1.in-addr.arpa zonefile with some $GENERATE
> lines [re]delegating everything besides the /29 back to the ISP, but
> then one has to hardcode their NS data, which is unfortunate.

It also doesn't work. Nobody in the outside world would ever ask your server for this information.

If you're just worried about local resolution, and if your ISP won't delegate anything to you, and if you care about the NXDOMAIN responses you would otherwise get for the rest of the /24, then...

> The
> only other alternative I can see is to create a separate zonefile for
> each IP.

... do that. Or get a new ISP, one that will delegate a CIDR subnet reverse zone to you.

> Is there a better way, or is it just accepted to let named do the
> lookups (at least the most significant octets' NS might well be
> cached), even for local IPs?

As long as there is delegation to your server, it's quite common to just let the name server find the delegation itself. From that point on (until the CNAME records expire), all lookups will complete locally.

Chris Buxton
Professional Services
Men & Mice
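As an added example, not part of the original thread or of BIND itself: a small Python script that builds both halves of the RFC 2317 arrangement described above, the ISP's delegation plus per-address CNAMEs in the /24 zone, and the customer's PTRs in the classless child zone. The block 1.2.3.128/29, ns1.example.com and the PTR targets are constructed sample values; the optional label parameter reflects Chris's point that the child zone's label is the ISP's arbitrary choice.

```python
import ipaddress


def classless_zone_name(cidr, label=None):
    """Name of the RFC 2317 child zone for a sub-/24 block.

    Default label is the "first-octet/prefix" form from RFC 2317, e.g.
    128/29.3.2.1.in-addr.arpa; the ISP may pick any label instead.
    """
    net = ipaddress.ip_network(cidr, strict=True)  # rejects 1.2.3.130/29
    if net.version != 4 or not 25 <= net.prefixlen <= 32:
        raise ValueError("RFC 2317 covers IPv4 blocks longer than a /24")
    o1, o2, o3, o4 = str(net.network_address).split(".")
    label = label or "%s/%d" % (o4, net.prefixlen)
    return "%s.%s.%s.%s.in-addr.arpa" % (label, o3, o2, o1)


def parent_zone_records(cidr, ns_names, label=None):
    """Records the ISP adds to its /24 zone: NS delegation of the child
    zone, then one CNAME per address pointing into that child zone."""
    net = ipaddress.ip_network(cidr, strict=True)
    child = classless_zone_name(cidr, label)
    lines = ["%s.\tIN\tNS\t%s." % (child, ns) for ns in ns_names]
    for addr in net:  # iterating a network yields every address in it
        last = str(addr).split(".")[-1]
        lines.append("%s\tIN\tCNAME\t%s.%s." % (last, last, child))
    return lines


def child_zone_records(cidr, ptr_map, label=None):
    """PTR records for the customer's master zone (the RFC 2317 child).
    Owner names are the last octet, relative to the child zone origin.
    ptr_map: {"1.2.3.129": "gw.example.com"} (constructed sample data)."""
    net = ipaddress.ip_network(cidr, strict=True)
    lines = []
    for ip, name in sorted(ptr_map.items(), key=lambda kv: ipaddress.ip_address(kv[0])):
        if ipaddress.ip_address(ip) not in net:
            raise ValueError("%s is outside %s" % (ip, cidr))
        lines.append("%s\tIN\tPTR\t%s." % (ip.split(".")[-1], name))
    return lines


if __name__ == "__main__":
    print("\n".join(parent_zone_records("1.2.3.128/29", ["ns1.example.com"])))
    print("\n".join(child_zone_records("1.2.3.128/29",
                                       {"1.2.3.129": "gw.example.com"})))
```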
