Missing Reverse DNS Parent Zones

Kevin Darcy kcd at chrysler.com
Thu Jun 25 19:06:36 UTC 2009


Raymond Popowich wrote:
> Hello,
>
> One of the reverse DNS zones that I am responsible for is 
> 95.69.in-addr.arpa. I have never created parent zones for any of them. 
> I create individual zones for each /24 within them. For example, I 
> don't have a 95.69.in-addr.arpa, but I do have 1.95.69.in-addr.arpa 
> 2.95.69.in-addr.arpa, 3.95.69.in-addr.arpa etc. Is this a problem? 
> I've never had an issue until a client recently mentioned that they 
> believe it's a problem. After some googling I'm still left wondering 
> if it really matters one way or the other. I can get them created, but 
> does it matter? Thanks!
>
I checked a few subdomains at random; it seems you have a zone defined 
for *every* possible legal numeric subdomain, from 0.95.69.in-addr.arpa 
through 255.95.69.in-addr.arpa. Is that correct?

If that's true, then this is a case of "it works, but it's not really 
the right thing to do". The fact that you have all of those subdomains 
set up as zones means that all reverse lookups of addresses in that 
range will work as expected. But 96.69.in-addr.arpa *is* delegated to 
you; you should have a zone for it. It's the proper thing to do.

Also, the way you're set up, degenerate queries under 96.69.in-addr.arpa 
don't generate the responses they should:

$ dig aslkfj.95.69.in-addr.arpa

; <<>> DiG 9.3.0 <<>> aslkfj.95.69.in-addr.arpa
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1461
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;aslkfj.95.69.in-addr.arpa.     IN      A

;; Query time: 55 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Jun 25 14:52:15 2009
;; MSG SIZE  rcvd: 43

While there's no practical reason for anyone to query 
aslkfj.95.69.in-addr.arpa, it's also true that they shouldn't get a 
SERVFAIL response. Permanent SERVFAIL is never justified -- the only 
time anything under your control should return SERVFAIL is if you're 
having some sort of _bona_fide_ outage, and that should only be temporary.

95.69.in-addr.arpa itself also returns SERVFAIL, and that's much more 
likely to be a query target, for debugging or for someone trying to 
verify whether the address range allocated to your organization is 
actually in use.

                                 - Kevin
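Added example (not part of Kevin's or Raymond's posts, and not BIND's own code) that turns the reply above into a check an operator can run against their own configuration before a client notices: it parses a constructed named.conf-style zone list, reports whether the parent zone for a delegated block exists and which /24 children are present, predicts (following the reasoning in the post, in a simplified model) which query names the server can answer from a zone and which fall into the "delegated to us but no zone to answer from" hole that produced the SERVFAIL in the dig output, and writes a skeleton parent zone with NS delegations for each child. The zone list, the 69.95.0.0/16 mapping, the nameserver names (ns1/ns2.example.net) and the hostmaster address are constructed placeholders; the skeleton assumes the same servers host parent and children.

```python
import ipaddress
import re
from typing import Dict, List, Optional, Sequence, Set

# Constructed sample named.conf (not the poster's real configuration): every
# /24 child zone under 95.69.in-addr.arpa exists, but no parent zone does.
SAMPLE_NAMED_CONF = "\n".join(
    ['zone "%d.95.69.in-addr.arpa" { type master; file "db.%d.95.69"; };' % (i, i)
     for i in range(256)]
    + ['zone "example.com" { type master; file "db.example.com"; };']
)

ZONE_RE = re.compile(r'zone\s+"([^"]+)"', re.IGNORECASE)


def configured_zones(conf_text: str) -> Set[str]:
    """Zone names from named.conf-style text, lowercased, without trailing dot."""
    return {m.group(1).lower().rstrip(".") for m in ZONE_RE.finditer(conf_text)}


def reverse_zone_for(cidr: str) -> str:
    """in-addr.arpa zone name for an octet-aligned (/8, /16, /24) IPv4 network."""
    net = ipaddress.IPv4Network(cidr)
    if net.prefixlen not in (8, 16, 24):
        raise ValueError("only /8, /16 and /24 map onto one in-addr.arpa zone")
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def audit_delegation(cidr: str, zones: Set[str]) -> Dict[str, List[str]]:
    """Compare a delegated block against the zones actually configured.

    Reports the parent zone if it is missing, and which /24 child zones are
    present or absent. A missing parent is the situation discussed in the post.
    """
    net = ipaddress.IPv4Network(cidr)
    parent = reverse_zone_for(cidr)
    children = ([reverse_zone_for(str(s)) for s in net.subnets(new_prefix=24)]
                if net.prefixlen < 24 else [])
    return {
        "missing_parent": [] if parent in zones else [parent],
        "present_children": [c for c in children if c in zones],
        "missing_children": [c for c in children if c not in zones],
    }


def covering_zone(qname: str, zones: Set[str]) -> Optional[str]:
    """Longest configured zone that contains qname (the zone the server answers from)."""
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def predicted_outcome(qname: str, zones: Set[str], delegated_parent: str) -> str:
    """Simplified model of the post's reasoning: a name covered by a configured
    zone is answered from that zone (NOERROR or NXDOMAIN, depending on the data).
    A name under a block delegated to this server that no configured zone covers
    has nothing authoritative to answer from, which is the SERVFAIL in the dig output."""
    name = qname.lower().rstrip(".")
    zone = covering_zone(name, zones)
    if zone is not None:
        return "answered from " + zone
    if name == delegated_parent or name.endswith("." + delegated_parent):
        return "SERVFAIL"
    return "not authoritative"


def parent_zone_skeleton(parent: str, children: Sequence[str], nameservers: Sequence[str],
                         hostmaster: str = "hostmaster.example.net.",
                         serial: int = 2009062501) -> str:
    """Minimal parent zone: SOA, apex NS, and an NS delegation for each child.

    Assumes the same servers (placeholder names) host the parent and the children.
    """
    lines = ["$ORIGIN %s." % parent, "$TTL 3600",
             "@ IN SOA %s %s ( %d 7200 900 1209600 3600 )" % (nameservers[0], hostmaster, serial)]
    lines += ["@ IN NS %s" % ns for ns in nameservers]
    for child in sorted(children, key=lambda c: int(c.split(".")[0])):
        label = child[: -(len(parent) + 1)]  # "1.95.69.in-addr.arpa" -> "1"
        lines += ["%s IN NS %s" % (label, ns) for ns in nameservers]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    zones = configured_zones(SAMPLE_NAMED_CONF)
    report = audit_delegation("69.95.0.0/16", zones)
    print("missing parent:", report["missing_parent"], "children present:", len(report["present_children"]))
    for q in ("aslkfj.95.69.in-addr.arpa", "95.69.in-addr.arpa", "10.1.95.69.in-addr.arpa"):
        print(q, "->", predicted_outcome(q, zones, "95.69.in-addr.arpa"))
    print(parent_zone_skeleton("95.69.in-addr.arpa", report["present_children"],
                               ["ns1.example.net.", "ns2.example.net."]))
```

Run against the constructed config, the audit flags only the missing parent, both the bogus name and the zone apex land in the SERVFAIL hole, and re-running the prediction with the parent zone added to the set shows those names answered from 95.69.in-addr.arpa instead. The skeleton is a starting point: the real parent zone would also carry whatever PTR data is not covered by a child, and its NS records must match what the RIR delegation publishes.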