Forward zone not working

Mark Andrews marka at isc.org
Mon May 16 22:30:08 UTC 2016 

In message <CAE8gLhnw1mO735RnPYtjh5Tw-t2j16x5yJfG7GjDNUCAXDim+Q at mail.gmail.com>, MegaBrutal writes:
> 2016-05-16 19:45 GMT+02:00 Alan Clegg <alan at clegg.com>:
> > On 5/16/16, 1:30 PM, "MegaBrutal" <bind-users-bounces at lists.isc.org on
> > behalf of megabrutal at gmail.com> wrote:
> >
> >>I want to have valid reverse & forward hostnames set up
> >>for this /64 subnet.
> >
> > This is silly.  Don't do this.
> 
> Why?
> 
> Most ISPs set up reverse & forward domain names for pool addresses.
> OK, I'm not an ISP, but it really seems to be a widely accepted and
> endorsed policy, to the point that addresses not having a reverse DNS
> often treated as suspicious.
> 
> 
> 2016-05-16 22:50 GMT+02:00 Mark Andrews <marka at isc.org>:
> >
> > If you want to delegate space to another server DELEGATE it.  Add
> > NS records for the other server.  Forward "zones" are NOT designed
> > to do this.  Doing actual delegations is *not* hard and works with
> > every server in the world.
> 
> What is the acceptable use case for forward zones, then?
> 
> See, ideally the zone should be served by my BIND server, it should be
> authoritative for the zone. Why I can't use it as the authoritative
> server for the zone is that BIND does not have a feature that the
> other DNS server has (on-the-fly generation of IPv6 reverse & forward
> records, without the need to store 2 * 2 ^ 64 records in zone files).

Ideally every machine should be registering its own PTR record in
the DNS and addresses without machines shouldn't have PTR records.
The only reason ISP did this is that they were too lazy to manage
PTR records for their customers.

We have had the tools for machines to be able to update their own
PTR records for nearly 2 decades now and only the reluctance of
ISP's to allow their clients to update the PTR records for their
own addresses has lead to this.

	zone 2.0.192.in-addr.arpa {
		type master;
		file "2.0.192.in-addr.arpa";
		update-policy {
			grant * tcp-self * PTR;
		};
	};

And on the client side a tool that does the equivalent of this
when a address is obtained.

	nsupdate -V << EOF
	local 192.0.2.1
	update delete 1.2.0.192.in-addr.arpa IN PTR
	update add 1.2.0.192.in-addr.arpa 3600 IN PTR host.example.net
	send
	EOF

Even better would be

	zone 2.0.192.in-addr.arpa {
		type master;
		file "2.0.192.in-addr.arpa";
		update-policy {
			grant * tcp-self * KEY;
			grant * selfsub *;
		};
	};

and then use SIG(0) to update the PTR record after installing a KEY
record.  This allows the client to cleanup records after it has
been renumbered.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the bind-users mailing list