Reverse Zone, Can It Be One Big Class B?

Tony Finch dot at dotat.at
Fri Dec 1 12:02:14 UTC 2017


Ray Bellis <ray at isc.org> wrote:
>
> The main thing you may wish to consider is whether you ever wish to
> DNSSEC sign your reverse zones.
>
> If you do, the zone cut on the parent name servers (which is where the
> DS records would be) must match the zone cut on your own servers, which
> would contain the DNSKEY records.

Not just DNSSEC - it's also important for negative responses.

If your authoritative server has a zone for 0.192.in-addr.arpa but a
resolver is expecting the zone cut to belong to 2.0.192.in-addr.arpa
then it won't be able to parse negative responses according to RFC 2308.
In this situation the BIND resolver will treat it as a FORMERR and reject
the response.

> So, if your RIR has delegated a single /16 part of .in-addr.arpa to you,
> and you currently split that into /24 zones yourself, you'd be fine.
> If, OTOH, your RIR can only delegate at the /24 boundary, you'd have to
> maintain your zone cuts at that boundary too.

You can use DNAME to consolidate the PTR records into one big zone - see
https://tools.ietf.org/html/draft-fanf-dnsop-rfc2317bis

This works best if you can put the DNAME records in the parent zone, but
if you can't, you might still prefer to have several nearly-empty static
zones and one big active zone, rather than lots of little active zones.

Tony.
-- 
f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/  -  I xn--zr8h punycode
Thames: Northeast 5 to 7, becoming variable 3 or 4 later. Moderate or rough,
becoming slight or moderate. Squally showers. Good, occasionally moderate.
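An added illustration (not code from the bind-users thread or from BIND itself) of the two points above: the RFC 2308 check that rejects a negative answer whose SOA sits above the zone cut the resolver expects, and the RFC 6672 DNAME rewrite that lets one large zone hold the PTR records for several /24 delegations. The check is a simplified model of the resolver's behaviour, and the zone names, DNAME targets and PTR records are constructed for the example.

```python
# Added example, not code from the mailing-list thread or from BIND.
# Models two behaviours discussed above with constructed names and records:
#  - rfc2308_negative_ok(): simplified resolver check on the SOA in the
#    authority section of an NXDOMAIN/NODATA answer (RFC 2308).
#  - dname_substitute()/resolve_ptr(): RFC 6672 DNAME rewriting that sends
#    in-addr.arpa queries into one consolidated reverse zone.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring the trailing dot."""
    return [lab for lab in name.lower().rstrip(".").split(".") if lab]

def is_subdomain(name, zone):
    """True if name is zone itself or lies below it."""
    n, z = _labels(name), _labels(zone)
    return len(n) >= len(z) and n[len(n) - len(z):] == z

def rfc2308_negative_ok(qname, soa_owner, expected_cut):
    """Simplified version of the resolver's RFC 2308 sanity check: the SOA
    returned with a negative answer must enclose qname and must sit at or
    below the delegation the resolver followed. An SOA for 0.192.in-addr.arpa
    when the delegation was for 2.0.192.in-addr.arpa fails this check, which
    is the mismatch that BIND reports as FORMERR."""
    return is_subdomain(qname, soa_owner) and is_subdomain(soa_owner, expected_cut)

def dname_substitute(qname, dname_owner, dname_target):
    """RFC 6672 substitution: if qname is a proper subdomain of the DNAME
    owner, replace the owner suffix with the target. The owner itself and
    names outside it are not rewritten (returns None)."""
    q, o = _labels(qname), _labels(dname_owner)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    return ".".join(q[:len(q) - len(o)] + _labels(dname_target)) + "."

# Constructed data: the parent zone 0.192.in-addr.arpa carries one DNAME per
# /24 that has been consolidated; all PTR records live in a single zone.
PARENT_DNAMES = {
    "2.0.192.in-addr.arpa.": "2.0.192.rev.example.net.",
    "3.0.192.in-addr.arpa.": "3.0.192.rev.example.net.",
}
BIG_ZONE_PTRS = {
    "5.2.0.192.rev.example.net.": "host5.example.net.",
    "10.3.0.192.rev.example.net.": "host10.example.net.",
}

def resolve_ptr(qname):
    """Apply the first matching DNAME, then look the rewritten name up in the
    consolidated zone. Returns (rewritten_name, ptr_target), or (None, None)
    when no DNAME covers qname."""
    for owner, target in PARENT_DNAMES.items():
        new_name = dname_substitute(qname, owner, target)
        if new_name is not None:
            return new_name, BIG_ZONE_PTRS.get(new_name)
    return None, None

if __name__ == "__main__":
    print(resolve_ptr("5.2.0.192.in-addr.arpa."))
    print(rfc2308_negative_ok("9.2.0.192.in-addr.arpa.",
                              "0.192.in-addr.arpa.",
                              "2.0.192.in-addr.arpa."))
```

The DNAME owner itself is deliberately left alone by `dname_substitute`, which is why the parent zone still needs its own NS (and, if signed, DS) records at each delegation point to keep the zone cut where resolvers expect it.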
