Reverse lookup for classless networks

Grant Taylor gtaylor at tnetconsulting.net
Thu Dec 27 18:03:36 UTC 2018


On 12/27/18 9:01 AM, Barry Margolin wrote:
> The alternative is to have a separate zone for each address, and delegate 
> each of them to your server. So the parent zone would have:

It does not require a separate zone for each address.  But it does 
require some creative zone work.

; 1.0.192.in-addr.arpa.zone on parent nameservers ns{1,2}.parent.example.
$ORIGIN 1.0.192.in-addr.arpa.
$TTL 3600
; minimal apex records so the zone loads (placeholder SOA values)
@   IN SOA ns1.parent.example. hostmaster.parent.example. ( 1 3600 900 604800 3600 )
    IN NS  ns1.parent.example.
    IN NS  ns2.parent.example.
; individual addresses delegated to the child's servers
0   IN NS  ns1.yourdomain.com.
    IN NS  ns2.yourdomain.com.
1   IN NS  ns1.yourdomain.com.
    IN NS  ns2.yourdomain.com.
...
; addresses the parent answers for itself
128 IN PTR host128.example.net.
129 IN PTR host129.example.net.
...

Yes.  This works perfectly from everything I've tested.  I've had issues 
in the past with Classless IN-ADDR.ARPA delegation.  (Particularly with 
not-small-name RBL providers not liking it 15+ years ago.)

> Either way, the parent zone needs to have specific records for each 
> of the addresses in the subnet. The client always tries to look up 
> w.x.y.z.in-addr.arpa, and only supports delegation at "." boundaries 
> in the name. There's no way for it to know automatically that different 
> "w" values are delegated to different servers.

This is simply re-using the same standard delegation we use for 
(sub)domains elsewhere in the hierarchy.

As for the zones themselves:

1)  The parent zone needs to have the delegation like Barry depicted above.
2)  The child zone needs to have records for the name being looked up. 
Nothing specifically translates to them needing to be in separate zones.

I could easily create a zone like this:

; 1.0.192.in-addr.arpa.zone on local nameservers ns{1,2}.yourdomain.com
$ORIGIN 1.0.192.in-addr.arpa.
$TTL 3600
; minimal apex records so the zone loads (placeholder SOA values)
@   IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. ( 1 3600 900 604800 3600 )
    IN NS  ns1.yourdomain.com.
    IN NS  ns2.yourdomain.com.
; addresses the child answers for itself
0   IN PTR web.yourdomain.com.
1   IN PTR ftp.yourdomain.com.
...
; addresses delegated back to the parent's servers
128 IN NS  ns1.parent.example.
    IN NS  ns2.parent.example.
129 IN NS  ns1.parent.example.
    IN NS  ns2.parent.example.
...

In essence, you end up with two independent zones for the same domain 
name, 1.0.192.in-addr.arpa, cross delegating /different/ records to each 
other.  Thus, both are perfectly happy to answer authoritatively with 
PTR records for the IPs that they are "responsible" for, while 
"delegating" (redirecting) to the other name servers for the IPs that 
they aren't locally responsible for.

IMHO it's a neat trick and avoids needing to have 10s, 100s, 1,000s of 
little tiny zone files on a DNS server.

I have yet to find any reason that this won't work.  I'm confident that 
you could even make it work with DNSSEC /if/ there is proper 
coordination between consenting parties.



-- 
Grant. . . .
unix || die
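The cross-delegation sketched in the post can be sanity-checked offline before it is put on real servers. The script below is an added example, not code from the post or from BIND: it parses two constructed zone texts modelled on the sketches above, follows NS referrals between the two server sets the way a resolver would, and reports every last octet that ends in a referral loop or with no PTR at all. All host names, the server-to-zone mapping, and the deliberately looped label 2 are constructed for the example.

```python
"""Audit a pair of cross-delegated in-addr.arpa zones for loops and gaps.

Constructed example: a parent zone that delegates some last-octet labels to
the child's servers and a child zone that delegates the rest back.  Both zone
texts are made up for this check; they are not real delegations.
"""
from collections import defaultdict

# Constructed zone text (hypothetical names, modelled on the post's sketch).
PARENT_ZONE = """\
$ORIGIN 1.0.192.in-addr.arpa.
$TTL 3600
@   IN SOA ns1.parent.example. hostmaster.parent.example. 1 3600 900 604800 3600
    IN NS  ns1.parent.example.
0   IN NS  ns1.yourdomain.com.
    IN NS  ns2.yourdomain.com.
1   IN NS  ns1.yourdomain.com.
    IN NS  ns2.yourdomain.com.
2   IN NS  ns1.yourdomain.com.     ; misconfigured on purpose: child sends 2 back
128 IN PTR host128.example.net.
129 IN PTR host129.example.net.
"""

CHILD_ZONE = """\
$ORIGIN 1.0.192.in-addr.arpa.
$TTL 3600
@   IN SOA ns1.yourdomain.com. hostmaster.yourdomain.com. 1 3600 900 604800 3600
    IN NS  ns1.yourdomain.com.
0   IN PTR web.yourdomain.com.
1   IN PTR ftp.yourdomain.com.
2   IN NS  ns1.parent.example.     ; misconfigured on purpose: points back at parent
128 IN NS  ns1.parent.example.
    IN NS  ns2.parent.example.
129 IN NS  ns1.parent.example.
    IN NS  ns2.parent.example.
"""


def parse_zone(text):
    """Parse the master-file subset used here: $ORIGIN/$TTL, ';' comments,
    blank-owner continuation lines, single-line SOA/NS/PTR records.
    Returns {owner_label: [(rtype, rdata), ...]} with labels relative to $ORIGIN."""
    records = defaultdict(list)
    owner = "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()   # strip comments
        if not line.strip() or line.startswith("$"):
            continue                           # directives are not needed here
        if line[0].isspace():
            fields = line.split()              # blank owner: reuse previous owner
        else:
            owner, *fields = line.split()
        if fields and fields[0] == "IN":
            fields = fields[1:]
        rtype, rdata = fields[0], " ".join(fields[1:])
        records[owner].append((rtype, rdata))
    return records


# Which server names answer from which zone (constructed mapping).
SERVERS = {
    "ns1.parent.example.": "parent", "ns2.parent.example.": "parent",
    "ns1.yourdomain.com.": "child", "ns2.yourdomain.com.": "child",
}


def resolve(label, zones, start="parent"):
    """Follow NS referrals between the zones for one last-octet label.
    Returns ("PTR", target, zone), ("NXDOMAIN", None, zone) or ("LOOP", None, zone)."""
    zone, visited = start, set()
    while True:
        if zone in visited:
            return ("LOOP", None, zone)        # referral came back to a server already asked
        visited.add(zone)
        rrs = zones[zone].get(label, [])
        ptrs = [rdata for rtype, rdata in rrs if rtype == "PTR"]
        if ptrs:
            return ("PTR", ptrs[0], zone)      # authoritative answer from this zone
        nss = [rdata for rtype, rdata in rrs if rtype == "NS"]
        if not nss:
            return ("NXDOMAIN", None, zone)    # nobody holds a record for this address
        zone = SERVERS[nss[0]]                 # referral: ask the delegated server


def audit(zones):
    """Classify all 256 labels of the /24; returns {label: status} for problems only."""
    problems = {}
    for n in range(256):
        status, _, _ = resolve(str(n), zones)
        if status != "PTR":
            problems[str(n)] = status
    return problems


ZONES = {"parent": parse_zone(PARENT_ZONE), "child": parse_zone(CHILD_ZONE)}

if __name__ == "__main__":
    for label in ("0", "128", "2", "3"):
        print(label, resolve(label, ZONES))
    print(len(audit(ZONES)), "labels without a PTR")
```

Resolution is started from the parent because that is where a real resolver arrives after walking down from 192.in-addr.arpa; starting from the child instead must give the same PTR for an address the parent holds, which is the property the post relies on. Label 2, delegated in both directions, is caught as a loop, and every address neither side has a PTR for is listed so that gaps in the split are visible before DNSSEC signing is attempted.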
