Spurious failures in a dynamically updated to a sub /24 reverse DNS domain
Mirsad Goran Todorovac
mirsad.todorovac at alu.unizg.hr
Wed Dec 29 18:09:26 UTC 2021
On 12/29/2021 6:57 PM, Tony Finch wrote:
> Mirsad Goran Todorovac <mirsad.todorovac at alu.unizg.hr> wrote:
>> I have recently implemented dynamic updates to a sub /24 reverse DNS
>> domain, 193.198.186.192/27.
>> I had upstream domain 192/27.186.198.193.in-addr.arpa. delegated from
>> authoritative servers.
>>
>> However, something still isn't right. In some reverse PTR addresses, the
>> resolver sees first redirection, and the second redirection, but somehow
>> fails to connect them in a reverse lookup:
> It looks to me like someone forgot to update the serial number on the zone
> 198.193.in-addr.arpa so your new delegation failed to propagate as it
> should have.
>
> The servers for 198.193.in-addr.arpa are:
>
> dns1.carnet.hr
> dns2.carnet.hr
> ns.ripe.net
>
> The first two know about the delegation for your zone
> 192/27.186.198.193.in-addr.arpa but ns.ripe.net does not.
> This is the cause of the inconsistencies that you observed.
>
> The SOA serial number for 198.193.in-addr.arpa is the same
> 2021052502 on all its nameservers.
>
> Tony.

Thank you, Tony, for this astute observation. Thank you for your time
and expertise in debugging our configuration. :-)

It never occurred to me that the error might be upstream. I will notify
the responsible admins first thing in the morning.

Once again, thank you and I hope we have found the culprit (wrong
serial). This serial is certainly wrong as it is of standard CARNet
format YYYYMMDDNN, and thereof 2nd change on 2021-05-25, and I've been
passed delegation only this month.

Looking forward to improving quality of service for our road warriors
who will benefit from the DHCP-updated forward and reverse domains. It
is good to have a reliable reverse domain in case we spot some virus or
security problem on a computer or handheld device attached dynamically
to our wired or wireless network.

Our VPN will be much more reliable and secure with reliable reverse
dynamically updated domain.

Kind regards,
Mirsad

--
Mirsad Todorovac
CARNet system engineer
Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
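
A consistency check for the situation diagnosed in this thread, as an added example that is not part of the original messages: given what each parent-zone nameserver returns (SOA serial and the NS set for the child zone cut), it flags servers that share a serial but disagree on the delegation, and a YYYYMMDDNN serial older than the delegation itself. The child NS targets, the `DELEGATED_ON` date and all function names are assumptions made for illustration; the observations would normally be collected with non-recursive queries to each server.

```python
from datetime import date

def decode_serial(serial):
    """Split a YYYYMMDDNN serial into (date, change number); None if it does not fit."""
    s = str(serial)
    if len(s) != 10 or not s.isdigit():
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
    except ValueError:  # e.g. month 13: not a date-based serial
        return None

def check_parent(observations, delegated_on=None):
    """observations maps each parent-zone server to (SOA serial, NS targets it
    returns for the child zone cut; empty set if it has no delegation)."""
    findings, by_serial = [], {}
    for server, (serial, ns_set) in observations.items():
        names = frozenset(n.lower().rstrip(".") for n in ns_set)
        by_serial.setdefault(serial, {})[server] = names
    if len(by_serial) > 1:  # may be ordinary propagation lag between servers
        findings.append(("SERIAL_MISMATCH", sorted(by_serial)))
    for serial, servers in sorted(by_serial.items()):
        if len(set(servers.values())) > 1:
            # Same serial, different zone content: secondaries see nothing to transfer.
            lacking = sorted(s for s, ns in servers.items() if not ns)
            findings.append(("SAME_SERIAL_DIFFERENT_DATA", serial, lacking))
        decoded = decode_serial(serial)
        if delegated_on and decoded and decoded[0] < delegated_on and any(servers.values()):
            findings.append(("SERIAL_PREDATES_DELEGATION", serial, decoded[0].isoformat()))
    return findings

# Constructed observations mirroring the thread; the child NS targets are placeholders.
CHILD_NS = {"ns1.example.net.", "ns2.example.net."}
SAMPLE = {
    "dns1.carnet.hr": (2021052502, CHILD_NS),
    "dns2.carnet.hr": (2021052502, CHILD_NS),
    "ns.ripe.net": (2021052502, set()),
}
DELEGATED_ON = date(2021, 12, 1)  # assumption: "only this month" in a December 2021 post

if __name__ == "__main__":
    for finding in check_parent(SAMPLE, DELEGATED_ON):
        print(finding)
```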