Spurious failures in a dynamically updated to a sub /24 reverse DNS domain

Mirsad Goran Todorovac mirsad.todorovac at alu.unizg.hr
Wed Dec 29 18:09:26 UTC 2021


On 12/29/2021 6:57 PM, Tony Finch wrote:

> Mirsad Goran Todorovac <mirsad.todorovac at alu.unizg.hr> wrote:
>> I have recently implemented dynamic updates to a sub /24 reverse DNS
>> domain, 193.198.186.192/27.
>> I had upstream domain 192/27.186.198.193.in-addr.arpa. delegated from
>> authoritative servers.
>>
>> However, something still isn't right. In some reverse PTR addresses, the
>> resolver sees first redirection, and the second redirection, but somehow
>> fails to connect them in a reverse lookup:
> It looks to me like someone forgot to update the serial number on the zone
> 198.193.in-addr.arpa so your new delegation failed to propagate as it
> should have.
>
> The servers for 198.193.in-addr.arpa are:
>
> dns1.carnet.hr
> dns2.carnet.hr
> ns.ripe.net
>
> The first two know about the delegation for your zone
> 192/27.186.198.193.in-addr.arpa but ns.ripe.net does not.
> This is the cause of the inconsistencies that you observed.
>
> The SOA serial number for 198.193.in-addr.arpa is the same
> 2021052502 on all its nameservers.
>
> Tony.

Thank you, Tony, for this astute observation. Thank you for your time 
and expertise in debugging our configuration. :-)
It never occurred to me that the error might be upstream. I will notify 
the responsible admins first thing in the morning.

Once again, thank you and I hope we have found the culprit (wrong 
serial). This serial is certainly wrong as it is of standard CARNet 
format YYYYMMDDNN, and therefore the 2nd change on 2021-05-25, and I've 
been passed the delegation only this month.

Looking forward to improving the quality of service for our road warriors 
who will benefit from the DHCP-updated forward and reverse domains. It 
is good to have a reliable reverse domain in case we spot some virus or 
security problem on a computer or handheld device attached dynamically 
to our wired or wireless network.

Our VPN will be much more reliable and secure with a reliable reverse 
dynamically updated domain.

Kind regards,
Mirsad

--
Mirsad Todorovac
CARNet system engineer
Academy of Fine Arts
University of Zagreb
Republic of Croatia, the European Union
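
The consistency check discussed in this thread, as an added example that is not part of the original messages: given what each parent-zone nameserver answers (for instance collected with `dig +norec @server`), it flags a delegation missing on some servers, identical SOA serials over differing content, and a YYYYMMDDNN serial older than the known change. The function names, the child NS names and the 2021-12-01 change date are assumptions made for illustration; the server names and the serial are the ones quoted above.

```python
from datetime import date

def serial_date(serial):
    """Decode a YYYYMMDDNN serial into (date, revision); None if not in that form."""
    s = str(serial)
    if len(s) != 10 or not s.isdigit():
        return None
    try:
        return date(int(s[:4]), int(s[4:6]), int(s[6:8])), int(s[8:])
    except ValueError:  # e.g. month 13: not a date-based serial
        return None

def audit_delegation(observations, changed_on):
    """observations: {server: (parent SOA serial, frozenset of NS names
    returned for the child zone; empty when the server has no delegation)}."""
    findings = []
    serials = {serial for serial, _ in observations.values()}
    views = {ns for _, ns in observations.values()}
    missing = sorted(srv for srv, (_, ns) in observations.items() if not ns)
    # Some, but not all, parent servers lack the delegation.
    if missing and len(missing) < len(observations):
        findings.append(("delegation-missing", missing))
    # Servers disagree on content yet report one serial: secondaries
    # comparing serials see no reason to transfer the zone again.
    if len(views) > 1 and len(serials) == 1:
        findings.append(("same-serial-different-content", sorted(serials)))
    # A date-based serial older than a known change was not bumped for it.
    for serial in sorted(serials):
        decoded = serial_date(serial)
        if decoded and decoded[0] < changed_on:
            findings.append(("serial-predates-change", serial,
                             decoded[0].isoformat(), decoded[1]))
    return findings

# Constructed observations: child NS names are placeholders, not real servers.
CHILD_NS = frozenset({"ns1.child.example.", "ns2.child.example."})
OBSERVED = {
    "dns1.carnet.hr": (2021052502, CHILD_NS),
    "dns2.carnet.hr": (2021052502, CHILD_NS),
    "ns.ripe.net": (2021052502, frozenset()),
}

if __name__ == "__main__":
    # Assumed change date: the delegation was handed over "this month".
    for finding in audit_delegation(OBSERVED, date(2021, 12, 1)):
        print(finding)
```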



