How to delegate public IP zone internally
Greg Chavez
greg.chavez at gmail.com
Wed Sep 7 01:54:27 UTC 2005
On 9/6/05, Mark Andrews <Mark_Andrews at isc.org> wrote:
>=20
> >
> > An admin for one of these units has decided that he doesn't want to
> > let us - the DNS mothership - do zone transfers anymore, negating the
> > stealth zone idea. As it stands, nobody outside of their unit can see
> > their 156.xxx.yyy.0 zone. The admin for the rogue unit is being
> > intransigent... or am I?
> >
> > Is there any other way I can delegate these zones without claiming
> > authority for 156.in-addr.arpa and breaking many public lookups? It
> > seems to me that the stealth slave route is the simplest,
> > hardest-to-break route here. If you can, please tell me otherwise.
> >
> Is there a reason why you don't follow the obvious? Get
> the /16's delegated from ARIN then delegate the /24 from
> them. Everyone can then just follow the normal delegation
> path.
Yes, there is a reason and it's name is both politics and
institutional inertia. I am a contractor, behind enemy lines, and the
barbed wire is thick. But first, let me correct a false impression I
made as I ineptly tried to obscure my client's otherwise public IP
blocks: the rogue unit acts authoritatively for a /16, not a /24. So,
using just enough pointless obscurity to not get fired, we use
fourteen /16 IP blocks internally:
1x8.156.in-addr.arpa to 1x2.156.in-addr.arpa
The rogue unit acts authoritatively for 1x6.156.in-addr.arpa. When I
came on the job, "we" (the root internal name servers) were configured
as a stealth slave; it is now apparent however that "we" are being
denied zone transfers, breaking any attempt by other units to resolve
this zone. The rogue admin insists that there is some way I can
delegate this to him without acting as a slave, but I don't see how
and he seems unwilling to directly advise me (making me wonder if he
actually knows).
So, again, my question - my embarrassing but urgent question: is there
a way to delegate 1x6.156.in-addr.arpa without involving ARIN or
claiming authority for 156.in-addr.arpa?
Thanks - I know how nutty this question is, believe me.
--Greg Chavez
More information about the bind-users
mailing list