Re: Delegating in reverse lookup zones

Kevin Darcy Tue, 15 Dec 2009 11:39:25 -0800


Simon Dodd wrote:

I'm having a problem configuring a delegation. We have various /24sfor which we provide PTR records. If I create a zone file for188.134.63.in-addr.arpa and add PTR records, they resolve just fine.In other words, if this is my zone, I can resolve 63.134.188.13<http://63.134.188.13>:
$TTL   6h
@ 345600 IN SOA dauth1.joink.com <http://dauth1.joink.com>.noc.joink.com <http://noc.joink.com>. (
                                 2009121524    ; Serial number
                                 86400         ; Refresh
                                 3600          ; Retry
                                 777600        ; Expire
                                 3600        ) ; Minimum TTL
               IN      NS      dauth1.joink.com <http://dauth1.joink.com>.
               IN      NS      dauth2.joink.com <http://dauth2.joink.com>.
13     IN      PTR     midwest1st.com <http://midwest1st.com>.
But that isn't what we want to do for this particular zone. We want todelegate all queries concerning 188.134.63.in-addr.arpa tons1.midwestfirst.com <http://ns1.midwestfirst.com> andns2.midwestfirst.com <http://ns2.midwestfirst.com>. Albitz & Liu 4thsays that's fair game, so here's how I configured the zone:
$TTL   6h
@ 345600 IN SOA dauth1.joink.com <http://dauth1.joink.com>.noc.joink.com <http://noc.joink.com>. (
                                 2009121524    ; Serial number
                                 86400         ; Refresh
                                 3600          ; Retry
                                 777600        ; Expire
                                 3600        ) ; Minimum TTL
IN NS ns1.midwestfirst.com<http://ns1.midwestfirst.com>.IN NS ns2.midwestfirst.com<http://ns2.midwestfirst.com>.
Mutatis mutandis, that's the configuration that Albitz & Liu show fordelegating forward lookup zones (p. 232). It isn't quite how they showreverse lookup zones (more on this in a moment), and unfortunately, itdoesn't work:
[r...@linux1 joink-domains]# dig -x 63.134.188.13 +trace

; <<>> DiG 9.2.1 <<>> -x 63.134.188.13 +trace
;; global options:  printcmd
. 3600000 IN NS B.ROOT-SERVERS.NET<http://B.ROOT-SERVERS.NET>.. 3600000 IN NS M.ROOT-SERVERS.NET<http://M.ROOT-SERVERS.NET>.. 3600000 IN NS K.ROOT-SERVERS.NET<http://K.ROOT-SERVERS.NET>.. 3600000 IN NS E.ROOT-SERVERS.NET<http://E.ROOT-SERVERS.NET>.. 3600000 IN NS L.ROOT-SERVERS.NET<http://L.ROOT-SERVERS.NET>.. 3600000 IN NS A.ROOT-SERVERS.NET<http://A.ROOT-SERVERS.NET>.. 3600000 IN NS J.ROOT-SERVERS.NET<http://J.ROOT-SERVERS.NET>.. 3600000 IN NS G.ROOT-SERVERS.NET<http://G.ROOT-SERVERS.NET>.. 3600000 IN NS C.ROOT-SERVERS.NET<http://C.ROOT-SERVERS.NET>.. 3600000 IN NS F.ROOT-SERVERS.NET<http://F.ROOT-SERVERS.NET>.. 3600000 IN NS H.ROOT-SERVERS.NET<http://H.ROOT-SERVERS.NET>.. 3600000 IN NS I.ROOT-SERVERS.NET<http://I.ROOT-SERVERS.NET>.. 3600000 IN NS D.ROOT-SERVERS.NET<http://D.ROOT-SERVERS.NET>.
;; Received 272 bytes from 12.109.94.5#53(12.109.94.5) in 1 ms
63.in-addr.arpa. 86400 IN NS DILL.ARIN.NET<http://DILL.ARIN.NET>.63.in-addr.arpa. 86400 IN NS Y.ARIN.NET<http://Y.ARIN.NET>.63.in-addr.arpa. 86400 IN NS INDIGO.ARIN.NET<http://INDIGO.ARIN.NET>.63.in-addr.arpa. 86400 IN NS Z.ARIN.NET<http://Z.ARIN.NET>.63.in-addr.arpa. 86400 IN NS BASIL.ARIN.NET<http://BASIL.ARIN.NET>.63.in-addr.arpa. 86400 IN NS HENNA.ARIN.NET<http://HENNA.ARIN.NET>.63.in-addr.arpa. 86400 IN NS X.ARIN.NET<http://X.ARIN.NET>.;; Received 180 bytes from 192.228.79.201#53(B.ROOT-SERVERS.NET<http://B.ROOT-SERVERS.NET>) in 76 ms
188.134.63.in-addr.arpa. 86400 IN NS DAUTH1.JOINK.COM<http://DAUTH1.JOINK.COM>.188.134.63.in-addr.arpa. 86400 IN NS DAUTH2.JOINK.COM<http://DAUTH2.JOINK.COM>.;; Received 95 bytes from 192.35.51.32#53(DILL.ARIN.NET<http://DILL.ARIN.NET>) in 75 ms
188.134.63.in-addr.arpa. 3600 IN SOA dauth1.joink.com<http://dauth1.joink.com>. noc.joink.com <http://noc.joink.com>.2009121525 86400 3600 777600 3600;; Received 100 bytes from 63.134.128.150#53(DAUTH1.JOINK.COM<http://DAUTH1.JOINK.COM>) in 0 ms
As I said, this isn't quite how Albitz & Liu show delegation forreverse lookup zones. Nevertheless, the only difference that I seebetween what I have configured and what they show is that I'm workingwith 188.134.63.in-addr.arpa, while they're working one level higher,at the equivalent of 134.63.in-addr.arpa. Accordingly, they have tospecify name servers for 188 within the zone, whereas I can (I hadthought) inhereit that data from the zone. Maybe not, though, since itisn't working!
I even tried adding the "generate" command that they propose:

$TTL   6h
@ 345600 IN SOA dauth1.joink.com <http://dauth1.joink.com>.noc.joink.com <http://noc.joink.com>. (
                                 2009121526    ; Serial number
                                 86400         ; Refresh
                                 3600          ; Retry
                                 777600        ; Expire
                                 3600        ) ; Minimum TTL
IN NS ns1.midwestfirst.com<http://ns1.midwestfirst.com>.IN NS ns2.midwestfirst.com<http://ns2.midwestfirst.com>.$GENERATE 1-255 IN NS ns1.midwestfirst.com<http://ns1.midwestfirst.com>.$GENERATE 1-255 IN NS ns2.midwestfirst.com<http://ns2.midwestfirst.com>.

That would only work if the midwestfirst.com nameservers had every PTRcontained in its own zone (with associated NS, SOA records etc.) Thisdoes not appear to be the case:


$ dig -x 63.134.188.57 soa +noquest +noadd +nostats @ns1.midwestfirst.com

; <<>> DiG 9.4.3-P3 <<>> -x 63.134.188.57 soa +noquest +noadd +nostats@ns1.midwestfirst.com

;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1180
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1

;; AUTHORITY SECTION:

188.134.63.in-addr.arpa. 86400 IN SOA ns1.midwestfirst.com.joshfell.midwestfirst.com. 2009121401 86400 3600 777600

Note that it is referring upwards to the parent zone(188.134.63.in-addr.arpa). This implies that it doesn't have57.188.134.63.in-addr.arpa configured as a zone.

I picked 57 randomly as the last octet, but I'd assume the same was truefor all of the others.

But no dice:

; <<>> DiG 9.2.1 <<>> -x 63.134.188.13 +trace
;; global options:  printcmd
. 3600000 IN NS I.ROOT-SERVERS.NET<http://I.ROOT-SERVERS.NET>.. 3600000 IN NS A.ROOT-SERVERS.NET<http://A.ROOT-SERVERS.NET>.. 3600000 IN NS E.ROOT-SERVERS.NET<http://E.ROOT-SERVERS.NET>.. 3600000 IN NS G.ROOT-SERVERS.NET<http://G.ROOT-SERVERS.NET>.. 3600000 IN NS M.ROOT-SERVERS.NET<http://M.ROOT-SERVERS.NET>.. 3600000 IN NS L.ROOT-SERVERS.NET<http://L.ROOT-SERVERS.NET>.. 3600000 IN NS D.ROOT-SERVERS.NET<http://D.ROOT-SERVERS.NET>.. 3600000 IN NS B.ROOT-SERVERS.NET<http://B.ROOT-SERVERS.NET>.. 3600000 IN NS F.ROOT-SERVERS.NET<http://F.ROOT-SERVERS.NET>.. 3600000 IN NS H.ROOT-SERVERS.NET<http://H.ROOT-SERVERS.NET>.. 3600000 IN NS J.ROOT-SERVERS.NET<http://J.ROOT-SERVERS.NET>.. 3600000 IN NS K.ROOT-SERVERS.NET<http://K.ROOT-SERVERS.NET>.. 3600000 IN NS C.ROOT-SERVERS.NET<http://C.ROOT-SERVERS.NET>.
;; Received 228 bytes from 12.109.94.5#53(12.109.94.5) in 1 ms
63.in-addr.arpa. 86400 IN NS HENNA.ARIN.NET<http://HENNA.ARIN.NET>.63.in-addr.arpa. 86400 IN NS BASIL.ARIN.NET<http://BASIL.ARIN.NET>.63.in-addr.arpa. 86400 IN NS DILL.ARIN.NET<http://DILL.ARIN.NET>.63.in-addr.arpa. 86400 IN NS X.ARIN.NET<http://X.ARIN.NET>.63.in-addr.arpa. 86400 IN NS INDIGO.ARIN.NET<http://INDIGO.ARIN.NET>.63.in-addr.arpa. 86400 IN NS Z.ARIN.NET<http://Z.ARIN.NET>.63.in-addr.arpa. 86400 IN NS Y.ARIN.NET<http://Y.ARIN.NET>.;; Received 180 bytes from 192.36.148.17#53(I.ROOT-SERVERS.NET<http://I.ROOT-SERVERS.NET>) in 65 ms
188.134.63.in-addr.arpa. 86400 IN NS DAUTH2.JOINK.COM<http://DAUTH2.JOINK.COM>.188.134.63.in-addr.arpa. 86400 IN NS DAUTH1.JOINK.COM<http://DAUTH1.JOINK.COM>.;; Received 95 bytes from 192.26.92.32#53(HENNA.ARIN.NET<http://HENNA.ARIN.NET>) in 35 ms
188.134.63.in-addr.arpa. 3600 IN SOA dauth1.joink.com<http://dauth1.joink.com>. noc.joink.com <http://noc.joink.com>.2009121523 86400 3600 777600 3600;; Received 100 bytes from 63.134.128.151#53(DAUTH2.JOINK.COM<http://DAUTH2.JOINK.COM>) in 0 ms
What really baffles me is that this worked for several hoursyesterday, and apparently quit overnight. One option is just to changethe delegation at ARIN, but we want to avoid that and in any event I'dlike to know what the issue is. Any ideas on what I'm doing wrong?

You may have "poisoned" people's caches temporarily with themidwestfirst.com NS records, but once those entries timed out, thequeries came back to you and you answered with NXDOMAIN, which thenitself was cached for some period of time. So it will work, stopworking, work, stop working, etc. You can't make "sideways delegation"work reliably. That's just not how delegation is designed.

- Kevin

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Delegating in reverse lookup zones

Reply via email to