On 12/27/18 9:01 AM, Barry Margolin wrote:
The alternative is to have a separate zone for each address, and delegate each of them to your server. So the parent zone would have:

It does not require a separate zone for each address. But it does require some creative zone work.

; 1.0.192.in-addr.arpa.zone on parent nameservers ns{1,2}.parent.example.
$ORIGIN 1.0.192.in-addr.arpa.
0   IN NS  ns1.yourdomain.com.
    IN NS  ns2.yourdomain.com.
1   IN NS  ns1.yourdomain.com.
    IN NS  ns2.yourdomain.com.
...
128 IN PTR host128.example.net.
129 IN PTR host129.example.net.
...

Yes. This works perfectly from everything I've tested. I've had issues in the past with Classless IN-ADDR.ARPA delegation. (Particularly with not-small-name RBL providers not liking it 15+ years ago.)

Either way, the parent zone needs to have specific records for each of the addresses in the subnet. The client always tries to look up w.x.y.z.in-addr.arpa, and only supports delegation at "." boundaries in the name. There's no way for it to know automatically that different "w" values are delegated to different servers.

This is simply re-using the same standard delegation we use for (sub)domains elsewhere in the hierarchy.

As for the zones themselves:

1) The parent zone needs to have the delegation like Barry depicted above.
2) The child zone needs to have records for the name being looked up. Nothing specifically translates to them needing to be in separate zones.

I could easily create a zone like this:

; 1.0.192.in-addr.arpa.zone on local nameservers ns{1,2}.yourdomain.com
$ORIGIN 1.0.192.in-addr.arpa.
0   IN PTR web.yourdomain.com.
1   IN PTR ftp.yourdomain.com.
...
128 IN NS  ns1.parent.example.
    IN NS  ns2.parent.example.
129 IN NS  ns1.parent.example.
    IN NS  ns2.parent.example.
...

In essence, you end up with two independent zones for the same domain name, 1.0.192.in-addr.arpa, cross delegating /different/ records to each other. Thus, both are perfectly happy to answer authoritatively with PTR records for the IPs that they are "responsible for", while "delegating" (redirecting) to the other name servers for the IPs that they aren't locally responsible for.

IMHO it's a neat trick and avoids needing to have 10s, 100s, 1,000s of little tiny zone files on a DNS server.

I have yet to find any reason that this won't work. I'm confident that you could even make it work with DNSSEC /if/ there is proper coordination between consenting parties.



--
Grant. . . .
unix || die
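To make the mechanics of the two cross-delegated copies concrete, here is an added example (not from the post, and not BIND code) that models both copies of 1.0.192.in-addr.arpa as data, follows referrals the way a resolver would, and checks the pair for the one misconfiguration this layout invites: a label that both copies delegate, which sends a resolver in a loop. The server and host names are constructed, following the post's placeholders.

```python
"""Model of the two cross-delegated copies of 1.0.192.in-addr.arpa from the
thread.  Each copy answers PTRs for the labels it owns and returns an NS
referral for the labels the other side owns.  Constructed example data."""

PARENT_NS = "ns1.parent.example."   # constructed, as in the post
CHILD_NS = "ns1.yourdomain.com."    # constructed, as in the post

# server -> {last octet label: ("PTR", target) | ("NS", server to refer to)}
ZONES = {
    PARENT_NS: {
        "0": ("NS", CHILD_NS), "1": ("NS", CHILD_NS),
        "128": ("PTR", "host128.example.net."),
        "129": ("PTR", "host129.example.net."),
    },
    CHILD_NS: {
        "0": ("PTR", "web.yourdomain.com."),
        "1": ("PTR", "ftp.yourdomain.com."),
        "128": ("NS", PARENT_NS), "129": ("NS", PARENT_NS),
    },
}


def resolve_ptr(label, start_at=PARENT_NS, zones=ZONES, max_referrals=4):
    """Resolve <label>.1.0.192.in-addr.arpa by following referrals.
    Returns (ptr_target_or_None, servers_asked); raises on a referral loop."""
    server, path = start_at, []
    for _ in range(max_referrals):
        path.append(server)
        rr = zones[server].get(label)
        if rr is None:
            return None, path            # authoritative NXDOMAIN
        rtype, data = rr
        if rtype == "PTR":
            return data, path            # authoritative answer
        server = data                    # NS referral: ask the other side
    raise RuntimeError(f"referral loop for {label}: {' -> '.join(path)}")


def check_cross_delegation(copy_a, copy_b):
    """Consistency check for the pair: every label one copy delegates must be
    answered with a PTR by the other.  Returns the offending labels (a label
    delegated by both copies, or delegated into a gap)."""
    problems = set()
    for src, dst in ((copy_a, copy_b), (copy_b, copy_a)):
        for label, (rtype, _) in src.items():
            if rtype == "NS" and dst.get(label, ("",))[0] != "PTR":
                problems.add(label)
    return sorted(problems, key=int)
```

Run `check_cross_delegation` against both zone files before loading them; a clean pair returns an empty list, while a label listed by both sides as NS is exactly the case `resolve_ptr` reports as a loop.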
