[dns-operations] /24 Reverse DNS delegation using the IP Address 4th octet?

Mark Andrews marka at isc.org
Wed Mar 17 10:28:30 UTC 2010


In message <OF220EBF68.BF1FD4F8-ON802576E9.00379899-802576E9.0037F5AB at nominet.org.uk>, Ray.Bellis at nominet.org.uk writes:
> > Ok, so I asked for a reverse DNS delegation of a /24.  Let's call it 
> > "10.1.2.0/24" for the sake of discussion.  I was expecting to get the 
> > following in their (parent) zone:
> > 
> > 2.1.10.in-addr.arpa. 86400   IN   NS   my-master-1.example.com.
> > 2.1.10.in-addr.arpa. 86400   IN   NS   my-master-2.example.com.
> > 
> > Instead, what they gave me was this:
> > 
> > 0.2.1.10.in-addr.arpa. 86400   IN   NS   my-master-1.example.com.
> > 0.2.1.10.in-addr.arpa. 86400   IN   NS   my-master-2.example.com.
> >
> > ...
> > 
> > 255.2.1.10.in-addr.arpa. 86400   IN   NS   my-master-1.example.com.
> > 255.2.1.10.in-addr.arpa. 86400   IN   NS   my-master-2.example.com.
> > 
> > Is that workable?  It seems silly to me.  Can I still just set up a 
> > single zone file like so?
> > 
> > $TTL 86400
> > $ORIGIN 2.1.10.in-addr.arpa.
> > @       IN      SOA     my-master-1.example.com. hostmaster.example.com. ( 7 3600 600 3600000 86400 )
> > 
> > @   IN   NS   my-master-1.example.com.
> >    IN   NS   my-master-2.example.com.
> > 
> > 0   IN   A   zero.example.com.
> > 1   IN   A   one.example.com.
> > 2   IN   A   two.example.com.
> > ...
> > etc.
> 
> [should be "PTR", of course, not "A"]
> 
> > My gut feeling is that this isn't going to work and that they really 
> > need to delegate 2.1.10.in-addr.arpa directly, correct?
> 
> It should actually work if you implemented as described - some ENUM trees 
> are delegated that way.
> 
> However it'll break if you ever want to implement DNSSEC.  There is a 
> mis-alignment between the zone cut as seen by the parent and that seen by 
> the child, hence there's no place to put the DS records.
> 
> Ray

Plain DNS also breaks for some queries.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
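
The zone-cut mismatch discussed in this thread, as an added example that is not part of the original messages: it models which NS owner name in the parent covers a query name and compares it with the apex of the single child zone file. The function names are hypothetical, the data is the thread's 10.1.2.0/24 sample, and no DNS queries are sent.

```python
import ipaddress

# Constructed sample data: the 10.1.2.0/24 example used in the thread.
CHILD_APEX = "2.1.10.in-addr.arpa."   # $ORIGIN of the single child zone file
PER_ADDRESS = [a.reverse_pointer + "." for a in ipaddress.ip_network("10.1.2.0/24")]
WHOLE_BLOCK = [CHILD_APEX]            # the delegation the poster expected


def labels(name):
    """Split a domain name into lower-case labels, ignoring the root dot."""
    return name.rstrip(".").lower().split(".")


def is_at_or_below(name, ancestor):
    """True when name equals ancestor or is a descendant of it."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[-len(a):] == a


def parent_cut(qname, delegations):
    """Deepest NS owner name in the parent that covers qname, or None."""
    covering = [d for d in delegations if is_at_or_below(qname, d)]
    return max(covering, key=lambda d: len(labels(d)), default=None)


def analyse(qname, delegations, child_apex=CHILD_APEX):
    """Describe how the parent's delegations line up with the child zone."""
    cut = parent_cut(qname, delegations)
    return {
        "parent_cut": cut,
        # No covering NS set: the parent answers for this name itself and the
        # child's records at it are never consulted.
        "referred_to_child": cut is not None,
        # A DS RRset lives in the parent at the delegation owner name and has
        # to match a DNSKEY at the child's apex, so the names must be equal.
        "ds_owner_is_child_apex": cut is not None
        and labels(cut) == labels(child_apex),
    }


if __name__ == "__main__":
    ptr_name = ipaddress.ip_address("10.1.2.5").reverse_pointer + "."
    for title, delegations in (("per-address", PER_ADDRESS),
                               ("whole /24", WHOLE_BLOCK)):
        for qname in (ptr_name, CHILD_APEX):
            print(title, qname, analyse(qname, delegations))
```

With the per-address delegations, a PTR name is referred to the child but its delegation point is one label below the child's apex, and the apex name itself is never referred at all; with a single delegation of 2.1.10.in-addr.arpa both line up.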


