Date:      Thu, 4 Oct 2001 20:43:30 +1000
From:      "Jan Mikkelsen" <janm@transactionware.com>
To:        "David Siebörger" <drs-stable@rucus.ru.ac.za>, "Ingeborg Hellemo" <Ingeborg.Hellemo@cc.uit.no>
Cc:        <freebsd-stable@FreeBSD.ORG>
Subject:   Re: Reverse delegation of CIDR addresses (was: sdflkj)
Message-ID:  <013201c14cc1$68b05430$0a01a8c0@mosm1>
References:  <200110041003.f94A3ex15230@boyd.cc.uit.no>

"Ingeborg Hellemo" <Ingeborg.Hellemo@cc.uit.no> wrote:
> drs-stable@rucus.ru.ac.za said:
> > On Thu 2001-10-04 (08:59), Ceri wrote:
> > > On Wed, Oct 03, 2001 at 05:16:20PM -0700, Michael Sierchio said:
> > >
> > > > My apologies.  My ISP's absolute refusal to delegate reverse entries
> > > > for my domain and /29 net is the problem.  They gave me CNAME entries
> > > > instead of PTR records
> > >
> > > Umm, you can't delegate reverse DNS for a /29 _without_ using CNAMEs.
>
> > Not true.  While the use of CNAMEs is suggested by RFC 2317, NS
> > records can be used too.  The technique is described at:
>
> > http://homepages.tesco.net./~J.deBoynePollard/FGA/avoid-rfc-2317-delegation.html
>
> Do _not_ use this technique!
>
> Cite from <URL:http://marc.theaimsgroup.com/?l=bind-users&m=99948971616624&w=2>:
>
> "The document does NOT describe a valid DNS setup. It is simply illegal.
> Please, completely ignore this setup.
>
> Following the ignorant example on your site would lead to that machine
> being authoritative for the in-addr.arpa. domain. Only the
> [a-i].root-servers.net. should be authoritative for those.
>
> This set-up will leak incorrect/dangerous/poisonous info through the
> authoritative & additional sections. A provider with old caches (those
> that will cache the authoritative/additional section) that happen to have
> cached yours has the rest of the reverse name-space unavailable during the
> TTL of the RRs in those sections.
>
> Bad. Very very bad.
>
> Roy Arends
> Nominum "

While the example from the original URL is wrong, as is pointed out in this
quote, that doesn't mean that you must use CNAMEs to accept reverse
delegation.  There is a better way.

(There may be BIND syntax errors here; I use djbdns now, where everything
is much better.)

For example, on the parent server:

4.3.2.1.in-addr.arpa. IN NS a.ns.4.3.2.1.in-addr.arpa.
4.3.2.1.in-addr.arpa. IN NS b.ns.4.3.2.1.in-addr.arpa.
a.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.8
b.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.9

and on the child server:

4.3.2.1.in-addr.arpa. IN SOA blah blah   ; see, syntax error right there
4.3.2.1.in-addr.arpa. IN NS a.ns.4.3.2.1.in-addr.arpa.
4.3.2.1.in-addr.arpa. IN NS b.ns.4.3.2.1.in-addr.arpa.
a.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.8
b.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.9
4.3.2.1.in-addr.arpa. IN PTR 4.3.2.1

Add additional nameservers as required.

Jan Mikkelsen
janm@transactionware.com
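An added offline checker for the delegation layout in the message above (example code, not Jan's and not part of BIND or djbdns): it parses the parent and child zone lines, confirms the NS sets and glue agree, and flags a child that claims authority above its delegation point, which is the mistake the quoted bind-users post warns about. The SOA values, hostmaster.example.com. and host.example.com. are assumed placeholders.

```python
# Added example, not code from the post, BIND or djbdns: an offline sanity
# check for the per-address in-addr.arpa delegation shown above.  Zone text is
# in the post's "owner IN TYPE rdata" form; 5.6.7.x and the hostnames are
# placeholders, and the SOA/PTR values below are constructed.
ZONE = "4.3.2.1.in-addr.arpa."
PARENT = """
4.3.2.1.in-addr.arpa. IN NS a.ns.4.3.2.1.in-addr.arpa.
4.3.2.1.in-addr.arpa. IN NS b.ns.4.3.2.1.in-addr.arpa.
a.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.8
b.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.9
"""
CHILD = """
4.3.2.1.in-addr.arpa. IN SOA a.ns.4.3.2.1.in-addr.arpa. hostmaster.example.com. 1 3600 900 604800 3600
4.3.2.1.in-addr.arpa. IN NS a.ns.4.3.2.1.in-addr.arpa.
4.3.2.1.in-addr.arpa. IN NS b.ns.4.3.2.1.in-addr.arpa.
a.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.8
b.ns.4.3.2.1.in-addr.arpa. IN A 5.6.7.9
4.3.2.1.in-addr.arpa. IN PTR host.example.com.
"""
# The setup the quoted message warns about: the child also answers for in-addr.arpa.
BAD_CHILD = CHILD + "in-addr.arpa. IN NS a.ns.4.3.2.1.in-addr.arpa.\n"

def parse_zone(text):
    """Return (owner, type, rdata) tuples; text after ';' is a comment."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line:
            owner, _cls, rtype, *rdata = line.split()
            records.append((owner.lower(), rtype.upper(), " ".join(rdata).lower()))
    return records

def check_delegation(parent_text, child_text, zone=ZONE):
    """Return problems found; an empty list means the delegation is consistent."""
    parent, child = parse_zone(parent_text), parse_zone(child_text)
    def inside(name):            # name is at or below the delegation point
        return name == zone or name.endswith("." + zone)
    problems = []
    parent_ns = {r for o, t, r in parent if o == zone and t == "NS"}
    child_ns = {r for o, t, r in child if o == zone and t == "NS"}
    if parent_ns != child_ns:    # parent and child must advertise the same NS set
        problems.append("NS set differs between parent and child")
    glue = {o for o, t, _ in parent if t in ("A", "AAAA")}
    problems += [f"missing glue for {ns}" for ns in sorted(parent_ns)
                 if inside(ns) and ns not in glue]   # in-bailiwick NS needs glue
    problems += [f"child claims authority above delegation point: {o}"
                 for o, t, _ in child if t in ("SOA", "NS") and not inside(o)]
    if not any(o == zone and t == "PTR" for o, t, _ in child):
        problems.append("no PTR record at the delegated name")
    return problems
```

Running check_delegation(PARENT, CHILD) returns an empty list, while the BAD_CHILD variant reports the stray in-addr.arpa. NS record.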