[rescue] DNS questions

Loomis, Rip rescue at sunhelp.org
Mon Oct 22 10:39:59 CDT 2001


[On reverse DNS lookups for CIDR /29 spaces...]
Hrm.

Actually, there will need to be some coordination, but
not necessarily "send all the PTR RRs to the ISP".
It *is* possible to do your own reverse DNS with less
than a /24.

See
  http://www.isc.org/ml-archives/bind-users/2001/02/msg01007.html
for an example of how some ISPs use the $GENERATE
directive to delegate reverse lookups of CIDR info.
(It actually discusses both what the ISP needs to do,
and how you then handle the "real" PTRs on your
authoritative server.)

For our situation here, though, we have several /24s,
plus a /28 for a perimeter network, all from Verio.  The
/24s were no problem to get delegated, but the /28 was
much more of a challenge.  After many sessions on the
phone trying to explain (teach) how Verio could do
reverse delegations of CIDR blocks, we gave up and sent
our RRs to them for inclusion.  We can live with it
because hostnames on that perimeter are obfuscated
anyway.  YMMV.

In terms of "finding out whether you really have
authority", just do a lookup on the existing RRs
and see what happens.  If (for example) my ISP
told me that I had 10.1.2.0/29 (6 fully usable
addresses from 10.1.2.1-10.1.2.6), I would then
check the relevant PTR and SOA records using
dig or nslookup.  Let me know if you want more
specific info on how to do this (dig -x is your
friend...)  Depending on the ISP, they might
already have delegated them the way the URL above
discusses, or you might still need to send them
PTR RRs.

--
Rip Loomis
Senior Systems Security Engineer, SAIC CIST
Brainbench MVP for Internet Security
http://www.brainbench.com  [Transcript 1923411]



> -----Original Message-----
> From: Kevin Loch [mailto:kloch at gurunet.net]
> Sent: Monday, 22 October, 2001 10:28

> Well, you most certainly don't have "direct" authority (i.e. hosting
> the zone on your server) for reverse dns, because that authority is
> divided on octet boundaries.  You must have at least a /24 to
> "do your own" reverse dns.  You will have to send your PTR entries
> to your ISP.
> 
> KL
> 
> "Michael S. Schiller" wrote:
> > 
> > Hi All:
> > 
> > I just got a block of 8 IPs from my ISP (after maybe 3 weeks of talking to
> > almost everyone there), and I supposedly have full authority (reverse as well
> > as forward) over them. My question is 2 fold: 1. How do I know if I really have
> > authority over the reverse DNS & 2. If I do, is there an easy way to set it
> > up? I've looked at the classless stuff, but I find it confusing. Thanks.
> 
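The two halves Rip describes above (the ISP's $GENERATE delegation of a /29 and the customer's own authoritative sub-zone holding the "real" PTRs), written out here as an added example; it is not from this thread or from the linked bind-users post. The 10.1.2.0/29 block is the one used in the message; the nameserver names, hostnames and SOA values are assumed.

```dns
; --- ISP side: zone 2.1.10.in-addr.arpa (the parent /24, hosted by the ISP) ---
; Delegate the /29 by creating a sub-zone named "0/29" under the /24 and
; pointing each address at it with a CNAME (RFC 2317 style; some ISPs
; name the sub-zone 0-7 instead of 0/29 to avoid the slash).
$ORIGIN 2.1.10.in-addr.arpa.
; NS records hand authority for the sub-zone to the customer's servers
; (ns1/ns2.example.net are assumed names).
0/29            IN NS    ns1.example.net.
0/29            IN NS    ns2.example.net.
; $GENERATE expands to six records:  1 CNAME 1.0/29 ... 6 CNAME 6.0/29
; Only the usable addresses .1-.6 are mapped; .0 and .7 are left out.
$GENERATE 1-6   $ IN CNAME $.0/29

; --- Customer side: zone "0/29.2.1.10.in-addr.arpa" on ns1.example.net ---
; Declare it under that exact name in named.conf; the ISP's CNAMEs
; resolve into this zone, so the PTRs here are the ones the world sees.
$ORIGIN 0/29.2.1.10.in-addr.arpa.
$TTL 86400
@       IN SOA   ns1.example.net. hostmaster.example.net. (
                 2001102201 ; serial (assumed YYYYMMDDnn)
                 3600       ; refresh
                 900        ; retry
                 604800     ; expire
                 86400 )    ; negative-cache TTL
@       IN NS    ns1.example.net.
@       IN NS    ns2.example.net.
1       IN PTR   gw.example.net.
2       IN PTR   www.example.net.
3       IN PTR   mail.example.net.
```

Once both sides are loaded, `dig -x 10.1.2.2` should show the CNAME to 2.0/29.2.1.10.in-addr.arpa. followed by the PTR from the customer zone, and `dig SOA 0/29.2.1.10.in-addr.arpa.` confirms which server actually holds authority for the sub-zone.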