Re: Reverse DNS Dig returning PTR results only with trace option



Kevin Wrote: {QUOTE} There is no "BIND way" versus "Windows way". For a
range smaller than /24 you either need to host all the records in the
/24 zone, delegate each entry individually (as /32 zones), or use
CNAMEs. This is determined by the protocol, regardless of whether you're
using Microsoft DNS, BIND or any other implementation.

Note that many thousands (tens of thousands? hundreds of thousands?) of
organizations use RFC 2317 for their reverse DNS without issues. So, on
what do you base your assessment of this approach as having "lots of
problems"? The folks who published RFC 2317 actually know what they're
talking about. People complaining on forums about having botched their
RFC 2317 configs, probably *don't*.
{QUOTE}

Ok, moving to RFC 2317, I may not have configured them correctly. If RFC
2317 will work for me then that would be great. This time I took the
subnet 64.253.134.176/28. This block needs to be delegated from
ns1.cyzap.net to ns1.moneytreesystems.com
I followed this for the configuration and naming convention from
http://support.microsoft.com/kb/174419.
I configured at ns1.cyzap.net as:
; Database file 134.254.63.in-addr.arpa.dns for 134.254.63.in-addr.arpa zone.
; Zone version: ................
;

@ IN SOA ns1.cyzap.net. .............. (
....
...
;
; Zone NS records
;

@ NS ns1.cyzap.net.
@ NS ns2.cyzap.net.

; Delegated sub-zone: 176-28.134.254.63.in-addr.arpa.
;
176-28 NS ns1.moneytreesystems.com.
ns1.moneytreesystems.com. A 63.254.134.213
ns1.moneytreesystems.com. A 63.254.134.214
; End delegation
177 CNAME 177.176-28.134.254.63.in-addr.arpa.

========================================================================
And at ns1.moneytreesystems.com, the configuration is as:
;
; Database file 176-28.134.254.63.in-addr.arpa.dns for 176-28.134.254.63.in-addr.arpa zone.
; Zone version: xxxxxx
;

@ IN SOA ns1.moneytreesystems.com.
hostmaster.moneytreesystems.com. (
.....
.....
;
; Zone NS records
;

@ NS ns1.moneytreesystems.com.
ns1.moneytreesystems.com. A 63.254.134.213

;
; Zone records
;

177 PTR testnew177.cyzap.net.

========================================================================
My dig outputs for this are:
$ dig @ns1.cyzap.net -x 63.254.134.177

; <<>> DiG 9.4.2 <<>> @ns1.cyzap.net -x 63.254.134.177
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 50666
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;177.134.254.63.in-addr.arpa. IN PTR

;; ANSWER SECTION:
177.134.254.63.in-addr.arpa. 3600 IN CNAME 177.176-28.134.254.63.in-addr.arpa.
177.176-28.134.254.63.in-addr.arpa. 60 IN PTR testnew177.cyzap.net.

;; Query time: 3 msec
;; SERVER: 172.30.111.3#53(172.30.111.3)
;; WHEN: Tue Nov 10 18:06:59 2009
;; MSG SIZE rcvd: 104
============================
$ dig @ns2.cyzap.net -x 63.254.134.177

; <<>> DiG 9.4.2 <<>> @ns2.cyzap.net -x 63.254.134.177
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58836
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;177.134.254.63.in-addr.arpa. IN PTR

;; ANSWER SECTION:
177.134.254.63.in-addr.arpa. 3600 IN CNAME 177.176-28.134.254.63.in-addr.arpa.
177.176-28.134.254.63.in-addr.arpa. 55 IN PTR testnew177.cyzap.net.

;; Query time: 0 msec
;; SERVER: 172.30.111.53#53(172.30.111.53)
;; WHEN: Tue Nov 10 18:20:13 2009
;; MSG SIZE rcvd: 104



==========================
$ dig -x 63.254.134.177

; <<>> DiG 9.4.2 <<>> -x 63.254.134.177
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60512
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;177.134.254.63.in-addr.arpa. IN PTR

;; ANSWER SECTION:
177.134.254.63.in-addr.arpa. 2985 IN CNAME 177.176-28.134.254.63.in-addr.arpa.

;; Query time: 0 msec
;; SERVER: 172.30.111.254#53(172.30.111.254)
;; WHEN: Tue Nov 10 18:07:18 2009
;; MSG SIZE rcvd: 70
===================================
$ dig -x 63.254.134.177 +trace

; <<>> DiG 9.4.2 <<>> -x 63.254.134.177 +trace
;; global options: printcmd
. 54948 IN NS j.root-servers.net.
. 54948 IN NS c.root-servers.net.
. 54948 IN NS k.root-servers.net.
. 54948 IN NS b.root-servers.net.
. 54948 IN NS l.root-servers.net.
. 54948 IN NS h.root-servers.net.
. 54948 IN NS f.root-servers.net.
. 54948 IN NS m.root-servers.net.
. 54948 IN NS e.root-servers.net.
. 54948 IN NS d.root-servers.net.
. 54948 IN NS a.root-servers.net.
. 54948 IN NS g.root-servers.net.
. 54948 IN NS i.root-servers.net.
;; Received 449 bytes from 172.30.111.254#53(172.30.111.254) in 1 ms

63.in-addr.arpa. 86400 IN NS X.ARIN.NET.
63.in-addr.arpa. 86400 IN NS Y.ARIN.NET.
63.in-addr.arpa. 86400 IN NS INDIGO.ARIN.NET.
63.in-addr.arpa. 86400 IN NS DILL.ARIN.NET.
63.in-addr.arpa. 86400 IN NS HENNA.ARIN.NET.
63.in-addr.arpa. 86400 IN NS Z.ARIN.NET.
63.in-addr.arpa. 86400 IN NS BASIL.ARIN.NET.
;; Received 181 bytes from 192.36.148.17#53(i.root-servers.net) in 60 ms

254.63.in-addr.arpa. 86400 IN NS NS2.MCLEODUSA.NET.
254.63.in-addr.arpa. 86400 IN NS NS1.MCLEODUSA.NET.
254.63.in-addr.arpa. 86400 IN NS NS3.MCLEODUSA.NET.
;; Received 112 bytes from 192.26.92.32#53(HENNA.ARIN.NET) in 41 ms

177.134.254.63.in-addr.arpa. 7200 IN NS ns2.cyzap.net.
177.134.254.63.in-addr.arpa. 7200 IN NS ns1.cyzap.net.
;; Received 90 bytes from 209.253.113.19#53(NS3.MCLEODUSA.NET) in 17 ms

177.134.254.63.in-addr.arpa. 3600 IN CNAME 177.176-28.134.254.63.in-addr.arpa.
177.176-28.134.254.63.in-addr.arpa. 16 IN PTR testnew177.cyzap.net.
;; Received 104 bytes from 172.30.111.3#53(ns1.cyzap.net) in 0 ms

===================================================================
Why did the simple dig (without trace or without specifying ns1.cyzap.net)
not return the PTR record?
Also, if I do dig @ns1.cyzap.net -x 63.254.134.177 and then dig -x
63.254.134.177 +trace, it will not give the PTR record if it traces to
ns2.cyzap.net. If I do dig @ns2.cyzap.net -x 63.254.134.177 and then
dig -x 63.254.134.177 +trace, it will not give the PTR record if it traces
to ns1.cyzap.net. That is why sometimes I am getting the PTR from the trace
option and sometimes not. Something is broken here.


Thank you,
Raj
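An added example, not from the post or from any of the people in this thread: it models the two zone fragments above as constructed in-memory records and chases the RFC 2317 CNAME chain the way a recursive resolver does. The `reachable` parameter is an assumed knob for simulating the sub-zone's server not answering, which is what leaves a resolver with the CNAME alone in its answer section.

```python
from ipaddress import IPv4Network

# Constructed in-memory copies of the two zone fragments in the post:
# the /24 zone on ns1.cyzap.net and the RFC 2317 sub-zone on
# ns1.moneytreesystems.com (only the records that matter for the chain).
PARENT = "134.254.63.in-addr.arpa."
CHILD = "176-28.134.254.63.in-addr.arpa."
ZONES = {
    PARENT: {"176-28." + PARENT: [("NS", "ns1.moneytreesystems.com.")],
             "177." + PARENT: [("CNAME", "177." + CHILD)]},
    CHILD: {CHILD: [("NS", "ns1.moneytreesystems.com.")],
            "177." + CHILD: [("PTR", "testnew177.cyzap.net.")]},
}

def reverse_name(ip: str) -> str:
    """63.254.134.177 -> 177.134.254.63.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def rfc2317_zone(block: str) -> str:
    """Sub-zone name in the KB 174419 style used in the post:
    63.254.134.176/28 -> 176-28.134.254.63.in-addr.arpa."""
    net = IPv4Network(block)
    a, b, c, d = str(net.network_address).split(".")
    return f"{d}-{net.prefixlen}.{c}.{b}.{a}.in-addr.arpa."

def closest_zone(name: str, zones: dict):
    """Longest-suffix match: the loaded zone that is authoritative for name."""
    hits = [z for z in zones if name == z or name.endswith("." + z)]
    return max(hits, key=len) if hits else None

def resolve_ptr(ip: str, zones: dict, reachable=None) -> list:
    """Chase CNAME -> PTR like a recursive resolver and return the answer
    section as (owner, type, rdata) tuples. `reachable` (assumed knob) names
    the zones whose servers answer; a CNAME whose target lives in an
    unreachable zone comes back on its own, i.e. 'ANSWER: 1, CNAME only'."""
    reachable = set(zones) if reachable is None else set(reachable)
    name, answer = reverse_name(ip), []
    for _ in range(8):                      # bound the CNAME chain
        zone = closest_zone(name, zones)
        if zone is None or zone not in reachable:
            return answer                   # nothing more can be fetched
        rrs = zones[zone].get(name, [])
        target = next((r for t, r in rrs if t == "CNAME"), None)
        if target is None:
            return answer + [(name, t, r) for t, r in rrs if t == "PTR"]
        answer.append((name, "CNAME", target))
        name = target
    return answer
```

Note that the target of each CNAME is in a different zone from the CNAME itself, so the resolver must complete a second lookup against whichever server the sub-zone's NS records name; if that lookup does not succeed, the CNAME is all the client sees.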


Kevin Darcy wrote:
Raj Adhikari wrote:
Thanks Chris for the reply.
Actually, let me put my question the other way.
How can one delegate the classless subnet to other DNS?
Actually, one of our ISP could not delegate classless subnet to our
server ns1.cyzap.net. I am trying to help them in delegating the
classless subnet to us. So this scenario is simulating our ISP and us. I
was just testing with one of our other subnets checking if delegation
will work. Unfortunately, we both are using windows DNS. Windows just
have RFC 2317 way on configuring the delegation on it KB article using
CNAME, which I think has lots of problems. But I am following this BIND
way for delegation. I think, in windows the DNS configuration is more or
less similar to BIND.

There is no "BIND way" versus "Windows way". For a range smaller than
/24 you either need to host all the records in the /24 zone, delegate
each entry individually (as /32 zones), or use CNAMEs. This is
determined by the protocol, regardless of whether you're using
Microsoft DNS, BIND or any other implementation.

Note that many thousands (tens of thousands? hundreds of thousands?) of
organizations use RFC 2317 for their reverse DNS without issues. So,
on what do you base your assessment of this approach as having "lots
of problems"? The folks who published RFC 2317 actually know what
they're talking about. People complaining on forums about having
botched their RFC 2317 configs, probably *don't*.
In this scenario, let's say ns1.cyzap.net is my ISP and
ns1.moneytreesystems.com is us. ns1.cyzap.net owns 63.254.134.0/24 and
ns1.moneytreesystems.com takes a subnet 134.224/28 from them. So isn't
there a way for ns1.cyzap.net to delegate the subnet to
ns1.moneytreesystems.com?
The /24 is delegated to ns1.cyzap.net. Zone delegation is on octet
boundaries. So the next available boundary for delegation would be
/32, i.e. delegating each of the 16 usable addresses (or perhaps just
the 14 usable addresses) individually.
Does ns1.cyzap.net again have to talk to their
upper ISP to delegate directly to us?
No, that doesn't help. What would the /16 nameservers delegate?
They've already delegated 134.254.63.in-addr.arpa, there's nothing
more you can expect of them.

- Kevin
Chris Hills wrote:

On 10/11/09 18:25, Raj Adhikari wrote:

Now I can do a dig for an hour or so. But again I run into the same
problem.
It won't return the PTR record unless I explicitly do dig on ns1.cyzap.net.
Also, the last dig shows ns1.cyzap.net as Authority NS for this IP.
But trace shows ns1.moneytreesystems.com as final sender.

Could someone shed a light on this?

254.63.in-addr.arpa. 86400 IN NS NS3.MCLEODUSA.NET.
254.63.in-addr.arpa. 86400 IN NS NS1.MCLEODUSA.NET.
254.63.in-addr.arpa. 86400 IN NS NS2.MCLEODUSA.NET.
;; Received 112 bytes from 192.42.93.32#53(y.arin.net) in 173 ms

228.134.254.63.in-addr.arpa. 7200 IN NS ns1.cyzap.net.
228.134.254.63.in-addr.arpa. 7200 IN NS ns2.cyzap.net.
;; Received 90 bytes from 209.253.113.19#53(NS3.MCLEODUSA.NET) in 159 ms

228.134.254.63.in-addr.arpa. 3600 IN NS
ns2.moneytreesystems.com.
228.134.254.63.in-addr.arpa. 3600 IN NS
ns1.moneytreesystems.com.
;; BAD (HORIZONTAL) REFERRAL
;; Received 160 bytes from 64.253.181.53#53(ns2.cyzap.net) in 167 ms

You should not chain a delegation in this manner. Either make the
servers ns1.cyzap.net. and ns2.cyzap.net. authoritative for
228.134.254.63.in-addr.arpa. or have your ISP change the NS records to
point directly to ns1.moneytreesystems.com. and
ns2.moneytreesystems.com. The cyzap servers do not respond with the
authority bit set ("aa" in dig).

Regards,

Chris

_______________________________________________
bind-users mailing list
bind-users@xxxxxxxxxxxxx
https://lists.isc.org/mailman/listinfo/bind-users

