Ray Bellis <r...@isc.org> wrote:
>
> The main thing you may wish to consider is whether you ever wish to
> DNSSEC sign your reverse zones.
>
> If you do, the zone cut on the parent name servers (which is where the
> DS records would be) must match the zone cut on your own servers, which
> would contain the DNSKEY records.

Not just DNSSEC - it's also important for negative responses. If your authoritative server has a zone for 0.192.in-addr.arpa but a resolver is expecting the zone cut to belong to 2.0.192.in-addr.arpa then it won't be able to parse negative responses according to RFC 2308. In this situation the BIND resolver will treat it as a FORMERR and reject the response.

> So, if your RIR has delegated a single /16 part of .in-addr.arpa to you,
> and you currently split that into /24 zones yourself, you'd be fine.
> If, OTOH, your RIR can only delegate at the /24 boundary, you'd have to
> maintain your zone cuts at that boundary too.

You can use DNAME to consolidate the PTR records into one big zone - see https://tools.ietf.org/html/draft-fanf-dnsop-rfc2317bis

This works best if you can put the DNAME records in the parent zone, but if you can't, you might still prefer to have several nearly-empty static zones and one big active zone, rather than lots of little active zones.

Tony.
--
f.anthony.n.finch <d...@dotat.at> http://dotat.at/ - I xn--zr8h punycode
Thames: Northeast 5 to 7, becoming variable 3 or 4 later. Moderate or rough, becoming slight or moderate. Squally showers. Good, occasionally moderate.
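Added example, not from the post above or from BIND: a small Python model of the two mechanics Tony describes, the RFC 2308 requirement that the SOA in a negative response sit at or below the zone cut the resolver expects, and a DNAME at the apex of a nearly-empty /24 zone redirecting every PTR name into one consolidated zone. All names (including the zone 2.0.192.rev.example.net) are constructed for illustration.

```python
# Added example (not the mailing-list author's code). Models the zone-cut
# consistency rule for negative answers and DNAME substitution (RFC 6672).
# Every name and address below is constructed for illustration.

def labels(name):
    """Split a DNS name into lower-cased labels, ignoring the trailing dot."""
    return [lbl.lower() for lbl in name.rstrip(".").split(".") if lbl]

def is_subdomain(name, ancestor):
    """True when `name` equals `ancestor` or lies below it."""
    n, a = labels(name), labels(ancestor)
    return len(n) >= len(a) and n[len(n) - len(a):] == a

def negative_answer_ok(qname, soa_owner, expected_zone):
    """RFC 2308 check as a validating resolver applies it.

    The SOA that proves NXDOMAIN/NODATA must be an ancestor (or self) of the
    query name and must not sit above the zone cut the resolver delegated to.
    An SOA for 0.192.in-addr.arpa when the resolver followed a delegation to
    2.0.192.in-addr.arpa fails the second test; BIND reports FORMERR.
    """
    if not is_subdomain(qname, soa_owner):
        return False
    return is_subdomain(soa_owner, expected_zone)

def dname_rewrite(qname, dname_owner, dname_target):
    """Substitute a DNAME: replace the owner-name suffix of qname with the
    target. Returns None when qname is not strictly below the owner, since
    a DNAME never applies to its own owner name (so an apex DNAME is fine)."""
    q, o, t = labels(qname), labels(dname_owner), labels(dname_target)
    if len(q) <= len(o) or q[len(q) - len(o):] != o:
        return None
    return ".".join(q[:len(q) - len(o)] + t) + "."

if __name__ == "__main__":
    # Resolver followed a delegation to 2.0.192.in-addr.arpa but the NXDOMAIN
    # carries the parent's SOA: mismatched zone cut, response rejected.
    print(negative_answer_ok("9.2.0.192.in-addr.arpa.",
                             "0.192.in-addr.arpa.", "2.0.192.in-addr.arpa."))
    # Consolidation: the static /24 zone holds only SOA, NS and an apex DNAME
    # into one big active zone; PTR lookups are rewritten into it.
    print(dname_rewrite("9.2.0.192.in-addr.arpa.", "2.0.192.in-addr.arpa.",
                        "2.0.192.rev.example.net."))
```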