On 8/24/2017 1:31 PM, Grant Taylor wrote:

> Before I release my updates, I wonder if this was the right thing to
> do.
>
> I prefer to use a different method to do classless in-addr.arpa
> delegation.
>
> Specifically, I ask ISPs to put an NS record for the IP(s) in question
> pointing to my own DNS server.  Then I configure zone(s) that match
> the full in-addr.arpa name with the PTR in the zone apex.
>
> You can have a separate zone (d.c.b.a.in-addr.arpa.) for each IP
> (a.b.c.d) -or- you can have a single parent zone (c.b.a.in-addr.arpa.)
> with individual PTR records, much like the ISP normally does.
>
> If you do the second method (parent c.b.a.in-addr.arpa. zone) I'd
> recommend that you have NS records for the other 224 IPs that point to
> your ISP's name server that is authoritative for the zone.
>
> In effect, you are actually delegating the IPs an additional level.

This was done, at least the first part of providing the ISP the two NS servers required. They used RFC 2317 to set up the CNAME delegation. On my servers, I had done what you suggested with the second method, using a parent c.b.a.in-addr.arpa zone. It all seems to work, except for the unexpected CNAME+PTR records with non-authoritative results.

Still studying the impact. I was trying to prevent some consistency in the results in the resolver, in the same way that it's done for A->CNAME->A results.

Thanks

--
HLS
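To make the two delegation styles discussed above concrete, here is an added Python example (not code from the thread or from either poster) that generates the records each side would carry. It shows the ISP side both ways: per-address NS records as Grant asks ISPs for, and the RFC 2317 sub-zone plus CNAME arrangement HLS's ISP used. It also builds the customer side of Grant's "second method": a full c.b.a.in-addr.arpa zone with PTRs for the customer's own addresses and one NS record for each of the remaining addresses pointing back at the ISP's authoritative server. The network 192.0.2.0/27, the host names and the name-server names are constructed placeholders.

```python
"""Generate records for a classless in-addr.arpa delegation.

Illustration added to the thread; networks, host names and name-server
names are constructed placeholders.

  isp_records_ns()        ISP side, per-address NS records (Grant's request)
  isp_records_2317()      ISP side, RFC 2317 sub-zone plus one CNAME per address
  customer_parent_zone()  customer side, the parent c.b.a.in-addr.arpa zone
                          with PTRs for own addresses and NS records for the
                          rest pointing back to the ISP (Grant's second method)
"""
import ipaddress


def reverse_label(addr):
    """'a.b.c.d' -> 'd.c.b.a.in-addr.arpa.'"""
    return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa."


def isp_records_ns(own_block, customer_ns):
    """ISP zone: one NS record per delegated address, pointing at the customer."""
    net = ipaddress.IPv4Network(own_block)
    return [f"{reverse_label(a)} IN NS {customer_ns}" for a in net]


def isp_records_2317(own_block, customer_ns):
    """ISP zone, RFC 2317 style: delegate a sub-zone named after the block
    (e.g. 0/27.2.0.192.in-addr.arpa.) and alias each address into it."""
    net = ipaddress.IPv4Network(own_block)
    a, b, c, d = str(net.network_address).split(".")
    parent = f"{c}.{b}.{a}.in-addr.arpa."
    sub = f"{d}/{net.prefixlen}.{parent}"
    lines = [f"{sub} IN NS {customer_ns}"]
    for addr in net:
        last = str(addr).split(".")[3]
        lines.append(f"{last}.{parent} IN CNAME {last}.{sub}")
    return lines


def customer_parent_zone(own_block, ptr_names, own_ns, isp_ns, serial=2017082401):
    """Customer zone for the whole /24: PTRs for addresses in own_block that
    have a name in ptr_names, NS back to the ISP for every other address."""
    own = ipaddress.IPv4Network(own_block)
    if own.prefixlen > 24:
        net24 = own.supernet(new_prefix=24)
    elif own.prefixlen == 24:
        net24 = own
    else:
        raise ValueError("own_block must fit inside a single /24")
    a, b, c, _ = str(net24.network_address).split(".")
    zone = f"{c}.{b}.{a}.in-addr.arpa."
    lines = [
        f"$ORIGIN {zone}",
        "$TTL 3600",
        f"@ IN SOA {own_ns} hostmaster.{own_ns} {serial} 3600 900 1209600 3600",
        f"@ IN NS {own_ns}",
    ]
    for addr in net24:  # all 256 addresses of the /24, .0 and .255 included
        last = str(addr).split(".")[3]
        if addr in own:
            name = ptr_names.get(str(addr))
            if name:
                lines.append(f"{last} IN PTR {name}")
        else:
            lines.append(f"{last} IN NS {isp_ns}")
    return lines


if __name__ == "__main__":
    names = {"192.0.2.5": "www.example.net.", "192.0.2.6": "mail.example.net."}
    print("\n".join(customer_parent_zone("192.0.2.0/27", names,
                                         "ns1.example.net.", "ns.isp.example.")))
```

Run as a script it prints the customer's parent zone; with a /27 the generator emits 224 NS records, matching the count in the quoted mail. Note the zone names differ between the two ISP-side styles: with per-address NS records the customer answers for `d.c.b.a.in-addr.arpa.` directly, whereas RFC 2317 CNAMEs point at names under the `0/27.c.b.a.in-addr.arpa.` sub-zone, so the customer's server must be authoritative for whichever name the ISP's records actually reference.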


_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
