Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Grant Taylor via bind-users

On 12/27/19 3:43 PM, Paul Kosinski via bind-users wrote:
> P.S. Unfortunately our 2 current IPs, although adjacent, are not /31,
> and thus would require 2 delegations


There's always going to be at least one record, be it an NS for 
delegation or CNAME for 2317, for each IP that's not being delegated at 
a higher dot boundary.  It's a question of what other records are needed 
to support it.  (This is on the upstream ISP's side.)


Then there's the question of what needs to be done on downstream side. 
This is highly dependent on what technique you use.


There's the cross delegation hack, but that's considerably more work for 
a few IPs.




--
Grant. . . .
unix || die



___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Paul Kosinski via bind-users
I was pleased that I was able to get our two (successive) ISPs to set
up reverse DNS for our small number of IP addresses, and each twice to
change them when they moved us to new IP ranges (due to the
IPv4 crunch). It never even occurred to me that it might be possible to
have them delegated to our DNS server (which could handle it, being
BIND running native on a Linux VM on their hardware -- no "helpful"
ISP mandated interface software to interfere with configuration). 

P.S. Unfortunately our 2 current IPs, although adjacent, are not /31,
and thus would require 2 delegations


On Fri, 27 Dec 2019 13:40:11 -0700
Grant Taylor via bind-users  wrote:

> On 12/27/19 1:22 PM, Reindl Harald wrote:
> > nobody out there will delegate single /255 ip's
> 
> I've had multiple different ISP's delegate reverse DNS for single IPs 
> (/32 or /128) multiple times.
> 
> Some used RFC 2317 Classless IN-ADDR.ARPA Delegation, others used 
> standard delegation.
> 
> Some ~> many ~> maybe most will not delegate in any way.  But enough 
> have done so (repeatedly) to definitely NOT be able to say nobody
> will delegate.


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Grant Taylor via bind-users

On 12/27/19 1:22 PM, Reindl Harald wrote:
> nobody out there will delegate single /255 ip's


I've had multiple different ISP's delegate reverse DNS for single IPs 
(/32 or /128) multiple times.


Some used RFC 2317 Classless IN-ADDR.ARPA Delegation, others used 
standard delegation.


Some ~> many ~> maybe most will not delegate in any way.  But enough 
have done so (repeatedly) to definitely NOT be able to say nobody will 
delegate.




--
Grant. . . .
unix || die





Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Reindl Harald



On 27.12.19 at 21:06, Grant Taylor via bind-users wrote:
>> if the ISP is willing to do and if you really own a large enough range
>> that it makes sense is a different question, for just 3 random
>> addresses it is unlikely to happen
> 
> Agreed.
> 
> But I will still ask the ISP to delegate the IPs to me as that's what I
> prefer

nobody out there will delegate single /255 ip's


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Grant Taylor via bind-users

On 12/27/19 10:49 AM, Reindl Harald wrote:
> in the real world they just delegate the reverse-zone to your nameserver
> like it's done for our /24 range for years


Please clarify what the "reverse-zone" is that you're talking about.  Is 
it "246.2.186.in-addr.arpa." or "17.246.2.186.in-addr.arpa."? 
Delegating the former will likely have undesired ramifications. 
Delegating the latter (and its associated IPs) is what I prefer to do.



> no need for zone transfers


I agree that there's not a /need/ for a zone transfer from the client to 
the ISP.  However Matus indicated that he /wanted/ the zone transfer.


> if the ISP is willing to do and if you really own a large enough range
> that it makes sense is a different question, for just 3 random addresses
> it is unlikely to happen


Agreed.

But I will still ask the ISP to delegate the IPs to me as that's what I 
prefer.




--
Grant. . . .
unix || die





Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Grant Taylor via bind-users

On 12/27/19 10:48 AM, Matus UHLAR - fantomas wrote:
> I think that it should be either change local DNS or call ISP to change
> it, not both at once.  Having both usually creates/hides different kinds
> of problems.


Yes, ideally the configuration lives in one place.  Multi-master is 
always problematic.  Particularly for day to day operations.


Initial configuration is another story.  That will likely involve 
configuration at both ends.  I.e. ISP delegating to customer and 
customer configuring their name server appropriately.



> the ISP should the client what zone to configure,


Did you mean that to be "the ISP should *tell* the client what zone to 
configure"?


> e.g.  pasteur-cayenne.246.2.186.in-addr.arpa and they put RFC 2317-like
> CNAME delegations to that.


Maybe.  Maybe not.  I'd likely have stern words with an ISP if they 
tried to dictate to me how I configured my DNS zones and servers.


I can see the ISP informing the customer of what options they support 
and then the customer choosing from that set.


About the only reason that I'll accept from an ISP for them trying to 
dictate what zone is used is them admitting that their configuration 
management system has limitations and does not support what I want.



> As an ISP, I'd like to be configured as slave for that domain.


Okay.  That's a different issue.  One that is a preference at that.  I 
don't have any overt objection to it.


> Yes, it can work, but I personally don't like setting up multiple reverse
> subdomains like this.  I believe configuring single domain for multiple
> records is the way to go.


As an ISP, you're only working with one domain, namely the associated 
in-addr.arpa domain.  So why do you care how many domains the client 
needs to configure on their server?


Your desire to slave transfer notwithstanding.  But even that is your 
desire.


Your desire to have a slave copy means that you are beholden to how the 
domain owner wants to configure things.  If that's one domain, fine.  If 
that's multiple domains, then so be it.


> in any case, if the OP needs to fix things on the local side AND to
> call ISP to change it, something is broken, or at least inefficiently
> implemented.


I don't know if "broken" is how I'd describe this.  I think the OP is 
still in the early set up phase.  Thus why it's normal that he needs to 
call the ISP to get them to do the initial configuration.




--
Grant. . . .
unix || die





Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Reindl Harald



On 27.12.19 at 18:58, Matus UHLAR - fantomas wrote:
>>>> The only thing that I saw was a slip in that there is something
>>>> outside the local DNS server that needs to be configured for reverse
>>>> DNS.
> 
>> On 27.12.19 at 18:48, Matus UHLAR - fantomas wrote:
>>> I think that it should be either change local DNS or call ISP to
>>> change it,
>>> not both at once.  Having both usually creates/hides different kinds of
>>> problems
> 
> On 27.12.19 18:50, Reindl Harald wrote:
>> says who?
> 
> common sense I'd say...
> 
>> in our /24 range 1-99 are public servers, the rest is internal
>> infrastructure and workstations and there is no point to have that
>> mapping public
> 
> Either you have DNS records or you have not.  If you have them, either you
> manage them, or you fetch part of it from customer

have you ever heard about internal and external views?


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Matus UHLAR - fantomas

>>> The only thing that I saw was a slip in that there is something
>>> outside the local DNS server that needs to be configured for reverse DNS.



> On 27.12.19 at 18:48, Matus UHLAR - fantomas wrote:
>> I think that it should be either change local DNS or call ISP to change it,
>> not both at once.  Having both usually creates/hides different kinds of
>> problems


On 27.12.19 18:50, Reindl Harald wrote:

> says who?


common sense I'd say...


> in our /24 range 1-99 are public servers, the rest is internal
> infrastructure and workstations and there is no point to have that
> mapping public


Either you have DNS records or you have not.  If you have them, either you
manage them, or you fetch part of it from customer.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
I wonder how much deeper the ocean would be without sponges.


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Reindl Harald


On 27.12.19 at 18:48, Matus UHLAR - fantomas wrote:
>> The only thing that I saw was a slip in that there is something
>> outside the local DNS server that needs to be configured for reverse DNS.
> 
> I think that it should be either change local DNS or call ISP to change it,
> not both at once.  Having both usually creates/hides different kinds of
> problems

says who?

in our /24 range 1-99 are public servers, the rest is internal
infrastructure and workstations and there is no point to have that
mapping public


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Reindl Harald



On 27.12.19 at 16:58, Grant Taylor via bind-users wrote:
> On 12/27/19 7:04 AM, Matus UHLAR - fantomas wrote:
>> they configure it for fetching from your servers.
> 
> I do object to this part of the statement.
> 
> This seems to imply that the ISP is a secondary DNS server and doing
> zone transfers off of their customer

in the real world they just delegate the reverse-zone to your nameserver
like it's done for our /24 range for years

no need for zone transfers

if the ISP is willing to do and if you really own a large enough range
that it makes sense is a different question, for just 3 random addresses
it is unlikely to happen


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Matus UHLAR - fantomas

> On 12/27/19 7:04 AM, Matus UHLAR - fantomas wrote:
>> there's obviously something broken in this setup.  You don't have
>> to call the ISP if the reverse DNS changes.


On 27.12.19 08:58, Grant Taylor via bind-users wrote:

> Why do you say that?
> 
> What do you see that's broken in the OP's configuration?
> 
> I personally didn't see anything broken.  Hence why reverse DNS
> worked when querying the local server.


> The only thing that I saw was a slip in that there is something
> outside the local DNS server that needs to be configured for reverse
> DNS.


I think that it should be either change local DNS or call ISP to change it,
not both at once.  Having both usually creates/hides different kinds of
problems.

>> Either they set up reverse DNS for you completely, or they tell you
>> what domain to set up, you set it up


> I don't have any overt objection to that part of the statement.


>> they configure it for fetching from your servers.


> I do object to this part of the statement.
> 
> This seems to imply that the ISP is a secondary DNS server and doing
> zone transfers off of their customer.
> 
> 
> This can be made to work, but it still suffers from the typical
> problems associated with shared administration of the
> 247.2.186.in-addr.arpa zone.


the ISP should the client what zone to configure, e.g. 
pasteur-cayenne.246.2.186.in-addr.arpa

and they put RFC 2317-like CNAME delegations to that.

As an ISP, I'd like to be configured as slave for that domain.


>> However, you should not set up multiple domains like those:
>> 19.247.2.186.in-addr.arpa
>> 17.246.2.186.in-addr.arpa
>> 22.246.2.186.in-addr.arpa
>> 26.246.2.186.in-addr.arpa
>> 30.246.2.186.in-addr.arpa


> This may not be typical, but it can work perfectly fine.  I've done
> this many times in the past.  (I'd still be doing it if I had a need
> for it.)


Yes, it can work, but I personally don't like setting up multiple reverse
subdomains like this.  I believe configuring single domain for multiple
records is the way to go.


> The ISP inserts an NS record to delegate each subdomain
> {17,19,22,26,30}.247.2.186.in-addr.arpa to the client's DNS server
> which is authoritative for said zones.  Said zones would include a PTR
> in their apex.  It works perfectly fine.


> ; SOA RDATA is MNAME (primary name server) followed by RNAME (contact mailbox)
> 17.246.2.186.in-addr.arpa.  IN  SOA  mname.example.net. rname.example.net. (…)
>                             IN  NS   mname.example.net.
>                             IN  PTR  smtp.pasteur-cayenne.fr.

>> rfc 2317 describes how reverse DNS should be set up and it should
>> work automatically.


> RFC 2317 Classless IN-ADDR.ARPA Delegation is one possible way to set
> things up.  There are others.  E.g.
> 
> 
>  · Proper DNS delegation (as described above).
>  · ISP allowing Dynamic DNS updates of their in-addr.arpa. zone.
>  · Cross delegation hack.
>  · Reverse DNS zone backed by something more intelligent than a
> traditional zone file.  E.g. LDAP (AD) or a database.
> 
> 
> I personally dislike RFC 2317's CNAME based delegation.
> 
>  · I find it to be unnecessarily complex and error prone, particularly
> for people not accustomed to it.
>  · It includes possible suggestions that many DNS servers can't use
> ("/" as the separator character).
>  · It implies that the sub-domain has some relation to the network size
> being delegated.  When in fact, the sub-domain could easily be any
> arbitrary identifier.  The customer ID might be a good choice.
>  · It does not lend itself to discontinuous IPs, particularly if
> following the prefix related subdomain recommendations.
>  · I find its wording to be abstracted to the point of being
> ambiguous to a fault.
> 
> 
> I strongly prefer standard DNS delegation via NS records.  This can go
> to discrete zones like the OP has / my example above.  Or it can be a
> cross delegation hack.


in any case, if the OP needs to fix things on the local side AND to call
ISP to change it, something is broken, or at least inefficiently
implemented.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Fighting for peace is like fucking for virginity...


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Grant Taylor via bind-users

On 12/27/19 7:04 AM, Matus UHLAR - fantomas wrote:
> there's obviously something broken in this setup.  You don't have to
> call the ISP if the reverse DNS changes.


Why do you say that?

What do you see that's broken in the OP's configuration?

I personally didn't see anything broken.  Hence why reverse DNS worked 
when querying the local server.


The only thing that I saw was a slip in that there is something outside 
the local DNS server that needs to be configured for reverse DNS.


> Either they set up reverse DNS for you completely, or they tell you
> what domain to set up, you set it up


I don't have any overt objection to that part of the statement.


> they configure it for fetching from your servers.


I do object to this part of the statement.

This seems to imply that the ISP is a secondary DNS server and doing 
zone transfers off of their customer.


This can be made to work, but it still suffers from the typical problems 
associated with shared administration of the 247.2.186.in-addr.arpa zone.



> However, you should not set up multiple domains like those:
> 19.247.2.186.in-addr.arpa
> 17.246.2.186.in-addr.arpa
> 22.246.2.186.in-addr.arpa
> 26.246.2.186.in-addr.arpa
> 30.246.2.186.in-addr.arpa


This may not be typical, but it can work perfectly fine.  I've done this 
many times in the past.  (I'd still be doing it if I had a need for it.)


The ISP inserts an NS record to delegate each subdomain 
{17,19,22,26,30}.247.2.186.in-addr.arpa to the client's DNS server which 
is authoritative for said zones.  Said zones would include a PTR in 
their apex.  It works perfectly fine.


; SOA RDATA is MNAME (primary name server) followed by RNAME (contact mailbox)
17.246.2.186.in-addr.arpa.  IN  SOA  mname.example.net. rname.example.net. (…)
                            IN  NS   mname.example.net.
                            IN  PTR  smtp.pasteur-cayenne.fr.

> rfc 2317 describes how reverse DNS should be set up and it should work
> automatically.


RFC 2317 Classless IN-ADDR.ARPA Delegation is one possible way to set 
things up.  There are others.  E.g.


 · Proper DNS delegation (as described above).
 · ISP allowing Dynamic DNS updates of their in-addr.arpa. zone.
 · Cross delegation hack.
 · Reverse DNS zone backed by something more intelligent than a 
traditional zone file.  E.g. LDAP (AD) or a database.


I personally dislike RFC 2317's CNAME based delegation.

 · I find it to be unnecessarily complex and error prone, particularly for 
people not accustomed to it.
 · It includes possible suggestions that many DNS servers can't use 
("/" as the separator character).
 · It implies that the sub-domain has some relation to the network size 
being delegated.  When in fact, the sub-domain could easily be any 
arbitrary identifier.  The customer ID might be a good choice.
 · It does not lend itself to discontinuous IPs, particularly if 
following the prefix related subdomain recommendations.
 · I find its wording to be abstracted to the point of being ambiguous 
to a fault.


I strongly prefer standard DNS delegation via NS records.  This can go 
to discrete zones like the OP has / my example above.  Or it can be a 
cross delegation hack.




--
Grant. . . .
unix || die



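Both delegation styles argued over in this exchange, as an added worked example (not code from the thread, from ISC or from any of the posters): given the OP's five addresses, it emits the records the ISP would add to its /24 in-addr.arpa zones and the zones the customer would serve, once for per-address NS delegation (Grant's preference) and once for RFC 2317 CNAME-based delegation with the "pasteur-cayenne" sub-zone label Matus suggests, then follows the CNAME the way a resolver would. The customer name server ns1.pasteur-cayenne.fr., the SOA contact hostmaster.pasteur-cayenne.fr., the SOA timers and the PTR targets are assumptions, not values from the thread.

```python
"""Reverse-DNS delegation for a handful of IPv4 addresses, both ways.

Technique 1, per-address NS delegation: the ISP adds one NS record per
address to its /24 in-addr.arpa zone (e.g. 17.246.2.186.in-addr.arpa. IN NS),
and the customer serves one tiny zone per address with the PTR at its apex.

Technique 2, RFC 2317 classless delegation: the ISP keeps the /24 zone,
delegates one sub-zone per /24 (labelled "pasteur-cayenne" here) with an NS
record, and adds a CNAME per address pointing into that sub-zone; the
customer serves every PTR from the sub-zone.

Added illustration, not code from the thread.  Assumed values: the customer
name server ns1.pasteur-cayenne.fr., the SOA contact
hostmaster.pasteur-cayenne.fr., the SOA timers and the PTR targets.
"""
import ipaddress

# Assumed serial / refresh / retry / expire / minimum; not from the thread.
SOA_TIMERS = "( 2019122701 3600 900 1209600 3600 )"


def reverse_name(addr: str) -> str:
    """'186.2.246.17' -> '17.246.2.186.in-addr.arpa.' (absolute name)."""
    return ipaddress.IPv4Address(addr).reverse_pointer + "."


def parent_zone(addr: str) -> str:
    """The /24 in-addr.arpa zone the ISP is authoritative for."""
    return reverse_name(addr).split(".", 1)[1]


def apex_records(zone: str, ns: str, rname: str) -> list:
    """SOA (MNAME before RNAME) plus NS: what every customer zone needs at its apex."""
    return [f"{zone} IN SOA {ns} {rname} {SOA_TIMERS}", f"{zone} IN NS {ns}"]


def ns_delegation(addrs, ptrs, ns, rname):
    """Technique 1.  Returns (ISP-side records, {customer zone: its records})."""
    isp, customer = [], {}
    for a in addrs:
        zone = reverse_name(a)
        isp.append(f"{zone} IN NS {ns}")  # one delegation per address
        customer[zone] = apex_records(zone, ns, rname) + [f"{zone} IN PTR {ptrs[a]}"]
    return isp, customer


def rfc2317_delegation(addrs, ptrs, ns, rname, label):
    """Technique 2.  One delegated sub-zone per parent /24, one CNAME per address."""
    isp, customer = [], {}
    for a in addrs:
        parent = parent_zone(a)
        sub = f"{label}.{parent}"
        if sub not in customer:
            isp.append(f"{sub} IN NS {ns}")  # delegate the sub-zone once per /24
            customer[sub] = apex_records(sub, ns, rname)
        last = a.rsplit(".", 1)[1]
        isp.append(f"{last}.{parent} IN CNAME {last}.{sub}")
        customer[sub].append(f"{last}.{sub} IN PTR {ptrs[a]}")
    return isp, customer


def lookup_ptr(isp, customer, qname):
    """What a resolver ends up with: follow an ISP-side CNAME if there is one,
    then find the PTR in the customer's zones.  None if nothing matches."""
    for rec in isp:
        owner, _, rtype, target = rec.split()
        if owner == qname and rtype == "CNAME":
            qname = target
            break
    for records in customer.values():
        for rec in records:
            fields = rec.split()
            if fields[0] == qname and fields[2] == "PTR":
                return fields[3]
    return None


# Constructed sample: the OP's five addresses with made-up PTR targets.
ADDRS = ["186.2.247.19", "186.2.246.17", "186.2.246.22", "186.2.246.26", "186.2.246.30"]
PTRS = {a: f"host{a.rsplit('.', 1)[1]}.pasteur-cayenne.fr." for a in ADDRS}
NS = "ns1.pasteur-cayenne.fr."
RNAME = "hostmaster.pasteur-cayenne.fr."

if __name__ == "__main__":
    layouts = [("per-address NS delegation", ns_delegation(ADDRS, PTRS, NS, RNAME)),
               ("RFC 2317", rfc2317_delegation(ADDRS, PTRS, NS, RNAME, "pasteur-cayenne"))]
    for title, (isp, cust) in layouts:
        print(f"== {title}: records the ISP adds ==")
        print("\n".join(isp))
        for zone, recs in cust.items():
            print(f"== {title}: customer zone {zone} ==")
            print("\n".join(recs))
        print(f"PTR for 186.2.247.19 -> {lookup_ptr(isp, cust, reverse_name('186.2.247.19'))}")
```

Running it prints both layouts. Two things the listing makes concrete: per-address NS delegation costs the ISP exactly one NS record per address (five here) and costs the customer five single-record zones, while the RFC 2317 layout needs two delegated sub-zones because the OP's addresses span 186.2.246.0/24 and 186.2.247.0/24; the CNAME target can in principle live anywhere, as Grant notes, but the prefix-named sub-zone convention does not suggest that. In either layout the customer's SOA MNAME and the delegating NS target should name the same server.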


Re: Problem to transfer reverse zone DNS on secondary DNS servers

2019-12-27 Thread Matus UHLAR - fantomas

On 27.12.19 00:27, Edouard Guigné wrote:
> I have forgotten this point, rdns is done by ISP...
> The same problem occurred 2 years ago, and I have to call them to restart it.


there's obviously something broken in this setup.  You don't have to call
the ISP if the reverse DNS changes.

Either they set up reverse DNS for you completely, or they tell you what
domain to set up, you set it up and they configure it for fetching from your
servers.

However, you should not set up multiple domains like those:
19.247.2.186.in-addr.arpa
17.246.2.186.in-addr.arpa
22.246.2.186.in-addr.arpa
26.246.2.186.in-addr.arpa
30.246.2.186.in-addr.arpa

rfc 2317 describes how reverse DNS should be set up and it should work
automatically.
--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Windows 2000: 640 MB ought to be enough for anybody