Re: Most specific match on PTR records

2013-02-22 Thread Nikita Koshikov
On Fri, Feb 22, 2013 at 6:51 PM, Doug Barton  wrote:

> On 02/22/2013 01:26 AM, Nikita Koshikov wrote:
>
>>
>>
>> On Thu, Feb 21, 2013 at 10:47 PM, Doug Barton wrote:
>>
>> Can you slave the 11.2.10.in-addr.arpa zone instead of forwarding?
>> That would be easier, and avoid the pitfalls already described by
>> others.
>>
>>
>> I can't, the 10.2.11.0/24 network is Windows DHCP
>> with dynamic DNS registrations.
>>
>
> I'm not sure why that would mean that you cannot slave the zone. Are you
> concerned about too-frequent updates?
>

I don't have transfer capability on this server - only lookup. This machine
is managed by another scope of admins and they are not willing to reconfigure
anything.


>
> Mark was right, a delegation in the zone file is the simplest solution. I
> suggested slaving the zone because it gives you better performance locally,
> but if it isn't possible, Mark's solution is just fine.
>
> Doug
>
>
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users

Re: Most specific match on PTR records

2013-02-22 Thread Doug Barton

On 02/22/2013 01:26 AM, Nikita Koshikov wrote:



On Thu, Feb 21, 2013 at 10:47 PM, Doug Barton <do...@dougbarton.us> wrote:

Can you slave the 11.2.10.in-addr.arpa zone instead of forwarding?
That would be easier, and avoid the pitfalls already described by
others.


I can't, the 10.2.11.0/24 network is Windows DHCP
with dynamic DNS registrations.


I'm not sure why that would mean that you cannot slave the zone. Are you 
concerned about too-frequent updates?


Mark was right, a delegation in the zone file is the simplest solution. 
I suggested slaving the zone because it gives you better performance 
locally, but if it isn't possible, Mark's solution is just fine.


Doug



Re: Most specific match on PTR records

2013-02-22 Thread Matus UHLAR - fantomas

On 21.02.2013 19:20, Nikita Koshikov wrote:

I'm trying to "cut" a /24 network out of the scope of a /8 network; here is an
example:

zone "11.2.10.in-addr.arpa" {
type forward;
forwarders { 192.168.1.23; 192.168.1.24; };
};

zone "10.in-addr.arpa" {
type master;
file "master/int/10.in-addr.arpa";
};


On 21.02.13 20:10, Hauke Lampe wrote:

The local authoritative data takes precedence over a forward zone.



10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
address. But I need to forward requests for the 10.2.11.0/24 net to other DNS
servers, and the above config is not working.


The easiest way might be to delegate the subdomain with a static-stub:

 zone "11.2.10.in-addr.arpa" {
 type static-stub;
 server-addresses { 192.168.1.23; 192.168.1.24; };
 };


so a "type static-stub" works, while "type forward" does not?
Is this another difference between those two types?

("type forward" has one advantage: it allows standard resolving to take
place when forwarding does not help.  But this is not the case.)

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
- Holmes, what kind of school did you study to be a detective?
- Elementary, Watson.  -- Daffy Duck & Porky Pig


Re: Most specific match on PTR records

2013-02-22 Thread Nikita Koshikov
Thanks, Mark, for the elegant solution. It works. Thanks.

On Fri, Feb 22, 2013 at 1:49 AM, Mark Andrews  wrote:

>
> In message <ooq01ugyvw_...@mail.gmail.com>, Nikita Koshikov writes:
> > Hello list,
> >
> >
> > I'm trying to "cut" a /24 network out of the scope of a /8 network; here is
> > an example:
> >
> > zone "11.2.10.in-addr.arpa" {
> > type forward;
> > forwarders { 192.168.1.23; 192.168.1.24; };
> > };
> >
> > zone "10.in-addr.arpa" {
> > type master;
> > file "master/int/10.in-addr.arpa";
> > };
> >
> > 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
> > address. But I need to forward requests for the 10.2.11.0/24 net to other
> > DNS servers, and the above config is not working.
> > I got empty responses for the 10.2.11.0/24 net.
>
> When I see questions like this I ask "Why are you doing this the
> most complicated way?"  Just add a delegation for 11.2.10.in-addr.arpa
> to 10.in-addr.arpa.  If you are using global forwarders turn them
> off.
>
> zone "10.in-addr.arpa" {
> type master;
> file "master/int/10.in-addr.arpa";
> forwarders { /* empty */ };
> };
>
> 11.2    NS  .
> 11.2    NS  .
>
> > This is right: (192.168.1.8 - server with bind)
> >
> > $ host -t ptr 10.1.1.1 192.168.1.8
> > Using domain server:
> > Name: 192.168.1.8
> > Address: 192.168.1.8#53
> > Aliases:
> > Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)
> >
> > This is wrong:
> > $ host -t ptr 10.2.11.10  192.168.1.8
> > Using domain server:
> > Name: 192.168.1.8
> > Address: 192.168.1.8#53
> > Aliases:
> > Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)
> >
> > This is expected answer from the forwarded server  - 192.168.1.23
> > $ host -t ptr 10.2.11.10  192.168.1.23
> > Using domain server:
> > Name: 192.168.1.23
> > Address: 192.168.1.23#53
> > Aliases:
> > 10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.
> >
> > Can someone help with this ?
> >
> --
> Mark Andrews, ISC
> 1 Seymour St., Dundas Valley, NSW 2117, Australia
> PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org
>

Re: Most specific match on PTR records

2013-02-22 Thread Nikita Koshikov
On Thu, Feb 21, 2013 at 10:47 PM, Doug Barton  wrote:

> On 02/21/2013 10:20 AM, Nikita Koshikov wrote:
>
>> Hello list,
>>
>>
>> I'm trying to "cut" a /24 network out of the scope of a /8 network; here is
>> an example:
>>
>>  zone "11.2.10.in-addr.arpa" {
>>  type forward;
>>  forwarders { 192.168.1.23; 192.168.1.24; };
>>  };
>>
>>  zone "10.in-addr.arpa" {
>>  type master;
>>  file "master/int/10.in-addr.arpa";
>>  };
>>
>> 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8
>> IP address. But I need to forward requests for the
>> 10.2.11.0/24 net to other DNS servers, and the
>> above config is not working.
>>
>
> Can you slave the 11.2.10.in-addr.arpa zone instead of forwarding? That
> would be easier, and avoid the pitfalls already described by others.
>

I can't, the 10.2.11.0/24 network is Windows DHCP with dynamic DNS registrations.


>
> Doug
>
>

Re: Most specific match on PTR records

2013-02-22 Thread Nikita Koshikov
Thanks for your response, Hauke

On Thu, Feb 21, 2013 at 9:10 PM, Hauke Lampe  wrote:

> On 21.02.2013 19:20, Nikita Koshikov wrote:
>
> I haven't tested this in detail but here's what I would try:
>
>
>> I'm trying to "cut" a /24 network out of the scope of a /8 network; here is
>> an example:
>>
>>  zone "11.2.10.in-addr.arpa" {
>>  type forward;
>>  forwarders { 192.168.1.23; 192.168.1.24; };
>>  };
>>
>>  zone "10.in-addr.arpa" {
>>  type master;
>>  file "master/int/10.in-addr.arpa";
>>  };
>>
>>
> The local authoritative data takes precedence over a forward zone.
>
>
>> 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
>> address. But I need to forward requests for the 10.2.11.0/24 net to other DNS
>> servers, and the above config is not working.
>>
>
> The easiest way might be to delegate the subdomain with a static-stub:
>
>   zone "11.2.10.in-addr.arpa" {
>   type static-stub;
>   server-addresses { 192.168.1.23; 192.168.1.24; };
>
>   };
>
>   zone "10.in-addr.arpa" {
>   type master;
>   file "master/int/10.in-addr.arpa";
>   };
>
> This is a "synthetic" delegation. There could be a problem if a client
> queries 2.10.in-addr.arpa. The NXDOMAIN response (instead of nodata) can be
> interpreted as "*.2.10.in-addr.arpa. doesn't exist". A "real" delegation in
> the zone file is probably better.
>
> If your version of BIND is older than 9.8, you could try to move the
> master zone into a view and configure 10.in-addr.arpa as another forward
> zone in the client's view.
>
BIND here is 9.3.6, so no static-stub is available. Can you give a simple
example of a view for this scenario? I already have split DNS on this
machine; it looks like:

acl internals {
    {}; // for correct syntax comments resolution
    10.0.0.0/8; // Servica lan
    192.168.0.0/16;
};
view "internal" {
    match-clients { internals; };
    allow-transfer { internals; };
    recursion yes;

    // here 10/8 net
};



>
> Hauke.
>
>

Re: Most specific match on PTR records

2013-02-21 Thread Mark Andrews

In message <5126e59a.3030...@htt-consult.com>, Robert Moskowitz writes:
> 
> On 02/21/2013 06:49 PM, Mark Andrews wrote:
> > In message <...com>, Nikita Koshikov writes:
> >> Hello list,
> >>
> >>
> >> I'm trying to "cut" a /24 network out of the scope of a /8 network; here is
> >> an example:
> >>
> >>  zone "11.2.10.in-addr.arpa" {
> >>  type forward;
> >>  forwarders { 192.168.1.23; 192.168.1.24; };
> >>  };
> >>
> >>  zone "10.in-addr.arpa" {
> >>  type master;
> >>  file "master/int/10.in-addr.arpa";
> >>  };
> >>
> >> 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
> >> address. But I need to forward requests for the 10.2.11.0/24 net to other DNS
> >> servers, and the above config is not working.
> >> I got empty responses for the 10.2.11.0/24 net.
> > When I see questions like this I ask "Why are you doing this the
> > most complicated way?"  Just add a delegation for 11.2.10.in-addr.arpa
> > to 10.in-addr.arpa.  If you are using global forwarders turn them
> > off.
> 
> ARGH!!!  Mark! Your 'problem' is you are too close to the code and see 
> obvious solutions!  :)

Delegations are basic DNS.

Forwarders, stub zones etc. are used when basic DNS doesn't work.
 
> This will make some things I do here with my 192.168 nets cleaner. Thanks.

No problem.

Mark
 
>  From the guy that started the 'net10' effort.
> 
> >
> > zone "10.in-addr.arpa" {
> > type master;
> > file "master/int/10.in-addr.arpa";
> > forwarders { /* empty */ };
> > };
> >
> > 11.2    NS  .
> > 11.2    NS  .
> >
> >> This is right: (192.168.1.8 - server with bind)
> >>
> >> $ host -t ptr 10.1.1.1 192.168.1.8
> >> Using domain server:
> >> Name: 192.168.1.8
> >> Address: 192.168.1.8#53
> >> Aliases:
> >> Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)
> >>
> >> This is wrong:
> >> $ host -t ptr 10.2.11.10  192.168.1.8
> >> Using domain server:
> >> Name: 192.168.1.8
> >> Address: 192.168.1.8#53
> >> Aliases:
> >> Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)
> >>
> >> This is expected answer from the forwarded server  - 192.168.1.23
> >> $ host -t ptr 10.2.11.10  192.168.1.23
> >> Using domain server:
> >> Name: 192.168.1.23
> >> Address: 192.168.1.23#53
> >> Aliases:
> >> 10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.
> >>
> >> Can someone help with this ?
> >>
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Most specific match on PTR records

2013-02-21 Thread Robert Moskowitz


On 02/21/2013 06:49 PM, Mark Andrews wrote:

In message <...>, Nikita Koshikov writes:

Hello list,


I'm trying to "cut" a /24 network out of the scope of a /8 network; here is an
example:

 zone "11.2.10.in-addr.arpa" {
 type forward;
 forwarders { 192.168.1.23; 192.168.1.24; };
 };

 zone "10.in-addr.arpa" {
 type master;
 file "master/int/10.in-addr.arpa";
 };

10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
address. But I need to forward requests for the 10.2.11.0/24 net to other DNS
servers, and the above config is not working.
I got empty responses for the 10.2.11.0/24 net.

When I see questions like this I ask "Why are you doing this the
most complicated way?"  Just add a delegation for 11.2.10.in-addr.arpa
to 10.in-addr.arpa.  If you are using global forwarders turn them
off.


ARGH!!!  Mark! Your 'problem' is you are too close to the code and see 
obvious solutions!  :)


This will make some things I do here with my 192.168 nets cleaner. Thanks.

From the guy that started the 'net10' effort.



zone "10.in-addr.arpa" {
type master;
file "master/int/10.in-addr.arpa";
forwarders { /* empty */ };
};

11.2    NS  .
11.2    NS  .


This is right: (192.168.1.8 - server with bind)

$ host -t ptr 10.1.1.1 192.168.1.8
Using domain server:
Name: 192.168.1.8
Address: 192.168.1.8#53
Aliases:
Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)

This is wrong:
$ host -t ptr 10.2.11.10  192.168.1.8
Using domain server:
Name: 192.168.1.8
Address: 192.168.1.8#53
Aliases:
Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)

This is expected answer from the forwarded server  - 192.168.1.23
$ host -t ptr 10.2.11.10  192.168.1.23
Using domain server:
Name: 192.168.1.23
Address: 192.168.1.23#53
Aliases:
10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.

Can someone help with this ?





Re: Most specific match on PTR records

2013-02-21 Thread Mark Andrews

In message <...>, Nikita Koshikov writes:
> Hello list,
> 
> 
> I'm trying to "cut" a /24 network out of the scope of a /8 network; here is an
> example:
> 
> zone "11.2.10.in-addr.arpa" {
> type forward;
> forwarders { 192.168.1.23; 192.168.1.24; };
> };
> 
> zone "10.in-addr.arpa" {
> type master;
> file "master/int/10.in-addr.arpa";
> };
> 
> 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
> address. But I need to forward requests for the 10.2.11.0/24 net to other DNS
> servers, and the above config is not working.
> I got empty responses for the 10.2.11.0/24 net.

When I see questions like this I ask "Why are you doing this the
most complicated way?"  Just add a delegation for 11.2.10.in-addr.arpa
to 10.in-addr.arpa.  If you are using global forwarders turn them
off.

zone "10.in-addr.arpa" {
type master;
file "master/int/10.in-addr.arpa";
forwarders { /* empty */ };
};

11.2    NS  .
11.2    NS  .

> This is right: (192.168.1.8 - server with bind)
> 
> $ host -t ptr 10.1.1.1 192.168.1.8
> Using domain server:
> Name: 192.168.1.8
> Address: 192.168.1.8#53
> Aliases:
> Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)
> 
> This is wrong:
> $ host -t ptr 10.2.11.10  192.168.1.8
> Using domain server:
> Name: 192.168.1.8
> Address: 192.168.1.8#53
> Aliases:
> Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)
> 
> This is expected answer from the forwarded server  - 192.168.1.23
> $ host -t ptr 10.2.11.10  192.168.1.23
> Using domain server:
> Name: 192.168.1.23
> Address: 192.168.1.23#53
> Aliases:
> 10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.
> 
> Can someone help with this ?
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: ma...@isc.org


Re: Most specific match on PTR records

2013-02-21 Thread Doug Barton

On 02/21/2013 10:20 AM, Nikita Koshikov wrote:

Hello list,


I'm trying to "cut" a /24 network out of the scope of a /8 network; here is an
example:

 zone "11.2.10.in-addr.arpa" {
 type forward;
 forwarders { 192.168.1.23; 192.168.1.24; };
 };

 zone "10.in-addr.arpa" {
 type master;
 file "master/int/10.in-addr.arpa";
 };

10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8
IP address. But I need to forward requests for the
10.2.11.0/24 net to other DNS servers, and the
above config is not working.


Can you slave the 11.2.10.in-addr.arpa zone instead of forwarding? That 
would be easier, and avoid the pitfalls already described by others.


Doug



Re: Most specific match on PTR records

2013-02-21 Thread Ben Croswell
You need to ensure that, if the resolver doing the forwarding also loads
the blank 10/8, you have the smaller /24 delegated in the 10/8.
The reason is that if it loads the /8 with no /24 delegation, it will ignore
the forward because it believes the /24 doesn't exist.
On Feb 21, 2013 1:21 PM, "Nikita Koshikov"  wrote:

> Hello list,
>
>
> I'm trying to "cut" a /24 network out of the scope of a /8 network; here is an
> example:
>
> zone "11.2.10.in-addr.arpa" {
> type forward;
> forwarders { 192.168.1.23; 192.168.1.24; };
> };
>
> zone "10.in-addr.arpa" {
> type master;
> file "master/int/10.in-addr.arpa";
> };
>
> 10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
> address. But I need to forward requests for the
> 10.2.11.0/24 net to other DNS servers, and the above config is not working.
> I got empty responses for the 10.2.11.0/24 net.
>
> This is right: (192.168.1.8 - server with bind)
>
> $ host -t ptr 10.1.1.1 192.168.1.8
> Using domain server:
> Name: 192.168.1.8
> Address: 192.168.1.8#53
> Aliases:
> Host 1.1.1.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is wrong:
> $ host -t ptr 10.2.11.10  192.168.1.8
> Using domain server:
> Name: 192.168.1.8
> Address: 192.168.1.8#53
> Aliases:
> Host 10.11.2.10.in-addr.arpa. not found: 3(NXDOMAIN)
>
> This is expected answer from the forwarded server  - 192.168.1.23
> $ host -t ptr 10.2.11.10  192.168.1.23
> Using domain server:
> Name: 192.168.1.23
> Address: 192.168.1.23#53
> Aliases:
> 10.11.2.10.in-addr.arpa domain name pointer hawk-agent.local.intranet.
>
> Can someone help with this ?
>
>

Re: Most specific match on PTR records

2013-02-21 Thread Hauke Lampe

On 21.02.2013 19:20, Nikita Koshikov wrote:

I haven't tested this in detail but here's what I would try:


I'm trying to "cut" a /24 network out of the scope of a /8 network; here is an
example:

 zone "11.2.10.in-addr.arpa" {
 type forward;
 forwarders { 192.168.1.23; 192.168.1.24; };
 };

 zone "10.in-addr.arpa" {
 type master;
 file "master/int/10.in-addr.arpa";
 };



The local authoritative data takes precedence over a forward zone.


10.in-addr.arpa is just a file that returns NXDOMAIN for any 10.0.0.0/8 IP
address. But I need to forward requests for the 10.2.11.0/24 net to other DNS
servers, and the above config is not working.


The easiest way might be to delegate the subdomain with a static-stub:

  zone "11.2.10.in-addr.arpa" {
  type static-stub;
  server-addresses { 192.168.1.23; 192.168.1.24; };
  };

  zone "10.in-addr.arpa" {
  type master;
  file "master/int/10.in-addr.arpa";
  };

This is a "synthetic" delegation. There could be a problem if a client 
queries 2.10.in-addr.arpa. The NXDOMAIN response (instead of nodata) can 
be interpreted as "*.2.10.in-addr.arpa. doesn't exist". A "real" 
delegation in the zone file is probably better.


If your version of BIND is older than 9.8, you could try to move the 
master zone into a view and configure 10.in-addr.arpa as another forward 
zone in the client's view.



Hauke.

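The behaviour Mark, Ben and Hauke describe in this thread (the authoritative 10.in-addr.arpa zone answering NXDOMAIN before any forward zone is consulted, a delegation for 11.2 turning that into a referral that is then forwarded, and the empty non-terminal at 2.10.in-addr.arpa that a real delegation creates), as an added Python model that is not part of the thread or of BIND itself. The NS host names dns1/dns2.local.intranet. and the SOA values are assumptions; the addresses and zone names are the thread's.

```python
# Added example, not code from the thread or BIND: a model of the query path the
# thread discusses. The closest authoritative zone answers first; a "type forward"
# zone (kept in BIND's forward table, not the zone table) is consulted only after a
# referral. Addresses/zone names are the thread's; NS names and SOA are constructed.
# Constructed 10.in-addr.arpa zone data, one record per line: owner type rdata.
ZONE_NO_DELEGATION = """\
@     SOA  ns.intranet. hostmaster.intranet. 1 3600 900 604800 300
@     NS   ns.intranet.
"""
# Mark's fix: delegate 11.2 (10.2.11.0/24) to the servers holding the DHCP names.
ZONE_WITH_DELEGATION = ZONE_NO_DELEGATION + """\
11.2  NS   dns1.local.intranet.
11.2  NS   dns2.local.intranet.
"""
# Forward table as named.conf builds it: the forward zone for the /24, plus
# Mark's "forwarders { /* empty */ };" on the master zone (no forwarding there).
FORWARD_TABLE = {
    "11.2.10.in-addr.arpa": ["192.168.1.23", "192.168.1.24"],
    "10.in-addr.arpa": [],
}

def parse_zone(origin, text):
    """Return {owner: [(type, rdata), ...]} with fully qualified owner names."""
    records = {}
    for line in text.strip().splitlines():
        owner, rtype, rdata = line.split(None, 2)
        name = origin if owner == "@" else f"{owner}.{origin}"
        records.setdefault(name, []).append((rtype, rdata))
    return records

def closest_match(table, qname):
    """Most specific (longest suffix) match of qname against a dict of names."""
    labels = qname.split(".")
    return next((".".join(labels[i:]) for i in range(len(labels))
                 if ".".join(labels[i:]) in table), None)

def authoritative_lookup(records, origin, qname, qtype):
    """Answer from zone data alone: NOERROR, NODATA, NXDOMAIN or REFERRAL."""
    labels = qname.split(".")
    for i in range(len(labels)):  # a delegation at or above qname, below the apex?
        name = ".".join(labels[i:])
        if name == origin:
            break
        if any(t == "NS" for t, _ in records.get(name, [])):
            return "REFERRAL", [r for t, r in records[name] if t == "NS"]
    if qname in records:
        rrs = [r for t, r in records[qname] if t == qtype]
        return ("NOERROR" if rrs else "NODATA"), rrs
    # Empty non-terminal (2.10.in-addr.arpa once 11.2 has NS): exists, so NODATA.
    if any(owner.endswith("." + qname) for owner in records):
        return "NODATA", []
    return "NXDOMAIN", []

def resolve(zone_table, qname, qtype="PTR", forward_table=FORWARD_TABLE):
    """Zone table first; forwarding only after a referral starts recursion."""
    origin = closest_match(zone_table, qname)
    if origin is None:
        return "RECURSE", []
    rcode, data = authoritative_lookup(zone_table[origin], origin, qname, qtype)
    if rcode != "REFERRAL":
        return rcode, data  # an authoritative NXDOMAIN is final: nothing is forwarded
    entry = closest_match(forward_table, qname)
    if entry and forward_table[entry]:
        return "FORWARDED", forward_table[entry]
    return "ITERATE", data  # empty forwarders: follow the delegation's NS itself
```

Passing `forward_table={"10.in-addr.arpa": []}` shows what happens once the forward zone for the /24 is dropped entirely: the referral is followed iteratively via the delegation NS records instead.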