Re: Reverse Zone, Can It Be One Big Class B?

2017-12-01 Thread Tony Finch
Ray Bellis  wrote:
>
> The main thing you may wish to consider is whether you ever wish to
> DNSSEC sign your reverse zones.
>
> If you do, the zone cut on the parent name servers (which is where the
> DS records would be) must match the zone cut on your own servers, which
> would contain the DNSKEY records.

Not just DNSSEC - it's also important for negative responses.

If your authoritative server has a zone for 0.192.in-addr.arpa but a
resolver is expecting the zone cut to belong to 2.0.192.in-addr.arpa
then it won't be able to parse negative responses according to RFC 2308.
In this situation the BIND resolver will treat it as a FORMERR and reject
the response.

> So, if your RIR has delegated a single /16 part of .in-addr.arpa to you,
> and you currently split that into /24 zones yourself, you'd be fine.
> If, OTOH, your RIR can only delegate at the /24 boundary, you'd have to
> maintain your zone cuts at that boundary too.

You can use DNAME to consolidate the PTR records into one big zone - see
https://tools.ietf.org/html/draft-fanf-dnsop-rfc2317bis

This works best if you can put the DNAME records in the parent zone, but
if you can't, you might still prefer to have several nearly-empty static
zones and one big active zone, rather than lots of little active zones.

Tony.
-- 
f.anthony.n.finch    http://dotat.at/  -  I xn--zr8h punycode
Thames: Northeast 5 to 7, becoming variable 3 or 4 later. Moderate or rough,
becoming slight or moderate. Squally showers. Good, occasionally moderate.
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
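As an added illustration of the DNAME consolidation Tony mentions (this is example code written for this page, not code from the thread or from the draft), the snippet below models the layout the suggestion implies: the parent 0.192.in-addr.arpa zone holds one DNAME per /24, and all PTR records live in a single "big active" zone. The zone contents, the target names under ptr.example.net and the /24-per-DNAME layout are constructed assumptions; the substitution rule itself follows RFC 6672, which only redirects names strictly below the DNAME owner, never the owner itself.

```python
"""Added example (not from the bind-users thread): DNAME-based reverse-zone
consolidation simulated with RFC 6672 substitution rules.
All zone data below is constructed for illustration."""
import ipaddress
from typing import Optional, Tuple

# Parent zone 0.192.in-addr.arpa: one DNAME per /24 (constructed assumption).
PARENT_ZONE = {
    "1.0.192.in-addr.arpa.": "1.ptr.example.net.",
    "2.0.192.in-addr.arpa.": "2.ptr.example.net.",
}

# One big active zone ptr.example.net holding every PTR (constructed assumption).
BIG_ZONE = {
    "10.2.ptr.example.net.": "www.example.net.",
    "20.1.ptr.example.net.": "mail.example.net.",
}


def reverse_name(ip: str) -> str:
    """in-addr.arpa owner name for an IPv4 address, as a fully qualified name."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def apply_dname(qname: str, dnames: dict) -> str:
    """RFC 6672 substitution: if qname is a proper subdomain of a DNAME owner,
    replace the owner suffix with the DNAME target. The owner name itself is
    not redirected, and the longest (closest) owner wins."""
    labels = qname.rstrip(".").split(".")
    # i starts at 1 so the owner is always a strict ancestor of qname.
    for i in range(1, len(labels)):
        owner = ".".join(labels[i:]) + "."
        if owner in dnames:
            return ".".join(labels[:i]) + "." + dnames[owner]
    return qname


def resolve_ptr(ip: str) -> Tuple[str, Optional[str]]:
    """Follow the synthesized CNAME into the big zone and return
    (name actually looked up, PTR target or None)."""
    qname = reverse_name(ip)
    target = apply_dname(qname, PARENT_ZONE)
    return target, BIG_ZONE.get(target)


def render_parent_dnames(dnames: dict) -> str:
    """Zone-file lines for the DNAME records in the parent zone."""
    return "\n".join(f"{owner} IN DNAME {target}" for owner, target in dnames.items())


if __name__ == "__main__":
    print(render_parent_dnames(PARENT_ZONE))
    for address in ("192.0.2.10", "192.0.1.20", "192.0.3.7"):
        print(address, "->", resolve_ptr(address))
```

Note that 192.0.3.7 has no DNAME covering its /24, so the lookup stays in the in-addr.arpa namespace and finds nothing: each /24 you want served from the big zone needs its own DNAME in the parent.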


Re: Reverse Zone, Can It Be One Big Class B?

2017-11-30 Thread Ray Bellis
On 30/11/2017 22:13, Reineman, Rick wrote:
> The subject is a little off, I have a Class B network masked down to
> a bunch of Class C networks.
> 
> I am replacing an old DNS service where they configured it as one
> might expect with one reverse mapping file per network.  So we have
> many of these files.
> 
> I don't see any reason why I can't treat my reverse mapping file as
> if it were all Class B addresses.  So one big reverse mapping file
> just like my forward mapping file.  This would make management of the
> reverse mapping file much easier.
> 
> This is a smallish internal network, about 900 hosts or so.  We're
> doing no delegation.
> 
> So my question is, is there a good reason why I should not do this?
> It's been a while since I had a DNS project and have never managed it
> on a Class B with Class C masked networks before.

The main thing you may wish to consider is whether you ever wish to
DNSSEC sign your reverse zones.

If you do, the zone cut on the parent name servers (which is where the
DS records would be) must match the zone cut on your own servers, which
would contain the DNSKEY records.

So, if your RIR has delegated a single /16 part of .in-addr.arpa to you,
and you currently split that into /24 zones yourself, you'd be fine.

If, OTOH, your RIR can only delegate at the /24 boundary, you'd have to
maintain your zone cuts at that boundary too.

Ray
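Both Ray's point (DS in the parent must sit at the same cut as the DNSKEY in your zone) and Tony's point (a resolver parses negative responses against the zone cut it already knows) reduce to one check: does the apex of the zone you serve coincide with the delegation point in the parent? The example below, written for this page rather than taken from the thread or from BIND, models that check and the RFC 2308 consistency rule Tony describes; the zone names reuse the 0.192.in-addr.arpa and 2.0.192.in-addr.arpa names from the thread, and the exact acceptance rule is an assumption that mirrors the described behaviour rather than BIND's code.

```python
"""Added example (not from the bind-users thread): check that the zone cuts
a parent delegates match the apexes an authoritative server actually serves,
and model the RFC 2308 negative-response consistency rule.
Names below are constructed for illustration."""
from typing import Dict, Iterable, Optional, Set


def is_ancestor_or_equal(ancestor: str, name: str) -> bool:
    """True if `ancestor` is `name` or a parent of it (names fully qualified)."""
    if ancestor == ".":
        return True
    return name == ancestor or name.endswith("." + ancestor)


def closest_zone(name: str, apexes: Set[str]) -> Optional[str]:
    """Longest apex in `apexes` that encloses `name`, or None if none does."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels) + 1):
        candidate = ".".join(labels[i:]) + "."   # i == len(labels) yields "."
        if candidate in apexes:
            return candidate
    return None


def check_zone_cuts(parent_cuts: Iterable[str], our_apexes: Set[str]) -> Dict[str, bool]:
    """For each delegation point in the parent, report whether we serve a zone
    with exactly that apex. A False entry means the parent's DS record and our
    DNSKEY would live at different names, and negative responses for names
    under that cut would carry an SOA from the wrong zone."""
    return {cut: closest_zone(cut, our_apexes) == cut for cut in parent_cuts}


def negative_response_ok(qname: str, expected_cut: str, soa_owner: str) -> bool:
    """Model of the resolver-side check: the SOA in an NXDOMAIN/NODATA answer
    must name qname's closest enclosing zone, so it has to be at or below the
    cut the resolver expects and at or above qname. An SOA for a zone above
    the expected cut (0.192... when 2.0.192... was delegated) fails."""
    return (is_ancestor_or_equal(expected_cut, soa_owner)
            and is_ancestor_or_equal(soa_owner, qname))


if __name__ == "__main__":
    # Ray's good case: RIR delegated the /16, we split it into /24s ourselves.
    ours = {"0.192.in-addr.arpa.", "1.0.192.in-addr.arpa.", "2.0.192.in-addr.arpa."}
    print(check_zone_cuts(["0.192.in-addr.arpa."], ours))
    # Ray's OTOH case: parent can only delegate /24s but we serve one /16 zone.
    print(check_zone_cuts(["1.0.192.in-addr.arpa.", "2.0.192.in-addr.arpa."],
                          {"0.192.in-addr.arpa."}))
    # Tony's FORMERR scenario: resolver expects the cut at 2.0.192, SOA says 0.192.
    print(negative_response_ok("99.2.0.192.in-addr.arpa.",
                               "2.0.192.in-addr.arpa.", "0.192.in-addr.arpa."))
```

For Rick's situation (no delegation at all, a purely internal resolver and authoritative setup) the parent-side cut is whatever the internal resolvers are configured to expect, so the same check applies to any stub or forward zones they carry.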


Reverse Zone, Can It Be One Big Class B?

2017-11-30 Thread Reineman, Rick
The subject is a little off, I have a Class B network masked down to a bunch of 
Class C networks.

I am replacing an old DNS service where they configured it as one might expect 
with one reverse mapping file per network.  So we have many of these files.

I don't see any reason why I can't treat my reverse mapping file as if it were 
all Class B addresses.  So one big reverse mapping file just like my forward 
mapping file.  This would make management of the reverse mapping file much 
easier.

This is a smallish internal network, about 900 hosts or so.  We're doing no 
delegation.

So my question is, is there a good reason why I should not do this?  It's been 
a while since I had a DNS project and have never managed it on a Class B with 
Class C masked networks before.

Thanks,
Rick

~~
Rick Reineman
IDT Engineering, San Jose, Ca.
Senior UNIX Administrator

