Re: Reverse Zone, Can It Be One Big Class B?
Ray Bellis wrote:
>
> The main thing you may wish to consider is whether you ever wish to
> DNSSEC sign your reverse zones.
>
> If you do, the zone cut on the parent name servers (which is where the
> DS records would be) must match the zone cut on your own servers, which
> would contain the DNSKEY records.

Not just DNSSEC - it's also important for negative responses. If your authoritative server has a zone for 0.192.in-addr.arpa but a resolver is expecting the zone cut to belong to 2.0.192.in-addr.arpa then it won't be able to parse negative responses according to RFC 2308. In this situation the BIND resolver will treat it as a FORMERR and reject the response.

> So, if your RIR has delegated a single /16 part of .in-addr.arpa to you,
> and you currently split that into /24 zones yourself, you'd be fine.
> If, OTOH, your RIR can only delegate at the /24 boundary, you'd have to
> maintain your zone cuts at that boundary too.

You can use DNAME to consolidate the PTR records into one big zone - see https://tools.ietf.org/html/draft-fanf-dnsop-rfc2317bis

This works best if you can put the DNAME records in the parent zone, but if you can't, you might still prefer to have several nearly-empty static zones and one big active zone, rather than lots of little active zones.

Tony.
--
f.anthony.n.finch http://dotat.at/ - I xn--zr8h punycode
Thames: Northeast 5 to 7, becoming variable 3 or 4 later. Moderate or rough, becoming slight or moderate. Squally showers. Good, occasionally moderate.

___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
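Added example, not part of the thread: a sketch of the layout described in the reply above, where each /24 reverse zone stays at the delegated zone cut but holds only an apex DNAME, and one consolidated zone holds every PTR record. The target zone rev.example.com., the name server name, the TTL and SOA values, and the sample hosts are constructed assumptions.

```python
import ipaddress

def reverse_name(net):
    """in-addr.arpa zone name for an IPv4 network on an octet boundary."""
    net = ipaddress.ip_network(net)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def dname_rewrite(qname, owner, target):
    """DNAME substitution (RFC 6672): swap the owner suffix for the target."""
    if not qname.endswith("." + owner):
        return None
    return qname[: -len(owner)] + target

def build_zones(block, hosts, target, ns):
    """Return (stubs, big). stubs maps each /24 reverse zone name to its
    static zone text; big is the text of the one consolidated zone."""
    block = ipaddress.ip_network(block)
    # SOA/NS values are placeholders (assumed), shared by every zone here.
    apex = (f"@ 3600 IN SOA {ns} hostmaster.{target} 1 3600 900 604800 3600\n"
            f"@ 3600 IN NS {ns}\n")
    stubs, big = {}, [f"$ORIGIN {target}\n", apex]
    for ip in sorted(hosts, key=ipaddress.ip_address):
        if ipaddress.ip_address(ip) not in block:
            raise ValueError(f"{ip} is outside {block}")
        a, b, c, d = ip.split(".")
        zone = reverse_name(f"{a}.{b}.{c}.0/24")
        # The /24 zone keeps the cut the parent delegated; its only data is
        # an apex DNAME sending d.<zone> to d.c.<target>.
        stubs[zone] = f"$ORIGIN {zone}\n{apex}@ 3600 IN DNAME {c}.{target}\n"
        big.append(f"{d}.{c} 3600 IN PTR {hosts[ip]}\n")
    return stubs, "".join(big)

# Constructed sample data (not from the thread).
SAMPLE_HOSTS = {"192.0.3.9": "b.example.com.", "192.0.2.5": "a.example.com."}

if __name__ == "__main__":
    stubs, big = build_zones("192.0.0.0/16", SAMPLE_HOSTS,
                             "rev.example.com.", "ns1.example.com.")
    for text in stubs.values():
        print(text)
    print(big)
```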
Re: Reverse Zone, Can It Be One Big Class B?
On 30/11/2017 22:13, Reineman, Rick wrote:

> The subject is a little off, I have a Class B network masked down to
> a bunch of Class C networks.
>
> I am replacing an old DNS service where they configured it as one
> might expect with one reverse mapping file per network. So we have
> many of these files.
>
> I don't see any reason why I can't treat my reverse mapping file as
> if it were all Class B addresses. So one big reverse mapping file
> just like my forward mapping file. This would make management of the
> reverse mapping file much easier.
>
> This is a smallish internal network, about 900 hosts or so. We're
> doing no delegation.
>
> So my question is, is there a good reason why I should not do this?
> It's been awhile since I had a DNS project and have never managed it
> on a Class B with Class C masked networks before.

The main thing you may wish to consider is whether you ever wish to DNSSEC sign your reverse zones.

If you do, the zone cut on the parent name servers (which is where the DS records would be) must match the zone cut on your own servers, which would contain the DNSKEY records.

So, if your RIR has delegated a single /16 part of .in-addr.arpa to you, and you currently split that into /24 zones yourself, you'd be fine. If, OTOH, your RIR can only delegate at the /24 boundary, you'd have to maintain your zone cuts at that boundary too.

Ray
Reverse Zone, Can It Be One Big Class B?
The subject is a little off, I have a Class B network masked down to a bunch of Class C networks.

I am replacing an old DNS service where they configured it as one might expect with one reverse mapping file per network. So we have many of these files.

I don't see any reason why I can't treat my reverse mapping file as if it were all Class B addresses. So one big reverse mapping file just like my forward mapping file. This would make management of the reverse mapping file much easier.

This is a smallish internal network, about 900 hosts or so. We're doing no delegation.

So my question is, is there a good reason why I should not do this? It's been awhile since I had a DNS project and have never managed it on a Class B with Class C masked networks before.

Thanks,
Rick

~~
Rick Reineman
IDT Engineering, San Jose, Ca.
Senior UNIX Administrator