Delegating a Classless Reverse DNS Zone

[David Enns]

We are trying to delegate to one of our customers a block
of IP addresses that we currently have reverse DNS
pointing to us. I have tried several times with the wizard
to delegate the IP block but with no success. Here is what
I'm trying to do:

Zone 10.168.192.in-addr.arpa
delegate 192-223.10.168.192.in-addr.arpa or
delegate 192/27.10.168.192.in-addr.arpa

When I do a reverse dns lookup both of these fail to point
to our customers DNS servers.

delegate 192.10.168.192.in-addr.arpa

This has been successful.

This is a standard primary domain being transferred to 2
secondary DNS servers.

Thanks for your help

David

 

[Kevin D. Goodknecht Sr. [MVP]]

In

We are trying to delegate to one of our customers a block
of IP addresses that we currently have reverse DNS
pointing to us. I have tried several times with the wizard
to delegate the IP block but with no success. Here is what
I'm trying to do:


delegate 192-223.10.168.192.in-addr.arpa

Let's use this example, in the 10.168.192.in-addr.arpa. zone create a
delegation named "192-223" and point that delegation to the DNS your
delegating to.
The rest is done with Cnames on your part.

Create this Cname record in the 10.168.192.in-addr.arpa. zone:
192 CNAME 192.192-223.10.168.192.in-addr.arpa.
193 CNAME 193.192-223.10.168.192.in-addr.arpa
194 CNAME 194.192-223.10.168.192.in-addr.arpa.
So on and so on to:
223 CNAME 223.192-223.10.168.192.in-addr.arpa.

Now 192.10.168.192.in-addr.arpa points to the Cname
192.192-223.10.168.192.in-addr.arpa. and so on.

Then have your customer create a reverse lookup zone named
192-223.10.168.192.in-addr.arpa with a 192 PTR record in it and its name.

 

[Ed Horley]

Kevin gave you the formal RFC 2317 way to delegate the IP space (spot on!).
Really you can also do this by creating a subdomain/subzone of your name
space and delegate that to the "customer" and build the files out in the
same format Kevin listed. Sometimes I think the RFC confuses a lot of folks
about what is happening because people don't understand that the "192-223"
listed in Kevin's example is simply a subdomain/subzone. For instance, if
your domain name was "example.com" you could do:

; delegate customer.example.com to your customers name servers
customer.example.com. NS ns1.customer.com
customer.example.com. NS ns2.customer.com

; in your reverse file for the IP address block simple create the CNAME
entries like
192 CNAME 192-168-10-192.customer.example.com
193 CNAME 192-168-10-193.customer.example.com
....

; your customer simply builds out on their name server a zone file for
customer.example.com.
; in the file they put:
192-168-10-192 PTR something.foo.bar.
192-168-10-193 PTR another.foo.bar.
....

Not the best example in the world I suppose but it really is to show that to
do sub /24 delegation it is really just a subdomain/subzone delegation using
CNAME entries to point to the subdomain/subzone (which happens to be hosted
on a different name server).

Great thing about this method is that you are still in control of the
reverse entries. If the relationship with the customer goes away simple
remove the CNAME entries and the delegation of the subdomain/subzone and you
can build regular PTR entries.

Hope that helps. Either that or I just confused a lot of folks ;-)

Ed Horley - MVP Windows Server - Networking

 

[Kevin D. Goodknecht Sr. [MVP]]

In

Kevin gave you the formal RFC 2317 way to delegate the IP
space (spot on!). Really you can also do this by creating
a subdomain/subzone of your name space and delegate that
to the "customer" and build the files out in the same
format Kevin listed. Sometimes I think the RFC confuses
a lot of folks about what is happening because people
don't understand that the "192-223" listed in Kevin's
example is simply a subdomain/subzone. For instance, if
your domain name was "example.com" you could do:

; delegate customer.example.com to your customers name
servers customer.example.com. NS ns1.customer.com
customer.example.com. NS ns2.customer.com

; in your reverse file for the IP address block simple
create the CNAME entries like
192 CNAME 192-168-10-192.customer.example.com
193 CNAME 192-168-10-193.customer.example.com
...

; your customer simply builds out on their name server a
zone file for customer.example.com.
; in the file they put:
192-168-10-192 PTR something.foo.bar.
192-168-10-193 PTR another.foo.bar.
...

Not the best example in the world I suppose but it really
is to show that to do sub /24 delegation it is really
just a subdomain/subzone delegation using CNAME entries
to point to the subdomain/subzone (which happens to be
hosted on a different name server).

Great thing about this method is that you are still in
control of the reverse entries. If the relationship with
the customer goes away simple remove the CNAME entries
and the delegation of the subdomain/subzone and you can
build regular PTR entries.

Hope that helps. Either that or I just confused a lot of
folks ;-)

Yes, reverse delegations confuse a lot of people, including me at first, but
if not done properly not only will it not work, if you have a mail server
that does reverse lookups the reverse lookups will fail. The reverse lookup
must first go to the parent DNS then back to the delegated zone. It was a
real trick for me the first time I did it, I just couldn't figure out how to
make it work and not cause a problem for internal machines. Then one day
watching a boring TV show the light just came on!

 

[Ace Fekay [MVP]]

In

Yes, reverse delegations confuse a lot of people, including me at
first, but if not done properly not only will it not work, if you
have a mail server that does reverse lookups the reverse lookups will
fail. The reverse lookup must first go to the parent DNS then back to
the delegated zone. It was a real trick for me the first time I did
it, I just couldn't figure out how to make it work and not cause a
problem for internal machines. Then one day watching a boring TV show
the light just came on!

Must have been a really bad TV show !! - Opera? After reading a couple
links, like this one here below (about the same as yours Kevin), and having
a previous SDSL line subnet delegated to me, found it wasn't that hard at
all. The ISP helped me back then too.

RE Reverse delegation - ISP-DNS Archive:
http://isp-lists.isp-planet.com/isp-dns/0209/msg00015.html


--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers
HAM AND EGGS: A day's work for a chicken;
A lifetime commitment for a pig.

 

[Jonathan de Boyne Pollard]

DE> We are trying to delegate to one of our customers a block of IP
DE> addresses that we currently have reverse DNS pointing to us.

It is not possible for your content DNS servers to delegate the same
delegation point in the DNS namespace tree that is delegated to your
content DNS servers in the first place.

DE> Zone 10.168.192.in-addr.arpa

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/dont-obscure-your-dns-data.html>

DE> delegate 192-223.10.168.192.in-addr.arpa
DE> or
DE> delegate 192/27.10.168.192.in-addr.arpa

<URL:http://homepages.tesco.net./~J.deBoynePollard/FGA/avoid-rfc-2317-delegation.html>

DE> delegate 192.10.168.192.in-addr.arpa
DE>
DE> This has been successful.

Do that, then.