Networking Forums

DNS -- reverse zone delegation on a CIDR subnet

Vwaju
11-11-2008, 07:35 PM
Hello Again, Friends!

I am running BIND9 on Debian Linux 3.1 on a Dell Dimension 4100
desktop.

I need some help getting conceptual clarity on reverse zone
delegation.

The terms "registration" and "delegation" seem to be used
interchangeably in the literature. Do they mean the same thing, or
are they different?

The forward zone delegation for my domain is taken care of by the
registrar of my domain (Lunarpages).

However, I believe the delegation of the reverse zone has to be done
by my ISP (different from the domain registrar, in my case).

Is that correct?

To date, my ISP (RCN, which holds a monopoly in our building) has not
been helpful. (They wouldn't even tell me the static IP address that
I'm paying them for until I called their Department of Corporate
Escalations.) Consequently, I don't want to discuss reverse zone
delegation with them until I have a pretty good understanding of what
I need them to do.

I have a static IP address from my ISP (RCN) which has provided me
with the following address information:

static IP address: 207.237.37.110
netmask: 255.255.255.224
network: 207.237.37.96
broadcast: 207.237.37.127
gateway: 207.237.37.97
ns1.dns.rcn.net: 207.172.3.8
ns2.dns.rcn.net: 207.172.3.9

An ARIN database search shows that 207.237.37.96 is a subnet of
the CIDR network 207.237.0.0/16:

http://ws.arin.net/whois/?queryinput=207.237.37.96

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Here is the current delegation of my reverse zone (querying not my own
nameserver but RCN's):

% nslookup -type=any 207.237.37.110 ns1.dns.rcn.net

Server: ns1.dns.rcn.net
Address: 207.172.3.8#53

Non-authoritative answer:
110.37.237.207.in-addr.arpa name = 207-237-37-110.c3-0.nyr-ubr2.nyr.ny.static.cable.rcn.com.

Authoritative answers can be found from:
37.237.207.in-addr.arpa nameserver = auth4.dns.rcn.net.
37.237.207.in-addr.arpa nameserver = auth2.dns.rcn.net.
37.237.207.in-addr.arpa nameserver = auth3.dns.rcn.net.
37.237.207.in-addr.arpa nameserver = auth1.dns.rcn.net.
auth1.dns.rcn.net internet address = 207.172.3.20
auth2.dns.rcn.net internet address = 207.172.11.14
auth3.dns.rcn.net internet address = 207.172.3.21
auth4.dns.rcn.net internet address = 207.172.3.22
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

All the material I have read on DNS configuration ("DNS and BIND",
"Linux System Administration") starts from the assumption that you
have authority delegated for a whole subnet. The subnet is identified
in named.conf, and the hosts within the subnet are identified in PTR
records in the reverse zone file. I don't have a subnet -- just a
static IP address on a subnet that my RCN is operating. RCN is not
going to delegate the whole subnet to me, so I don't know how I would
handle this case.

From reading the DNS HOWTO http://tldp.org/HOWTO/DNS-HOWTO-5.html
("You've Got a Classless Subnet"), I learned that configuring a
reverse lookup for a classless subnet is tricky, and that my ISP may
not know how to do it. Unfortunately, the hyperlink "Ask Mr. DNS"
http://www.acmebw.com/askmrdns/00007.htm which is supposed to explain
how to configure a reverse lookup for a classless subnet is broken, so
I can't read what appears to be very important material on this topic.

Does anyone happen to have access to the contents of "Ask Mr. DNS"?
Alternatively, is there another source on this topic?

Thanks, as always, for your insights.

Best Regards,

Vwaju
New York City
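The "classless subnet" case this post asks about (the DNS HOWTO section and the unreachable "Ask Mr. DNS" page) is what RFC 2317 describes: the ISP keeps the /24 reverse zone, delegates a sub-/24 block by giving it a zone name of its own, and points each address at that zone with a CNAME. The script below is an added example, not code from this thread or from any of the posters. It builds both halves for the /27 quoted above: RCN's side (an NS record plus one CNAME per address in 37.237.207.in-addr.arpa) and the customer's side (PTR records in the delegated 96/27 zone), and then follows the CNAME hop the way a resolver would. The delegation to jupiter.obliqueuniverse.org is hypothetical (as the replies explain, RCN never delegated the block) and the PTR mapping is a constructed sample.

```python
import ipaddress

# Values from the thread. The delegation is hypothetical; the PTR map is a constructed sample.
BLOCK = "207.237.37.96/27"
CUSTOMER_NS = ["jupiter.obliqueuniverse.org"]
PTRS = {"207.237.37.110": "jupiter.obliqueuniverse.org"}


def _block(cidr):
    """Split a sub-/24 block into (delegated zone name, parent /24 zone, network).
    RFC 2317 suggests a '/' in the label (96/27); '96-127' is a common alternative
    for software that dislikes the slash, and works identically."""
    net = ipaddress.IPv4Network(cidr, strict=True)   # rejects host bits set
    if not 25 <= net.prefixlen <= 31:
        raise ValueError("classless delegation is for blocks between /25 and /31")
    o1, o2, o3, first = net.network_address.packed
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa"
    return f"{first}/{net.prefixlen}.{parent}", parent, net


def classless_zone_name(cidr):
    """e.g. 207.237.37.96/27 -> 96/27.37.237.207.in-addr.arpa"""
    return _block(cidr)[0]


def parent_zone_records(cidr, ns_names):
    """What the ISP adds to its /24 reverse zone: the NS delegation for the
    classless sub-zone and one CNAME per address pointing into it."""
    child, parent, net = _block(cidr)
    records = [(f"{child}.", "NS", f"{ns}.") for ns in ns_names]
    for addr in net:
        host = int(addr) & 0xFF
        records.append((f"{host}.{parent}.", "CNAME", f"{host}.{child}."))
    return records


def child_zone_records(cidr, ns_names, ptrs):
    """The customer's own zone: NS for the zone itself plus PTRs named by
    last octet. Addresses outside the block are rejected."""
    child, _parent, net = _block(cidr)
    records = [(f"{child}.", "NS", f"{ns}.") for ns in ns_names]
    for addr, host_name in ptrs.items():
        ip = ipaddress.IPv4Address(addr)
        if ip not in net:
            raise ValueError(f"{addr} is not in {cidr}")
        records.append((f"{int(ip) & 0xFF}.{child}.", "PTR", f"{host_name}."))
    return records


def render(records):
    """Zone-file style text, one record per line."""
    return "\n".join(f"{owner:<45} IN {rtype:<5} {rdata}" for owner, rtype, rdata in records)


def lookup_ptr(addr, parent_records, child_records):
    """Follow the path a resolver takes: the ordinary in-addr.arpa name is a
    CNAME in the ISP's zone, and the CNAME target is a PTR in the customer's
    zone. Returns the hostname, or None when either hop is missing. A missing
    CNAME on the ISP side means the address has no reverse name at all,
    whatever the customer publishes."""
    name = ipaddress.IPv4Address(addr).reverse_pointer + "."
    cnames = {o: r for o, t, r in parent_records if t == "CNAME"}
    ptrs = {o: r for o, t, r in child_records if t == "PTR"}
    target = cnames.get(name)
    return None if target is None else ptrs.get(target)


if __name__ == "__main__":
    parent = parent_zone_records(BLOCK, CUSTOMER_NS)
    child = child_zone_records(BLOCK, CUSTOMER_NS, PTRS)
    print("; ISP side, in 37.237.207.in-addr.arpa (first records only)")
    print(render(parent[:3]))
    print("; customer side, zone", classless_zone_name(BLOCK))
    print(render(child))
    print(lookup_ptr("207.237.37.110", parent, child))
</test>
assert classless_zone_name("207.237.37.96/27") == "96/27.37.237.207.in-addr.arpa"
parent = parent_zone_records(BLOCK, CUSTOMER_NS)
assert len(parent) == 33
assert parent[0] == ("96/27.37.237.207.in-addr.arpa.", "NS", "jupiter.obliqueuniverse.org.")
assert ("110.37.237.207.in-addr.arpa.", "CNAME", "110.96/27.37.237.207.in-addr.arpa.") in parent
assert ("95.37.237.207.in-addr.arpa.", "CNAME", "95.96/27.37.237.207.in-addr.arpa.") not in parent
child = child_zone_records(BLOCK, CUSTOMER_NS, PTRS)
assert ("110.96/27.37.237.207.in-addr.arpa.", "PTR", "jupiter.obliqueuniverse.org.") in child
assert lookup_ptr("207.237.37.110", parent, child) == "jupiter.obliqueuniverse.org."
assert lookup_ptr("207.237.37.111", parent, child) is None
assert lookup_ptr("207.237.37.110", [], child) is None
try:
    child_zone_records(BLOCK, CUSTOMER_NS, {"207.237.37.1": "x"})
    assert False
except ValueError:
    pass
try:
    classless_zone_name("207.237.37.0/24")
    assert False
except ValueError:
    pass
</test>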
 
Chris Davies
11-11-2008, 11:42 PM
Vwaju <(E-Mail Removed)> wrote:
> I need some help getting conceptual clarity on reverse zone
> delegation.


> The terms "registration" and "delegation" seem to be used
> interchangeably in the literature. Do they mean the same thing, or
> are they different?


Probably different, but like many words they can mean only what the
writer intends them to mean[*].


> The forward zone delegation for my domain is taken care of by the
> registrar of my domain (Lunarpages).


> However, I believe the delegation of the reverse zone has to be done
> by my ISP (different from the domain registrar, in my case).


Yes, that's correct. Your ISP "owns" the IP address space that you're
using, so it's up to them to create the rDNS entry for you.


> I have a static IP address from my ISP (RCN) which has provided me
> with the following address information:


> 110.37.237.207.in-addr.arpa name = 207-237-37-110.c3-0.nyr-ubr2.nyr.ny.static.cable.rcn.com.


Start with your preferred canonical forward DNS entry for your
server. Maybe it's server.manhattanhandyman.com.

Then you go to your ISP and say something along the lines of,
"please create an rDNS entry for my static IP, 207.236.37.110, of
server.manhattanhandyman.com. Here's the proof that I own that domain..."

You won't get (and shouldn't expect) delegation for a single IP address,
but you should be able to get them to create you an rDNS entry.

What you then do with your local DNS server is entirely up to you.
Personally I use gw.roaima.co.uk as a reference to my external IP address,
and everything else from my internal DNS refers to the 192.168.* networks
that I use internally. This means that (e.g.) www.roaima.co.uk resolves to
an internal address, whereas if you query it you'll see a public address.

Chris
[*] attributed to Humpty Dumpty
 
 
Vwaju
11-12-2008, 02:24 PM
On Nov 11, 7:42 pm, Chris Davies <chris-use...@roaima.co.uk> wrote:
> Vwaju <l...@manhattanhandyman.com> wrote:
> > I need some help getting conceptual clarity on reverse zone
> > delegation.
> > The terms "registration" and "delegation" seem to be used
> > interchangeably in the literature. Do they mean the same thing, or
> > are they different?

>
> Probably different, but like many words they can mean only what the
> writer intends them to mean[*].


My question was too abstract. Let me be more concrete:

My domain is obliqueuniverse.org, which I purchased from Lunarpages
(reseller for OpenSRS Reseller Services). My nameserver is running on
jupiter.obliqueuniverse.org, and I "registered" it with OpenSRS. As I
understand it, this means that the zone obliqueuniverse.org is now
"delegated" to my nameserver jupiter.obliqueuniverse.org. Would this
be correct?

> Here's the proof that I own that domain..."


Would supplying a link to the registration info at BetterWhoIs
constitute proof?

http://betterwhois.com/bwhois.cgi?do....org&x=33&y=10

> What you then do with your local DNS server is entirely up to you.
> Personally I use gw.roaima.co.uk as a reference to my external IP address,
> and everything else from my internal DNS refers to the 192.168.* networks
> that I use internally. This means that (e.g.) www.roaima.co.uk resolves to
> an internal address, whereas if you query it you'll see a public address.


Yes, this is what I am doing too.

Many thanks Chris, for your helpful remarks!

Best Regards,

Vwaju
New York City
 
 
Chris Davies
11-12-2008, 09:15 PM
Vwaju <(E-Mail Removed)> wrote:
> My domain is obliqueuniverse.org, which I purchased from Lunarpages
> (reseller for OpenSRS Reseller Services). My nameserver is running on
> jupiter.obliqueuniverse.org, and I "registered" it with OpenSRS. As I
> understand it, this means that the zone obliqueuniverse.org is now
> "delegated" to my nameserver jupiter.obliqueuniverse.org. Would this
> be correct?


Well. According to "whois" the three name servers are ns1.dns.rcn.net,
ns2.dns.rcn.net, and jupiter.obliqueuniverse.org. The two RCN servers
don't seem to know about your domain (or if they do, they're not telling),
and I can't query jupiter because I don't know what its address is. (And I
can't find out what jupiter's address is, unless I ask the nameserver for
obliqueuniverse.org. And I can't get that because it's within the domain.)

You need either to give RCN your DNS records and drop jupiter from the
list, or else put jupiter's IP address in the whois record and maybe
drop RCN. (You may find that the NS records require a name, in which
case you can't put jupiter.obliqueuniverse.org.)

This might be a good time to take a look at zoneedit.com, whose services
I have used for my own domain for the past several years, and which I
can thoroughly recommend.

Chris
 
 
Vwaju
11-13-2008, 05:55 PM
Hi, Chris --

> According to "whois" the three name servers are ns1.dns.rcn.net,
> ns2.dns.rcn.net, and jupiter.obliqueuniverse.org. The two RCN servers
> don't seem to know about your domain (or if they do, they're not telling),


I plan to ask RCN (or Lunarpages, which may be more cooperative) to
configure 1 or 2 of their nameservers as slave for my zone (with the
nameserver at jupiter.obliqueuniverse.org as primary). I didn't want
to do this until I got clear on the matter of reverse zone delegation
(the issue I began this thread with).

Thanks to your elucidation of reverse zone delegation, I think I'm
ready for that conversation.

> and I can't query jupiter because I don't know what its address is. (And I
> can't find out what jupiter's address is, unless I ask the nameserver for
> obliqueuniverse.org. And I can't get that because it's within the domain.)


Maybe I am more confused than I thought. The IP address of
jupiter.obliqueuniverse.org is 207.237.37.110. I registered my
nameserver running on jupiter.obliqueuniverse.org (along with the
nameservers from RCN) with OpenSRS (providing, of course, the IP
address for jupiter). Queries for obliqueuniverse.org are supposed to
query these servers in rotation. I understand that any query to the
RCN servers will fail until they are configured as slave for my zone.

However, this query

$ nslookup -type=ns org.

produces this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server: 192.168.2.2
Address: 192.168.2.2#53

Non-authoritative answer:
org nameserver = tld1.ultradns.net.
org nameserver = tld2.ultradns.net.
org nameserver = a0.org.afilias-nst.info.
org nameserver = b0.org.afilias-nst.org.
org nameserver = c0.org.afilias-nst.info.
org nameserver = d0.org.afilias-nst.org.

Authoritative answers can be found from:
d0.org.afilias-nst.org internet address = 199.19.57.1
tld1.ultradns.net internet address = 204.74.112.1
tld2.ultradns.net internet address = 204.74.113.1
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
and this query

$ nslookup -type=ns obliqueuniverse.org tld2.ultradns.net

produces this output:
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Server: tld2.ultradns.net
Address: 204.74.113.1#53

Non-authoritative answer:
*** Can't find obliqueuniverse.org: No answer

Authoritative answers can be found from:
obliqueuniverse.org nameserver = ns1.dns.rcn.net.
obliqueuniverse.org nameserver = jupiter.obliqueuniverse.org.
jupiter.obliqueuniverse.org internet address = 207.237.37.110
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Therefore, I thought all I had to do was get the RCN nameserver
configured as my backup (slave) server.

Is this wrong?

> You need either to give RCN your DNS records and drop jupiter from the
> list, or else put jupiter's IP address in the whois record and maybe
> drop RCN. (You may find that the NS records require a name, in which
> case you can't put jupiter.obliqueuniverse.org.)


Pending proper configuration of another nameserver as backup (slave)
to my zone, I just deleted the RCN servers from the registry at
OpenSRS. (I had thought that the registry would not accept *less
than* 2 nameservers, but this is not the case.) Based on the test
lookups above, it would seem to me that *now* a query on
obliqueuniverse.org from outside my network ought to give the IP
address 207.237.37.110.

Does it? If not, can you advise me as to the flaw in my thinking?

> This might be a good time to take a look at zoneedit.com, whose services
> I have used for my own domain for the past several years, and which I
> can thoroughly recommend.


I will keep this URL. However, I don't want to short-circuit this
valuable learning experience.

Thanks again, Chris, for engaging in this dialogue with me!

Best Regards,

Vwaju
New York City

 
 
Chris Davies
11-13-2008, 08:01 PM
Vwaju <(E-Mail Removed)> wrote:
> I plan to ask RCN (or Lunarpages, which may be more cooperative) to
> configure 1 or 2 of their nameservers as slave for my zone (with the
> nameserver at jupiter.obliqueuniverse.org as primary) [...]


Fine. We'll leave that out of the loop for now, then.


> Maybe I am more confused than I thought. The IP address of
> jupiter.obliqueuniverse.org is 207.237.37.110. I registered my
> namesever running on jupiter.obliqueuniverse.org (along with the
> nameservers from RCN) with OpenSRS (providing, of course, the IP
> address for jupiter).


Ah, you gave the IP address. That's good as it's needed for a "glue"
record in org. itself. (This resolves the circular argument.)

> $ nslookup -type=ns obliqueuniverse.org tld2.ultradns.net
> obliqueuniverse.org nameserver = ns1.dns.rcn.net.
> obliqueuniverse.org nameserver = jupiter.obliqueuniverse.org.
> jupiter.obliqueuniverse.org internet address = 207.237.37.110


That's also good and it confirms that org. knows about jupiter.UO.org


> Therefore, I thought all I had to do was get the RCN nameserver
> configured as my backup (slave) server.


That's correct.


> [...] it would seem to me that *now* a query on
> obliqueuniverse.org from outside my network ought to give the IP
> address 207.237.37.110.


It should, yes, provided you have got your name server configured
correctly on jupiter and it's able to respond to external queries.

As at 2054-2059 UTC (1554-1559 EST), I can't get any response from
your server:

dig @207.237.37.110 soa obliqueuniverse.org
dig @207.237.37.110 any obliqueuniverse.org

So, you need to check your firewall rules for 53/udp and 53/tcp and
confirm that bind is configured to respond to requests outside your
local network.

Chris
 
 
Vwaju
11-14-2008, 03:58 PM
Hi, Chris --

> As at 2054-2059 UTC (1554-1559 EST), I can't get any response from
> your server:
>
> dig @207.237.37.110 soa obliqueuniverse.org
> dig @207.237.37.110 any obliqueuniverse.org


Previously (as described above) querying the TLD nameserver listed the
jupiter and the RCN servers as authoritative. Yesterday, I deleted
the RCN servers from the registry (as noted above). Now, a query to
*any* of the TLD nameservers

% nslookup -type=ns -norecurse obliqueuniverse.org tld2.ultradns.net

produces output like this:

- - - - - - - - - - - - - - - - - - - - - -
Server: tld2.ultradns.net
Address: 204.74.113.1#53

** server can't find obliqueuniverse.org: NXDOMAIN
- - - - - - - - - - - - - - - - - - - - - -

The same dig queries that you did from outside my network also come up
empty from within my network.

When you add a nameserver to the registry, it takes 24-48 hours for it
to become part of the rotation. Is it possible that there is some
latency associated with *any change* to the registry?

> > [...] it would seem to me that *now* a query on
> > obliqueuniverse.org from outside my network ought to give the IP
> > address 207.237.37.110.

>
> It should, yes, provided you have got your name server configured
> correctly on jupiter and it's able to respond to external queries.


BIND is using the default configuration file, named.conf. This
morning, I edited the NS records so that *only* jupiter is queried,
and reloaded BIND. Is there something special I must do for BIND to
respond to *outside* queries?

> So, you need to check your firewall rules for 53/udp and 53/tcp and
> confirm that bind is configured to respond to requests outside your
> local network.
>


I am running Debian Linux 3.1 (debian-31r8-i38g-netinst.iso) on a Dell
Dimension 4100 desktop. This computer is connected by Ethernet cable
to the Internet through a Dell Truemobile 2300 Broadband Router (which
does NAT) and from there to a proprietary cable modem furnished by
RCN.

The Truemobile router has DHCP enabled, and it is configured to always
assign the IP address 192.168.2.2 to the host running BIND. Port
forwarding is configured to forward all DNS traffic (TCP and UDP)
directed to 207.237.37.110 (port 53) to 192.168.2.2 (port 53).

Thanks again for your help!

Best Regards,

Vwaju
New York City
 
 
Chris Davies
11-14-2008, 04:34 PM
Chris wrote:
>> As at 2054-2059 UTC (1554-1559 EST), I can't get any response from
>> your server:
>> dig @207.237.37.110 soa obliqueuniverse.org
>> dig @207.237.37.110 any obliqueuniverse.org


Vwaju <(E-Mail Removed)> wrote:
> Previously (as described above) querying TLD nameserver listed the
> jupiter and the RCN servers as authoritative. Yesterday, I deleted
> the RCN servers from the registry (as noted above). Now, a query to
> *any* of TLD nameservers


> % nslookup -type=ns -norecurse obliqueuniverse.org tld2.ultradns.net


> produces output like this:


> - - - - - - - - - - - - - - - - - - - - - -
> Server: tld2.ultradns.net
> Address: 204.74.113.1#53


> ** server can't find obliqueuniverse.org: NXDOMAIN
> - - - - - - - - - - - - - - - - - - - - - -


But they /do/ know about jupiter.OU.org:

dig +short jupiter.obliqueuniverse.org @tld1.ultradns.net
207.237.37.110


> When you add a nameserver to the registry, it takes 24-48 hours for it
> to become part of the rotation. Is it possible that there is some
> latency associated with *any change* to the registry?


Yes. That'll be the DNS TTL, which superficially appears to be 86400
seconds (24 hours).


>> So, you need to check your firewall rules for 53/udp and 53/tcp and
>> confirm that bind is configured to respond to requests outside your
>> local network.
>>


> I am running Debian Linux 3.1 (debian-31r8-i38g-netinst.iso) [...]


> The Truemobile router has DHCP enabled, and it is configured to always
> assign the IP address 192.168.2.2 to the host running BIND. Port
> forwarding is configured to forward all DNS traffic (TCP and UDP)
> directed to 207.237.37.110 (port 53) to 192.168.2.2 (port 53).


Ah. I can query with TCP but not with UDP. You need to check the rules
for your UDP forwarding on your firewall and/or router:

dig +short +tcp @207.237.37.110 ns obliqueuniverse.org
jupiter.obliqueuniverse.org.

Chris

PS "dig" is in the dnsutils package, and I'd recommend it over nslookup
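Chris's finding (TCP answers, UDP does not) is the classic symptom of a port-forward or firewall rule that covers only one transport, and the two dig runs above are the check for it. The script below is an added example, not code from this thread or from either poster: it hand-builds a DNS NS query, sends it once over UDP and once over TCP (with the two-byte length prefix TCP framing requires), verifies that the reply's transaction id matches the query, and reports which transport answered and what to look at when one is missing. It uses only the Python standard library; the server address and zone name come from the command line, and with no arguments it only parses a constructed sample reply, so it runs offline.

```python
import socket
import struct
import sys

QTYPE_NS, QTYPE_SOA = 2, 6      # the two record types queried with dig in the thread
QCLASS_IN = 1
TXID = 0x2317                   # arbitrary transaction id, checked again in the reply


def build_query(name, qtype=QTYPE_NS, txid=TXID):
    """Wire-format DNS query: 12-byte header plus one question. No recursion
    is requested because we are asking the authoritative server directly."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_header(resp, txid=TXID):
    """Validate and decode the reply header; raises ValueError for anything
    that is not a well-formed response to our own query."""
    if len(resp) < 12:
        raise ValueError("reply shorter than a DNS header")
    rid, flags, _qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    return {"rcode": flags & 0x000F, "aa": bool(flags & 0x0400),
            "tc": bool(flags & 0x0200), "answer": an,
            "authority": ns, "additional": ar}


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection early")
        buf += chunk
    return buf


def query_udp(server, payload, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(payload, (server, 53))
        data, _peer = s.recvfrom(4096)
    return data


def query_tcp(server, payload, timeout=3.0):
    # DNS over TCP prefixes every message with its 16-bit length (RFC 1035 4.2.2)
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(struct.pack("!H", len(payload)) + payload)
        (length,) = struct.unpack("!H", _recv_exact(s, 2))
        return _recv_exact(s, length)


def probe(server, name, qtype=QTYPE_NS):
    """Send the same query over both transports. Each entry is either the
    decoded reply header or a string saying why that transport got nothing."""
    payload = build_query(name, qtype)
    results = {}
    for transport, send in (("udp", query_udp), ("tcp", query_tcp)):
        try:
            results[transport] = parse_header(send(server, payload))
        except (OSError, ValueError) as exc:      # socket.timeout is an OSError
            results[transport] = f"no answer ({type(exc).__name__}: {exc})"
    return results


def diagnose(results):
    """Turn the pair of outcomes into the advice the thread arrives at."""
    udp_ok = isinstance(results["udp"], dict)
    tcp_ok = isinstance(results["tcp"], dict)
    if udp_ok and tcp_ok:
        return "both transports answer"
    if tcp_ok:
        return "TCP answers but UDP does not: check 53/udp forwarding and firewall rules"
    if udp_ok:
        return "UDP answers but TCP does not: check 53/tcp (zone transfers and large replies need it)"
    return ("no answer on either transport: check that the server listens on the "
            "public address and that both 53/udp and 53/tcp are allowed")


if __name__ == "__main__":
    if len(sys.argv) == 3:
        res = probe(sys.argv[1], sys.argv[2])
        for transport, outcome in res.items():
            print(f"{transport}: {outcome}")
        print(diagnose(res))
    else:
        # Offline demonstration with a constructed reply: QR and AA set, NOERROR, one answer.
        sample = struct.pack("!HHHHHH", TXID, 0x8400, 1, 1, 0, 0) + build_query("obliqueuniverse.org")[12:]
        print(parse_header(sample))
        print(diagnose({"udp": "no answer (timeout)", "tcp": parse_header(sample)}))
```

Run it against your own server as `python3 dns_transport_probe.py <server-ip> <zone>` (the file name is a placeholder); a UDP timeout next to a successful TCP reply reproduces exactly the situation Chris saw. The transaction-id check matters even for a diagnostic: a reply with the wrong id is discarded rather than trusted, which is the same rule a resolver applies.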
 
 
Vwaju
11-15-2008, 04:28 PM
> But they /do/ know about jupiter.OU.org:
>
>     dig +short jupiter.obliqueuniverse.org @tld1.ultradns.net
>     207.237.37.110


I'm puzzled by this. It would seem that the /only/ way that
tld1.ultradns.net (a TLD server for .org) could know about
jupiter.obliqueuniverse.org is because I registered it as the
nameserver for obliqueuniverse.org. However, I don't get any answer
either:

$ dig +short obliqueuniverse.org @tld1.ultradns.net
<silence>

And, tld1.ultradns.net /was/ giving an answer the day before yesterday
(before I removed the RCN servers from the registry, since they
are not configured as slaves yet).

I'm stumped.

> Ah. I can query with TCP but not with UDP. You need to check the rules
> for your UDP forwarding on your firewall and/or router:


Oops. I thought port forwarding was configured for DNS for both TCP
and UDP. Now it is.

>     dig +short +tcp @207.237.37.110 ns obliqueuniverse.org
>     jupiter.obliqueuniverse.org.


My version of dig doesn't seem to have a +udp option:

$ dig -h | grep tcp
+[no]tcp
$ dig -h | grep udp
<silence>

 
 
Chris Davies
11-21-2008, 11:06 AM
Vwaju <(E-Mail Removed)> wrote:
> Oops. I thought port forwarding was configured for DNS for both TCP
> and UDP. Now it is.


Looks like you've got the whole thing working now. I can resolve OU.org
"from the top" right down into things like www.OU.org.

Chris
 