Delegating /24's from a /19

Robert Bonomi bonomi at mail.r-bonomi.com
Tue Mar 15 20:40:08 UTC 2005


> From owner-nanog at merit.edu  Tue Mar 15 14:12:12 2005
> Date: Tue, 15 Mar 2005 15:12:10 -0500
> From: Robert Blayzor <rblayzor at inoc.net>
> To: alex at pilosoft.com
> Cc: Mike Sawicki <fifi at HAX.ORG>, nanog at merit.edu
> Subject: Re: Delegating /24's from a /19
>
>
> alex at pilosoft.com wrote:
> > Either by doing DNS delegation on the zone boundary or by SWIP'ing the 
> > space to the other company.
>
> You can SWIP it yes, but that won't help DNS on small blocks like /24's.
>
> > It is very easy to do DNS delegation, say if you have 128.0.0.0/19, and 
> > you want to delegate 128.0.1.0/24, in your zone file for 
> > 0.128.in-addr.arpa zone put 
> > 
> > 1 IN	NS	ns1.othercompany.com
> > 1 IN	NS	ns2.othercompany.com
>
> The only way it will work is to use RFC2317 or slave the zones from the
> other name server.  Because he does not have the entire /16 you can't
> just delegate like that.

OK, what am I missing?

*ASSUMPTION*:
  The holder of the /16 _has_ delegated rDNS for the 32  /24s to the /19 owner.

The /19 owner can, on it's nameserver, run an "authoritative" zone for
the /16 -- with _its_ /24s listed explicitly, and a wildcard pointing 
back to the rDNS nameserver of the /16 owner.

"He who" queries from the outside world will work their way down from the
.arpa zone, to the  X.W.in-addr.arpa  zone, get referred to the nameserver
at "thiscompany", and get referred to the NS listed for Y.X.W.in-addr.arpa.
which will resolve  Z.Y.X.W.in-addr.arpa.

"He who" queries the /19 owner nameserver directly for a Y.X.W.in-addr.arpa 
address that lies within the /19 owner's addresses will get answered by
that nameserver, *or* be referred to the client's server. If they ask for
something *outside* the  /19 owner's space, the wildcard -- referring to
the 'upstream' (the /16 owner) nameserver kicks in.

_AS_LONG_AS_ the 'delegated to' nameserver has the wildcard in it pointing
back to the 'parent' nameserver, this seems to work just fine. Admittedly,
if the upstream block owner changes the _name_ of it's nameserver(s), the
'delegated to' nameserver  requires manual tweaking, but, realistically,
"how often" does _that_ happen?





More information about the NANOG mailing list