Delegating /24's from a /19

Wed Mar 16 04:45:05 UTC 2005


> >> Um, why?
> >
> > 	Firstly he does NOT have authority for the /16 reverse.  Lots
> > 	of latent problems there.
> 
> Nor is he claiming it.  Nowhere on the internet is there anything saying
> that the entire /16 should be looked up against his nameserver.  No=20
> reference
> should exist pointing to his nameserver as authoritative for the /16.
> The convenience of having a zone file that is based on a /16 that he owns
> part of does not create authority out of thin air, nor does it make any
> meaningful claim to authority except to a system which (mistakenly) =
> attempts
> to use those nameservers as resolvers.  Yes, if you are going to do this, =
> it
> is a prerequisite that your nameserver _NOT_ be anyone's resolver.
> 
> > 	Secondly sideways delegations don't work.
> 
> Huh?  I'm not sure what you mean by "sideways delegations".  It is
> perfectly acceptable, for example, for:
> 
> a.root-servers.net returns 16.172.in-addr.arpa. IN NS ns1.arin.net.
> ns1.arin.net returns 124.16.172.in-addr.apra. IN NS ns1.foobar.com.
> ns1.foobar.com. returns 124.16.172.in-addr.arpa. IN NS ns1.subsidiary.com.
> ns1.subsidiary.com. returns 5.124.16.172.in-addr.arpa. IN PTR=20
> foo.subsidiary.com.

	Actually it isn't.  Nameservers can and do detect this as it
	looks like a classic lame delegation.  It also a sideways
	delgation, the zone depth didn't impove between ns1.foobar.com
	and ns1.subsidiary.com.

> This does work.  This is what is being proposed.
> 
> > 	Thirdly I'm sick and tired of having to debug stupid
> > 	schemes ISP's come up with to try to avoid SWIPing the
> > 	nameservers in situations like this.  They don't work
> > 	or they don't meet the customers expectations (i.e.
> > 	they have a /24 and should just be able to use x.y.z.in-addr.arpa
> > 	and have it work reliably).
> >
> So don't debug them.  As long as ARIN has all of the /24s within the /19
> pointing as NS records to the nameserver which contains the partially
> populated /16 zone file (or which secondaries each of the relevant /24 =
> zones
> from their true owners), things work just fine.  Nothing really to debug.

	Well when you have a bug report saying that your nameserver
	doesn't work because someone tried to do a sideways delegation
	you have to go in there and show what is broken.

	This is not expected to work.
 
> > 	Delegation is the DNS is strictly hierachical.
> >
> I don't see where the above breaks this.
> 
> > 	You either SWIP the new servers or you slave the zones
> > 	from the customer.  In both cases you are following the
> > 	delegation heirarchy.  Note even if you slave the zones
> > 	you still have to ensure the delegation is correct.
> >
> I guess we will have to agree to disagree on this.  I will point out that
> the above solution is working in a number of networks without problem.
> Sure, if you screw it up, it doesn't work.  That's true of DNS generally.
> 
> Owen
> 
> P.S.  Learn to trim quotations.
> 
> 
> --=20
> If this message was not signed with gpg key 0FE2AA3D, it's probably
> a forgery.
> 
> --==========63ACF217CA8F895998F9==========
> Content-Type: application/pgp-signature
> Content-Transfer-Encoding: 7bit
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.3 (Darwin)
> 
> iD8DBQFCN7SEn5zKWQ/iqj0RAtK5AJ4pagTb5Ei+uMqGf9ob9RfSHJFWnQCghs2K
> Ltjk1dF5GCdssFNx1KiczoQ=
> =Se+y
> -----END PGP SIGNATURE-----
> 
> --==========63ACF217CA8F895998F9==========--
> 
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: Mark_Andrews at isc.org