LinuxQuestions.org


navigat0 10-20-2009 06:02 PM

Sanity Check DNS Reverse Zone Config
 
I'd like to have a sanity check on some reverse zones. Note that A.B.C.0/24 is a classful (C) network and I.J.K.128/27 is a classless network. Problem is that PTR lookups for the two reverse zones are failing (dnsstuff DNS traversal says there are no PTR records). named-checkzone passes the zones, and local lookups seem to work fine. Inconsistent results can be found across the internet.

Thanks!


named.conf:
# ACL Entries for Zone Control

acl NSlist {
A.B.C.D; // ns1
E.F.G.H; // ns3
};

options {
directory "/var/named/data/";
// version statement - inhibited for security.
version "Would you like fries with that?";
pid-file "/var/run/named/named.pid";
statistics-file "/var/run/named.stats";
dump-file "/var/named/named.dump";
// Specifies which hosts are allowed to query this nameserver. Any is a pre-defined ACL.
allow-query { any;};
// Transfer security is defined in zone clauses.
allow-transfer {"none";};
// Disables all recursive queries
allow-recursion {none;};
};

key "rndc-key" {
algorithm hmac-md5;
secret "dyxNSsjrGChgEjGKMDbqjC";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "."{
type hint;
file "named.ca";
};
zone "0.0.127.in-addr.arpa"{
type master;
file "named.local";
notify no;
};
# Reverse Lookup Zone for Office A
zone "C.B.A.in-addr.arpa"{
type master;
file "db.A.B.C";
allow-transfer {localhost;NSlist;};
};

# Reverse Lookup Zone for Office B
zone "K.J.I.in-addr.arpa"{
type master;
file "db.I.J.K";
allow-transfer {localhost;NSlist;};
};
# Forward Lookup Zone A.com
zone "A.com"{
type master;
file "A.com";
allow-transfer {localhost;NSlist;};
};


ZONE FILE db.A.B.C:
; in-addr file for A.B.C.0/24
$TTL 43200
@ IN SOA ns2.A.com. dnsadmin.A.com. (
2009101501 ; serial, today's date plus increment
21600 ; refresh, seconds
1800 ; retry, seconds
1209600 ; expire, seconds
72000 ) ; minimum, seconds

@ IN NS ns1.A.com.
@ IN NS ns2.A.com.
@ IN NS ns3.A.com.


; Pointer Records
25 IN PTR mail1.A.com.

ZONE FILE db.I.J.K:
; in-addr file for I.J.K.128/27
$TTL 43200
@ IN SOA ns2.A.com. dnsadmin.A.com. (
2009101701 ; serial, today's date plus increment
21600 ; refresh, seconds
1800 ; retry, seconds
1209600 ; expire, seconds
72000 ) ; minimum, seconds

@ IN NS ns2.A.com.
@ IN NS ns1.A.com.
@ IN NS ns3.A.com.

137 IN PTR mail2.A.com.
138 IN PTR mail3.A.com.

MensaWater 10-21-2009 10:53 AM

Did you have your network provider or ISP (e.g. AT&T) delegate the reverse to you by providing them with your DNS server(s) information?

That is a separate task from getting your domain Registrar (e.g. Network Solutions) to point to your DNS servers for the forward lookups. This only provides for the forward lookups whereas above provides for the reverse.

It might be instructive to look at which server DNSStuff queried to see if it is that of your network provider.

navigat0 10-21-2009 11:09 AM

Thanks for the reply, jlightner.

Yes I have had the ISP delegate the classless zones to my nameservers.

We believe the issue may be around the configuration of the records in the reverse zone for the classless net block. So as I'm learning, I'm looking for someone to look at the necessary changes and say - "yep that's it, you're configured properly".

I made changes to handle the CNAME lookups that are used to resolve PTR records in classless net blocks.

In zone K.J.I.in-addr.arpa I added the line:
138.K.J.I.in-addr.arpa. IN CNAME 138.K.J.I.A.com.

and in the forward zone for A.com I added the line:
138.K.J.I.A.com. IN PTR mail3.A.com.

I was unaware that you could use a PTR record in a forward lookup zone, but since classless reverse lookups use CNAMEs to get around non-octet boundaries (aka classless IP delegation), it does kind of make sense.

There aren't many examples out there - did I do it correctly?

Thanks again!
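The RFC 2317 record pairs the two posts describe, as an added example that is not part of the thread: it uses 192.0.2.128/27 (an RFC 5737 documentation range) as a constructed stand-in for I.J.K.128/27, generates the CNAMEs the ISP must publish in the parent /24 reverse zone (the delegation MensaWater asks about) alongside the PTRs the delegate publishes, either in the conventional 128/27 child zone or, as the second post does, under a label of the forward zone, and rejects a reverse owner name that falls outside the delegated block. The zone name "2.0.192.A.com." mirrors the post's "K.J.I.A.com." and is an assumption.

```python
import ipaddress

# Constructed stand-in for the thread's I.J.K.128/27 (RFC 5737 documentation range).
EXAMPLE_BLOCK = "192.0.2.128/27"

def parent_zone(network):
    """ISP-held /24 reverse zone for the block, e.g. '2.0.192.in-addr.arpa.'."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 is for IPv4 blocks smaller than a /24")
    octets = str(net.network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa."

def rfc2317_child_zone(network):
    """RFC 2317's conventional delegate zone, e.g. '128/27.2.0.192.in-addr.arpa.'."""
    net = ipaddress.ip_network(network, strict=True)
    first = str(net.network_address).split(".")[3]
    return f"{first}/{net.prefixlen}." + parent_zone(network)

def delegation_records(network, child_zone, ptr_targets):
    """Return (parent_lines, child_lines), both with fully qualified owners:
    the CNAMEs the ISP publishes in the /24 reverse zone, and the PTRs the
    delegate publishes under child_zone (any zone the delegate controls)."""
    parent = parent_zone(network)
    parent_lines, child_lines = [], []
    for addr in ipaddress.ip_network(network, strict=True):
        last = str(addr).split(".")[3]
        parent_lines.append(f"{last}.{parent} IN CNAME {last}.{child_zone}")
        target = ptr_targets.get(str(addr))
        if target:
            child_lines.append(f"{last}.{child_zone} IN PTR {target}")
    return parent_lines, child_lines

def check_reverse_owner(network, owner):
    """Reject a PTR or CNAME owner whose address lies outside the delegated block."""
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        raise ValueError(f"not a full IPv4 reverse name: {owner}")
    addr = ipaddress.ip_address(".".join(reversed(labels[:4])))
    if addr not in ipaddress.ip_network(network, strict=True):
        raise ValueError(f"{addr} is outside {network}: another delegate owns its PTR")
    return str(addr)

if __name__ == "__main__":
    targets = {"192.0.2.137": "mail2.A.com.", "192.0.2.138": "mail3.A.com."}
    # First the RFC 2317 child zone, then the thread's choice of a label under A.com.
    for zone in (rfc2317_child_zone(EXAMPLE_BLOCK), "2.0.192.A.com."):
        parent, child = delegation_records(EXAMPLE_BLOCK, zone, targets)
        print("\n".join(parent[9:11] + child))
```

Whichever child zone is chosen, the PTR owner must equal the CNAME target byte for byte, and the CNAMEs only help if they are served by the parent /24 zone at the ISP.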

