Reverse DNS mapping delegation
#1 Junior Member (joined Oct 2002, 5 posts)

Hello, I need your insight on an issue that troubles me.

I maintain a dedicated server at servermatrix, in a subnet of 5 internet IPs (255.255.255.248). Recently I decided to host my domains on my own DNS server. I also thought to set up my reverse DNS zone, and to request that the authoritative servers for this class C (belonging to servermatrix/theplanet) delegate authority for my subnet to my DNS server. Anyway, I believed it was obvious that my arpa DNS zone wouldn't affect anything, since no other internet DNS server referred to it as the authoritative DNS for that class C, and to my understanding reverse DNS mappings are delegated in the same hierarchical way as all the other DNS records, using the ARPA naming scheme. For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de facto supported arpa zone is a class C.

The strange thing that happened is that 2 days after I set this up, the reverse mapping for the whole class C was ruined!! Meaning that no reverse DNS resolving is possible for an IP in this subnet. I checked the whole chain of authority for this class C, beginning from the ARPA root servers, and the authoritative servers are still the proper ones, those of servermatrix (dns1.theplanet.com & dns2.theplanet.com). BUT when I try to query them for the answer, they simply do not reply. They will reply to ANY other question, either with an answer for the zones of their authority or by returning the authoritative DNS server for all the rest. But they will NOT respond AT ALL to queries for my particular class.

For example:

    root@shanny:~# dig -x [CENSORED_IP2] @ns1.theplanet.com

    ; <<>> DiG 9.2.3 <<>> -x [CENSORED_IP2] @ns1.theplanet.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16418
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

    ;; QUESTION SECTION:
    ;[CENSORED].in-addr.arpa. IN PTR

    ;; ANSWER SECTION:
    [CENSORED].in-addr.arpa. 86400 IN PTR
    [CENSORED].reverse.theplanet.com.

    ;; AUTHORITY SECTION:
    [CENSORED].in-addr.arpa. 86400 IN NS ns1.theplanet.com.
    [CENSORED].in-addr.arpa. 86400 IN NS ns2.theplanet.com.

    ;; ADDITIONAL SECTION:
    ns1.theplanet.com. 86400 IN A 216.234.234.30
    ns2.theplanet.com. 86400 IN A 12.96.160.115

    ;; Query time: 1056 msec
    ;; SERVER: 216.234.234.30#53(ns1.theplanet.com)
    ;; WHEN: Sun Jun 6 21:22:35 2004
    ;; MSG SIZE rcvd: 161
<Here I query for another IP that belongs to their authority zone. They answer, naturally.>



    root@shanny:~# dig -x 212.54.222.230 @ns1.theplanet.com

    ; <<>> DiG 9.2.3 <<>> -x 212.54.222.230 @ns1.theplanet.com
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57778
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;230.222.54.212.in-addr.arpa. IN PTR

    ;; AUTHORITY SECTION:
    212.in-addr.arpa. 7200 IN SOA ns.ripe.net. ops-212.ripe.net. 2004060680 43200 7200 1209600 7200

    ;; Query time: 611 msec
    ;; SERVER: 216.234.234.30#53(ns1.theplanet.com)
    ;; WHEN: Sun Jun 6 21:27:57 2004
    ;; MSG SIZE rcvd: 100
<Here I query for an IP that doesn't belong to their authoritative zone. Naturally, they respond with something (the authoritative DNS server in this case; they probably queried the nameservers in resolv.conf or even from the root.hints, doesn't matter).>


    root@shanny:~# dig -x [CENSORED_IP1] @ns1.theplanet.com

    ; <<>> DiG 9.2.3 <<>> -x [CENSORED_IP1] @ns1.theplanet.com
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached
<Finally, here I query for my server's IP reverse mapping record, which belongs to their authoritative zone. Even if it didn't, the server SHOULD respond with SOMETHING. But you see it does not.>

At this point, I need to mention that even if by some strange occurrence my own DNS server acted as the authoritative one, reverse DNS mapping wouldn't work, as I had made a small mistake that rendered the whole zone file invalid. So I have no way to know right now whether the DNS servers all around would use my DNS as the authoritative one, or whether simply everything is f**ked up. I only know that authority has not been delegated to it from any other (parent authoritative) DNS server, and thus that should be impossible.

Putting aside my anxiety (that I have no reverse DNS service of my own, so as a result my mail server malfunctions and I have problems pointing an important domain to my DNS (I'll explain that later), and that I may have caused many other people the same problems),

I give 3 possible explanations:

1) DEVILISH COINCIDENCE, an irrelevant problem with ServerMatrix's DNS server (no comments)

2) I am totally misinformed about DNS, and what happened is a natural result of my ignorance (I don't think so, though, since reverse DNS on the whole internet would collapse all the time if it were so)

3) Something out of specification has happened, for example as a result of the servermatrix hostmaster's misconfiguration, that allowed some sort of (unintended) spoofing on my part (though I don't see how that would happen!).

In any case, things are screwed for me and for many other people.

The other problem that I mentioned before would be completely explained if it is somewhere in the DNS RFCs or in the .org TLD root servers' practice that they will not delegate authority for a domain to a DNS server that has no reverse DNS mapping (that would be natural, since the RFC demands that every host has a reverse DNS). Does anyone know? (I don't feel like looking for this right now.)


I need to hear your thoughts, both because I am desperate to solve the problem ASAP and out of natural curiosity. Thanks in advance.

#2 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
> For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de facto supported arpa zone is a class C.

Then what have you done here?

> and request the authoritative servers for this class C (belonging to servermatrix/theplanet) to delegate authority for my subnet at my DNS server.

I think that the two statements above may be conflicting (though I might not be totally comprehending the problem). It seems to me that you "requested" that the authority for your 8(?) IPs be passed from theplanet.com to your name servers. Then you _seem_ to be saying that, because of an issue of complexity, you are really trying to be the authority for the entire zone for the C-Class (but that's per the RFC, "minimum de facto supported arpa zone").

The result would appear to be that you have wrested authority from theplanet.com for the reverse DNS for the entire zone but then, by the use of a CNAME, you have messed up the entire zone.

While the answer to the problem may be of interest, it would seem that you are affecting others within the C-Class. Since you only have 5 addresses I would consider returning authority of the reverse zone to theplanet.com and having them set up your 5 RDNS entries and be done with it......

If you are using Windows for the DNS servers, can you see anything odd in the DNS event log (or anywhere else if you are using *nix)?

Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

#3 Junior Member (joined Oct 2002, 5 posts)
> For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de facto supported arpa zone is a class C.
>
> Then what have you done here?

I have added a zone for "0.0.127.in-addr.arpa" (replace 0.0.127 with the network part of my IP's class C, reversed the same way). I was certain (and still am) that since authority is delegated hierarchically, beginning from the ARPA root servers, which for that particular zone delegate authority to theplanet's DNS no matter what, they would be the ones queried by all the other slave DNS servers, so all the ISPs' DNS would point to them. To my understanding, it is absolutely the same as setting up an authoritative DNS server on a DSL line for a zone containing e.g. antionline.org, and without any other action on your part seeing that 1-2 days later antionline.org is OFF. Which obviously will not happen!

> I think that the two statements above may be conflicting

I was planning to ask the servers of theplanet to delegate authority for my small subnet to my DNS (so that they would have to deal with cutting an arpa zone for that small subnet, since it is a bit complicated), as that should be the only way I could have the reverse mapping authority for my IPs. Still, I didn't ask, as I hit that problem before I made the contact. I was intending to ask theplanet if my zone setup would work, but I didn't think that would be necessary before I asked for delegation, for the reason that I mentioned above.

> The result would appear to be that you have wrested authority from theplanet.com for the reverse DNS for the entire zone but then, by the use of a CNAME, you have messed up the entire zone.

I don't think that I have (or could) wrest authority without being given it by one of the parent authoritative DNS servers or doing something nasty. Also, I didn't use the solution involving CNAMEs to handle my arpa zone (I expected theplanet to use it), and that's why I followed the easy solution of making a zone for the whole class C.

I deleted the "suspicious" zone yesterday; still nothing has changed. I intend to wait one more day before I do as you suggest.

    Finally, I haven't seen any unusual messages on my logs.

    Thank you

#4 Junior Member (joined Oct 2002, 5 posts)
    I tried the services of dnsstuff.com and it yielded some more info:

    Asking NS1.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
    ns1.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
    Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
    ns2.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
    Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
    ns2.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
    Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
    ns2.theplanet.com says to go to NS1.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
    Asking NS1.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
    ns1.theplanet.com says to go to NS2.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
    Asking NS2.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
    ns2.theplanet.com says to go to NS1.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)
    Asking NS1.THEPLANET.COM. for CENSORED.in-addr.arpa PTR record:
    ns1.theplanet.com says to go to NS1.THEPLANET.COM. (zone: 93.69.in-addr.arpa.)

    ...........

Error: It looks like you've stuck me in a loop!

    Details:
    I am programmed to stop after 20 DNS queries, since most reverse DNS lookups can be finished
    after just 3 queries. It sounds like you're stuck in a loop.
    and

Getting NS record list at g.root-servers.net... Done!
Looking up at the 7 69.in-addr.arpa. parent servers:

Server             Response                                Time
chia.arin.net      NS1.THEPLANET.COM. NS2.THEPLANET.COM.   107ms
dill.arin.net      NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
henna.arin.net     NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
indigo.arin.net    NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
epazote.arin.net   NS1.THEPLANET.COM. NS2.THEPLANET.COM.   108ms
figwort.arin.net   Timeout
ginseng.arin.net   Timeout

Status: Records DO NOT all match: At least one DNS server (ginseng.arin.net) did not respond.

Now I tend to believe that it has to be a misconfiguration by theplanet (though perhaps I triggered the result).
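The referral chase that dnsstuff.com performed above, modelled as an added example (this is not part of the thread and not dnsstuff's code). Every name in it is a stand-in: 192.0.2.0/24 (TEST-NET-1) replaces the censored /24, 0.192.in-addr.arpa. the /16 the servers kept pointing back to, ns1/ns2.example.net. the provider's servers and parent.arin.example. the parent zone's server; the responses are constructed to reproduce the shape of the output, and no DNS traffic is sent. Beyond what dnsstuff did, it applies the check a resolver can use to give up early: a referral must hand you a zone strictly below the one the server was asked about and still above the name you want, and a referral that does not (here, the /16 while chasing a name under the /24) is a lame delegation and can never lead to an answer.

```python
"""Model of a reverse-DNS referral chase with loop and lame-delegation detection.

Everything below is constructed: 192.0.2.0/24 stands in for the censored /24,
0.192.in-addr.arpa. for the /16 the servers referred back to, ns1/ns2.example.net.
for the provider's servers and parent.arin.example. for the parent's server.
"""
import ipaddress

MAX_QUERIES = 20  # the cut-off dnsstuff quotes in its error message


def reverse_name(ip):
    """'192.0.2.5' -> '5.2.0.192.in-addr.arpa.' (the name dig -x actually asks for)."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def in_zone(name, zone):
    """True when NAME is ZONE itself or lies below it."""
    return name == zone or name.endswith("." + zone)


QNAME = reverse_name("192.0.2.5")

# Constructed responses keyed by (server, qname). Each value is one of
#   ("answer", ptr_target)               authoritative PTR answer
#   ("referral", zone, [nameservers])    "ask these servers for ZONE"
#   ("timeout",)                         no reply at all
BROKEN = {  # shape of the dnsstuff output: ns1 and ns2 bounce the query between them
    ("parent.arin.example.", QNAME): ("referral", "2.0.192.in-addr.arpa.",
                                      ["ns1.example.net.", "ns2.example.net."]),
    ("ns1.example.net.", QNAME): ("referral", "0.192.in-addr.arpa.", ["ns2.example.net."]),
    ("ns2.example.net.", QNAME): ("referral", "0.192.in-addr.arpa.", ["ns1.example.net."]),
}
HEALTHY = {  # a correct delegation: the parent refers, the child answers
    ("parent.arin.example.", QNAME): ("referral", "2.0.192.in-addr.arpa.",
                                      ["ns1.example.net.", "ns2.example.net."]),
    ("ns1.example.net.", QNAME): ("answer", "host5.example.net."),
}


def follow_referrals(qname, table, start_server, start_zone="in-addr.arpa.",
                     strict=True, max_queries=MAX_QUERIES):
    """Chase referrals for QNAME, starting at START_SERVER (authoritative for START_ZONE).

    strict=True  -> a referral that does not hand us a zone strictly below the current
                    one (and still above QNAME) is reported as 'lame' immediately.
    strict=False -> keep chasing, as dnsstuff did, until MAX_QUERIES is hit ('loop').
    """
    path = []
    zone, server = start_zone, start_server
    while len(path) < max_queries:
        resp = table.get((server, qname), ("timeout",))
        kind = resp[0]
        path.append((server, kind))
        if kind == "answer":
            return {"status": "answer", "ptr": resp[1], "queries": len(path), "path": path}
        if kind == "timeout":
            return {"status": "timeout", "server": server, "queries": len(path), "path": path}
        new_zone, nameservers = resp[1], resp[2]
        progress = in_zone(new_zone, zone) and new_zone != zone and in_zone(qname, new_zone)
        if strict and not progress:
            return {"status": "lame", "server": server, "zone": new_zone,
                    "queries": len(path), "path": path}
        zone, server = new_zone, nameservers[0]
    return {"status": "loop", "queries": len(path), "path": path}


if __name__ == "__main__":
    for label, table in (("healthy", HEALTHY), ("broken, strict", BROKEN)):
        print(label, follow_referrals(QNAME, table, "parent.arin.example."))
    print("broken, chased the way dnsstuff did",
          follow_referrals(QNAME, BROKEN, "parent.arin.example.", strict=False))
```

Against the broken table the strict chase stops after two queries and names the server and the zone it wrongly referred to, which is the information you would send to the provider; the non-strict chase reproduces the twenty-query loop from the post.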

#5 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
But if what you say is true, that per the RFC the minimum unit for an RDNS zone is a C-Class, then theplanet wouldn't be able to break out your subnet on its own unless they gave you responsibility for the entire zone, which is something they probably wouldn't do.

> Still I didn't ask as I hit that problem before I made the contact

I dunno... It seems to me like you made changes, but I am having difficulty understanding what you did exactly. How did you assume authority for the RDNS zone from theplanet? They would have to change their DNS to allow you to assume authority, which I don't think they would do per my paragraph above.

    Questions:

    Have you contacted theplanet and had them release authority for the RDNS zone for that C-Class to you?

    If you did, did they agree to do it and did they confirm the appropriate changes had been made?

    What changes did you specifically make to your DNS to make it authoritative for RDNS in that C-Class?

    [Edit]

    Ahh.... I see the new post....

It seems like they did make changes, but they sent the authority to NS2, which sends the authority back to NS1. It's definitely screwed up and certainly doesn't pass authority to you.

The answers to the above questions will still be useful in helping me understand the exact situation. The trouble with DNS is that it is distributed, thus meaning lots of people have to all have their poop in one pile.....

[/Edit]

#6 Junior Member (joined Oct 2002, 5 posts)
> But if what you say is true, that per the RFC the minimum unit for an RDNS zone is a C-Class, then theplanet wouldn't be able to break out your subnet on its own unless they gave you responsibility for the entire zone, which is something they probably wouldn't do.

Well, from what I've read, normally "only four levels of the in-addr.arpa portion of the name space were used--one level per octet of an IP address". I didn't speak about the RFC, only about "de facto", meaning the supported configuration implementation of the named daemon. Still, there is a hack documented in RFC 2317 that defines the use of a configuration set in a zone file that would yield the wanted result. That is in practice nothing more than a hack, widely implemented (I've seen many ISPs that use it for this purpose, as it is a common thing to ask for the reverse mapping authority delegation of your IPs).

> Questions:
>
> Have you contacted theplanet and had them release authority for the RDNS zone for that C-Class to you?
>
> If you did, did they agree to do it and did they confirm the appropriate changes had been made?
>
> What changes did you specifically make to your DNS to make it authoritative for RDNS in that C-Class?

- No, I didn't make any contact; otherwise I would be contacting them again instead of being confused.
- I did the following very simple thing:

I included a zone for the whole class C of my IPs in named.conf:

zone "[CENSORED].93.69.in-addr.arpa" IN {
    type master;
    file "named.69.93.[CENSORED]";
    allow-update { none; };
};
and I defined the zone in the "named.69.93.[CENSORED]" file as follows:


$TTL 3D
@       IN  SOA  [MYDNS]. hostmaster.[MYDNS]. (
                200406051   ; Serial, today's date + today's serial
                2H          ; Refresh
                2H          ; Retry
                1D          ; Expire
                12H )       ; Minimum TTL
        IN  NS   [MYDNS].

[LAST_OCTET_OF_ONE_OF_MY_IPs]   IN  PTR  [MY_CHOSEN_RESOLVING_NAME].

The configuration is valid and works correctly (well, it maybe wouldn't work properly in practice, as I would not be authoritative for the whole class C), but it shouldn't screw anything up either! The problem lies somewhere else, I believe, since the fact is that ThePlanet didn't make any changes to my knowledge!
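The RFC 2317 arrangement that the post above refers to, worked through as an added example (not code from the thread or from either party's zones). It builds the two halves of a classless delegation for a /29: the NS and CNAME records the provider adds to its /24 zone, and the sub-zone with the PTR records the customer serves, then follows the CNAME chain the way a resolver does to reach the PTR. The stand-ins are assumptions: 192.0.2.8/29 (TEST-NET-1) for the poster's /29, 2.0.192.in-addr.arpa. for the provider's /24 zone and ns.customer.example. for the customer's server.

```python
"""RFC 2317 classless in-addr.arpa delegation for a block smaller than a /24.

Stand-ins (assumed, not from the thread): 192.0.2.8/29 for the customer's block,
2.0.192.in-addr.arpa. for the provider's /24 zone, ns.customer.example. for the
customer's nameserver.
"""
import ipaddress


def classless_delegation(prefix, child_ns, ptr_names):
    """Return (parent_zone, parent_records, child_zone, child_records).

    parent_records belong in the provider's /24 zone: one NS per CHILD_NS for the
    RFC 2317 sub-zone and one CNAME per address pointing into it.
    child_records make up the customer's sub-zone: its NS set and its PTRs.
    Records are (owner, type, rdata) tuples with fully qualified owners.
    """
    net = ipaddress.ip_network(prefix)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than a /24")
    first_octet = int(net.network_address) & 0xFF
    parent_zone = ".".join(reversed(str(net.network_address).split(".")[:3])) + ".in-addr.arpa."
    child_zone = f"{first_octet}/{net.prefixlen}.{parent_zone}"  # RFC 2317 naming, e.g. 8/29

    parent = [(child_zone, "NS", ns) for ns in child_ns]
    for addr in net:
        octet = int(addr) & 0xFF
        parent.append((f"{octet}.{parent_zone}", "CNAME", f"{octet}.{child_zone}"))

    child = [(child_zone, "NS", ns) for ns in child_ns]
    for ip, host in ptr_names.items():
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            raise ValueError(f"{ip} is outside {net}")
        child.append((f"{int(addr) & 0xFF}.{child_zone}", "PTR", host))
    return parent_zone, parent, child_zone, child


def lookup_ptr(ip, records, max_cnames=8):
    """Resolve IP's PTR over RECORDS, following CNAMEs as a resolver does."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, []).append((rtype, rdata))
    name = ipaddress.ip_address(ip).reverse_pointer + "."
    for _ in range(max_cnames + 1):
        rrset = by_owner.get(name, [])
        ptrs = [rdata for rtype, rdata in rrset if rtype == "PTR"]
        if ptrs:
            return ptrs[0]
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return None  # dead end: no PTR and nothing further to follow
        name = cnames[0]
    return None  # CNAME chain too long


def zone_text(records, zone):
    """Render RECORDS as zone-file lines with owners relative to ZONE."""
    lines = []
    for owner, rtype, rdata in records:
        rel = "@" if owner == zone else owner[: -len("." + zone)]
        lines.append(f"{rel:<8} IN {rtype:<6} {rdata}")
    return "\n".join(lines)


if __name__ == "__main__":
    pz, parent, cz, child = classless_delegation(
        "192.0.2.8/29", ["ns.customer.example."],
        {"192.0.2.10": "mail.customer.example.", "192.0.2.11": "www.customer.example."})
    print(f"; provider adds to {pz}\n{zone_text(parent, pz)}\n")
    print(f"; customer serves {cz}\n{zone_text(child, cz)}\n")
    print(lookup_ptr("192.0.2.10", parent + child))
```

The point the provider side makes is that the /24 zone stays with the provider: only the CNAMEs and the NS records for the "8/29" sub-zone are added there, so a zone the customer loads for the whole /24 on his own server is never consulted by anyone, which is also why the lookup returns nothing when the parent's CNAMEs are absent.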

#7 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
    Well..... You've got me.....

If it worked correctly before (I'm assuming it did), and you didn't contact them, then they probably wouldn't have changed anything. That being the case it should have continued to work. But it doesn't, and we can clearly see their DNS servers looping the track to the authoritative DNS server. I guess it's remotely possible that by coincidence they were messing with their DNS at the same time you were and they have messed it up..... Coincidences do happen and they are a right pain when they do because it's one of those unknowns we all hate.....

However, when I say it would continue to work, it still wouldn't propagate down to your server until they relinquished authority over the zone. Since you haven't asked them to, the authority would remain with them no matter what you did at your end.

I would call them and ask them to fix the looping issue first and then broach the subject of gaining authority over your subnet's RDNS while they are looking at the looping issue. Right now you will never get it to work because of their looping issue.

#8 Junior Member (joined Oct 2002, 5 posts)
So you believe that what happens has nothing to do with what I did, right? I would believe so as well, but I find it extremely weird that the looping (or whatever) occurred right after I set up my DNS server for this rdns zone, especially because the problem concerns ONLY my class! I mean, I have tested almost a dozen ThePlanet subnets, and rdns is ruined only for my class!

Of course I will do as you suggest (there doesn't seem to be any other option anyway). I am only wondering if I need to mention all these things to ServerMatrix..

Thanks for your help; if there is something interesting in their reply I'll post it.

#9 AO Ancient: Team Leader (joined Oct 2002, 5,197 posts)
    I can't see how what you did affected their servers unless they had already delegated authority for the RDNS zones to you and set their servers up as secondary zones to pull from your DNS server. As I have said, I can't see them relinquishing authority to you with such a small subnet of the whole and allowing you to manage RDNS for the majority of the C-Class which isn't yours. So, no.... It can't be you.

    I'm betting on a coincidence to be honest, but yes, if you find out exactly what happened I would be very interested in hearing how it worked.... or didn't in this case....