Hello, I need your lights in an issue that troubles me.

I maintain a dedicated server at servermatrix, in a subnet of 5 internet IPs (255.255.255.248). Recently I decided to host my domains in my own DNS server. I also thought to set up my reverse DNS zone, and request the authoritative servers for this C class (belonging to servermatrix/theplanet) to delegate authority for my subnet to my DNS server. Anyway, I believed it was obvious that my arpa DNS zone wouldn't affect anything since no other internet DNS server referred to it as the authoritative DNS for that C class - and to my understanding reverse DNS mappings are delegated in the same hierarchical way as all the other DNS records, using the ARPA naming scheme. For that reason I didn't bother setting my zone to handle only my small subnet's reverse mapping, since it is actually a bit complicated from what I saw, involving a practical trick of using CNAME aliases, as the minimum de-facto supported arpa zone is a C class.

The strange thing that happened is that 2 days after I set this up, the reverse mapping for the whole C class was ruined!! Meaning that no reverse DNS resolving is possible for an IP in this subnet. I checked the whole route of authority for this C class, beginning from the ARPA rootservers, and the authoritative servers are still the proper ones, those of servermatrix (dns1.theplanet.com & dns2.theplanet.com). BUT when I try to query them for the answer, they simply do not reply. They will reply to ANY other question, either with an answer for the zones of their authority or will return the authoritative DNS server for all the rest. But they will NOT respond AT ALL to queries for my particular class.

For example:

root@shanny:~# dig -x [CENSORED_IP2] @ns1.theplanet.com

; <<>> DiG 9.2.3 <<>> -x [CENSORED_IP2] @ns1.theplanet.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16418
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;[CENSORED].in-addr.arpa. IN PTR

;; ANSWER SECTION:
[CENSORED].in-addr.arpa. 86400 IN PTR [CENSORED].reverse.theplanet.com.

;; AUTHORITY SECTION:
[CENSORED].in-addr.arpa. 86400 IN NS ns1.theplanet.com.
[CENSORED].in-addr.arpa. 86400 IN NS ns2.theplanet.com.

;; ADDITIONAL SECTION:
ns1.theplanet.com. 86400 IN A 216.234.234.30
ns2.theplanet.com. 86400 IN A 12.96.160.115

;; Query time: 1056 msec
;; SERVER: 216.234.234.30#53(ns1.theplanet.com)
;; WHEN: Sun Jun 6 21:22:35 2004
;; MSG SIZE rcvd: 161
<Here I query for another IP that belongs to their authority zone. They answer, naturally.>



root@shanny:~# dig -x 212.54.222.230 @ns1.theplanet.com

; <<>> DiG 9.2.3 <<>> -x 212.54.222.230 @ns1.theplanet.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 57778
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;230.222.54.212.in-addr.arpa. IN PTR

;; AUTHORITY SECTION:
212.in-addr.arpa. 7200 IN SOA ns.ripe.net. ops-212.ripe.net. 2004060680 43200 7200 1209600 7200

;; Query time: 611 msec
;; SERVER: 216.234.234.30#53(ns1.theplanet.com)
;; WHEN: Sun Jun 6 21:27:57 2004
;; MSG SIZE rcvd: 100
<Here I query for an IP that doesn't belong to their authoritative zone. Naturally, they respond with something (the authoritative DNS server in this case - they probably queried the nameservers in the resolv.conf or even from the root.hints, doesn't matter).>


root@shanny:~# dig -x [CENSORED_IP1] @ns1.theplanet.com

; <<>> DiG 9.2.3 <<>> -x [CENSORED_IP1] @ns1.theplanet.com
;; global options: printcmd
;; connection timed out; no servers could be reached
<Finally, here I query for my server's IP reverse mapping record, which belongs to their authoritative zone. Even if it didn't, the server SHOULD respond with SOMETHING. But you see it does not.>

At this point, I need to mention that even if by some strange occurrence my own DNS server acted as the authoritative one, reverse DNS mapping wouldn't work, as I had made a small mistake that rendered the whole zone file invalid. So I have no way to know right now if the DNS servers all around would use my DNS as the authoritative one, or simply everything is f**ked up. I only know that authority has not been delegated to it from any other (parent authoritative) DNS server, and thus that should be impossible.

Putting aside my anxiety - that I have no reverse DNS service of my own, so as a result my mailserver malfunctions and I have problems pointing an important domain to my DNS *(I'll explain that later) and that I may have caused many other people the same problems -,

I give 3 possible explanations:

1) DEVILISH COINCIDENCE, an irrelevant problem of ServerMatrix' DNS server -no comments-

2) I am totally misinformed about DNS, what happened is a natural result of my ignorance -I don't think so, though, since reverse DNS in the whole internet would collapse all the time if it was so-

3) Something out of specifications has happened, for example as a result of servermatrix hostmaster's misconfiguration, that allowed some sort of -unintended- spoofing on my part (though I do not see how that would happen!).

In any case, things are screwed for me and for many other people.

The other problem that I mentioned before would be completely explained if it is somewhere in the DNS RFCs or the .org TLD rootserver's practice that they will not delegate authority for a domain to a DNS server that has no reverse DNS mapping (that would be natural since the RFC demands that every host has a reverse DNS). Does anyone know? -I don't feel like looking for this right now-


I need to hear your thoughts, both because I am desperate to solve the problem asap and from natural curiosity. Thanks in advance.
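
The CNAME-based delegation of a block smaller than a C class that the post alludes to is the scheme described in RFC 2317. As an added example (not part of the original post), this sketch generates the records the provider would add to its /24 reverse zone and the PTR records the customer's server would hold for its own addresses only; the 192.0.2.8/29 block and the customer.example names are constructed placeholders.

```python
import ipaddress

def rfc2317_delegation(cidr, child_ns, ttl=86400):
    """Records the PARENT (/24 owner) adds to delegate a smaller block."""
    net = ipaddress.ip_network(cidr)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to IPv4 blocks smaller than a /24")
    a, b, c, first = str(net.network_address).split(".")
    parent_zone = f"{c}.{b}.{a}.in-addr.arpa."
    # RFC 2317 naming: a "<first-address>/<prefixlen>" label under the /24 zone
    child_zone = f"{first}/{net.prefixlen}.{parent_zone}"
    rrs = [f"{child_zone} {ttl} IN NS {ns}" for ns in child_ns]
    for addr in net:
        last = str(addr).rsplit(".", 1)[1]
        # Each address in the block is aliased into the delegated child zone
        rrs.append(f"{last}.{parent_zone} {ttl} IN CNAME {last}.{child_zone}")
    return parent_zone, child_zone, rrs

def child_ptrs(cidr, child_zone, hostnames, ttl=86400):
    """PTR records for the CUSTOMER's zone; rejects addresses outside the block."""
    net = ipaddress.ip_network(cidr)
    rrs = []
    for ip, name in hostnames.items():
        if ipaddress.ip_address(ip) not in net:
            raise ValueError(f"{ip} is outside {cidr}; not this zone's to answer for")
        last = ip.rsplit(".", 1)[1]
        rrs.append(f"{last}.{child_zone} {ttl} IN PTR {name}")
    return rrs

if __name__ == "__main__":
    # Constructed sample data: documentation prefix and placeholder host names
    block = "192.0.2.8/29"
    parent, child, parent_rrs = rfc2317_delegation(
        block, ["ns1.customer.example.", "ns2.customer.example."])
    print(f"; add to {parent} (provider side)")
    print("\n".join(parent_rrs))
    print(f"\n; zone {child} (customer side)")
    print("\n".join(child_ptrs(block, child, {
        "192.0.2.10": "mail.customer.example.",
        "192.0.2.11": "ns1.customer.example.",
    })))
```

With this layout the customer's server is authoritative only for the `8/29` child zone, so a mistake in its zone file cannot be served as an answer for addresses in the rest of the /24.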