[nsd-users] Setting up Reverse DNS Delegation

W.C.A. Wijngaards wouter at NLnetLabs.nl
Fri Dec 19 23:20:37 UTC 2008


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi Lew,

Quick reply before I log off, but it seems you are missing
zone:
     name: "192/26.187.206.74.in-addr.arpa"
     zonefile: db.192-255.187.206.74.rev
     provide-xfr: 24.456.879.932/26 intrakey
     notify: 24.456.879.91 intrakey    # this
     provide-xfr: 74.96.313.32 interkey
     notify: provide-xfr: 74.96.313.32 interkey   # and this

Note that the notify is not a netblock but a specific address.
Also the key could be NOKEY for the notify (if their software cannot
handle TSIGs on notifies).

So, your config provides the axfr, but does not send a notify to the
secondary, so it does not know when to ask...
The above sends notifies to the two servers.

That PTR record also looks fishy; it points to itself. Maybe you mangled
this in this email only.

As an aside, we provide a way to configure axfr permission and notify
separately, to help deployment in different situations.  I believe that
BIND needs the server listed in the NS records to send it notifies.  NSD
does not need that, it needs notify: lines. I thought BIND had
also-notify {}; to do the same thing.

Best regards (and a happy christmas break :-) ),
   Wouter

Lew Payne wrote:
> Hello fellow nsd users,
> 
> I'm trying to set up reverse zones in nsd for the netblock I've been
> delegated.  I'm having trouble getting it to work, and I'm not sure
> why.  I've done this on bind many times before.  So, at this point,
> I'm trying to determine if the problem is on my end, or the delegation
> (ISP's) end.  Would someone mind walking me through the steps to get
> this running on nsd (and/or to debug the delegator).
> 
> What I find strange is that I've been asked to allow AXFR from one of
> their DNS servers (I guess it's going to secondary my PTR's... but
> why?), and to include it (the NS record for their server) in my
> reverse zone file.  I've never had to do this before, so maybe someone
> on here can give me hints as to how to do this correctly.  Here's what
> I've done (provide-xfr IP's mangled for security reasons):
> 
> RFC-2317 (e.g., 0/27.3.168.192.in-addr.arpa)  <<-- verified with ISP
> that's how they're providing them.
> 
> ##  REVERSE DNS ZONE
> ##
> zone:
>   name: "192/26.187.206.74.in-addr.arpa"
>   zonefile: db.192-255.187.206.74.rev
>   provide-xfr: 24.456.879.932/26 intrakey
>   provide-xfr: 74.96.313.32 interkey  <<== told by ISP to allow AXFR from them!
> 
> The file db.192-255.187.206.74.in-addr.arpa contains (abbreviated):
>   $ORIGIN 192/26.187.206.74.in-addr.arpa.
>   IN NS  ns1.ispserver.com.
>   IN NS  ns1.myzoneserver.com.
>   IN NS  ns2.myzoneserver.com.
>   194   IN      PTR     194.187.206.74.ispserver.com.   <<== told by
> ISP to add this!
>   ... my stuff... IN PTR
> 
> Can someone clue me in as to what I've done wrong...  I suspect I
> can't do this plain-old "bind" style.
> 
> Regards,
> Lew Payne
> _______________________________________________
> nsd-users mailing list
> nsd-users at NLnetLabs.nl
> http://open.nlnetlabs.nl/mailman/listinfo/nsd-users

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAklMLEUACgkQkDLqNwOhpPhXhACeMMKj3qOoAAfPFrTaUEumJ5pB
RCoAn0/9M8OQupWjVl0uIzVjAztujGNl
=Q8eL
-----END PGP SIGNATURE-----



More information about the nsd-users mailing list