
Why are the reverse Zone files in Bind split by octets instead of subnets?

This is what I would expect to see:

subnets: 
  172.0.208/22
  10.0.2.0/25
  10.0.2.128/25

host# ls /path/to/zone/files
208.0.172.in-addr.arpa
0.2.0.10.in-addr.arpa
128.2.0.10.in-addr.arpa
frogstarr78

2 Answers


It is easiest to split on octet boundaries but see RFC2317 for "classless IN-ADDR.ARPA delegation." https://www.rfc-editor.org/rfc/rfc2317

Mark Wagner
  • Easier in what way? It seems easier to me to split zone files by their appropriate subnets. I must still be missing some detail about the reverse lookup "transaction". – frogstarr78 Jun 24 '11 at 21:00
  • ...Ah, I just got it. It's because of the hierarchical nature of DNS. Correct? The 209 tree couldn't be expected to be found in the 208 tree, without some mechanism to "span the node". – frogstarr78 Jun 24 '11 at 21:05
  • @frogstarr78 Exactly; from its perspective it's just another name, and the text hierarchy is all it knows; it's analogous to getting it to look for "abc.example209.com" in a zone for "example208.com". What @embobo's pointing to allows for delegations to occur in a more granular way, for instance to split up the /25s you referenced, but whoever's doing the delegating would still need to put the `172.0.209.x` information in the direct path: in `172.in-addr.arpa` or `0.172.in-addr.arpa` or `209.0.172.in-addr.arpa`. – Shane Madden Jun 24 '11 at 21:34

A query for 172.0.209.1 will be for a record at 1.209.0.172.in-addr.arpa, which isn't under the 208.0.172.in-addr.arpa zone. This is also why you can't have a reverse DNS delegation for a subnet smaller than /24, either; there's no ability or logic in the DNS standard to "split" the delegations for these zones into smaller chunks.

DNS serves name data; it has no special logic built around serving data for subnets, so the standard for reverse zones conforms to the "DNS-looking" format of the dot-separated numbers.

Shane Madden
  • You can have a reverse DNS delegation for a subnet smaller than /24. – Mark Wagner Jun 24 '11 at 17:46
  • @embobo Fair point, but it's just a CNAME workaround. There's very little support out there among RIRs ([ARIN's policy here](https://www.arin.net/resources/request/reversedns.html)) or ISPs (at least, the ISPs that I've worked with), so it's most often not a viable option. But, point taken and +1 to your answer; it's important to mention in the context of this question. – Shane Madden Jun 24 '11 at 18:05
  • I guess I'm not understanding why the query couldn't find 172.0.209.1 under 208.0.172.in-addr.arpa any more/less than it could find 172.0.208.1. It seems very arbitrary. – frogstarr78 Jun 24 '11 at 20:43
  • @frogstarr78 When looking for `172.0.209.1`, it looks for a DNS record at `1.209.0.172.in-addr.arpa`, which is outside of the scope of the hierarchy that a zone for `208.0.172.in-addr.arpa` can accommodate. – Shane Madden Jun 26 '11 at 02:03
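As an added illustration (not code from either answer), the following Python works through both points above: it builds the PTR owner name by reversing the octets, checks label-by-label whether that name sits under a given reverse zone (which is all a name server does), and generates the NS plus CNAME records a /24 zone holder would publish for an RFC 2317 classless delegation. The name server `ns1.customer.example.` is an assumed placeholder.

```python
import ipaddress

ARPA = "in-addr.arpa"


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address: octets reversed under in-addr.arpa."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def octet_zone(ip: str) -> str:
    """The /24 reverse zone a PTR record naturally falls in (first three octets, reversed)."""
    a, b, c, _ = str(ipaddress.IPv4Address(ip)).split(".")
    return f"{c}.{b}.{a}.{ARPA}"


def zone_contains(zone: str, name: str) -> bool:
    """True if `name` is at or below `zone` in the DNS tree.
    DNS knows nothing about subnets: the only test is whether the zone's labels
    are a suffix of the name's labels, which is why 1.209.0.172 is not in 208.0.172."""
    z = zone.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    return len(n) >= len(z) and n[-len(z):] == z


def rfc2317_records(prefix: str, ns: str) -> list:
    """Records the /24 zone owner publishes to hand off a sub-/24 block per RFC 2317:
    one NS for a '<first>/<len>' sub-zone plus a CNAME per address pointing into it.
    Returns (owner, type, rdata) tuples; `ns` is a placeholder name server."""
    net = ipaddress.IPv4Network(prefix)
    if not 24 < net.prefixlen < 32:
        raise ValueError("RFC 2317 delegation is for blocks between /25 and /31")
    a, b, c, first = str(net.network_address).split(".")
    parent = f"{c}.{b}.{a}.{ARPA}"            # the octet-boundary zone, e.g. 2.0.10.in-addr.arpa
    sub = f"{first}/{net.prefixlen}.{parent}"  # e.g. 128/25.2.0.10.in-addr.arpa
    records = [(sub, "NS", ns)]
    for addr in net:
        last = str(addr).split(".")[3]
        records.append((f"{last}.{parent}", "CNAME", f"{last}.{sub}"))
    return records


if __name__ == "__main__":
    # Constructed inputs taken from the question and comments above.
    for ip in ("172.0.208.1", "172.0.209.1"):
        print(ip, "->", reverse_name(ip), "in 208.0.172 zone:",
              zone_contains("208.0.172.in-addr.arpa", reverse_name(ip)))
    for rec in rfc2317_records("10.0.2.128/25", "ns1.customer.example.")[:3]:
        print(*rec)
```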