From: Chuck Swiger <cswiger@mac.com>
To: Olivier Nicole
Cc: freebsd-questions@freebsd.org, cuongvt@fpt.vn
Date: Mon, 23 Jul 2007 10:34:00 -0700
Subject: Re: is is able to setting up DNS server reverse lookup with DynamicIP?
In-Reply-To: <200707230404.l6N44GhK053836@banyan.cs.ait.ac.th>
References: <46970917.3030502@fpt.vn> <200707130536.l6D5akxS070187@banyan.cs.ait.ac.th> <157815A5-2619-4457-85B0-40941C58C284@mac.com> <200707160607.l6G67tod005252@banyan.cs.ait.ac.th> <8928494B-76CC-4585-B95C-B4E5605F6DAF@mac.com> <200707230404.l6N44GhK053836@banyan.cs.ait.ac.th>
On Jul 22, 2007, at 9:04 PM, Olivier Nicole wrote:
> With some delay, several answers together.

Very good.  :-)

>>> For the example I gave, I am of course authoritative.
>> Are you?  Depending on which servers I query, I either get an
>> NXDOMAIN, an answer with no authoritative nameservers listed, or the
>> results you've shown.  That implies that there is something wrong
>> with the DNS delegation, and/or the various nameservers aren't
>> returning reliable results.
>
> I think that the no authoritative means it is an answer from a
> cache.  Am I wrong?

If the server is configured to serve the zone as a primary or secondary,
it ought to return authoritative; if the record is being served from
cache, it will not be authoritative.

>> Perhaps part of the problem seems to be that:
>>
>> % dig -t ns desktops.cs.ait.ac.th
>> ; <<>> DiG 9.3.4 <<>> -t ns desktops.cs.ait.ac.th
>> ;; global options:  printcmd
>> ;; Got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19501
>> ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
>>
>> ;; QUESTION SECTION:
>> ;desktops.cs.ait.ac.th.        IN      NS
>>
>> ;; ANSWER SECTION:
>> desktops.cs.ait.ac.th.  43049   IN      NS      dns.cs.ait.ac.th.
>>
>> ;; Query time: 1 msec
>> ;; SERVER: 127.0.0.1#53(127.0.0.1)
>> ;; WHEN: Mon Jul 16 12:48:42 2007
>> ;; MSG SIZE  rcvd: 57
>>
>> ...doesn't return any A records to go with the NS record for
>> dns.cs.ait.ac.th.  It's also the case that every domain should have
>> at least two nameservers listed, and by strong preference at least
>> one nameserver should be on another subnet to improve reliability.
>
> It should, because dns.cs.ait.ac.th has had a very stable IP for many
> years and this one is served by 3 name servers.

Compare your answers to that of other domains.  Most big domains return
A records for all nameservers listed; the rest return at least some A
records as glue...

> When I set up the dynamic DNS, I did not replicate it because I was
> not sure it would not generate huge traffic, nor that redundancy was
> as needed as for the static DNS.
>
> But I am in the process of upgrading the hardware, so I will duplicate
> the name servers also for the dynamic part.

OK.

>> It's not anticipated that a reverse lookup would return a CNAME
>> rather than a PTR.
>
> CNAME in rDNS is to my knowledge the only way to delegate a subnet of
> a class C:
>
> I have a /24 IP range, /25 is static and /25 is dynamic.  For
> separation, stability, etc, I want to rDNS on /25 and that is not
> possible without a trick:
>
> in the zone declaration for the rDNS of the /24
> 170.41.192.in-addr.arpa. I have a line that says:
>
> $GENERATE 128-254 $ IN CNAME $.170.41.192.rev-dns.cs.ait.ac.th.
>
> hence the CNAME and the PTR are generated dynamically in the zone
> 170.41.192.rev-dns.cs.ait.ac.th

Ah, you're doing classless DNS delegation.  This is fine, so long as
what your CNAMEs point to actually exists.  If you run something
(modulo your shell) like:

  for x in `jot 128 128` ; do dig -x 192.41.170.$x ; done

...you'll notice that you get a good answer for something like:

  dig -t ptr 252.170.41.192.rev-dns.cs.ait.ac.th

...so the corresponding reverse lookup works:

% dig -x 192.41.170.252
; <<>> DiG 9.3.4 <<>> -x 192.41.170.252
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13714
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;252.170.41.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
252.170.41.192.in-addr.arpa. 42654 IN   CNAME   252.170.41.192.rev-dns.cs.ait.ac.th.
252.170.41.192.rev-dns.cs.ait.ac.th. 3054 IN PTR alrw14.desktops.cs.ait.ac.th.

;; AUTHORITY SECTION:
170.41.192.rev-dns.cs.ait.ac.th. 42606 IN NS    dns.cs.ait.ac.th.

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 23 13:25:48 2007
;; MSG SIZE  rcvd: 142

...but:

% dig -x 192.41.170.253
; <<>> DiG 9.3.4 <<>> -x 192.41.170.253
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 4892
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;253.170.41.192.in-addr.arpa.   IN      PTR

;; ANSWER SECTION:
253.170.41.192.in-addr.arpa. 42652 IN   CNAME   253.170.41.192.rev-dns.cs.ait.ac.th.

;; AUTHORITY SECTION:
170.41.192.rev-dns.cs.ait.ac.th. 10252 IN SOA   dns.cs.ait.ac.th. postmaster.cs.ait.ac.th. 2006115146 21600 1800 1209600 43200

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Mon Jul 23 13:25:50 2007
;; MSG SIZE  rcvd: 145

...so perhaps I'd think about adding a:

  $GENERATE 128-254 $.170.41.192 PTR dhcp-192-41-170-$.cs.ait.ac.th.

...to populate your delegated PTR records, and then permit dynamic DNS
or whatever to update these as needed.

Regards,
-- 
-Chuck
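The failure mode in the exchange above (a classless in-addr.arpa delegation whose CNAMEs point into a zone that has no matching PTR, so `dig -x` returns NXDOMAIN for most of the /25) can be audited offline against the zone data rather than one `dig` at a time. The script below is an added example and is not part of the thread or of any BIND tooling: it expands a minimal zone-file subset including the `$GENERATE` form quoted in the thread, follows CNAMEs the way a resolver would, and tallies how many addresses in the delegated range end in a PTR versus a dangling name. The two zone snippets are constructed to mirror the described setup; `host1.cs.ait.ac.th.` is an invented placeholder, and the PTR `$GENERATE` in the "fixed" zone uses a relative owner (`$`) rather than the exact line suggested in the reply.

```python
"""Audit an RFC 2317 classless in-addr.arpa delegation for dangling CNAMEs.

Added example, not code from the mailing-list thread. Zone text is
constructed: the parent /24 zone delegates 128-254 via CNAMEs into a
separate rev-dns zone, which in the "before" case holds a single PTR.
"""

# Constructed parent zone for 170.41.192.in-addr.arpa (static /25 has
# ordinary PTRs, dynamic /25 is delegated via $GENERATE CNAMEs).
PARENT_ZONE = """\
$ORIGIN 170.41.192.in-addr.arpa.
1   IN PTR host1.cs.ait.ac.th.
2   IN PTR dns.cs.ait.ac.th.
$GENERATE 128-254 $ IN CNAME $.170.41.192.rev-dns.cs.ait.ac.th.
"""

# Constructed delegated zone: only .252 has a PTR, so every other CNAME
# target is dangling, which is the NXDOMAIN symptom dig -x showed.
DELEGATED_ZONE = """\
$ORIGIN 170.41.192.rev-dns.cs.ait.ac.th.
252 IN PTR alrw14.desktops.cs.ait.ac.th.
"""

# Same delegated zone with a generated PTR for every delegated address
# (relative-owner form of the $GENERATE suggested in the reply).
DELEGATED_ZONE_FIXED = DELEGATED_ZONE + \
    "$GENERATE 128-254 $ IN PTR dhcp-192-41-170-$.cs.ait.ac.th.\n"


def _add(records, origin, line):
    """Parse 'owner [IN] TYPE rdata' (no TTL field) under its absolute owner."""
    parts = line.split()
    owner = parts[0]
    if not owner.endswith("."):
        owner = owner + "." + origin
    fields = [p for p in parts[1:] if p != "IN"]
    rtype, rdata = fields[0], " ".join(fields[1:])
    records.setdefault(owner, []).append((rtype, rdata))


def expand_zone(text):
    """Expand a minimal zone file into {absolute_owner: [(type, rdata), ...]}.

    Supports $ORIGIN, relative owners, ';' comments and the $GENERATE form
    '$GENERATE lo-hi lhs [IN] TYPE rhs', replacing each '$' with the counter.
    """
    origin = "."
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
        elif line.startswith("$GENERATE"):
            _, rng, *template = line.split()
            lo, hi = (int(x) for x in rng.split("-"))
            for n in range(lo, hi + 1):
                _add(records, origin, " ".join(template).replace("$", str(n)))
        else:
            _add(records, origin, line)
    return records


def resolve_ptr(name, zones):
    """Follow CNAMEs across the merged zone data the way dig -x does.

    Returns ("PTR", [targets]) on success, ("NXDOMAIN", name) when the
    chain reaches a name with no records at all, ("NODATA", name) when the
    name exists without PTR or CNAME, or ("LOOP", name) on a CNAME cycle.
    """
    seen = set()
    while name not in seen:
        seen.add(name)
        rrset = zones.get(name)
        if not rrset:
            return ("NXDOMAIN", name)
        ptrs = [rdata for rtype, rdata in rrset if rtype == "PTR"]
        if ptrs:
            return ("PTR", ptrs)
        cnames = [rdata for rtype, rdata in rrset if rtype == "CNAME"]
        if not cnames:
            return ("NODATA", name)
        name = cnames[0]
    return ("LOOP", name)


def audit_delegation(parent_text, delegated_text, lo, hi, prefix):
    """Reverse-resolve every last octet in [lo, hi] and count each outcome."""
    zones = {}
    zones.update(expand_zone(parent_text))
    zones.update(expand_zone(delegated_text))
    tally = {}
    for host in range(lo, hi + 1):
        status, _ = resolve_ptr("%d.%s" % (host, prefix), zones)
        tally[status] = tally.get(status, 0) + 1
    return tally


if __name__ == "__main__":
    prefix = "170.41.192.in-addr.arpa."
    print("before:", audit_delegation(PARENT_ZONE, DELEGATED_ZONE, 128, 254, prefix))
    print("after: ", audit_delegation(PARENT_ZONE, DELEGATED_ZONE_FIXED, 128, 254, prefix))
```

Run against the "before" zones the audit reports one PTR and 126 NXDOMAIN results for 128-254, matching what the `for x in ...` loop in the reply would show; with the generated PTRs in place every address resolves. Feeding the checker the real zone files before reloading them is a cheap way to catch a delegation that points at names which do not exist.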