Mailinglist Archive: opensuse-security (375 mails)

RE: [suse-security] DNS
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Thu, 12 Sep 2002 09:06:49 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D101B19E09@xxxxxxxxxxxxxxxxx>
Michael Zimmermann wrote (and Outlook makes me put this line here
> At Mittwoch, 11. September 2002 10:14 Reckhard, Tobias wrote:
> > [about how to do reverse delegation for one's IP's]
> > Either you use the RFC 2317 muck to work around BIND's
> configuration file
> > problems with CIDR, introducing lots of ugly CNAMEs in the process.
> Pardon me, Tobias,
> you're saying, that there is a way to do reverse delegation WITHOUT
> either having the corresponding arpa zone delegated to you (either
> as a class-C delegation or a partial one through RFC2317) ?

No. I am explaining those two options you name.

Martin Gaugusch had said: "Except for people who own a whole C-class network
you must tell your provider to change the PTR records. You can't
administrate them yourself, if you have less than a C-class network."

And this is what my response addresses. CIDR does not force you to resign
your DNS authority and have your ISP assume it entirely.

> How?
> That would mean you could (howsoever ugly) go around the
> arpa authoritative nameserver for the class-C subnet --
> which would be certainly security related in my version of
> the DNS bible.

No, there's a misunderstanding about. Say you have 4 IP addresses: You have four hosts on them (let's forget about network and
broadcast addresses, etc. temporarily, it doesn't affect DNS anyway):
host4.example through host7.example. You've got a name server on

The net block 1.2.3/24 belongs to your ISP, so the authority for is delegated to them. You need them to delegate authority
for your IP addresses to you.

In the straightforward case, they (using BIND) do the following: NS A NS A NS A NS A

And you (with tinydns) do:
cd /service/tinydns/root; for a in `seq 4 7`; do add-ns
$; done; make

I won't go into the RFC 2317 stuff.
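An added example, not part of the thread, that writes out both halves of the per-address delegation Tobias describes: the NS records the ISP adds to its /24 reverse zone and the tinydns data lines the customer serves, plus a check that the two agree (a mismatch is how lame or dangling reverse delegations arise). Every name and address in it (192.0.2.0/24, ns.isp.example, ns.customer.example, the host names) is a constructed placeholder.

```python
# Added example (not from the thread): per-address in-addr.arpa delegation
# for four hosts inside a /24 the ISP controls. All names and addresses
# here are constructed placeholders (192.0.2.0/24 is TEST-NET-1).
import ipaddress

PARENT_BLOCK = "192.0.2.0/24"             # the ISP's block (stands in for 1.2.3/24)
CUSTOMER_NS = "ns.customer.example."      # assumed customer name server
CUSTOMER_NS_IP = "192.0.2.10"             # assumed address of that server
HOSTS = {4: "host4.customer.example.", 5: "host5.customer.example.",
         6: "host6.customer.example.", 7: "host7.customer.example."}


def reverse_name(ip):
    """in-addr.arpa name for one IPv4 address, e.g. 4.2.0.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def isp_delegation(parent_block, last_octets, child_ns):
    """BIND zone lines the ISP adds to its /24 reverse zone: one NS record per
    delegated address name. No glue is needed since the NS name is outside
    the reverse zone."""
    net = ipaddress.ip_network(parent_block)
    return [f"{reverse_name(net[o])} IN NS {child_ns}" for o in last_octets]


def customer_tinydns(parent_block, hosts, child_ns, child_ns_ip):
    """tinydns-data lines the customer serves: an '&' (NS) line for each
    delegated address name, naming the customer server and carrying its A
    record, and a '^' (PTR) line mapping that name to the host."""
    net = ipaddress.ip_network(parent_block)
    lines = []
    for octet, fqdn in hosts.items():
        rname = reverse_name(net[octet]).rstrip(".")
        lines.append(f"&{rname}:{child_ns_ip}:{child_ns.rstrip('.')}")
        lines.append(f"^{rname}:{fqdn.rstrip('.')}")
    return lines


def delegation_consistent(isp_lines, tinydns_lines):
    """True when the set of names the ISP delegates equals the set of names
    the customer declares itself authoritative for ('&' lines)."""
    delegated = {line.split()[0] for line in isp_lines}
    served = {line[1:].split(":")[0] + "." for line in tinydns_lines
              if line.startswith("&")}
    return delegated == served


if __name__ == "__main__":
    isp = isp_delegation(PARENT_BLOCK, HOSTS, CUSTOMER_NS)
    cust = customer_tinydns(PARENT_BLOCK, HOSTS, CUSTOMER_NS, CUSTOMER_NS_IP)
    print("\n".join(isp + cust), delegation_consistent(isp, cust))
```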

