Mailinglist Archive: opensuse-security (375 mails)

RE: [suse-security] DNS
  • From: "Reckhard, Tobias" <tobias.reckhard@xxxxxxxxxxx>
  • Date: Thu, 12 Sep 2002 09:06:49 +0200
  • Message-id: <96C102324EF9D411A49500306E06C8D101B19E09@xxxxxxxxxxxxxxxxx>
Michael Zimmermann wrote (and Outlook makes me put this line here
manually...):
> On Wednesday, 11 September 2002 10:14 Reckhard, Tobias wrote:
> > [about how to do reverse delegation for one's IP's]
> > Either you use the RFC 2317 muck to work around BIND's
> configuration file
> > problems with CIDR, introducing lots of ugly CNAMEs in the process.
>
> Pardon me, Tobias,
>
> you're saying, that there is a way to do reverse delegation WITHOUT
> either having the corresponding arpa zone delegated to you (either
> as a class-C delegation or a partial one through RFC2317) ?

No. I am explaining those two options you name.

Martin Gaugusch had said: "Except for people who own a whole C-class network
you must tell your provider to change the PTR records. You can't
administrate them yourself, if you have less than a C-class network."

And this is what my response addresses. CIDR does not force you to resign
your DNS authority and have your ISP assume it entirely.

> How?
>
> That would mean you could (howsoever ugly) go around the
> arpa authoritative nameserver for the class-C subnet --
> which would be certainly security related in my version of
> the DNS bible.

No, there's a misunderstanding here. Say you have 4 IP addresses:
1.2.3.4-7. You have four hosts on them (let's forget about network and
broadcast addresses, etc. temporarily, it doesn't affect DNS anyway):
host4.example through host7.example. You've got a name server on 1.2.3.4.

The net block 1.2.3/24 belongs to your ISP, so the authority for
3.2.1.in-addr.arpa is delegated to them. You need them to delegate authority
for your IP addresses to you.

In the straightforward case, they (using BIND) do the following:
; one NS record per address, plus a glue A record for the name server it names
4.3.2.1.in-addr.arpa. NS a.ns.4.3.2.1.in-addr.arpa.
a.ns.4.3.2.1.in-addr.arpa. A 1.2.3.4
5.3.2.1.in-addr.arpa. NS a.ns.5.3.2.1.in-addr.arpa.
a.ns.5.3.2.1.in-addr.arpa. A 1.2.3.4
6.3.2.1.in-addr.arpa. NS a.ns.6.3.2.1.in-addr.arpa.
a.ns.6.3.2.1.in-addr.arpa. A 1.2.3.4
7.3.2.1.in-addr.arpa. NS a.ns.7.3.2.1.in-addr.arpa.
a.ns.7.3.2.1.in-addr.arpa. A 1.2.3.4

And you (with tinydns) do:
cd /service/tinydns/root; for a in `seq 4 7`; do add-ns
$a.3.2.1.in-addr.arpa 1.2.3.4; done; make

I won't go into the RFC 2317 stuff.

Cheers,
Tobias
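The per-address delegation described in the message, as an added example (not code from the original post or from the BIND/djbdns projects): it generates the ISP-side NS and glue records and the customer-side tinydns data lines for a block, and checks that every NS target actually has glue, since a name server name without a matching A record leaves the delegation lame. The `.fqdn:ip:a` data line format is assumed to be what `add-ns` writes (TTL field omitted); the block `1.2.3.4/30` and name server `1.2.3.4` are the constructed values from the message.

```python
import ipaddress


def reverse_name(ip):
    """'1.2.3.4' -> '4.3.2.1.in-addr.arpa' (no trailing dot)."""
    return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"


def isp_delegation(block, ns_ip, label="a"):
    """Lines the ISP adds to its /24 reverse zone: for each address, an NS
    record pointing at <label>.ns.<reverse name> plus the glue A record
    for that name server name."""
    lines = []
    for ip in ipaddress.ip_network(block):
        owner = reverse_name(ip)
        ns = f"{label}.ns.{owner}"
        lines.append(f"{owner}. NS {ns}.")
        lines.append(f"{ns}. A {ns_ip}")
    return lines


def tinydns_lines(block, ns_ip, label="a"):
    """Customer side: the '.fqdn:ip:label' data lines (assumed add-ns format);
    tinydns expands each into NS -> label.ns.fqdn plus the matching A record,
    which is why the ISP's glue names above use the a.ns.* form."""
    return [f".{reverse_name(ip)}:{ns_ip}:{label}"
            for ip in ipaddress.ip_network(block)]


def missing_glue(lines):
    """Return NS targets that have no A record among the given zone lines.
    Such a target cannot be resolved by following the delegation: lame."""
    a_names = set()
    ns_targets = []
    for line in lines:
        owner, rtype, rdata = line.split()
        if rtype == "A":
            a_names.add(owner.rstrip("."))
        elif rtype == "NS":
            ns_targets.append(rdata.rstrip("."))
    return [t for t in ns_targets if t not in a_names]


if __name__ == "__main__":
    for line in isp_delegation("1.2.3.4/30", "1.2.3.4"):
        print(line)
    for line in tinydns_lines("1.2.3.4/30", "1.2.3.4"):
        print(line)
    # constructed mismatch: glue name does not equal the NS target -> reported
    print(missing_glue(["4.3.2.1.in-addr.arpa. NS a.ns.4.3.2.1.in-addr.arpa.",
                        "a.ns.4.in-addr.arpa. A 1.2.3.4"]))
```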
