Hi all,
yes, here is a concrete example:
# ip-dns-1 runs BIND 9.16.33:
dig @ip-dns-1 spectrum.cern.ch +short +norecurse
spectrum-lb.cern.ch. <- Here we get only the CNAME
# ip-dns-0 runs BIND 9.11:
dig @ip-dns-0 spectrum.cern.ch +short +norecurse
spectrum-lb.cern.ch.
Hello,
how do ISPs automatically create the reverse and forwaring zones for
their customers IP pools?
For example one of their clients has the IP 2001:db::3.
Its reverse zone
3.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.b.d.0.0.1.0.0.2.ip6.arpa
includes a PTR pointing to
Marco Moock writes:
> Hello,
>
> how do ISPs automatically create the reverse and forwaring zones for
> their customers IP pools?
>
> For example one of their clients has the IP 2001:db::3.
We mostly don't do this for IPv6. It's a pointless exercise, IMHO.
We give every customer/site a /48.
Am 27.10.2022 um 10:58:18 Uhr schrieb Bjørn Mork:
> Possible, but only for very small pools. Note that $GENERATE only is
> a short form for easier hand editing of zone files on the primary
> server. The zone is expanded on load and zone transfers etc will
> contain the expanded data set. It
>> Edit the corresponding REVERSE zone & add following line in the end
>>
>> $GENERATE 1-255 $ IN PTR 10-11-11-$.example.com.
>>
>> Dont forget to Reload bind config & you are done.
>
> Thanks.
> How is the syntax for IPv6?
> Is it possible to do it for an entire /64?
The full syntax of the
Well,
So here a bit more details.
Sorry, I cannot take an example with a DNS server accessible to you (*)
because they have all been upgraded to 9.16.
The .cern.ch contains:
spectrum-lb IN NS ip-dns-1.cern.ch.
spectrum-lb IN NS ip-dns-2.cern.ch.
spectrum IN CNAME spectrum-lb.cern.ch.
On 10/27/22 1:16 AM, Marco Moock wrote:
Hello,
Hi,
how do ISPs automatically create the reverse and forwaring zones for
their customers IP pools?
I think it might be out of scope for what you were asking about, but I
believe the following is an alternative approach.
For example one of
Are the zones cern.ch and spectrum-lb.cern.ch on the same authoritative
sDNS server?
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list
ISC funds the development of this software with paid support subscriptions.
Contact us at https://www.isc.org/contact/
Marco writes:
> Did it create any problems if you don't have Reverse DNS for the IPv6
> addresses for normal customer traffic?
Not to my knowledge.
I've had support for semi-automatic delegation to customers on my
todo-list for ~10 years but never gotten around to actually doing
it. I'm sure a
Hi Veronique.
As Petr said, please don't send a pcap. This is getting beyond the scope of
the list and into proper support territory. For which I would recommend
that CERN pay ISC for professional support services.
Regarding your external example, I get this:
%dig @192.65.187.5
Hello,
please see answer in-line:
On 27. 10. 22 14:28, Veronique Lefebure wrote:
(*) On an external DNS server you can try with the following similar case:
Running DiG 9.11.21 on a linux client
ext-dns-1 (192.65.187.5) runs BIND9.16:
dig @ext-dns-1 foundservices.cern.ch | grep flags | grep
On 10/27/22 11:23 AM, Marco wrote:
It isn't, because a customer gets /48 or /56 in most cases.
"For example one of their clients has the IP 2001:db::3." is a singular IP.
The customer's router can use various methods to assign addresses, auto
configuration and DHCPv6.
Agreed.
However
IRC for example will check for PTR and gate login. I know there are others
but that came to mind quickly. In some regions having PTRs was a
requirement. It has been years but I recall LACNIC required/desired PTRs be
set.
On Thu, Oct 27, 2022 at 2:47 PM Grant Taylor via bind-users <
On 10/27/22 4:18 PM, Andrew Latham wrote:
IRC for example will check for PTR and gate login. I know there are
others but that came to mind quickly. In some regions having PTRs was a
requirement. It has been years but I recall LACNIC required/desired PTRs
be set.
I wasn't aware of IRC's
Am 27.10.2022 um 13:08:40 Uhr schrieb Grant Taylor via bind-users:
> Aside: I do question what you would populate the /48 ~ /56 ip6.arpa
> zone with. What hypothetical data would you put in it? If it's PD
> to an end user, what information would the ISP put in there that
> wouldn't be
I tried back in 2013 to get the IETF to standardise delegating the reverse
tree when prefix delegations happen.
https://www.ietf.org/archive/id/draft-andrews-dnsop-pd-reverse-02.txt
named already supports updating PTR records based on the IP address of the
TCP connection making the UPDATE
grant> I'd be interested in learning what other things /require/ or are
grant> at least predicated on having PTR records for IPs.
Been a few years since I last delved but was appalled at some of the
pointless uses of rev-ptrs. NYT used to require it to let you connect to
their website, as one
Am 27.10.2022 um 09:52:55 Uhr schrieb Grant Taylor via bind-users:
> This is a singular IP (presumably link-net) for a customer. So there
> would be exactly one forward and one reverse PTR record.
It isn't, because a customer gets /48 or /56 in most cases. The
customer's router can use
Hi Marco
Probably Knot could help here
(https://www.knot-dns.cz/docs/3.2/html/modules.html#synthrecord-automatic-forward-reverse-records)
where Knot is able to generate IPv6-PTR and IPv6- based on a pattern
"on-the-fly". Do you want to achieve something like this?
# Reverse-Lookup
$ dig
On 10/27/22 1:24 PM, Marco wrote:
At least for IPv4, there are servers that reject connections from
IPs that don't have a reverse zone with PTR record.
Please elaborate.
I've not heard of (unspecified type of) servers rejecting connections
because of the lack of a PTR record.
I have heard
Havard Eidnes via bind-users wrote:
>To "fill" an ip6.arpa zone for a /64 requires 18446744073709551616
> records (yes, that's about 18 x 10^18 if my math isn't off). I predict
> you do not posess a machine capable of running BIND with that many
> records loaded -- I know we
> >To "fill" an ip6.arpa zone for a /64 requires 18446744073709551616
> > records (yes, that's about 18 x 10^18 if my math isn't off). I predict
> > you do not posess a machine capable of running BIND with that many
> > records loaded -- I know we don't.
>
> It sure would be
> > It probably does not play well with DNSSEC, although I was thinking
> > about whether some amount of wildcards in the signed reverse could
> > help, but I don't think so.
>
> Well, what if the reverse is an NSEC3 does that let the server
> make up stuff with having to sign it
Am 27.10.2022 um 07:23:01 Uhr schrieb JAHANZAIB SYED:
> Edit the corresponding REVERSE zone & add following line in the end
>
> $GENERATE 1-255 $ IN PTR 10-11-11-$.example.com.
>
> Dont forget to Reload bind config & you are done.
Thanks.
How is the syntax for IPv6?
Is it possible to do it for
Hi Veronique.
No, we cannot easily reproduce this behaviour because we have no knowledge
of the configs of either of those servers, the details of the zones you
have configured, the contents of those zones or of the system on which you
are running the dig command.
As I said, we need to see
On 27.10.22 09:08, Veronique Lefebure wrote:
yes, here is a concrete example:
# ip-dns-1 runs BIND 9.16.33:
dig @ip-dns-1 spectrum.cern.ch +short +norecurse
spectrum-lb.cern.ch. <- Here we get only the CNAME
# ip-dns-0 runs BIND 9.11:
dig @ip-dns-0 spectrum.cern.ch +short
It can be done on a need/manual basis, or if you have large ip block & you want
to reply automatically created response for your ip's , you can use $GENERATE
statement.
Basic example of adding auto PTR/REVERSE ipv4 Record generation
Edit the corresponding REVERSE zone & add following line in
On 26-10-2022 20:21, PGNet Dev wrote:
hi,
If there are currently no keys that we have to check the DS for, then
you may still see this log line.
all my zones have now toggled rumoured -> omnipresent. i took no
explicit manual action other than letting an arbitrarily long-ish time
pass.
Am 27.10.2022 um 07:23:01 Uhr schrieb JAHANZAIB SYED:
Edit the corresponding REVERSE zone & add following line in the end
$GENERATE 1-255 $ IN PTR 10-11-11-$.example.com.
Dont forget to Reload bind config & you are done.
On 27.10.22 07:58, Marco wrote:
How is the syntax for IPv6?
the
29 matches
Mail list logo
