Re: consolidating in-addr.arpa data

2023-09-15 Thread Fred Morris
You can't resolve differences in both directions automatically without 
inevitable conflicts, similar to merging code changes. That said, RPZ for 
fun and profit...


On Fri, 15 Sep 2023, John Thurston wrote:


Something in an RPZ will take precedence over what's in the delegated 
zone. RPZs are zones like any other zone and can be AXFR / IXFRed.


The choice of MS DNS taking precedence might be the obvious choice, but 
the namespace in the RPZ won't be the same (e.g. 
1.0.0.10.in-addr.arpa.rpz.example.com): it won't be "naked". So that won't 
work off the shelf (I know of no option to automagically rewrite the 
delegating zone).


However, if you made BIND a secondary for the MS DNS PTR zone then it 
should serve it; and you could put BIND-specific edits in an RPZ. Then the 
BIND-specific values would take precedence over what's in the MS DNS zone, 
at least as seen when BIND is queried.


Rear View RPZ (https://github.com/m3047/rear_view_rpz/) watches (BIND) 
Dnstap telemetry for A/ queries and uses it to update PTR records in 
an RPZ, as an example.


--

Fred Morris

--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from 
this list

ISC funds the development of this software with paid support subscriptions. 
Contact us at https://www.isc.org/contact/ for more information.


bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
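A worked configuration for the second approach Fred describes above (BIND holds a transferred copy of the MS DNS reverse zone and keeps its own overrides in an RPZ). This is an added example, not configuration from the thread or from ISC; the zone name 12.11.10.in-addr.arpa, the MS DNS address 10.1.2.3, the RPZ name rpz.example.com, the file paths and the override target are assumed.

```conf
// --- named.conf on the BIND server that clients query ---
options {
    recursion yes;
    // Answers are rewritten from rpz.example.com. With recursive-only yes (the
    // default) only queries with RD=1 from clients allowed to recurse are rewritten.
    response-policy { zone "rpz.example.com"; } recursive-only yes;
};

// A transferred copy of the MS DNS reverse zone, served exactly as MS DNS publishes it.
zone "12.11.10.in-addr.arpa" {
    type secondary;                     // "slave" on BIND releases before 9.16
    primaries { 10.1.2.3; };            // MS DNS primary (assumed address); it must allow AXFR to this server
    file "secondary/12.11.10.in-addr.arpa.db";
};

// The BIND-only overrides. An ordinary zone: edit it here, let other BIND servers AXFR/IXFR it.
zone "rpz.example.com" {
    type primary;                       // "master" before 9.16
    file "primary/rpz.example.com.db";
    allow-transfer { 10.0.0.54; };      // other BIND servers carrying the same policy (assumed address)
};

; --- primary/rpz.example.com.db ---
$ORIGIN rpz.example.com.
$TTL 300
@    IN SOA  localhost. hostmaster.example.com. ( 2023091501 3600 900 604800 300 )
     IN NS   localhost.

; QNAME trigger with local data. The owner is the queried name relative to the RPZ
; apex (13.12.11.10.in-addr.arpa.rpz.example.com. on the wire), which is why the MS DNS
; zone cannot simply be dropped in as an RPZ. This PTR replaces whatever the transferred
; 12.11.10.in-addr.arpa zone says for that address, for clients that query this server.
13.12.11.10.in-addr.arpa    IN PTR  ws13-bind.alaska.gov.
```

To check it: `dig @<this BIND server> -x 10.11.12.13 +noall +answer` should return ws13-bind.alaska.gov., while the same query sent to 10.1.2.3 (or to BIND with `+norecurse`, which the `recursive-only yes` setting leaves unrewritten) returns the MS DNS value. On the MS DNS side the zone's transfer settings (the Zone Transfers tab, or `Set-DnsServerPrimaryZone -SecureSecondaries TransferToSecureServers -SecondaryServers <BIND address>`) have to include the BIND server, or the `secondary` zone will never load.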


Re: consolidating in-addr.arpa data

2023-09-15 Thread Mark Andrews
Create a 10.in-addr.arpa zone with appropriate delegations and have all servers 
serve it. That way they can all find the sub zones. 

-- 
Mark Andrews

> On 16 Sep 2023, at 10:16, John Thurston  wrote:
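What Mark's suggestion looks like in practice, as an added example (not configuration from the thread or from ISC): one 10.in-addr.arpa zone on BIND that only delegates, which the MS DNS servers then carry as a secondary, so every server hands out the same referrals and a resolver never has to ask both systems. Zone cuts, server names, addresses and file paths are assumed.

```conf
// --- named.conf on the BIND primary ---
zone "10.in-addr.arpa" {
    type primary;                              // "master" on BIND releases before 9.16
    file "primary/10.in-addr.arpa.db";
    allow-transfer { 10.1.2.3; 10.1.2.4; };    // the MS DNS servers, which carry this zone as a secondary
};

; --- primary/10.in-addr.arpa.db ---
$ORIGIN 10.in-addr.arpa.
$TTL 3600
@        IN SOA  ns1.alaska.gov. hostmaster.alaska.gov. (
                 2023091501 ; serial
                 3600 900 604800 300 )
         IN NS   ns1.alaska.gov.
         IN NS   ns2.alaska.gov.

; Reverse ranges whose PTRs are auto-registered into MS DNS: delegate them.
; The name servers are outside the delegated zone, so no glue A records are needed.
12.11    IN NS   msdns1.foo.alaska.gov.
12.11    IN NS   msdns2.foo.alaska.gov.

; Ranges that stay on BIND as their own zone: delegate those too, so the
; referral is identical whichever copy of 10.in-addr.arpa answers.
20.11    IN NS   ns1.alaska.gov.
20.11    IN NS   ns2.alaska.gov.

; Anything not delegated is answered (or NXDOMAINed) by this zone directly.
1.0.0    IN PTR  gw.alaska.gov.
```

On each MS DNS server the parent is added as a secondary (`Add-DnsServerSecondaryZone -Name 10.in-addr.arpa -ZoneFile 10.in-addr.arpa.dns -MasterServers <BIND address>`); the AD-integrated 12.11.10.in-addr.arpa zone stays where it is. `dig @ns1.alaska.gov -x 10.11.12.13 +norecurse` should then show a referral to msdns1/msdns2, and the same query against 10.1.2.3 should be answered from its own zone. One caveat that follows from how Windows clients register: a host whose address falls outside any delegated range will locate the parent's primary through the SOA and send its PTR update to BIND, where it is refused unless you permit updates there.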


Re: consolidating in-addr.arpa data

2023-09-15 Thread John Thurston
A host which auto-registers in MS DNS, creates an A in foo.alaska.gov 
and PTR in whatever.10.in-addr.arpa. MS DNS is happy to publish those.


But the DNS system running on BIND also has a whatever.10.in-addr.arpa 
zone.


So if I want to find the PTR for 13.12.11.10.in-addr.arpa, I must query 
both DNS systems in turn. If I get NXDOMAIN from both, then I can say 
the PTR doesn't exist.


On each system, I'd like to be able to take the 10.in-addr.arpa data 
from the other, compute the differences, and incorporate them locally. 
Then I'll be able to query either system, and accept an NXDOMAIN with 
confidence.


And since writing my earlier note, I have re-located the code I think I 
stumbled across earlier:

Tony Finch's "nsdiff"
https://dotat.at/prog/nsdiff/


--
Do things because you should, not just because you can.

John Thurston   907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska

On 9/15/2023 2:21 PM, Greg Choules wrote:

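The procedure John sets out above (and in his first message further down): take the other system's copy of the reverse zone, compute the differences, and fold them into the local copy. The script below is an added example written for this thread; it is not nsdiff and not the State of Alaska's code. It parses `dig AXFR`-style dumps from both servers, plans a one-way merge that reports conflicts instead of silently resolving them (the point Fred makes about two-way merges), and renders the result as an nsupdate batch. The zone data, server address 10.0.0.53 and host names are constructed for the example.

```python
"""Diff the PTR data two servers publish for one reverse zone and emit an
nsupdate script. Added example; only PTR records are handled."""
import re
from typing import Dict, Set, Tuple

# What each server answers for 12.11.10.in-addr.arpa, in "dig AXFR" output
# form. Constructed sample data; only the PTR lines matter to the merge.
MS_DNS_ZONE = """\
12.11.10.in-addr.arpa.     3600 IN SOA msdns1.foo.alaska.gov. hostmaster.foo.alaska.gov. 41 900 600 86400 3600
12.11.10.in-addr.arpa.     3600 IN NS  msdns1.foo.alaska.gov.
13.12.11.10.in-addr.arpa.  1200 IN PTR ws13.foo.alaska.gov.
14.12.11.10.in-addr.arpa.  1200 IN PTR ws14.foo.alaska.gov.
20.12.11.10.in-addr.arpa.  1200 IN PTR old-name.foo.alaska.gov.
"""
BIND_ZONE = """\
12.11.10.in-addr.arpa.     3600 IN SOA ns1.alaska.gov. hostmaster.alaska.gov. 2023091501 3600 900 604800 300
12.11.10.in-addr.arpa.     3600 IN NS  ns1.alaska.gov.
13.12.11.10.in-addr.arpa.  3600 IN PTR ws13.foo.alaska.gov.
20.12.11.10.in-addr.arpa.  3600 IN PTR printer20.alaska.gov.
30.12.11.10.in-addr.arpa.  3600 IN PTR router30.alaska.gov.
"""

PTR_LINE = re.compile(r"^(\S+)\s+\d+\s+IN\s+PTR\s+(\S+)\s*$")
PtrMap = Dict[str, Set[str]]


def parse_ptrs(zone_text: str) -> PtrMap:
    """Map owner name -> set of PTR targets (lower-cased). SOA, NS and other
    types are skipped: the two servers are expected to differ there."""
    ptrs: PtrMap = {}
    for line in zone_text.splitlines():
        m = PTR_LINE.match(line)
        if m:
            owner, target = (s.lower() for s in m.groups())
            ptrs.setdefault(owner, set()).add(target)
    return ptrs


def plan_merge(local: PtrMap, remote: PtrMap, prefer_remote_on_conflict: bool = False
               ) -> Tuple[PtrMap, PtrMap, Dict[str, Tuple[Set[str], Set[str]]]]:
    """One-way merge of remote into local.

    Returns (adds, deletes, conflicts). Names only remote knows are added.
    Names both know with different targets are reported as conflicts and
    rewritten to the remote value only when the caller chose that precedence.
    Names only local knows are never deleted, so the same tool can be run in
    the other direction without the two runs undoing each other.
    """
    adds: PtrMap = {}
    deletes: PtrMap = {}
    conflicts: Dict[str, Tuple[Set[str], Set[str]]] = {}
    for owner, remote_targets in remote.items():
        local_targets = local.get(owner)
        if local_targets is None:
            adds[owner] = set(remote_targets)
        elif local_targets != remote_targets:
            conflicts[owner] = (set(local_targets), set(remote_targets))
            if prefer_remote_on_conflict:
                if local_targets - remote_targets:
                    deletes[owner] = local_targets - remote_targets
                if remote_targets - local_targets:
                    adds[owner] = remote_targets - local_targets
    return adds, deletes, conflicts


def render_nsupdate(zone: str, primary: str, adds: PtrMap, deletes: PtrMap,
                    ttl: int = 3600) -> str:
    """Render the plan as one nsupdate transaction: deletes first, then adds.
    'zone' and 'primary' name the zone being corrected and its primary server."""
    lines = [f"server {primary}", f"zone {zone}"]
    for owner in sorted(deletes):
        for target in sorted(deletes[owner]):
            lines.append(f"update delete {owner} PTR {target}")
    for owner in sorted(adds):
        for target in sorted(adds[owner]):
            lines.append(f"update add {owner} {ttl} PTR {target}")
    lines.append("send")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    ms, bind = parse_ptrs(MS_DNS_ZONE), parse_ptrs(BIND_ZONE)
    # Bring the BIND copy up to date from MS DNS, letting MS DNS win conflicts
    # (the host that auto-registered is the authority on its own name).
    adds, deletes, conflicts = plan_merge(bind, ms, prefer_remote_on_conflict=True)
    for owner, (mine, theirs) in sorted(conflicts.items()):
        print(f"; conflict {owner}: bind={sorted(mine)} msdns={sorted(theirs)}")
    print(render_nsupdate("12.11.10.in-addr.arpa.", "10.0.0.53", adds, deletes))
```

In use, the two embedded dumps are replaced by `dig @<server> 12.11.10.in-addr.arpa AXFR` output, and the rendered batch is piped into `nsupdate -k <TSIG key file>` for the BIND side or `nsupdate -g` (GSS-TSIG) for a secure-dynamic-update zone on MS DNS. Conflicts are printed as comments rather than resolved unless you pass `prefer_remote_on_conflict=True`, which is the explicit precedence choice Fred's reply asks for; nsdiff covers all record types and is the tool to reach for once this sketch has shown where the two systems disagree.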


Re: consolidating in-addr.arpa data

2023-09-15 Thread Greg Choules via bind-users
Hi John.
Can you tell me a bit more please?
- What zones exist in both BIND and MS DNS for something.10.in-addr.arpa?
- Where are hosts auto registering to? I'd guess MS, but it would be good
to confirm.
- What does fragmentation look like? A few real examples would be useful.
I'm trying to understand just what is the problem.
- How much of 10 do you use?
- What do you mean by "...can be published from two different DNS
services."? Could you expand on that please?
- Is there any zone transfer between BIND and MS DNS?

Thanks, Greg

On Fri, 15 Sept 2023 at 21:00, John Thurston 
wrote:



consolidating in-addr.arpa data

2023-09-15 Thread John Thurston
This question involves making our BIND system work with Microsoft's DNS 
software. If this makes it off-topic, let me know and I'll be quiet 
about it.


We use ISC BIND to hold and host most of our zone data. Internally, we 
have delegated some zones, and they are held in Microsoft DNS. These 
zones are used for MS Active Directory 'Domains', and accept 
auto-registration of DNS records from authorized hosts. Because we are 
using 10-dot addresses internally, the auto-registration by hosts causes 
fragmentation of the 10.in-addr.arpa zone data.


I recall someone once offered a bit of code to mash this zone data back 
together, so the same information can be published from two different 
DNS services. I've hunted through this list's archive and have not found 
the reference. Before I go roll my own, can anyone point me at an 
existing solution?


--
Do things because you should, not just because you can.

John Thurston   907-465-8591
john.thurs...@alaska.gov
Department of Administration
State of Alaska