10.5 Subdomains of in-addr.arpa Domains

Forward-mapping domains aren't the only domains you can divide into subdomains and delegate. If your in-addr.arpa namespace is large enough, you may need to divide it, too. Typically, you divide the domain that corresponds to your network number into subdomains that correspond to your subnets. How that works depends on the type of network you have and on your network's subnet mask.

10.5.1 Subnetting on an Octet Boundary

Since Movie U. has just three /24 (Class C-sized) networks, one per segment, there's no particular need to subnet those networks. However, our sister university, Altered State, has a Class B-sized network, 172.20/16. Their network is subnetted between the third and fourth octet of the IP address; that is, their subnet mask is 255.255.255.0. They've already created a number of subdomains of their domain: altered.edu, including fx.altered.edu (okay, we copied them); makeup.altered.edu; and foley.altered.edu. Since each of these departments also runs its own subnet (their Special Effects department runs subnet 172.20.2/24, Makeup runs 172.20.15/24, and Foley runs 172.20.25/24), they'd like to divvy up their in-addr.arpa namespace appropriately, too.

Delegating in-addr.arpa subdomains is no different from delegating subdomains of forward-mapping domains. First, they or their departments create three new zones, 2.20.172.in-addr.arpa, 15.20.172.in-addr.arpa, and 25.20.172.in-addr.arpa. The 20.172.in-addr.arpa administrators also need to add the NS records with the New Delegation Wizard, as we described in the fx.movie.edu example earlier in this chapter. Figure 10-7 shows how the second screen of the New Delegation Wizard would look when adding delegation to the 2.20.172.in-addr.arpa zone:

Figure 10-7. Adding reverse-mapping delegation using the New Delegation Wizard

After running the New Delegation Wizard, the NS records in 20.172.in-addr.arpa.dns would look something like the following partial listing of the file's contents:

;
;  Delegated sub-zone:  15.20.172.in-addr.arpa.
;
15                               NS     prettywoman.makeup.altered.edu.
prettywoman.makeup.altered.edu.  A      172.20.15.2
15                               NS     priscilla.makeup.altered.edu.
priscilla.makeup.altered.edu.    A      172.20.15.3
;  End delegation


;
;  Delegated sub-zone:  2.20.172.in-addr.arpa.
;
2                                NS     gump.fx.altered.edu.
gump.fx.altered.edu.             A      172.20.2.1
2                                NS     toystory.fx.altered.edu.
toystory.fx.altered.edu.         A      172.20.2.5
;  End delegation


;
;  Delegated sub-zone:  25.20.172.in-addr.arpa.
;
25                               NS     blowup.foley.altered.edu.
blowup.foley.altered.edu.        A      172.20.25.10
25                               NS     muppetshow.foley.altered.edu.
muppetshow.foley.altered.edu.    A      172.20.25.2
;  End delegation

The Altered State administrators needed to use the fully qualified domain names of the name servers in the NS records because the default origin in this file is 20.172.in-addr.arpa. Strictly speaking, those glue address records aren't needed since the names of the name servers to which they delegated the zone weren't in the delegated zones. We were a little chagrined to discover that the DNS console forced us to enter IP addresses for these name servers and then put them in 20.172.in-addr.arpa.dns. The name server even includes them in a zone transfer of the 20.172.in-addr.arpa zone. Since the glue records are not required, all that is unnecessary.

10.5.2 Subnetting on a Nonoctet Boundary

What do you do about networks that aren't subnetted neatly on octet boundaries, like subnetted /24 (Class C-sized) networks? In these cases, you can't delegate along lines that match the subnets. This forces you into one of two situations: you have multiple subnets per in-addr.arpa zone or you have multiple in-addr.arpa zones per subnet. Neither is particularly pleasing.

10.5.2.1 Class A and B networks

Let's take the case of the /8 (Class A-sized) network 15/8, subnetted with the subnet mask 255.255.248.0 (a 13-bit subnet field and an 11-bit host field, or 8,192 subnets of 2,048 hosts). In this case, the subnet 15.1.200.0, for example, extends from 15.1.200.0 to 15.1.207.255. Therefore, the delegation for that single subdomain in db.15, the zone datafile for 15.in-addr.arpa, might look like this:

200.1       NS    ns-1.cns.hp.com.
200.1       NS    ns-2.cns.hp.com.
201.1       NS    ns-1.cns.hp.com.
201.1       NS    ns-2.cns.hp.com.
202.1       NS    ns-1.cns.hp.com.
202.1       NS    ns-2.cns.hp.com.
203.1       NS    ns-1.cns.hp.com.
203.1       NS    ns-2.cns.hp.com.
204.1       NS    ns-1.cns.hp.com.
204.1       NS    ns-2.cns.hp.com.
205.1       NS    ns-1.cns.hp.com.
205.1       NS    ns-2.cns.hp.com.
206.1       NS    ns-1.cns.hp.com.
206.1       NS    ns-2.cns.hp.com.
207.1       NS    ns-1.cns.hp.com.
207.1       NS    ns-2.cns.hp.com.

That's a lot of delegation for one subnet!

You'd set this up with the DNS console by running the New Delegation Wizard (eight times!) and specifying two labels of the domain name of the delegated domain, as shown in Figure 10-8.

Figure 10-8. Using the New Delegation Wizard to add reverse-mapping delegation

10.5.2.2 /24 (Class C-sized) networks

In the case of a subnetted /24 (Class C-sized) network, say 192.253.254/24, subnetted with the mask 255.255.255.192, you have a single in-addr.arpa zone, 254.253.192.in-addr.arpa, that corresponds to subnets 192.253.254.0/26, 192.253.254.64/26, 192.253.254.128/26, and 192.253.254.192/26. This can be a problem if you want to let different organizations manage the reverse-mapping information that corresponds to each subnet. You can solve this in one of three ways, none of which is pretty.

10.5.2.2.1 Solution 1

The first solution is to administer the 254.253.192.in-addr.arpa zone as a single entity and not even try to delegate. This requires either cooperation between the administrators of the four subnets involved or the use of a tool like the DNS console to allow each of the four administrators to take care of her own data.

10.5.2.2.2 Solution 2

The second solution is to delegate at the fourth octet. That's even nastier than the /8 delegation we just showed. You'll need at least a couple of NS records per IP address. To set this up with the DNS console, you'd need to create the 254.253.192.in-addr.arpa zone and run the New Delegation Wizard 254 times, one for each usable value in the fourth octet. Here's how the 254.253.192.in-addr.arpa.dns file might end up looking (we've removed the unnecessary glue A records for clarity and brevity):

;
;  Delegated sub-zone:  1.254.253.192.in-addr.arpa.
;
1                NS     ns1.foo.com.
ns1.foo.com.     A      10.0.0.1
1                NS     ns2.foo.com.
ns2.foo.com.     A      10.0.0.2
;  End delegation


;
;  Delegated sub-zone:  2.254.253.192.in-addr.arpa.
;
2                NS     ns1.foo.com.
ns1.foo.com.     A      10.0.0.1
2                NS     ns2.foo.com.
ns2.foo.com.     A      10.0.0.2
;  End delegation

 . . . 

;
;  Delegated sub-zone:  65.254.253.192.in-addr.arpa.
;
65               NS     gw.bar.com.
gw.bar.com.      A      10.0.1.1
65               NS     relay.bar.com.
relay.bar.com.   A      10.0.1.2
;  End delegation

;
;  Delegated sub-zone:  66.254.253.192.in-addr.arpa.
;
66               NS     gw.bar.com.
gw.bar.com.      A      10.0.1.1
66               NS     relay.bar.com.
relay.bar.com.   A      10.0.1.2
;  End delegation

 . . . 

;
;  Delegated sub-zone:  129.254.253.192.in-addr.arpa.
;
129              NS     mail.baz.com.
mail.baz.com.    A      10.0.2.1
129              NS     www.baz.com.
www.baz.com.     A      10.0.2.2
;  End delegation

;
;  Delegated sub-zone:  193.254.253.192.in-addr.arpa.
;
193              NS     mail.baz.com.
mail.baz.com.    A      10.0.2.1
193              NS     www.baz.com.
www.baz.com.     A      10.0.2.2
;  End delegation

And so on, all the way down to 254.254.253.192.in-addr.arpa. Of course, on ns1.foo.com, you'd also expect the name server to be authoritative for 1.254.253.192.in-addr.arpa, and in the zone datafile for 1.254.253.192.in-addr.arpa, you'd find just the one PTR record (plus an SOA and two NS records):

;
;  Database file 1.254.253.192.in-addr.arpa.dns for 1.254.253.192.in-addr.arpa zone.
;      Zone version:  4
;

@                       IN  SOA ns1.foo.com.  hostmaster.foo.com. (
                         4            ; serial number
                         900          ; refresh
                         600          ; retry
                         86400        ; expire
                         3600       ) ; default TTL

;
;  Zone NS records
;

@                       NS     ns1.foo.com.
ns1.foo.com.            A      10.0.0.1
@                       NS     ns2.foo.com.
ns2.foo.com.            A      10.0.0.2

;
;  Zone records
;

@                       PTR    thereitis.foo.com.

When you create the child zone with the DNS console, check the radio button labeled Reverse lookup zone name in the New Zone Wizard, since with Network ID checked, you can't enter all four octets of the IP address.

Note that the PTR record is attached to the zone's domain name, since the zone's domain name corresponds to just one IP address. Now, when a 254.253.192.in-addr.arpa name server receives a query for the PTR record for 1.254.253.192.in-addr.arpa, it will refer the querier to ns1.foo.com and ns2.foo.com, which will respond with the one PTR record in the zone.
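The /8 delegation above and the per-address delegation of Solution 2 are two instances of the same rule: an in-addr.arpa zone can only be cut at an octet boundary, so a subnet whose mask falls between boundaries has to be delegated as every octet-aligned block it covers. The following Python is an added example, not code from the book; it enumerates those owner names for any subnet and parent zone, and it generalizes beyond the chapter's /21 case to the octet-aligned /24 delegations of 10.5.1 and the 64 single-address delegations a /26 would need under Solution 2. The name servers passed in are taken from the chapter's listings.

```python
import ipaddress


def octet_boundary(prefix_len):
    """Smallest octet boundary (8, 16, 24 or 32) at or above prefix_len.
    in-addr.arpa zones can only be delegated at these boundaries."""
    return -(-prefix_len // 8) * 8


def delegation_owners(subnet, parent_prefix_len):
    """Owner names, relative to the parent in-addr.arpa zone, that must each be
    delegated so the whole subnet is handed to one set of name servers.

    parent_prefix_len is the prefix length of the network the parent zone covers:
    8 for 15.in-addr.arpa, 16 for 20.172.in-addr.arpa, 24 for 254.253.192.in-addr.arpa.
    """
    net = ipaddress.ip_network(subnet, strict=True)
    if parent_prefix_len % 8 or not 0 < parent_prefix_len < net.prefixlen:
        raise ValueError("parent zone must be octet-aligned and shorter than the subnet")
    boundary = octet_boundary(net.prefixlen)
    # A /24 (or /16) is already aligned and is itself the only block.
    blocks = [net] if boundary == net.prefixlen else net.subnets(new_prefix=boundary)
    owners = []
    for block in blocks:
        octets = block.network_address.packed
        # Labels run from the boundary octet back to the first octet the parent
        # zone does not already spell out, least significant octet first.
        labels = [str(octets[i])
                  for i in range(boundary // 8 - 1, parent_prefix_len // 8 - 1, -1)]
        owners.append(".".join(labels))
    return owners


def delegation_records(subnet, parent_prefix_len, name_servers):
    """NS lines for the parent zone datafile: one per owner per name server."""
    return [f"{owner:<12}NS    {ns}"
            for owner in delegation_owners(subnet, parent_prefix_len)
            for ns in name_servers]


if __name__ == "__main__":
    # The chapter's 15.1.200.0/21 subnet delegated from 15.in-addr.arpa (16 NS records).
    hp = ["ns-1.cns.hp.com.", "ns-2.cns.hp.com."]
    print("\n".join(delegation_records("15.1.200.0/21", 8, hp)))
    # Solution 2 for one /26: 64 separate single-address zones.
    print(len(delegation_owners("192.253.254.64/26", 24)), "delegations for a /26")
```

Running it for 15.1.200.0/21 prints the sixteen 200.1 through 207.1 NS records shown above; for 192.253.254.64/26 under 254.253.192.in-addr.arpa it returns the owners 64 through 127, which is the count of New Delegation Wizard runs that one subnet alone would cost you under Solution 2.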

10.5.2.2.3 Solution 3

Finally, there's a clever technique that obviates the need to maintain a separate zone datafile for each IP address.[2] The organization responsible for the overall /24 network creates CNAME records for each of the domain names in the zone, pointing to domain names in new subdomains, which are then delegated to the proper servers. These new subdomains can be called just about anything, but names like 0-63, 64-127, 128-191, and 192-255 clearly indicate the range of addresses each subdomain will reverse map. Each subdomain then contains only the PTR records in the range for which the subdomain is named.

[2] We first saw this explained by Glen Herrmansfeldt at CalTech in the newsgroup comp.protocols.tcp-ip.domains. It's now codified as RFC 2317.

Here is an excerpt from the 254.253.192.in-addr.arpa.dns file:

;
;  Delegated sub-zone:  0-63.254.253.192.in-addr.arpa.
;

0-63                    NS       ns1.foo.com.
ns1.foo.com.            A        10.0.0.1
0-63                    NS       ns2.foo.com.
ns2.foo.com.            A        10.0.0.2
;  End delegation

1                       CNAME    1.0-63.254.253.192.in-addr.arpa.
 . . . 

;
;  Delegated sub-zone:  128-191.254.253.192.in-addr.arpa.
;

128-191                 NS       mail.baz.com.
mail.baz.com.           A        10.0.2.1
128-191                 NS       www.baz.com.
www.baz.com.            A        10.0.2.2
;  End delegation

129                     CNAME    129.128-191.254.253.192.in-addr.arpa.
130                     CNAME    130.128-191.254.253.192.in-addr.arpa.
2                       CNAME    2.0-63.254.253.192.in-addr.arpa.
 . . . 

;
;  Delegated sub-zone:  64-127.254.253.192.in-addr.arpa.
;

64-127                  NS       relay.bar.com.
relay.bar.com.          A        10.0.1.1
64-127                  NS       gw.bar.com.
gw.bar.com.             A        10.0.1.2
;  End delegation

65                      CNAME    65.64-127.254.253.192.in-addr.arpa.
66                      CNAME    66.64-127.254.253.192.in-addr.arpa.
 . . .

The zone datafile for 0-63.254.253.192.in-addr.arpa, 0-63.254.253.192.in-addr.arpa.dns, can contain just PTR records for IP addresses 192.253.254.1 through 192.253.254.63.

Here is part of the 0-63.254.253.192.in-addr.arpa.dns file:

;
;  Database file 0-63.254.253.192.in-addr.arpa.dns for 0-63.254.253.192.in-addr.arpa zone.
;      Zone version:  3
;

@                       IN  SOA ns1.foo.com.  hostmaster.foo.com. (
                         3            ; serial number
                         900          ; refresh
                         600          ; retry
                         86400        ; expire
                         3600       ) ; default TTL

;
;  Zone NS records
;

@                       NS      ns1.foo.com.
@                       NS      ns2.foo.com.

;
;  Zone records
;

1                       PTR     thereitis.foo.com.
2                       PTR     setter.foo.com.
 . . .

The way this setup works is a little tricky, so let's go over it. A resolver requests the PTR record for 1.254.253.192.in-addr.arpa, causing its local name server to go look up that record. The local name server ends up asking a 254.253.192.in-addr.arpa name server, which will respond with the CNAME record indicating that 1.254.253.192.in-addr.arpa is actually an alias for 1.0-63.254.253.192.in-addr.arpa and that the PTR record is attached to that name. The response will also include NS records telling the local name server that the authoritative name servers for 0-63.254.253.192.in-addr.arpa are ns1.foo.com and ns2.foo.com. The local name server then queries either ns1.foo.com or ns2.foo.com for the PTR record for 1.0-63.254.253.192.in-addr.arpa and receives the PTR record.
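The two-step resolution just described is easiest to see with the records in hand, so here is an added Python example (not code from the book) that builds the parent zone's NS and CNAME records and a child zone's PTR records for the chapter's 192.253.254/24 and then walks a query through them the way the local name server would. The /26-to-server mapping and the PTR names are constructed from the listings above; the addresses 10.0.0.1 and so on are not needed because the walk is simulated in memory rather than sent over the network. The child-zone builder also refuses a PTR for an address outside its range, since such a record could never be reached through the parent's CNAMEs.

```python
import ipaddress

# The chapter's example network and its in-addr.arpa zone.
NET24 = ipaddress.ip_network("192.253.254.0/24")
PARENT_ZONE = "254.253.192.in-addr.arpa."

# Constructed sample: the /26 each organisation runs and the servers it delegates to.
SUBNETS = {
    "192.253.254.0/26":   ["ns1.foo.com.", "ns2.foo.com."],
    "192.253.254.64/26":  ["relay.bar.com.", "gw.bar.com."],
    "192.253.254.128/26": ["mail.baz.com.", "www.baz.com."],
}

# Constructed sample PTR data that foo.com publishes for its /26.
FOO_PTRS = {"192.253.254.1": "thereitis.foo.com.", "192.253.254.2": "setter.foo.com."}


def range_label(block):
    """Subdomain label such as '0-63' naming the address range the child zone reverse maps."""
    return f"{block.network_address.packed[3]}-{block.broadcast_address.packed[3]}"


def build_parent_zone(net24, subnets):
    """Records for the /24's own zone: an NS delegation per range label and one CNAME
    per address pointing into the delegated subdomain. Zone = {owner: [(type, rdata)]}."""
    zone = {}
    for cidr, servers in subnets.items():
        block = ipaddress.ip_network(cidr)
        if not block.subnet_of(net24):
            raise ValueError(f"{cidr} is not inside {net24}")
        label = range_label(block)
        zone[label] = [("NS", ns) for ns in servers]
        for addr in block:  # every address in the /26, including .0 and the broadcast
            last = addr.packed[3]
            zone[str(last)] = [("CNAME", f"{last}.{label}.{PARENT_ZONE}")]
    return zone


def build_child_zone(cidr, ptr_names):
    """The delegated zone '<label>.254.253.192.in-addr.arpa.' holding only PTRs for its range."""
    block = ipaddress.ip_network(cidr)
    zone_name = f"{range_label(block)}.{PARENT_ZONE}"
    zone = {}
    for addr, name in ptr_names.items():
        ip = ipaddress.ip_address(addr)
        if ip not in block:
            # Nothing in the parent zone aliases into this zone for that address,
            # so the record would be unreachable; refuse it instead of publishing it.
            raise ValueError(f"{addr} is outside {cidr}; it does not belong in {zone_name}")
        zone[str(ip.packed[3])] = [("PTR", name)]
    return zone_name, zone


def resolve_ptr(address, parent_zone, child_zones):
    """Walk the lookup the chapter describes: the parent answers with a CNAME plus an NS
    referral, then the delegated server answers the PTR for the canonical name.
    Returns (canonical name, PTR target), or None when the chain is broken."""
    ip = ipaddress.ip_address(address)
    owner = str(ip.packed[3])
    cnames = [rd for rt, rd in parent_zone.get(owner, []) if rt == "CNAME"]
    if not cnames:
        return None
    canonical = cnames[0]                      # e.g. '1.0-63.254.253.192.in-addr.arpa.'
    label = canonical.split(".")[1]            # '0-63': the delegated subdomain
    referral = [rd for rt, rd in parent_zone.get(label, []) if rt == "NS"]
    child = child_zones.get(f"{label}.{PARENT_ZONE}")
    if not referral or child is None:
        return None
    ptrs = [rd for rt, rd in child.get(owner, []) if rt == "PTR"]
    return (canonical, ptrs[0]) if ptrs else None


if __name__ == "__main__":
    parent = build_parent_zone(NET24, SUBNETS)
    name, child = build_child_zone("192.253.254.0/26", FOO_PTRS)
    print(resolve_ptr("192.253.254.1", parent, {name: child}))
```

A query for 192.253.254.1 comes back as the pair 1.0-63.254.253.192.in-addr.arpa. and thereitis.foo.com., the CNAME target and the PTR the chapter's trace ends on; a query for 192.253.254.65 returns None here because bar.com's child zone was not loaded, which is exactly the failure you see in practice when a parent publishes the CNAMEs and NS records before the delegated server is actually serving its range.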