
Reverse classless delegations with tinydns

Dan Bernstein's djbdns package is a killer name server, almost as killer a name server as his qmail package is a mail server. BIND isn't so friendly and is full of bugs, but since many people still use BIND, it has become necessary to make the two interoperate.

Getting tinydns to play nicely with BIND when participating in a classless reverse delegation took a little bit of hacking: I had to escape slash characters because my hosting provider decided to use them in the name of my delegation, and I had to prop up an old nslookup dependency.

Classless reverse delegation (RFC 2317) is when a name server that is authoritative for reverse DNS on a "class" (typically a /24, or 255.255.255.0, network) delegates some of those addresses to another server by carving out a small subset of that class and handing it to the other server. A typical application is a hosting farm that doesn't give out entire /24 "class" subnets (255.255.255.0) to each of its customers but rather just a /28 or so (255.255.255.240) of addresses. When the hosting company uses BIND, the delegation looks something like this:
; Reverse delegation for bandwidth.com
; <<64-95>> /27
64/27         IN      NS      ??????
$GENERATE 64-95 $ CNAME $.64/27.14.27.216.in-addr.arpa.
In this case, within the /24 "class C" network of IP addresses 216.27.14.0-255, BIND answers reverse queries for 216.27.14.64 through .95 with CNAME records pointing into the somewhat arbitrarily named "64/27.14.27.216.in-addr.arpa" and designates another name server as the one that can resolve those names. Our task in tinydns is to act authoritatively for 64/27.14.27.216.in-addr.arpa and answer the requests. Rather than explain everything, I decided to just post this example from my tinydns/root/data file:
#
# RFC 2317 ``classless'' reverse delegation
#
# tacky way to delegate reverse dns to us. our hosting provider gives
# us the BIND delegation shown above. they made up a fake domain called
# 64/27 (in other words 64/27.14.27.216.in-addr.arpa) which we
# supply with pointer records to the correct reverse names.
#
# 64/27 is escaped as 64\05727 (057 is '/' in octal), hence the strange
# character sequences. the "." line makes tinydns authoritative for the
# zone (SOA + NS); each "^" line is one PTR record.

.64\05727.14.27.216.in-addr.arpa:216.27.14.66:a
^64.64\05727.14.27.216.in-addr.arpa:netblock.bandwidth.com
^65.64\05727.14.27.216.in-addr.arpa:springboard-router.bandwidth.com
^66.64\05727.14.27.216.in-addr.arpa:ns1.bandwidth.com
^67.64\05727.14.27.216.in-addr.arpa:mx1.bandwidth.com
^68.64\05727.14.27.216.in-addr.arpa:web01.bandwidth.com
^69.64\05727.14.27.216.in-addr.arpa:ip69.bandwidth.com
^70.64\05727.14.27.216.in-addr.arpa:ip70.bandwidth.com
^71.64\05727.14.27.216.in-addr.arpa:ip71.bandwidth.com
^72.64\05727.14.27.216.in-addr.arpa:ip72.bandwidth.com
^73.64\05727.14.27.216.in-addr.arpa:ip73.bandwidth.com
^74.64\05727.14.27.216.in-addr.arpa:pricing01.bandwidth.com
^75.64\05727.14.27.216.in-addr.arpa:cf01.bandwidth.com
^76.64\05727.14.27.216.in-addr.arpa:router-cary.bandwidth.com
^77.64\05727.14.27.216.in-addr.arpa:dnscache.bandwidth.com
^78.64\05727.14.27.216.in-addr.arpa:vweb.bandwidth.com
^79.64\05727.14.27.216.in-addr.arpa:ip79.bandwidth.com
^80.64\05727.14.27.216.in-addr.arpa:ip80.bandwidth.com
^81.64\05727.14.27.216.in-addr.arpa:ip81.bandwidth.com
^82.64\05727.14.27.216.in-addr.arpa:ip82.bandwidth.com
^83.64\05727.14.27.216.in-addr.arpa:ip83.bandwidth.com
^84.64\05727.14.27.216.in-addr.arpa:ip84.bandwidth.com
^85.64\05727.14.27.216.in-addr.arpa:ip85.bandwidth.com
^86.64\05727.14.27.216.in-addr.arpa:ip86.bandwidth.com
^87.64\05727.14.27.216.in-addr.arpa:ip87.bandwidth.com
^88.64\05727.14.27.216.in-addr.arpa:ip88.bandwidth.com
^89.64\05727.14.27.216.in-addr.arpa:ip89.bandwidth.com
^90.64\05727.14.27.216.in-addr.arpa:ip90.bandwidth.com
^91.64\05727.14.27.216.in-addr.arpa:ip91.bandwidth.com
^92.64\05727.14.27.216.in-addr.arpa:ip92.bandwidth.com
^93.64\05727.14.27.216.in-addr.arpa:ip93.bandwidth.com
^94.64\05727.14.27.216.in-addr.arpa:ip94.bandwidth.com
^95.64\05727.14.27.216.in-addr.arpa:broadcast.bandwidth.com

#
# the deprecated nslookup program (and unknown others) constructs
# its own in-addr.arpa names and sends them to the server directly,
# so the "correct way" has to work as well.
#

.66.14.27.216.in-addr.arpa:216.27.14.66:a

There are several goodies in there. I had to escape the slash and other characters. Or rather, you have to know how BIND will escape them and cover for that. Probably the easiest way to do this (and the way I did it) is to watch the tinydns logs as a lookup is attempted, see exactly how BIND spells the name it is sending you, and set djbdns to be authoritative for that spelling. Another point I ran across is that nslookup (and hence, I assume, other old programs) likes to construct .in-addr.arpa names on its own and try to resolve those directly. I fixed this by telling my tinydns server to act authoritatively for 66.14.27.216.in-addr.arpa even though it really isn't supposed to. One caveat worth knowing: a "." line in a tinydns data file only produces SOA, NS and glue A records, so if you want that plain in-addr.arpa name to return a PTR answer from your server as well, it needs its own "^" line too.
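To make the escaping rule and the coverage check above concrete, here is a small Python helper (added here; not code from the page, djbdns or the hosting provider). It builds the tinydns data lines for an RFC 2317 block, escaping the "/" in the zone name the same way the data file above does, and then checks that every CNAME target the parent's $GENERATE line will emit has a matching "^" record on our side. The function names and the three-host sample are constructed for the example.

```python
import re

# Hypothetical helper, added as an example; not from the page or from djbdns.
# tinydns-data reads a backslash followed by three octal digits as one byte,
# so the BIND-style label "64/27" is written "64\05727" (057 octal is '/').

def tinydns_escape(name):
    """Write any character other than letters, digits, '-' and '.' as \\ooo."""
    return "".join(c if c.isalnum() or c in "-." else "\\%03o" % ord(c) for c in name)

def tinydns_unescape(name):
    """Inverse of tinydns_escape: turn \\ooo sequences back into characters."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), name)

def rfc2317_zone(net24, first, prefix):
    """Zone name the parent's $GENERATE points CNAMEs into, e.g. 64/27.14.27.216.in-addr.arpa."""
    a, b, c = net24.split(".")
    return f"{first}/{prefix}.{c}.{b}.{a}.in-addr.arpa"

def cname_targets(net24, first, prefix):
    """Every name '$GENERATE first-last $ CNAME $.first/prefix...' emits on the BIND side."""
    zone = rfc2317_zone(net24, first, prefix)
    return [f"{n}.{zone}" for n in range(first, first + 2 ** (32 - prefix))]

def tinydns_lines(net24, first, prefix, ns_ip, ptrs):
    """Data-file lines: one '.' line (SOA/NS, authoritative for the escaped zone)
    plus one '^' PTR line per host in ptrs, a dict of {last_octet: hostname}."""
    zone = tinydns_escape(rfc2317_zone(net24, first, prefix))
    size = 2 ** (32 - prefix)
    lines = [f".{zone}:{ns_ip}:a"]
    for last, host in sorted(ptrs.items()):
        if not first <= last < first + size:
            raise ValueError(f"{last} lies outside the delegated block {first}/{prefix}")
        lines.append(f"^{last}.{zone}:{host}")
    return lines

def missing_ptrs(lines, net24, first, prefix):
    """CNAME targets from the BIND side that no '^' line answers (they would be NXDOMAIN)."""
    have = {tinydns_unescape(l[1:].split(":")[0]) for l in lines if l.startswith("^")}
    return [n for n in cname_targets(net24, first, prefix) if n not in have]

# Constructed sample: the page's 216.27.14.64/27 block, but with only three hosts filled in.
SAMPLE_PTRS = {64: "netblock.bandwidth.com", 66: "ns1.bandwidth.com", 95: "broadcast.bandwidth.com"}

if __name__ == "__main__":
    data = tinydns_lines("216.27.14", 64, 27, "216.27.14.66", SAMPLE_PTRS)
    print("\n".join(data))
    print("CNAME targets without a PTR:", len(missing_ptrs(data, "216.27.14", 64, 27)))
```

Run the check against your real data file before publishing it: any name it lists is one the parent will hand out as a CNAME and your server will then answer with NXDOMAIN.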

That was it. After I got over those little hurdles, I had tinydns seamlessly taking a reverse classless delegation from BIND.

Some octal escape codes (a tinydns data file writes any byte as a backslash followed by exactly three octal digits, so "/" becomes \057 and a space becomes \040):
007 \a    010 \b    011 \t    012 \n    015 \r    040 (space)
041 !     042 "     043 #     044 $     045 %     046 &     
047 '     050 (     051 )     052 *     053 +     054 ,     
055 -     056 .     057 /     060 0     061 1     062 2     
063 3     064 4     065 5     066 6     067 7     070 8     
071 9     072 :     073 ;     074 <     075 =     076 >     
077 ?     100 @     101 A     102 B     103 C     104 D     
105 E     106 F     107 G     110 H     111 I     112 J     
113 K     114 L     115 M     116 N     117 O     120 P     
121 Q     122 R     123 S     124 T     125 U     126 V     
127 W     130 X     131 Y     132 Z     133 [     134 \     
135 ]     136 ^     137 _     140 `     141 a     142 b     
143 c     144 d     145 e     146 f     147 g     150 h     
151 i     152 j     153 k     154 l     155 m     156 n     
157 o     160 p     161 q     162 r     163 s     164 t     
165 u     166 v     167 w     170 x     171 y     172 z     
173 {     174 |     175 }     176 ~

I also have a djbdns / tinydns record builder for SRV and NAPTR records which aren't so easy to write in the generic format.
