
I am in the middle of auditing our DNS infrastructure. Everything works fine (zone delegation, etc.) but I am wondering about the coherence of the infrastructure for a particular zone delegation (with respect to the state of the art).

Server A delegates the reverse map zone 10.in-addr.arpa to server B. But server B delegates sub-zones like 10.0.10.in-addr.arpa and 11.0.10.in-addr.arpa back to server A (! <- this is what bugs me)

The whole thing works fine. When using dig on a workstation:

  • if I try to get the PTR for 1.10.0.10.in-addr.arpa using server A, it gives me the answer right away (without recursion, because it has the corresponding zone file for 10.0.10.in-addr.arpa)
  • if I try to get the PTR for 1.10.0.10.in-addr.arpa using server B, I also get the answer thanks to the recursion mechanism (B sends me the answer it got from A).

All right, but is this correct with respect to the DNS protocol and good practice?

Jacques

1 Answer


Yes, this is entirely OK.

A very minor caveat is that diagnostic tools that trawl through the DNS tree in order to try to find potential problems may be confused by a setup like this. Specifically, I strongly suspect that Zonemaster (which I was involved in writing) would not handle that correctly. But that's a problem in the tool, not in your setup :-)

Calle Dybedahl
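To make the two points above concrete (why the delegation back to A resolves normally, and what a tree-walking diagnostic tool has to get right to not be confused by it), here is an added example: a toy iterative resolver over an in-memory model of the two servers. It is not code from the question, the answer or Zonemaster; the server names A and B, the zone contents and the PTR targets are constructed. The legitimate setup works because every referral hands off a zone cut strictly below the zone that issued it, so the query makes progress even though it comes back to the same server. A genuine loop (the BROKEN variant, where A no longer hosts the /24 zones and can only refer the query back to B) is caught by remembering the (server, zone) pairs already visited. Keying loop detection on the server name alone would wrongly flag the setup in the question, since A is legitimately asked twice, once for in-addr.arpa. and once for 10.0.10.in-addr.arpa.

```python
"""Toy iterative resolver over an in-memory model of two authoritative servers.

Added example, not code from the question, the answer or Zonemaster. The server
names A and B, the zone contents and the PTR targets are all constructed.
"""
from typing import Dict, List, Tuple

# owner name -> list of (rrtype, rdata); the rdata of an NS record is a server name here
Zone = Dict[str, List[Tuple[str, str]]]
Servers = Dict[str, Dict[str, Zone]]

# Constructed data mirroring the question: A serves in-addr.arpa. and the two /24
# reverse zones; B serves 10.in-addr.arpa. and delegates the /24s back to A.
SERVERS: Servers = {
    "A": {
        "in-addr.arpa.": {
            "in-addr.arpa.": [("SOA", "A"), ("NS", "A")],
            "10.in-addr.arpa.": [("NS", "B")],            # 10/8 delegated to B
        },
        "10.0.10.in-addr.arpa.": {
            "10.0.10.in-addr.arpa.": [("SOA", "A"), ("NS", "A")],
            "1.10.0.10.in-addr.arpa.": [("PTR", "host1.example.net.")],
        },
        "11.0.10.in-addr.arpa.": {
            "11.0.10.in-addr.arpa.": [("SOA", "A"), ("NS", "A")],
            "1.11.0.10.in-addr.arpa.": [("PTR", "host2.example.net.")],
        },
    },
    "B": {
        "10.in-addr.arpa.": {
            "10.in-addr.arpa.": [("SOA", "B"), ("NS", "B")],
            "10.0.10.in-addr.arpa.": [("NS", "A")],       # delegated back to A
            "11.0.10.in-addr.arpa.": [("NS", "A")],
        },
    },
}

# Broken variant (constructed): A no longer hosts the /24 zones, so B's delegation
# back to A points at a server that can only refer the query to B again.
BROKEN: Servers = {"A": {"in-addr.arpa.": SERVERS["A"]["in-addr.arpa."]}, "B": SERVERS["B"]}


def within(name: str, zone: str) -> bool:
    """True if `name` is at or below `zone` (both fully qualified with a trailing dot)."""
    return name == zone or name.endswith("." + zone)


def authoritative_query(server: str, qname: str, qtype: str, servers: Servers) -> tuple:
    """One server's response to (qname, qtype), following RFC 1034 section 4.3.2:
    ('lame', None), ('referral', zone, cut, [ns...]), ('answer', zone, rdata) or
    ('nxdomain', zone)."""
    zones = [z for z in servers[server] if within(qname, z)]
    if not zones:
        return ("lame", None)
    zone = max(zones, key=len)                 # closest enclosing zone on this server
    records = servers[server][zone]
    # NS records below the apex that cover qname mark a zone cut: refer, do not answer.
    cuts = [n for n, rrs in records.items()
            if n != zone and within(qname, n) and any(t == "NS" for t, _ in rrs)]
    if cuts:
        cut = max(cuts, key=len)
        return ("referral", zone, cut, [r for t, r in records[cut] if t == "NS"])
    rdata = [r for t, r in records.get(qname, []) if t == qtype]
    return ("answer", zone, rdata) if rdata else ("nxdomain", zone)


def resolve(start: str, qname: str, qtype: str = "PTR",
            servers: Servers = SERVERS, max_hops: int = 8) -> Tuple[str, List[str], int]:
    """Iteratively follow referrals from `start`. Returns (status, rdata, referrals).
    A server may legitimately be visited twice for two different zones (A for
    in-addr.arpa. and again for 10.0.10.in-addr.arpa.), so loop detection keys
    on the (server, zone) pair, not on the server alone."""
    server, hops, seen = start, 0, set()
    while hops <= max_hops:
        resp = authoritative_query(server, qname, qtype, servers)
        kind, zone = resp[0], resp[1]
        if kind == "lame":
            return ("lame", [], hops)
        if (server, zone) in seen:
            return ("loop", [], hops)
        seen.add((server, zone))
        if kind == "answer":
            return ("ok", resp[2], hops)
        if kind == "nxdomain":
            return ("nxdomain", [], hops)
        server = resp[3][0]                    # referral: follow the first listed NS
        hops += 1
    return ("loop", [], hops)


if __name__ == "__main__":
    for srv in ("A", "B"):
        print(srv, resolve(srv, "1.10.0.10.in-addr.arpa."))
    print("broken", resolve("A", "1.10.0.10.in-addr.arpa.", servers=BROKEN))
```

Against the real servers the same two behaviours can be checked with dig: `dig @A -x 10.0.10.1` answers from A's own zone, and `dig @B +norecurse -x 10.0.10.1` returns a referral (NS records for 10.0.10.in-addr.arpa pointing at A in the AUTHORITY section) instead of an answer, which is exactly the zone-cut handling the toy `authoritative_query` models.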