Re: xinetd /etc/host.deny ALL:PARANOID



At 10:01 PM 1/10/02 -0600, Nathan E Norman wrote:
>Congratulations ... you just set up your DNS incorrectly.  Every PTR
>entry should resolve to a _unique_ name, and that name should resolve
>to a _unique_ IP.  That doesn't mean you can't have additional A
>records doing load balancing. 

To give a POTS analogy, say you have 10 lines coming into your modem bank in
a hunt group.  That's when you have one number that scrolls over onto all 10
of the lines based on which ones are busy.  However, all 10 of those lines
have to have individual unique phone numbers even though they are reached
through the common hunt group number.  They all have unique phone
number/circuit id pairs.


>zone IN 3.2.1.in-addr.ARPA:
>
>  4 IN PTR host4.netblk1-2-3.madduck.net.
>  4 IN PTR host5.netblk1-2-3.madduck.net.

I assume you meant to write "5" there. ;)

>zone IN netblk1-2-3.madduck.net:
>
>  host4.netblk1-2-3.madduck.net. IN A 1.2.3.4
>  host5.netblk1-2-3.madduck.net. IN A 1.2.3.5
>
>zone IN madduck.net:
>
>  mail.madduck.net. IN A 1.2.3.4
>                    IN A 1.2.3.5
>
>Not all A records need PTR records.  It never fails to amaze me how
>many people don't understand this.

This is sort of the function of canonical names.  "Other" names for the IP
besides the absolute name (or Loopback name in our parlance).  But CNAMEs
are deprecated for other reasons.  I personally never had any problems using
them.


>All the people who say "but I don't control the reverse for my IP(s)"
>don't understand the issue ... it's up to the registered contact for
>the block to make sure reverse resolution works.  Of course that means
>resolving to A records that the contact also controls.  This is all
>spelled out in the RFCs and best practice documents.

It has been possible for some time now to allocate really really small IP
blocks.  I had a /27 allocated to me in ARIN once.  I controlled my own
reverse lookups that way.  I don't know how small they will go though.
--
REMEMBER THE WORLD TRADE CENTER         ---=< WTC 911 >=--

00000100
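The forward/reverse consistency test behind the "ALL: PARANOID" line in the subject, as an added example that is not code from this thread, from xinetd or from tcp_wrappers: a simplified Python model of the libwrap hostname check, run offline against constructed zone data taken from the quoted example plus two constructed failure cases (1.2.3.6 with a PTR that does not resolve back, 1.2.3.7 with no PTR).

```python
"""Simplified model of the libwrap (tcp_wrappers) hostname check that
xinetd relies on when /etc/hosts.deny contains "ALL: PARANOID"."""
import ipaddress

# Constructed zone data mirroring the thread's example; not real DNS.
# Reverse zone 3.2.1.in-addr.arpa, keyed by the full owner name.
PTR_RECORDS = {
    "4.3.2.1.in-addr.arpa": ["host4.netblk1-2-3.madduck.net."],
    "5.3.2.1.in-addr.arpa": ["host5.netblk1-2-3.madduck.net."],
    # Constructed misconfiguration: the PTR names a host whose A record
    # is a different address, so forward and reverse disagree.
    "6.3.2.1.in-addr.arpa": ["host4.netblk1-2-3.madduck.net."],
    # 1.2.3.7 deliberately has no PTR record at all.
}
# Forward zones. mail.madduck.net has two A records and no PTR of its
# own, which is fine: only the name a PTR points to must resolve back.
A_RECORDS = {
    "host4.netblk1-2-3.madduck.net.": ["1.2.3.4"],
    "host5.netblk1-2-3.madduck.net.": ["1.2.3.5"],
    "mail.madduck.net.": ["1.2.3.4", "1.2.3.5"],
}

def lookup_ptr(ip, ptr_zone=PTR_RECORDS):
    """Offline stand-in for gethostbyaddr(): PTR targets of an address."""
    rev = ipaddress.ip_address(ip).reverse_pointer  # "4.3.2.1.in-addr.arpa"
    return ptr_zone.get(rev, [])

def lookup_a(name, fwd_zone=A_RECORDS):
    """Offline stand-in for gethostbyname(): A records of a name."""
    return fwd_zone.get(name, [])

def classify(ip, ptr_zone=PTR_RECORDS, fwd_zone=A_RECORDS):
    """Return the verified hostname, or the libwrap pseudo-names
    'unknown' (no PTR) and 'paranoid' (PTR name does not resolve back)."""
    names = lookup_ptr(ip, ptr_zone)
    if not names:
        return "unknown"
    for name in names:
        if ip in lookup_a(name, fwd_zone):
            return name  # forward and reverse agree: accept this name
    return "paranoid"

def denied_by_hosts_deny(ip):
    """True if an "ALL: PARANOID" hosts.deny line would reject this client.
    Clients with no PTR at all match UNKNOWN, not PARANOID."""
    return classify(ip) == "paranoid"
```

The model only compares addresses; real libwrap additionally compares the PTR name against the name returned by the forward lookup before accepting it.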