[afnog] Dns Reverse Delegation

Geert Jan de Groot geertj at nsrc.org
Sat Feb 5 12:42:11 EAT 2005


On Fri, 4 Feb 2005 19:36:43 +0100  "Joe Ndidi Onwubuya" wrote:
> I have done all the corrections suggested in afnog mailing
> list, but I still did not get a reply from ripe.
> Please any suggestion on the way forward?

There are two issues:
1. Possible problems with mail to auto-dbm at ripe.net
   (which, unfortunately, works for me - see other message)
2. The health of the delegations as submitted to RIPE.

This message is about the latter.
When I worked for RIPE myself (7 years ago now), we found that many
organisations have trouble setting up DNS zones. Especially new,
inexperienced operators frequently had serious trouble making
a setup that would work at all.
Once a zone was set up correctly, chances were much better that
the zone would remain operational correctly, hence:
"it's more difficult to break something that works than to 
make something that works".

It therefore makes sense to check the zones before delegation is done,
and that's one of the checks the zones have to pass. 
Unfortunately, the zones discussed are not free of errors;
please don't look at it personally, many defective zone submissions were
done before you and many will happen after you.

So, please let's use this as an educational thing and make things work!

While I don't know the exact criteria, I found at least the following
problems:
64.100.212.in-addr.arpa - 70.100.212.in-addr.arpa:
72.100.212.in-addr.arpa
- The RIPE database object only lists 2 nameservers, while the zone itself
  lists 3 nameservers:
  - ns.cybaaspace.net
  - ns1.cybaaspace.net
  - ns.skannet.com (this one isn't listed in the DNS zone)
  Please make the domain object list all three.
- ns.cybaaspace.net and ns1.cybaaspace.net have consecutive IP addresses,
  which suggests they are installed on the same table. Tripping over the
  power cord will probably knock out both.
  This is fine as long as ns.skannet.com is running secondary, so you'll
  *need* the 3rd nameserver!
- ns.skannet.com is not authoritative for any of these zones.
  Please work with Sunday to make ns.skannet.com authoritative for these zones!

71.100.212.in-addr.arpa 
- This zone only lists one nameserver: rockfish.cybaaspace.net

Can you please work on these problems, so that each zone:
- has at least 2 nameservers in geographically different locations
  (making the skannet one work is probably easiest)
- make the nameserver set you use, the same as the one you send in
  to RIPE?
- Check your mail logs for (rejected?) mail from ripe-dbm at ripe.net?

Thanks,

Geert Jan
(not working for, nor representing, the RIPE NCC!)
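
The pre-delegation checks discussed in the message above, as an added example that is not part of the original post and is not RIPE's own checker. It assumes the registry nameserver list, the zone's NS set, the server addresses and each server's authoritative status were collected beforehand; all names and addresses are constructed, and treating adjacent addresses as one site is a heuristic assumption.

```python
from ipaddress import ip_address
def norm(name):
    """Compare hostnames case-insensitively, ignoring the trailing root dot."""
    return name.rstrip(".").lower()

def check_delegation(registry_ns, zone_ns, addresses, authoritative):
    """Return a sorted list of (code, detail) findings for one reverse zone.
    registry_ns   -- nameserver names in the registry domain object
    zone_ns       -- NS names served in the zone itself
    addresses     -- name -> IPv4 address string
    authoritative -- name -> True if the server answered SOA with AA set
    """
    reg = {norm(n) for n in registry_ns}
    zon = {norm(n) for n in zone_ns}
    addr = {norm(n): ip_address(a) for n, a in addresses.items()}
    auth = {norm(n) for n, ok in authoritative.items() if ok}
    findings = []
    for n in zon - reg:
        findings.append(("ns-mismatch", f"{n}: in zone, missing from registry object"))
    for n in reg - zon:
        findings.append(("ns-mismatch", f"{n}: in registry object, missing from zone"))
    if len(zon) < 2:
        findings.append(("too-few-ns", f"zone lists {len(zon)} nameserver(s)"))
    for n in (reg | zon) - auth:
        findings.append(("lame", f"{n}: not authoritative for the zone"))
    # Heuristic (assumption): adjacent addresses share a site, so servers
    # whose addresses differ by 1 count as one location.
    sites, prev = 0, None
    for ip in sorted(addr[n] for n in auth & (reg | zon) if n in addr):
        if prev is None or int(ip) - int(prev) > 1:
            sites += 1
        prev = ip
    if sites < 2:
        findings.append(("single-site", f"{sites} independent authoritative site(s)"))
    return sorted(findings)

# Constructed sample data (documentation names and addresses, not from the thread).
SAMPLE = dict(
    registry_ns=["ns.example.net.", "ns1.example.net."],
    zone_ns=["NS.example.net", "ns1.example.net", "ns2.example.org"],
    addresses={"ns.example.net": "192.0.2.10", "ns1.example.net": "192.0.2.11",
               "ns2.example.org": "198.51.100.53"},
    authoritative={"ns.example.net": True, "ns1.example.net": True,
                   "ns2.example.org": False},
)

if __name__ == "__main__":
    for code, detail in check_delegation(**SAMPLE):
        print(f"{code:12} {detail}")
```
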


