BIND Package and RFC 2317 Classless IN-ADDR.ARPA delegation
I think what I am asking for here would be considered a bug fix, but I'm open to opinions.
RFC 2317 describes a method by which an ISP or netblock owner can delegate reverse IP resolution to an end customer outside of the classful boundaries (Class A, B, C).
IP Addresses have been changed to protect the innocent
I have a netblock assigned to me consisting of 71.26.44.8/29. My ISP has configured the appropriate CNAME entries in their DNS to redirect PTR record lookups to my DNS servers. This allows me to define the reverse IP resolution to whatever DNS entries I want. This is primarily relevant for hosting an e-mail server, as some e-mail servers require the server hostname and IP address to match (forward and reverse).
The delegated zone looks like this:
8/29.44.26.71.in-addr.arpa.
Note: one piece of important information here is that a forward slash (/) in the zone name is perfectly legal, as is a dash (-). My ISP could have chosen to use a dash instead of the forward slash and all of my problems would be solved. However, my ISP has settled on a forward slash in keeping with typical CIDR notation, and they argue the forward slash is perfectly legal according to RFC 2181 (which is true) and BIND9 has no issue with it. The issue is with how the pfSense BIND pkg has chosen to use the NAME field in the zone configuration screen.
So the problem I am having is in the GUI configuration for the slave (or master) zone. You have to define the name of the zone at the top of the GUI form:
This NAME has two functions.
- This will be the name of the DB file that is created to hold the Resource Records.
- This name has to match the name of the incoming (if configured as slave) or ORIGIN zone name configured in the zone record.
$ORIGIN 8/29.44.26.71.in-addr.arpa.
So the issue is that if you use a forward slash (/) in the ZONE name in the GUI, the GUI tries to create a DB file with a forward slash in the file name, which fails. A forward slash is a perfectly legal character in DNS zone names and RRs, but that legality does not translate to a filesystem.
The way this is typically worked around when building a zone manually is to name the DB file db.8-29.44.26.71.in-addr.arpa. This name is legal for the file system, and it would be entered in the zone clause of named.conf as:
```
zone "8/29.44.26.71.in-addr.arpa" IN { type master; file "/etc/bind/db.8-29.44.26.71.in-addr.arpa"; allow-query { any; }; };
```
What I am asking for is a separation in the GUI: one form field that defines the name of the database file (db.8-29.44.26.71.in-addr.arpa) and a separate form field that defines the name of the zone (8/29.44.26.71.in-addr.arpa). This will allow a file to be created with a valid name while still allowing the use of a forward slash (/) in the zone name.
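As an added illustration of the two halves of this post (the RFC 2317 delegation the ISP sets up, and the zone-name-to-filename mapping the GUI would need), here is a small Python example. It is not code from the pfSense BIND package or from BIND itself; the nameserver names, the `/etc/bind` directory and the function names are assumptions for the example. The filename mapper also rejects anything that would still contain a path separator or `..` after the slash-to-dash substitution, which is the check a GUI should make before it uses user-supplied zone text as part of a file path.

```python
import ipaddress
import re

# Labels per RFC 1035/2181 length rules; the set of characters is deliberately
# permissive (RFC 2181 allows any octet), so only structural limits are checked.
_MAX_LABEL = 63
_MAX_NAME = 253


def rfc2317_delegation(cidr: str, ns_hosts: list[str]) -> tuple[str, list[str]]:
    """Return the RFC 2317 child zone name and the records the ISP publishes
    in the parent in-addr.arpa zone for a prefix longer than /24."""
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version != 4 or net.prefixlen <= 24:
        raise ValueError("RFC 2317 applies to IPv4 prefixes longer than /24")
    o1, o2, o3, first = str(net.network_address).split(".")
    parent = f"{o3}.{o2}.{o1}.in-addr.arpa."
    child = f"{first}/{net.prefixlen}.{parent}"
    records = [f"{child} IN NS {ns.rstrip('.')}." for ns in ns_hosts]
    # One CNAME per address in the block, pointing into the customer's zone.
    for addr in net:
        last = str(addr).split(".")[-1]
        records.append(f"{last}.{parent} IN CNAME {last}.{child}")
    return child, records


def validate_zone_name(zone: str) -> str:
    """Normalise a zone name (strip trailing dot, lowercase) and enforce
    label/name length limits. Raises ValueError on malformed input."""
    name = zone.strip().rstrip(".").lower()
    if not name or len(name) > _MAX_NAME:
        raise ValueError("empty or over-long zone name")
    for label in name.split("."):
        if not 1 <= len(label) <= _MAX_LABEL:
            raise ValueError(f"bad label length in {zone!r}")
    return name


def db_filename(zone: str) -> str:
    """Map a zone name to a filesystem-safe db file name, replacing '/' with
    '-' as the post describes, then refusing anything still path-unsafe."""
    safe = validate_zone_name(zone).replace("/", "-")
    if "/" in safe or "\\" in safe or "\0" in safe or ".." in safe:
        raise ValueError("zone name cannot be turned into a safe file name")
    return "db." + safe


def zone_clause(zone: str, db_dir: str = "/etc/bind", ztype: str = "master",
                masters: tuple[str, ...] = ()) -> str:
    """Render a named.conf zone clause with the zone name and file name kept
    separate, which is the split the post asks the GUI to provide."""
    name = validate_zone_name(zone)
    path = f"{db_dir}/{db_filename(zone)}"
    lines = [f'zone "{name}" IN {{', f"    type {ztype};", f'    file "{path}";']
    if ztype == "slave":
        if not masters:
            raise ValueError("slave zone needs at least one master")
        lines.append("    masters { " + " ".join(m + ";" for m in masters) + " };")
    lines.append("    allow-query { any; };")
    lines.append("};")
    return "\n".join(lines)


if __name__ == "__main__":
    child, recs = rfc2317_delegation("71.26.44.8/29", ["ns1.example.net", "ns2.example.net"])
    print("ISP side (parent zone):")
    print("\n".join(recs))
    print("\nCustomer side (named.conf):")
    print(zone_clause(child))
    print(zone_clause(child, ztype="slave", masters=("192.0.2.53",)))
```

Running the script prints the parent-zone NS and CNAME records for the /29 and a master and a slave zone clause whose `file` value is the dash form of the zone name, while the `zone "..."` label keeps the slash exactly as the ISP delegated it.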