name ttl class rr name 15 IN PTR www.example.com.
The value '15' (the base IP address) in the above example is actually a name (an owner-name or left-hand name) and because it does not teminate with a 'dot' BIND appends the $ORIGIN (or if an $ORIGIN is missing the zone name that referenced this zone file). The example below, which defines a reverse map zone file for the Class C address 192.168.23.0, should make this clearer:
$TTL 2d ; 172800 secs $ORIGIN 23.168.192.IN-ADDR.ARPA. @ IN SOA ns1.example.com. hostmaster.example.com. ( 2003080800 ; serial number 12h ; refresh 15m ; update retry 3w ; expiry 3h ; NXDOMAIN ttl ) IN NS ns1.example.com. IN NS ns2.example.com. ; 2 below is actually an unqualified name and becomes ; 18.104.22.168.IN-ADDR.ARPA. 2 IN PTR joe.example.com. ; FDQN .... 15 IN PTR www.example.com. .... 17 IN PTR bill.example.com. .... 74 IN PTR fred.example.com. ....
Because the $ORIGIN reflects the reverse map domain, all right-hand names must use an FQDN format (they end with a dot). If the terminating dot on joe.example.com above were omitted in error it would become joe.example.com.23.168.192.IN-ADDR.ARPA - not the desired result!.
PTR RRs (Resource Records), like most other RRs, may be part of an RRset (RRs which have the same owner-name (left-hand name) and RR type). If multiple owner-names are assigned to a single host (IPv4 or IPv6) in a forward mapped zone file using CNAME RRs, A RRs or AAAA RRs then each of these owner-names can be defined using a PTR RRset in the reverse map (though, obviously, the owner-name of the original RR is transposed to a right-hand name in the PTR RR), for example:
; forward zone file for example.com ... mail IN A 192.168.0.7 www IN A 192.168.0.7 ; OR mail IN A 192.168.0.7 www IN CNAME 192.168.0.7 ... # reverse map zone file for 0.168.192.IN-ADDR.ARPA ... 7 IN PTR mail.example.com. 7 IN PTR www.example.com. ...
The reverse map zone file is prefectly legitimate. However, in tests a number of mail systems, which invariably perform a reverse look up, did not handle PTR RRsets and failed unless the mail server appeared first which is difficult to guarantee (see rrset-order). Thus, if a mail server (mail.example.com) and, say, a web server (www.example.com) both have the same IP address (as illustrated in the example above) then since mail systems invariably use reverse lookups as a trivial security check it may be sensible to define the reverse map to only contain mail.example.com.
It is not mandatory (for either IPv4 or IPv6), but considered good practise, to define all assigned IPs in a reverse map. Care should, however, be exercised to avoid huge PTR RRsets. For example, a web server may map thousands of virtual domains onto a single IP address (of the web server). If every one of these virtual domains appeared in the reverse map (a legitimate construct) then a reverse map query would lead to a huge RRset response and a DDoS attack would be a likely result.
It is sensible to define the reverse map zone file in order of IP addresses (the zone file is always sorted into canonical order when it is loaded by DNS software) or some other fixed order to avoid subsequent errors (duplications or omissions) or to simplify manual searching for a particular value.
There are no A RRs for the defined NS names (respectively ns1.example.com and ns2.example.com) since both are out-of-zone names. Any lookup is done via the forward zone file for example.com in which suitable A RRs for these names must exist.
PTR Usage: While the overwhelming use of the PTR RR is in reverse mapping (for both IPv4 and IPv6) the PTR RR is not limited to this usage. Essentially, the PTR record may be thought of as a CNAME like RR (mapping a name to another name). The significant difference is that a query which results in a CNAME RR will cause the DNS to automatically restart the query using the alias (or canonical) name if it resolves within the same domain. When a query results in a PTR RR(s) the response is immediately returned and no further DNS processing results. Other than reverse mapping, this author cannot immediately think of a use for such a capability. More imaginitive readers may find alternative applications.
IPv6 and IPv4 addresses cannot be mixed in the same zone file as they can for forward-map zones. IPv6 addresses are reverse mapped under the domain IP6.ARPA whereas IPv4 addresses are mapped under the IN-ADDR.ARPA domain. IPv6 reverse-maps use a nibble domain name format defined in Chapter 3. The following fragment illustrates the use of the PTR RR to reverse-map the IPv6 addresses 2001:db8:0:1::1, 2001:db8:0:1::1, 2001:db8:0:2::1 and 2001:db8:0:1::1:
; reverse IPV6 zone file for example.com $TTL 2d ; default TTL for zone 172800 secs $ORIGIN 0.0.0.0.8.b.d.0.1.0.0.2.IP6.ARPA. @ IN SOA ns1.example.com. hostmaster.example.com. ( 2003080800 ; sn = serial number 12h ; refresh = refresh 15m ; retry = update retry 3w ; expiry = expiry 2h ; NXDOMAIN TTL ) ; name servers Resource Recordsfor the domain IN NS ns1.example.com. ; the second name servers is ; external to this zone (domain). IN NS ns2.example.net. ; PTR RR maps a IPv6 address to a host name ; hosts in subnet ID 1 22.214.171.124.0.0.0.0.0.0.0.0.0.0.0.0.126.96.36.199 IN PTR ns1.example.com. 188.8.131.52.0.0.0.0.0.0.0.0.0.0.0.0.184.108.40.206 IN PTR mail.example.com. ; hosts in subnet ID 2 220.127.116.11.0.0.0.0.0.0.0.0.0.0.0.0.18.104.22.168 IN PTR joe.example.com. 22.214.171.124.0.0.0.0.0.0.0.0.0.0.0.0.126.96.36.199 IN PTR www.example.com.
Notes: The IPv6 range 2001:db8:: has been reserved for documentation purposes only by the great and mighty.
Problems, comments, suggestions, corrections (including broken links) or something to add? Please take the time from a busy life to 'mail us' (at top of screen), the webmaster (below) or info-support at zytrax. You will have a warm inner glow for the rest of the day.
3 reverse map
4 dns types
5 install bind
8 zone records
12 bind api's
13 dns security
bits & bytes
notes & tips
This work is licensed under a Creative Commons License.
If you are happy it's OK - but your browser is giving a less than optimal experience on our site. You could, at no charge, upgrade to a W3C STANDARDS COMPLIANT browser such as Firefox