lug-bg: Specifying A resource records in IN-ADDR.ARPA according to RFC 1101
- Subject: lug-bg: Specifying A resource records in IN-ADDR.ARPA according to RFC 1101
- From: vlk@xxxxxxxxxxxxxxxxx (Vesselin Kolev)
- Date: Mon, 10 Feb 2003 13:24:27 +0200
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
This posting should be read as a supplement to my previous postings on
the subject of tunnels. In it I will use some of the solutions given in
RFC 1101 (a slightly old RFC, but rather unknown in our parts...
I wonder why???)
If you have to build tunnels operating only with real address space, the
following effect often occurs. Since the tunnel address spaces are
specified as networks with 30-bit subnet masks (octet notation
255.255.255.252), confusion often arises about which network starts
where and where it ends. To avoid getting confused, you can use the
in-addr.arpa zone that corresponds to your network for this purpose.
* * *
I will show you how this is done for a class C network and for
classlessly delegated networks.
* * *
1. IN-ADDR.ARPA for a class "C" network
Example scheme: We will consider the class C network 192.168.1.0.
The in-addr.arpa domain for this network is delegated by the central
registry for 168.192.in-addr.arpa as follows:
$ORIGIN 168.192.in-addr.arpa.
1   NS ns1.example.dom.
    NS ns2.example.dom.
However, the administrator of that network has decided to split it into
smaller segments for different purposes, for example tunnel address
spaces, subnets, etc. For example, here is how he has structured his
network:
192.168.1.0/30   -> tunnel IP space
192.168.1.4/30   -> tunnel IP space
192.168.1.8/30   -> tunnel IP space
192.168.1.12/30  -> tunnel IP space
192.168.1.16/28  -> user network No.1
192.168.1.32/29  -> user network No.2
192.168.1.40/29  -> user network No.3
192.168.1.48/28  -> user network No.4
192.168.1.64/26  -> user network No.5
192.168.1.128/25 -> user network No.6
At the very least, to make his own work easier, the administrator can
describe the networks and network masks in the in-addr.arpa domain.
Below I give an example of how this is done in the zone 1.168.192.in-addr.arpa:
$TTL 86400 ; 1 day
@ SOA ns1.example.dom. root.example.dom. (
        2003020902 ; serial
        86400      ; refresh (1 day)
        3600       ; retry (1 hour)
        3600000    ; expire (5 weeks 6 days 16 hours)
        86400      ; minimum (1 day)
        )
    NS ns1.example.dom.
    NS ns2.example.dom.
0   PTR net-address.tunnel-1.example.dom.
    A 255.255.255.252
1   PTR host1.tunnel-1.example.dom.
2   PTR host2.tunnel-1.example.dom.
3   PTR broadcast.tunnel-1.example.dom.
4   PTR net-address.tunnel-2.example.dom.
    A 255.255.255.252
5   PTR host1.tunnel-2.example.dom.
6   PTR host2.tunnel-2.example.dom.
7   PTR broadcast.tunnel-2.example.dom.
8   PTR net-address.tunnel-3.example.dom.
    A 255.255.255.252
9   PTR host1.tunnel-3.example.dom.
10  PTR host2.tunnel-3.example.dom.
11  PTR broadcast.tunnel-3.example.dom.
12  PTR net-address.tunnel-4.example.dom.
    A 255.255.255.252
13  PTR host1.tunnel-4.example.dom.
14  PTR host2.tunnel-4.example.dom.
15  PTR broadcast.tunnel-4.example.dom.
16  PTR net-address.usernet-1.example.dom.
    A 255.255.255.240
...
...
...
31  PTR broadcast.usernet-1.example.dom.
32  PTR net-address.usernet-2.example.dom.
    A 255.255.255.248
...
...
...
39  PTR broadcast.usernet-2.example.dom.
40  PTR net-address.usernet-3.example.dom.
    A 255.255.255.248
...
...
...
47  PTR broadcast.usernet-3.example.dom.
48  PTR net-address.usernet-4.example.dom.
    A 255.255.255.240
...
...
...
63  PTR broadcast.usernet-4.example.dom.
64  PTR net-address.usernet-5.example.dom.
    A 255.255.255.192
...
...
...
127 PTR broadcast.usernet-5.example.dom.
128 PTR net-address.usernet-6.example.dom.
    A 255.255.255.128
...
...
...
255 PTR broadcast.usernet-6.example.dom.
The purpose of these A records (at least in our case) is to show where a
given network starts and what its subnet mask is. This helps a great deal
in finding one's way around.
A few explanations regarding the queries...
If you make the query
dig @ns1.example.dom -t PTR 0.1.168.192.in-addr.arpa
you will get the answer:
[root@ns1 root]# dig @ns1.example.dom. -t PTR 0.1.168.192.in-addr.arpa
...
;; ANSWER SECTION:
0.1.168.192.in-addr.arpa. 86400 IN PTR net-address.tunnel-1.example.dom.
...
If you want to retrieve the A RR:
[root@ns1 root]# dig @ns1.example.dom. -t A 0.1.168.192.in-addr.arpa
...
;; ANSWER SECTION:
0.1.168.192.in-addr.arpa. 86400 IN A 255.255.255.252
...
That way you will also see that it works.
When you want to check the architecture of your network, you can request
an AXFR of the zone and see it in its entirety. That is quite useful, and
in many cases. Forget the paranoia about forbidding transfers of
in-addr.arpa zones. It can be proved in 5 lines that this is absolutely
stupid and unnecessary.
* * *
2. IN-ADDR.ARPA for classless delegation
Example scheme: A client has received the network 192.168.2.0/26 (octet
notation of the subnet mask 255.255.255.192). The delegation of the
in-addr.arpa domain for this network is done in the zone of the domain
2.168.192.in-addr.arpa as follows (for more details see RFC 2317):
...
...
0   NS ns1.client.dom.
    NS ns2.client.dom.
1 CNAME 1.0
2 CNAME 2.0
...
...
...
63 CNAME 63.0
...
...
The client, for his part, has built a zone for the domain
0.2.168.192.in-addr.arpa at his end and has made the following network
architecture:
192.168.2.0/30  -> tunnel IP space
192.168.2.4/30  -> tunnel IP space
192.168.2.8/30  -> tunnel IP space
192.168.2.12/30 -> tunnel IP space
192.168.2.16/28 -> user network No.1
192.168.2.32/29 -> user network No.2
192.168.2.40/29 -> user network No.3
192.168.2.48/28 -> user network No.4
The source of the zone (abridged) is of the form:
$TTL 86400 ; 1 day
@ SOA ns1.client.dom. root.client.dom. (
        2003020902 ; serial
        86400      ; refresh (1 day)
        3600       ; retry (1 hour)
        3600000    ; expire (5 weeks 6 days 16 hours)
        86400      ; minimum (1 day)
        )
    NS ns1.client.dom.
    NS ns2.client.dom.
    PTR net-address.client.dom.
    A 255.255.255.252
1   PTR host1.tunnel-1.client.dom.
2   PTR host2.tunnel-1.client.dom.
3   PTR broadcast.tunnel-1.client.dom.
4   PTR net-address.tunnel-2.client.dom.
    A 255.255.255.252
5   PTR host1.tunnel-2.client.dom.
6   PTR host2.tunnel-2.client.dom.
7   PTR broadcast.tunnel-2.client.dom.
8   PTR net-address.tunnel-3.client.dom.
    A 255.255.255.252
9   PTR host1.tunnel-3.client.dom.
10  PTR host2.tunnel-3.client.dom.
11  PTR broadcast.tunnel-3.client.dom.
12  PTR net-address.tunnel-4.client.dom.
    A 255.255.255.252
13  PTR host1.tunnel-4.client.dom.
14  PTR host2.tunnel-4.client.dom.
15  PTR broadcast.tunnel-4.client.dom.
16  PTR net-address.usernet-1.client.dom.
    A 255.255.255.240
...
...
...
31  PTR broadcast.usernet-1.client.dom.
32  PTR net-address.usernet-2.client.dom.
    A 255.255.255.248
...
...
...
39  PTR broadcast.usernet-2.client.dom.
40  PTR net-address.usernet-3.client.dom.
    A 255.255.255.248
...
...
...
47  PTR broadcast.usernet-3.client.dom.
48  PTR net-address.usernet-4.client.dom.
    A 255.255.255.240
...
...
...
63  PTR broadcast.usernet-4.client.dom.
It resembles the previous case, with one exception!!!
Attention!!! THIS IS THE MAIN DIFFERENCE BETWEEN THE TWO
CASES AND IT IS A GOOD IDEA TO READ IT C-A-R-E-F-U-L-L-Y!
Now let us request the retrieval of the PTR resource record for
0.2.168.192.in-addr.arpa. The retrieval scheme will be as follows:
the registry for 168.192.in-addr.arpa will be queried, then there will be
a query to the zone of the domain 2.168.192.in-addr.arpa, and from there
the query will be sent to the zone of the domain
0.2.168.192.in-addr.arpa. And here comes the tricky moment. Note where and
how the PTR RR for 0.2.168.192.in-addr.arpa is made. It is made in the
header of the zone (compare with the previous case). If you write the
description
0   PTR net-address.client.dom.
    A 255.255.255.252
it will not work. Here someone may say "yes, but what if I put
0 CNAME 0.0
in the zone of the domain 2.168.192.in-addr.arpa ...". Yes, but note
that this way you get the following pile-up of definitions
0 NS ns1.client.dom.
0 NS ns2.client.dom.
0 CNAME 0.0
which is not quite correct.
* * *
I will try to gather this up and polish it into a piece of documentation
so that it is in a readable and pleasant-to-the-eye form, but that will
happen later on. For now I have only done this to help those who cut
their networks into many subnets.
* * *
It is possible that many clients will run into a lack of understanding on
this question on the part of the providers' system administrators. I would
ask them to write to me at my personal e-mail about such cases.
Regards,
Vesselin Kolev
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQE+R4vx+48lZPXaa+MRAryTAKD4KBN2ITy7Mnv68dqOsZCptpIIRACg/60K
x37BrCovkMwH+XeWDhoE52Y=
=iFib
-----END PGP SIGNATURE-----
============================================================================
A mail-list of Linux Users Group - Bulgaria (bulgarian linuxers).
http://www.linux-bulgaria.org - Hosted by Internet Group Ltd. - Stara Zagora
To unsubscribe: http://www.linux-bulgaria.org/public/mail_list.html
============================================================================