
Configuring rDNS using NSD

We can configure our rDNS using nsd, an authoritative name server. nsd is part of the OpenBSD base system, so no installation is necessary.

NOTICE: This guide assumes you have already configured nsd for forward DNS resolution.

IPv6 Subnet

Suppose we have been delegated the rDNS zone for our IPv6 subnet, 2001:550:3402:1:143::/80. To find the zone name, we fill in all the missing zeros, drop the colons, put a period between each hex digit, reverse the digits, then append ip6.arpa:

2001:550:3402:1:143:: # original subnet
2001:0550:3402:0001:0143:: # fill in the missing zeros
2.0.0.1.0.5.5.0.3.4.0.2.0.0.0.1.0.1.4.3 # add periods between each digit
3.4.1.0.1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2 # reverse the digits
3.4.1.0.1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa # add ip6.arpa

Here is a simple command to do this:

echo "<IPv6 subnet>"|rev|sed "s/://g;s/\(.\)/\1./g;s/$/ip6.arpa/"

(:if false:)

grep 'inet6.*48' /etc/hostname.vio0|awk '{print $2}'|rev|sed "s/://g;s/\(.\)/\1./g;s/$/ip6.arpa/"

(:ifend:)

Replace <IPv6 subnet> with your real IPv6 subnet, written as the prefix groups only (no trailing ::). Make sure to fill in any missing zeros.

For example:

echo "2001:0550:3402:0001"|rev|sed "s/://g;s/\(.\)/\1./g;s/$/ip6.arpa/"

Zone File

Now we must create the zone file in /var/nsd/zones/master/3.4.1.0.1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa:

$ORIGIN 3.4.1.0.1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa.
@       3600    IN      SOA     ns1.ircnow.org. admin.ircnow.org. (
                2021020105 1800 3600 1209600 3600 )
        3600    IN      NS      ns1.jrmu.coconut.ircnow.org.
        3600    IN      NS      ns2.jrmu.coconut.ircnow.org.
0.0.0.0.0.0.0.0.0.0.0.0         3600    IN      PTR     user1.coconut.ircnow.org.
1.0.0.0.0.0.0.0.0.0.0.0         3600    IN      PTR     user2.coconut.ircnow.org.
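
The zone name from the IPv6 Subnet section and the PTR owner names in the zone file above can both be derived without filling in zeros by hand. The following is an added example, not part of the original guide, with hypothetical function names: it expands abbreviated addresses first (which the rev/sed one-liner does not do), and refuses prefix lengths that are off a nibble boundary and addresses that lie outside the zone.

```shell
# Added example, not from the original guide; function names are hypothetical.

# ip6_nibbles ADDR: expand any IPv6 text form ("::" included) to 32 hex nibbles.
ip6_nibbles() {
    printf '%s\n' "$1" | awk '
    function pad(g) { if (length(g) < 1 || length(g) > 4) bad = 1
                      return substr("0000", length(g) + 1) g }
    {
        a = tolower($0)
        n = split(a, side, "::")
        nl = (side[1] == "") ? 0 : split(side[1], l, ":")
        nr = (n < 2 || side[2] == "") ? 0 : split(side[2], r, ":")
        if (a !~ /^[0-9a-f:]+$/ || n > 2) bad = 1
        if ((n == 1 && nl != 8) || (n == 2 && nl + nr > 7)) bad = 1
        for (i = 1; i <= nl; i++) out = out pad(l[i])
        for (i = nl + nr; i < 8; i++) out = out "0000"   # groups hidden by "::"
        for (i = 1; i <= nr; i++) out = out pad(r[i])
        if (bad) exit 1
        print out
    }'
}

# revdot NIBBLES: reverse the string and put a dot after every nibble.
revdot() {
    printf '%s\n' "$1" | awk '{ for (i = length($0); i > 0; i--) o = o substr($0, i, 1) "."; print o }'
}

# ip6_zone PREFIX/LEN: reverse zone name; LEN must sit on a nibble boundary.
ip6_zone() {
    z_len=${1##*/}
    case $z_len in ''|0*|*[!0-9]*) return 1 ;; esac
    [ "$z_len" -le 128 ] && [ $((z_len % 4)) -eq 0 ] || return 1
    z_nib=$(ip6_nibbles "${1%/*}") || return 1
    printf '%sip6.arpa\n' "$(revdot "$(printf '%s' "$z_nib" | cut -c1-$((z_len / 4)))")"
}

# ip6_ptr_owner ADDR PREFIX/LEN: PTR owner name relative to the zone's $ORIGIN.
ip6_ptr_owner() {
    ip6_zone "$2" >/dev/null && [ "${2##*/}" -lt 128 ] || return 1
    o_cut=$(( ${2##*/} / 4 ))
    o_addr=$(ip6_nibbles "$1") && o_net=$(ip6_nibbles "${2%/*}") || return 1
    # The address must start with the zone's nibbles, or the PTR is out of zone.
    case $o_addr in "$(printf '%s' "$o_net" | cut -c1-"$o_cut")"*) ;; *) return 1 ;; esac
    o_rev=$(revdot "$(printf '%s' "$o_addr" | cut -c$((o_cut + 1))-32)")
    printf '%s\n' "${o_rev%.}"
}

ip6_zone "2001:550:3402:1:143::/80"
ip6_ptr_owner "2001:550:3402:1:143::1" "2001:550:3402:1:143::/80"
```

The owner name plus the $ORIGIN must always add up to 32 nibbles; a record with more or fewer labels loads without error but never answers a real lookup.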

/var/nsd/etc/nsd.conf

Now we only need to add this section to /var/nsd/etc/nsd.conf:

zone:
        name: "3.4.1.0.1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa"
        zonefile: "master/3.4.1.0.1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa"

Restart nsd and test

$ doas rcctl restart nsd

We can test using host or dig:

host 2001:550:3402:1:143::1 <nameserver-ip>

Replace <nameserver-ip> with your actual nameserver IP. Once you have confirmed this is working, you can then ask to have your zone delegated to your nameserver.

You can then test if both forward and reverse DNS lookup work by using netcat to connect to IRC.

(:if false:)

Troubleshooting

Primary and secondary server

If you need a secondary server to host the zone, add notify and provide-xfr entries for the secondary to the block that describes your master zone. NOKEY authorizes the peer by IP address alone, without a TSIG key. For example:

zone:
    name: "example.net"
    zonefile: "master/example.net"
    notify: 20.20.20.20 NOKEY
    provide-xfr: 20.20.20.20 NOKEY

Create a new block in the secondary server config file, as in the example:

zone:
    name: "example.net"
    zonefile: "slave/example.net"
    allow-notify: 10.10.10.10 NOKEY
    request-xfr: 10.10.10.10 NOKEY

The zone file for NSD

The next step is to write the zone files for NSD. First the forward lookup zone example.net:

; Domain file from My project
example.net.    3600  SOA   ns.example.net. admin.example.net. (
                            2020070701   ; serial YYYYMMDDnn
                            10800        ; refresh
                            3600         ; retry
                            604800       ; expire
                            86400 )      ; minimum TTL
example.net.    NS    ns.example.net.
example.net.    NS    ns.secondary.net.
ns              A     10.10.10.10
example.net.    A     10.10.10.10
www             A     10.10.10.10
irc             A     10.10.10.10
imap            A     10.10.10.10
smtp            A     10.10.10.10
example.net.    MX    10 smtp.example.net.

Save this zone file as /var/nsd/zones/master/example.net

Configuration check and start

NSD ships with a tool to check the configuration file before you start or reload the daemon:

$ doas nsd-checkconf /var/nsd/etc/nsd.conf

Any errors are reported, so no news is good news. You can go ahead and start NSD:

$ doas rcctl enable nsd
$ doas rcctl start nsd

If there are issues, you can start nsd in debug mode:

doas nsd -d -V 3

https://www.denic.de/en/service/tools/nast/

$ORIGIN 1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa.
@       3600    IN      SOA     ns1.ircnow.org. admin.ircnow.org. (
                2020112906 1800 3600 1209600 3600 )
        3600    IN      NS      cherry.ircnow.org.
        3600    IN      NS      pear.ircnow.org.
        3600    IN      NS      mango.ircnow.org.
        3600    IN      NS      peach.ircnow.org.
        3600    IN      NS      banana.ircnow.org.
        3600    IN      NS      guava.ircnow.org.
        3600    IN      NS      jujube.ircnow.org.
        3600    IN      NS      plum.ircnow.org.
        3600    IN      NS      fig.ircnow.org.
        3600    IN      NS      orange.ircnow.org.
        3600    IN      NS      lemon.ircnow.org.
        3600    IN      NS      grape.ircnow.org.
        3600    IN      NS      coconut.ircnow.org.
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         3600    IN      PTR     www.example.com.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0         3600    IN      PTR     www.example.org.

In /var/nsd/etc/nsd.conf:

zone:
        name: "1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa"
        zonefile: "master/1.0.0.0.2.0.4.3.0.5.5.0.1.0.0.2.ip6.arpa"
        include-pattern: "ircnow.org"

(:ifend:)