For reverse lookup of some IP addresses within the CUDN we are using a scheme, loosely inspired by RFC 2317, but using DNAMEs rather than CNAMEs. The primary motivation is to reduce the number of small reverse zones.
For technical details, see "Pruning the reverse zone tree", which was written primarily for people outside the university. More recently we wrote a draft revision to RFC 2317 although it has been allowed to expire without passing through the standardization process.
When the scarcity of available IP addresses in 131.111/16 became critical
in 2002, the Computer Laboratory kindly donated the top half of their
allocation 128.232/16 for general use within the University. We used
this gradually from the top down, and eventually had 32 reverse zones
covering the range 128.232.[224-255].x, which were delegated from the
parent reverse zone 232.128.in-addr.arpa.
In 2009, we decided to use a significant proportion of the remaining
IP addresses for
Wi-Fi / eduroam
connections. Rather than increase the number of reverse zones further,
we arranged to cover the range 128.232.[128-223].x with DNAMEs in
232.128.in-addr.arpa indirecting to PTR records maintained
under in-addr.arpa.cam.ac.uk. This has proved a successful
idea. Resolvers that can cope with reverse lookup done in the style
of RFC 2317 (which are now widespread) can also deal with
indirection done by DNAME, by virtue of the "synthesised CNAMEs"
returned by nameservers.
in-addr.arpa.cam.ac.uk was initially part of the cam.ac.uk
zone, but in November 2010 it was made into a separate zone of its own
(at that time unsigned, but see below).
It is available for stealth slaving from the authoritative
nameservers, and was added to the
sample configuration.
In February and March 2011 we extended the scheme to cover the range
128.232.[224-255].x as well, in a number of steps. After this
the 32 individual zones 224.232.128.in-addr.arpa to
255.232.128.in-addr.arpa no longer existed, and were
removed from the sample configuration.
In May 2013 the IP addresses used for Wi-Fi / eduroam connections were changed to be CUDN-wide private, but we retained the mechanism for the other addresses in the range 128.232.[128-255].x.
By January 2014 the parent zone 232.128.in-addr.arpa had
been signed, together with a chain of trust from the root (see
here for more details). It therefore
became useful to sign the zone in-addr.arpa.cam.ac.uk
as well, and this has now been done, making the results of reverse
lookup for IP addresses in the range 128.232.[128-255].x fully
validatable.
In September 2015 the high demand for wireless connectivity and the
fragmentation of the 172.16/12 address blocks led us to start using
10.128.0.0/9, the top half of the largest
RFC 1918 block. (The bottom
half of this block is reserved for institution-private addresses.) To
avoid the need for 129 additional zones, we are using the consolidated
reverse zone technique again. Our version of the 10.in-addr.arpa
zone contains 128 DNAME records pointing into the zone
in-addr.arpa.private.cam.ac.uk.
There is a separate page with advice for institutions which are using the 10.0.0.0/9 address range.
For slave nameservers using BIND, slaving 232.128.in-addr.arpa
(NB from the CL nameservers, not the UCS ones) and
in-addr.arpa.cam.ac.uk provides the functionality
that reverse lookup of IP addresses in the range 128.232.[128-255].x
can then be done without contacting external nameservers.
There are more specific constraints for hosts running Windows DNS Server. In general, we now encourage administrators of such hosts not to slave zones at all, following the recommendations here. However, for those who do wish to continue such slaving, please note the following:
Windows 2003 and 2003R2 do not support zones containing DNAMEs at all. You should not attempt to slave
232.128.in-addr.arpa, and without that slavingin-addr.arpa.cam.ac.ukis fairly pointless.Windows 2008R2 and (to a lesser extent) 2008 do more or less support zones containing DNAMEs. The recommendations for BIND users above may be followed.