I have often seen similar BIND zone files:

$ORIGIN 2.0.3.0.8.b.d.0.1.0.0.2.ip6.arpa.
$TTL 604800
@   IN  SOA ns1.example.org. hostmaster.example.org. (
        1978022513  ; Serial
        10800       ; Refresh
        3600        ; Retry
        2419200     ; Expire
        604800 )    ; Default TTL

        NS   ns1.example.org.
        NS   ns2.example.org.
        TXT  "2001:db8:302::/48 Example IPv6 reverse"


$ORIGIN 0.0.0.0.2.0.3.0.8.b.d.0.1.0.0.2.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR host.example.net.

Why is there an additional $ORIGIN directive? I mean this "$ORIGIN 0.0.0.0.2.0.3.0.8.b.d.0.1.0.0.2.ip6.arpa." one. Why isn't it simply:

$ORIGIN 2.0.3.0.8.b.d.0.1.0.0.2.ip6.arpa.
$TTL 604800
@   IN  SOA ns1.example.org. hostmaster.example.org. (
        1978022513  ; Serial
        10800       ; Refresh
        3600        ; Retry
        2419200     ; Expire
        604800 )    ; Default TTL

        NS   ns1.example.org.
        NS   ns2.example.org.
        TXT  "2001:db8:302::/48 Example IPv6 reverse"

1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0 PTR host.example.net.

Martin

2 Answers

Any $ORIGIN directive only applies from that point onwards. See for example Pro DNS and BIND - Chapter 8 - $ORIGIN Directive.

The first $ORIGIN directive makes it easy to refer to 2001:db8:302::/48, which is covered by the zone.

The second $ORIGIN directive makes it easy to refer to 2001:db8:302:0::/64, which is a reasonable-sized subnet (/64 being a standard sized subnet in IPv6).

This avoids a quad of zeroes, which with the otherwise unwieldy IPv6 reverse RR names can make it pretty hard to keep track of things. I for one didn't count whether your example had 19, 20 or 21 zeroes in it. Of course, one would hope I don't have to count 15, 16 or 17 either, but at least that's a little shorter.

Note that you shouldn't make your name server authoritative for the entire /48 reverse zone unless the entire /48 block is actually under your control and assigned to you.

Pro tip: Especially in the case of IPv6 subnets and reverse DNS records, keep in mind that you are allowed to use a non-fully-qualified name in the $ORIGIN directive. For example:

$ORIGIN 2.0.3.0.8.b.d.0.1.0.0.2.ip6.arpa. ;; Below this applies to 2001:db8:302::/48
@ SOA ...
; ... whatever else applies ...

$ORIGIN 0.0.0.0 ;; Below this applies to 2001:db8:302:0::/64
; ... whatever applies ...

Especially in this case, I strongly recommend leaving a comment next to the $ORIGIN directive to make the intent clear. Lack of terminating periods at the end of labels is a common source of DNS problems, so it's good to explicitly call out that you didn't intend to make a fully qualified name if so.

Also note that this trick only works for longer origins, so you can go from 2001:db8:302::/48 to 2001:db8:302:0::/64, but not from 2001:db8:302:0::/64 to 2001:db8:302:1::/64. (But you could go from 2001:db8:302::/60 to 2001:db8:302:1::/64, if you were so inclined.)

user

Just to add to @MichaelKjörling's answer, I do something similar in my DNS bind setup. It's just so that I don't have to keep replicating chunks of names that are repetitive.

$ORIGIN .
$TTL 604800 ; 1 week
bubba.net       IN SOA  ns.bubba.net. hostmaster.bubba.net. (
                2000075011 ; serial
                28800      ; refresh (8 hours)
                7200       ; retry (2 hours)
                3600000    ; expire (5 weeks 6 days 16 hours)
                86400      ; minimum (1 day)
                )
            NS  ns.bubba.net.
            A   192.168.1.1
            MX  10 mail.bubba.net.
            MX  20 mail.bubba.net.
            TXT "v=spf1 mx/24 ~all"

I then can start my domain "bubba.net" by setting the $ORIGIN going forward in the file from here:

$ORIGIN bubba.net.
apu         A   192.168.1.112
            HINFO   "VZ12" "VZ12"
            MX  10 mail
            TXT "v=spf1 redirect=bubba.net"
bart            A   192.168.1.103
            HINFO   "VZ3" "VZ3"
            MX  10 mail
            TXT "v=spf1 redirect=bubba.net"

I then later in the same file set the $ORIGIN again, this time to a "somedom.com.bubba.net." so I can do things like this:

$ORIGIN somedom.com.bubba.net.
$TTL 172800 ; 2 days
bender                      CNAME   bender.bubba.net.
blog                        CNAME   blogs.bubba.net.
db                          CNAME   db.bubba.net.

So in the above there is an entry that, when expanded, is saying this:

bender.somedom.com.bubba.net.   CNAME   bender.bubba.net.

I do this a number of times in the file to add additional domains into the mix. The reason I do it this way is so that I can set up servers in a primary domain (bubba.net) but create CNAMEs for servers and service names in other domains and overlay them onto my primary domain.

For example:

I have the domain on the internet, somedom.com. I create a CNAME in that domain's name space called blog.somedom.com. Setting up the service and configuring it, I'll use blog.somedom.com everywhere, but buried in my DNS bind server I have the CNAME mapping blog.somedom.com that ties this name to the actual server blog.bubba.net that is providing the service.

slm
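To make the origin rules from both answers concrete (a relative $ORIGIN appending to the previous one, and a blank owner field reusing the previous owner), here is an added example, not code from either answer: a small zone-file walker that tracks $ORIGIN and expands every owner to an absolute name, plus a helper that derives the ip6.arpa origin for a nibble-aligned IPv6 prefix. The sample zone at the bottom is constructed for the demonstration and handles only the directives and record shapes shown.

```python
import ipaddress

def ip6_arpa_origin(prefix):
    """Zone origin for an IPv6 prefix: 2001:db8:302::/48 -> 2.0.3.0.8.b.d.0.1.0.0.2.ip6.arpa."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen % 4:
        raise ValueError("ip6.arpa delegations need a nibble-aligned prefix length")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa."

def fqdn(name, origin):
    """Expand a relative name against the current origin; '@' is the origin itself."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name                                  # already fully qualified
    return name + "." if origin == "." else name + "." + origin

def expand_zone(text):
    """Walk a zone file, tracking $ORIGIN, and return (owner, type, rdata) with absolute owners."""
    origin, last_owner, records = ".", None, []
    for raw in text.splitlines():
        fields = raw.split(";", 1)[0].split()        # drop comments, tokenize
        if not fields:
            continue
        if fields[0] == "$ORIGIN":                   # a relative $ORIGIN appends to the old one
            origin = fqdn(fields[1], origin)
            continue
        if fields[0].startswith("$"):                # $TTL and friends: ignored here
            continue
        if raw[0].isspace():                         # blank owner field: reuse previous owner
            owner = last_owner
        else:
            owner = last_owner = fqdn(fields.pop(0), origin)
        if fields[0] in ("IN", "CH", "HS"):
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records

# Constructed sample zone (not either answer's data): a relative $ORIGIN under the /48, then an origin reused
ORIGIN48 = ip6_arpa_origin("2001:db8:302::/48")
PTR_OWNER = "1" + ".0" * 15                          # 16 nibbles: host ::1 inside the /64
SAMPLE = f"""\
$ORIGIN {ORIGIN48}  ; 2001:db8:302::/48
$ORIGIN 0.0.0.0                             ; relative: now 2001:db8:302:0::/64
{PTR_OWNER} PTR host.example.net.
$ORIGIN somedom.com.bubba.net.
bender  CNAME  bender.bubba.net.
        TXT    "same owner as the line above"
"""
```

Running expand_zone(SAMPLE) shows the PTR owner expanding to the full 32-nibble ip6.arpa name and the TXT record inheriting bender.somedom.com.bubba.net. as its owner.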