DNS is known to most Internet users for translating hostnames into IP addresses (called forward resolution). An example of this is entering www.example.com into the browser and receiving an IP address for the server dedicated to that website. A lesser-known task that DNS performs is determining the hostname from an IPv4 address, commonly called reverse resolution. Servers normally use this to find the human-friendly name associated with an IP address. Reverse resolution is accomplished using PTR records that are rooted in the in-addr.arpa domain. ARIN requires organizations to maintain their in-addr.arpa domain records for associated networks so that reverse resolution can be managed effectively.
Reverse DNS Delegation Management
ARIN’s delegation management tools enable you to individually manage each reverse delegation within both IPv4 and IPv6 networks. Delegations can be managed in IPv4 on bit boundaries (/8, /16 or /24s), and IPv6 networks can be managed on nibble boundaries (every 4 bits of the IPv6 address). For example, in IPv4, you could have a /23 network registered with ARIN that consists of two /24 delegations. In this case, you can delegate one set of nameservers to the first delegation and another set of nameservers to the second delegation.
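The boundary rule above determines which reverse zones exist for a registered network. The following is an added example, not ARIN code: it derives the zone names for a network and the PTR owner name for an address. The sample networks are constructed, the function names are hypothetical, and rejecting IPv4 prefixes longer than /24 is this example's choice.

```python
import ipaddress

def _labels(addr):
    """Address as DNS labels in network order: octets (IPv4) or hex nibbles (IPv6)."""
    if addr.version == 4:
        return str(addr).split("."), 8, "in-addr.arpa"
    return list(addr.exploded.replace(":", "")), 4, "ip6.arpa"

def ptr_name(ip):
    """Owner name of the PTR record for a single address."""
    labels, _, suffix = _labels(ipaddress.ip_address(ip))
    return ".".join(reversed(labels)) + "." + suffix

def reverse_zones(cidr):
    """Reverse zones covering `cidr`, one per delegation boundary."""
    net = ipaddress.ip_network(cidr)
    _, step, suffix = _labels(net.network_address)
    if net.version == 4 and net.prefixlen > 24:
        raise ValueError("IPv4 delegations are managed at /8, /16 or /24")
    # Round the prefix length up to the next boundary (8 bits for IPv4, 4 for IPv6).
    target = max(step, -(-net.prefixlen // step) * step)
    zones = []
    for sub in net.subnets(new_prefix=target):
        labels, _, _ = _labels(sub.network_address)
        keep = labels[: target // step]      # labels that identify the zone
        zones.append(".".join(reversed(keep)) + "." + suffix)
    return zones

if __name__ == "__main__":
    # Constructed sample inputs: a /23 that splits into two /24 delegations,
    # and an IPv6 /46 that splits into four /48 (nibble-aligned) delegations.
    for cidr in ("10.20.30.0/23", "2001:db8::/46"):
        print(cidr, "->", reverse_zones(cidr))
    print(ptr_name("10.20.31.7"))
```
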
There are two ways to manage delegations. Occasional users can manage their delegations via ARIN Online, but users who manage a large number of delegations can programmatically modify their delegations using ARIN’s RESTful provisioning system.
You can also use DNSSEC, thus adding security to your reverse records. Once your reverse zone is secured, you need to indicate to the parent (in this case, ARIN) that your zone is DNSSEC enabled. This signal to enable DNSSEC is done by using Delegation Signer (DS) records. You can also manage DS resource records for each delegation through ARIN Online or using the RESTful provisioning system.
Using Your ARIN Online Account
To modify delegations via ARIN Online:
- Select IP Addresses > Search from the left navigation menu.
- Select the Net Name for the network you wish to update.
- Select the Actions button, then choose Manage Reverse DNS. The resulting screen will show all of the reverse DNS zones that you have permission to modify, any nameservers delegated to that zone, any registered Delegation Signer (DS) resource record key tags, and the names of any customers with shared authority over a zone.
- Select the zone or zones you wish to change and choose the Modify Nameservers or the Modify DS Records button.
- Add or remove nameservers/DS Records and click Apply to All. These changes will be applied to all the selected zones. Your changes will take effect in the DNS within 24 hours.
Note: If the nameservers for the selected delegations differ, they will not display on the listing page and you will receive a warning message. If you choose to add nameservers, those changes will be applied to all of the selected zones and all previously listed nameservers will be deleted. The same applies to DS record changes.
To modify delegations through a RESTful call, you must first generate an API key. To create an API key, log in to your ARIN Online account and select Your Account > Settings in the left navigation menu. In the API Key Management section, select Create API Key. Your API key will be issued automatically.
Using RESTful Calls
ARIN offers a RESTful web service that you can use to modify your nameservers or DS records. This provisioning system allows for more secure interactions with ARIN's database and provides even stronger authentication on automated submissions. More information is provided in the API documentation for ARIN’s RESTful web service.
An API key is required when using the RESTful web service. Your changes will take effect in the DNS within 24 hours.
DNS management can be performed through ARIN Online and ARIN’s RESTful interface by organizations that are direct and indirect resource holders. The resource holder that directly receives space from ARIN will be able to manage its delegations. ARIN also allows organizations that receive space from an ISP to jointly manage this space with their ISP via SWIP. This is called shared authority.
Note: Organizations that receive space from their ISP via SWIP will not have shared authority if the SWIP is from the ISP's /16 or larger. All DNS management would be performed by the ISP.
If you delegate addresses via SWIP to your customers, in ARIN’s Whois, you may see their organization name listed in the Authorized Organizations column. This indicates that they share the authority to manage the reverse DNS zone. They can log in to their ARIN Online account and view this screen, but only for the addresses you’ve delegated to them via SWIP. As customers disconnect from you, it’s imperative that you protect your records by promptly removing any delegations to them, thus severing their shared authority rights for your reverse zones.