Most Internet users know DNS for its task of translating hostnames into IP addresses, called forward resolution. An example of this is typing www.example.com into the browser and getting back the IP address of the server dedicated to that website. A lesser-known task that DNS performs is determining the hostname from an IPv4 address, commonly called reverse resolution, which servers normally use to find the human-friendly name associated with the IP address. Reverse resolution is accomplished using PTR records that are rooted in the in-addr.arpa domain. ARIN requires organizations to maintain their in-addr.arpa domain records for associated networks so that reverse resolution can be managed effectively.
Reverse DNS Delegation Management
ARIN’s delegation management tools enable you to individually manage each reverse delegation within both IPv4 and IPv6 networks. Delegations can be managed in IPv4 on byte boundaries (/8, /16 or /24s), and IPv6 networks can be managed on nibble boundaries (every 4 bits of the IPv6 address). For example, in IPv4, you could have a /23 network registered with ARIN that consists of two /24 delegations. In this case, you are able to delegate one set of nameservers to the first delegation and another set of nameservers to the second delegation.
There are two ways to manage delegations. Occasional users can manage their delegations via ARIN Online, but users who manage a large number of delegations can programmatically modify their delegations using ARIN’s RESTful provisioning system.
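The boundary rule above can be worked through in code. The following is an added example, not ARIN's own code: it splits a registered network into the reverse zones that cover it and finds which zone holds the PTR record for a given address. The function names and the sample networks (documentation and private ranges) are constructed for illustration.

```python
import ipaddress

def zone_name(net):
    """Name of the reverse zone for a network that sits on a delegation boundary."""
    if net.version == 4:
        # One label per whole octet covered by the prefix.
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        suffix = "in-addr.arpa"
    else:
        # One label per whole nibble (hex digit) covered by the prefix.
        nibbles = net.network_address.exploded.replace(":", "")
        labels = list(nibbles[: net.prefixlen // 4])
        suffix = "ip6.arpa"
    return ".".join(reversed(labels)) + "." + suffix

def reverse_zones(cidr):
    """List the reverse zones needed to cover a registered network."""
    net = ipaddress.ip_network(cidr, strict=True)
    step = 8 if net.version == 4 else 4          # byte vs. nibble boundary
    boundary = -(-net.prefixlen // step) * step  # round prefix up to a boundary
    if net.prefixlen == 0 or (net.version == 4 and boundary > 24):
        # The page lists only /8, /16 and /24 as IPv4 delegation sizes.
        raise ValueError(f"{cidr} cannot be expressed on a delegation boundary")
    return [zone_name(sub) for sub in net.subnets(new_prefix=boundary)]

def covering_zone(address, zones):
    """Return the zone from `zones` that holds the PTR record for `address`."""
    ptr = ipaddress.ip_address(address).reverse_pointer
    matches = [z for z in zones if ptr.endswith("." + z)]
    return max(matches, key=len) if matches else None

if __name__ == "__main__":
    # Constructed sample inputs: a /23 made of two /24 zones, and an IPv6 /30.
    for cidr in ("192.0.2.0/23", "10.1.0.0/16", "2001:db8::/30"):
        print(cidr, "->", reverse_zones(cidr))
    print(covering_zone("192.0.3.7", reverse_zones("192.0.2.0/23")))
```

Each zone in the returned list is a separate delegation, so each can carry its own nameserver set and must be checked individually when auditing who answers for a block.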
You can also utilize DNSSEC, thus adding security to your reverse records. Once your reverse zone is secured, you need to indicate to the parent (in this case ARIN) that your zone is DNSSEC enabled. This signal to enable DNSSEC is done by using Delegation Signer (DS) records. You can also manage DS resource records for each delegation through ARIN Online or using the RESTful provisioning system.
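A DS record identifies the child zone's DNSKEY by key tag, algorithm, digest type and digest. The following added example (not ARIN's code) derives those four fields for a reverse zone as defined in RFC 4034, using SHA-256 as the digest; the zone name and the 64-byte public key are constructed placeholders, not a real key.

```python
import hashlib
import struct

# Constructed placeholder for an ECDSA P-256 public key (algorithm 13).
SAMPLE_KEY = bytes(range(64))

def name_to_wire(name):
    """Encode a domain name in canonical (lowercase) DNS wire format."""
    wire = b""
    for label in name.lower().rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) <= 63:
            raise ValueError(f"bad label length in {name!r}")
        wire += bytes([len(raw)]) + raw
    return wire + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 16-bit flags, 8-bit protocol, 8-bit algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key

def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B)."""
    acc = 0
    for i, byte in enumerate(rdata):
        acc += byte << 8 if i % 2 == 0 else byte
    acc += (acc >> 16) & 0xFFFF
    return acc & 0xFFFF

def ds_record(zone, flags, algorithm, public_key):
    """Build the DS fields the parent needs for the given DNSKEY."""
    if not flags & 0x0100:
        raise ValueError("DNSKEY does not have the Zone Key flag set")
    rdata = dnskey_rdata(flags, 3, algorithm, public_key)  # protocol is always 3
    digest = hashlib.sha256(name_to_wire(zone) + rdata).hexdigest().upper()
    return {
        "zone": zone,
        "key_tag": key_tag(rdata),
        "algorithm": algorithm,
        "digest_type": 2,  # 2 = SHA-256
        "digest": digest,
    }

if __name__ == "__main__":
    # 257 = Zone Key + Secure Entry Point (a key-signing key).
    print(ds_record("2.0.192.in-addr.arpa.", 257, 13, SAMPLE_KEY))
```

Comparing the computed key tag and digest with what the parent lists is a quick way to catch a stale DS record after a key rollover, which would otherwise make the zone fail validation.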
Using Your ARIN Online Account
This topic is fairly complex for the occasional user, so we have created a user walkthrough of the ARIN Online delegation management tools. We recommend you preview the demonstration before getting started.
To modify delegations via ARIN Online, log in, and select IP Addresses > Search in the left navigation bar, then select the Network record (NET) you wish to update. Select the desired network and click the Manage Reverse DNS icon in the toolbar on the right.
The resulting screen will show all of the reverse DNS zones that you have permission to modify, any nameservers delegated to that zone, any registered Delegation Signer (DS) resource record key tags, and the names of any customers with shared authority over a zone. Select the zone or zones you wish to change and click the Modify Nameservers or the Modify DS Records button at the bottom of the page.
Add or remove nameservers/DS Records and click on the Apply to All button. These changes will be applied to all the selected zones. Your changes will take effect in the DNS within 24 hours.
NOTE: If the nameservers for the selected delegations differ, they will not display on the listing page and you will receive a warning message. If you choose to add nameservers, those changes will be applied to all of the selected zones and all previously listed nameservers will be deleted. The same applies to DS record changes.
To modify delegations through a RESTful call, you must first generate an API key. To create an API key, log in to your ARIN Online account and select Your Account > Settings in the left navigation bar. In the API Key Management section, select “Create API Key”. Your API key will be issued automatically.
Using RESTful Calls
ARIN offers a RESTful web service that you can use to modify your nameservers or DS records. This provisioning system allows for more secure interactions with ARIN's database and provides even stronger authentication on automated submissions. More information is provided in the API documentation for ARIN’s RESTful web service.
An API key is required when using the RESTful web service. Your changes will take effect in the DNS within 24 hours.
DNS management can be performed through ARIN Online and ARIN’s RESTful interface by organizations that are direct and indirect resource holders. The resource holder who directly receives space from ARIN will be able to manage their delegations. ARIN also allows organizations that receive space from an ISP to jointly manage this space with their ISP via SWIP. This is called shared authority.
If you have SWIPed addresses to your customers in ARIN’s Whois, you may see their organization name listed in the Authorized Organizations column. This indicates that they share the authority to manage the reverse DNS zone. They can log in to their ARIN Online account and also get to this screen, but only for the addresses you’ve SWIPed to them. The implications of shared authority are important to keep in mind. As customers disconnect from you, it’s imperative that you protect your records by promptly removing any SWIPs to them, thus severing their shared authority rights for your reverse zones.