[dns-operations] t.arin.net and RFC1918 reverse zones [was: 172.in-addr.arpa DNSSEC broken]

Chris Thompson cet1 at cam.ac.uk
Fri May 23 17:26:42 UTC 2014

I came across this while investigating the 172.in-addr.arpa KSK rollover
problem, but it is unrelated.

t.arin.net is configured with dummy empty zones for [16-31].172.in-addr.arpa,
as well as 168.192.in-addr.arpa (and 10.in-addr.arpa, but it's unlikely to
get asked about that one). They look exactly like the "automatic empty zones"
of all modern BIND versions.

The other seven official nameservers [ruvwxyz].arin.net for the zones
{176,192}.in-addr.arpa are not so configured. They return a referral
to the AS112 servers blackhole-{1,2}.iana.org when queried for RFC1918

It isn't obvious that this does any harm - RFC1918 reverse queries that
escape onto the Internet get an NXDOMAIN one way or another, but the 
inconsistency is somewhat confusing.

Chris Thompson               University of Cambridge Information Services,
Email: cet1 at uis.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.

More information about the dns-operations mailing list