[dns-operations] t.arin.net and RFC1918 reverse zones [was: 172.in-addr.arpa DNSSEC broken]
Chris Thompson
cet1 at cam.ac.uk
Fri May 23 17:26:42 UTC 2014
I came across this while investigating the 172.in-addr.arpa KSK rollover
problem, but it is unrelated.

t.arin.net is configured with dummy empty zones for [16-31].172.in-addr.arpa,
as well as 168.192.in-addr.arpa (and 10.in-addr.arpa, but it's unlikely to
get asked about that one). They look exactly like the "automatic empty zones"
of all modern BIND versions.

The other seven official nameservers [ruvwxyz].arin.net for the zones
{176,192}.in-addr.arpa are not so configured. They return a referral
to the AS112 servers blackhole-{1,2}.iana.org when queried for RFC1918
addresses.

It isn't obvious that this does any harm - RFC1918 reverse queries that
escape onto the Internet get an NXDOMAIN one way or another, but the
inconsistency is somewhat confusing.
--
Chris Thompson University of Cambridge Information Services,
Email: cet1 at uis.cam.ac.uk Roger Needham Building, 7 JJ Thomson Avenue,
Phone: +44 1223 334715 Cambridge CB3 0RB, United Kingdom.
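
Added example, not part of the original post: a small Python classifier that tells the two behaviours described above apart from the raw DNS response bytes, so the nameservers of a zone can be compared for consistency. The function names, the query name 1.0.16.172.in-addr.arpa, the placeholder nobody.invalid and the classification rule (authoritative NXDOMAIN with an SOA versus non-authoritative NOERROR with NS records) are assumptions of this example, and both sample responses are constructed rather than captured.

```python
import struct

NS, SOA, PTR, IN = 2, 6, 12, 1  # RR type codes and the IN class

def wire_name(name):
    """Encode a non-root domain name as uncompressed wire-format labels."""
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".")) + b"\x00"

def read_name(msg, off):
    """Decode the name at off, following compression pointers; return (name, next offset)."""
    labels, end = [], None
    for _ in range(128):                      # bound the walk so a pointer loop cannot hang us
        n = msg[off]
        if n & 0xC0 == 0xC0:                  # compression pointer
            end = off + 2 if end is None else end
            off = ((n & 0x3F) << 8) | msg[off + 1]
        elif n == 0:
            return ".".join(labels) + ".", (off + 1 if end is None else end)
        else:
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
    raise ValueError("name too long or compression loop")

def classify(msg):
    """Return (kind, zone) from the header flags and authority section of a response."""
    _id, flags, qd, an, ns, _ar = struct.unpack("!6H", msg[:12])
    aa, rcode, off = bool(flags & 0x0400), flags & 0x000F, 12
    for _ in range(qd):                       # skip question: name + QTYPE + QCLASS
        off = read_name(msg, off)[1] + 4
    auth = {}
    for i in range(an + ns):
        owner, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        if i >= an:                           # authority-section record
            auth[rtype] = owner
    if rcode == 3 and aa and SOA in auth:
        return "empty-zone NXDOMAIN", auth[SOA]   # server answers from its own copy of the zone
    if rcode == 0 and not aa and an == 0 and NS in auth:
        return "referral", auth[NS]               # server delegates the zone elsewhere
    return "other", None

def sample(flags, rtype, rdata, zone="16.172.in-addr.arpa"):
    """Constructed response (not a capture); 0x8403 = QR|AA|NXDOMAIN, 0x8000 = QR only."""
    head = struct.pack("!6H", 0x1234, flags, 1, 0, 1, 0)
    question = wire_name("1.0.16.172.in-addr.arpa") + struct.pack("!HH", PTR, IN)
    return head + question + wire_name(zone) + struct.pack("!HHIH", rtype, IN, 3600, len(rdata)) + rdata

EMPTY_ZONE = sample(0x8403, SOA, wire_name("16.172.in-addr.arpa") + wire_name("nobody.invalid") + bytes(20))
REFERRAL = sample(0x8000, NS, wire_name("blackhole-1.iana.org"))
```

Feeding `classify` the bytes each nameserver returns for the same PTR query and comparing the results exposes a server that disagrees with its peers.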