[dns-operations] t.arin.net and RFC1918 reverse zones [was: 172.in-addr.arpa DNSSEC broken]

Matt Rowley matt at arin.net
Fri May 23 19:47:09 UTC 2014

Hi Chris,

Thanks for pointing this out to us.  We are investigating as to why that
SOA is being returned on T.  It doesn't jive with our configs.  We're
looking into this now, and I'll let you know what we find.


Chris Thompson wrote:
> I came across this while investigating the 172.in-addr.arpa KSK rollover
> problem, but it is unrelated.
> t.arin.net is configured with dummy empty zones for
> [16-31].172.in-addr.arpa,
> as well as 168.192.in-addr.arpa (and 10.in-addr.arpa, but it's unlikely to
> get asked about that one). They look exactly like the "automatic empty
> zones"
> of all modern BIND versions.
> The other seven official nameservers [ruvwxyz].arin.net for the zones
> {176,192}.in-addr.arpa are not so configured. They return a referral
> to the AS112 servers blackhole-{1,2}.iana.org when queried for RFC1918
> addresses.
> It isn't obvious that this does any harm - RFC1918 reverse queries that
> escape onto the Internet get an NXDOMAIN one way or another, but the
> inconsistency is somewhat confusing.

More information about the dns-operations mailing list