[dns-operations] t.arin.net and RFC1918 reverse zones [was: 172.in-addr.arpa DNSSEC broken]

Mark Andrews marka at isc.org
Fri May 23 22:14:29 UTC 2014

In message <Prayer. at hermes-1.csi.cam.ac.uk>, Chris Thom
pson writes:
> I came across this while investigating the 172.in-addr.arpa KSK rollover
> problem, but it is unrelated.
> t.arin.net is configured with dummy empty zones for [16-31].172.in-addr.arpa,
> as well as 168.192.in-addr.arpa (and 10.in-addr.arpa, but it's unlikely to
> get asked about that one). They look exactly like the "automatic empty zones"
> of all modern BIND versions.
> The other seven official nameservers [ruvwxyz].arin.net for the zones
> {176,192}.in-addr.arpa are not so configured. They return a referral
> to the AS112 servers blackhole-{1,2}.iana.org when queried for RFC1918
> addresses.
> It isn't obvious that this does any harm - RFC1918 reverse queries that
> escape onto the Internet get an NXDOMAIN one way or another, but the 
> inconsistency is somewhat confusing.

It breaks code that is used to determine if reverse queries for these address
are leaking onto the internet.  It also doesn't move the leaked traffic to
the sacrificial servers.

One server doing it shouldn't be big problem.  All of them doing it would be
a big problem.


> -- 
> Chris Thompson               University of Cambridge Information Services,
> Email: cet1 at uis.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
> Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org

More information about the dns-operations mailing list