[dns-operations] t.arin.net and RFC1918 reverse zones [was: 172.in-addr.arpa DNSSEC broken]

Mark Andrews marka at isc.org
Fri May 23 22:14:29 UTC 2014


In message <Prayer.1.3.5.1405231826420.5436 at hermes-1.csi.cam.ac.uk>, Chris Thompson writes:
> I came across this while investigating the 172.in-addr.arpa KSK rollover
> problem, but it is unrelated.
> 
> t.arin.net is configured with dummy empty zones for [16-31].172.in-addr.arpa,
> as well as 168.192.in-addr.arpa (and 10.in-addr.arpa, but it's unlikely to
> get asked about that one). They look exactly like the "automatic empty zones"
> of all modern BIND versions.
> 
> The other seven official nameservers [ruvwxyz].arin.net for the zones
> {176,192}.in-addr.arpa are not so configured. They return a referral
> to the AS112 servers blackhole-{1,2}.iana.org when queried for RFC1918
> addresses.
> 
> It isn't obvious that this does any harm - RFC1918 reverse queries that
> escape onto the Internet get an NXDOMAIN one way or another, but the 
> inconsistency is somewhat confusing.

It breaks code that is used to determine if reverse queries for these addresses
are leaking onto the internet.  It also doesn't move the leaked traffic to
the sacrificial servers.

One server doing it shouldn't be a big problem.  All of them doing it would be
a big problem.

Mark

> -- 
> Chris Thompson               University of Cambridge Information Services,
> Email: cet1 at uis.cam.ac.uk    Roger Needham Building, 7 JJ Thomson Avenue,
> Phone: +44 1223 334715       Cambridge CB3 0RB, United Kingdom.
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
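The two behaviours the thread contrasts (an authoritative NXDOMAIN from a local "automatic empty zone" versus a referral to the AS112 blackhole servers) look different on the wire, and a leak-detection tool that only expects one of them will misclassify the other. The script below is an added illustration, not code from the thread or from ARIN/ISC: it builds two constructed replies to a PTR query for 1.16.172.in-addr.arpa and classifies each by checking the AA bit, the rcode and the authority section. The sample messages, the names (blackhole-1.iana.org, blackhole-2.iana.org, 16.172.in-addr.arpa) and the SOA contents are assumptions for demonstration; only the standard DNS wire-format constants are real.

```python
import struct

# Standard DNS RR type and rcode values used below
TYPE_NS, TYPE_SOA, TYPE_PTR = 2, 6, 12
RCODE_NOERROR, RCODE_NXDOMAIN = 0, 3

def encode_name(name):
    """Encode a dotted name into uncompressed DNS wire format."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def decode_name(msg, offset):
    """Decode a name at msg[offset], following RFC 1035 compression pointers.
    Returns (dotted_name, offset just after the name in the message)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:               # two-byte compression pointer
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2                # the name ends after the first pointer
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)

def build_response(qname, rcode, aa, authority):
    """Build a constructed reply to a PTR query carrying the given authority RRs.
    authority: list of (owner, rtype, rdata_bytes). Sample data, not a real capture."""
    flags = 0x8000 | (0x0400 if aa else 0) | rcode
    msg = struct.pack("!HHHHHH", 0x1234, flags, 1, 0, len(authority), 0)
    msg += encode_name(qname) + struct.pack("!HH", TYPE_PTR, 1)
    for owner, rtype, rdata in authority:
        msg += encode_name(owner) + struct.pack("!HHIH", rtype, 1, 3600, len(rdata)) + rdata
    return msg

def parse_response(msg):
    """Return (rcode, aa, authority) where authority is a list of
    (owner, rtype, rdata_offset) taken from the NS/authority section."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qd):
        _, offset = decode_name(msg, offset)
        offset += 4                              # skip qtype + qclass
    sections = []
    for count in (an, ns, ar):
        rrs = []
        for _ in range(count):
            owner, offset = decode_name(msg, offset)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rrs.append((owner, rtype, offset))
            offset += rdlen
        sections.append(rrs)
    return flags & 0x0F, bool(flags & 0x0400), sections[1]

def classify_response(msg):
    """Classify how an in-addr.arpa server answered an RFC1918 PTR query."""
    rcode, aa, authority = parse_response(msg)
    if aa and rcode == RCODE_NXDOMAIN and any(t == TYPE_SOA for _, t, _ in authority):
        return "local-empty-zone"                # server answers the zone itself
    ns_targets = [decode_name(msg, off)[0] for _, t, off in authority if t == TYPE_NS]
    if (not aa and rcode == RCODE_NOERROR and ns_targets
            and all(n.endswith(".iana.org.") for n in ns_targets)):
        return "as112-referral"                  # delegated to the sacrificial servers
    return "other"

# Constructed sample replies for a PTR query on 1.16.172.in-addr.arpa. (assumed data)
QNAME = "1.16.172.in-addr.arpa."
ZONE = "16.172.in-addr.arpa."
SOA_RDATA = encode_name(".") + encode_name(".") + struct.pack("!IIIII", 0, 28800, 7200, 604800, 86400)
EMPTY_ZONE_REPLY = build_response(QNAME, RCODE_NXDOMAIN, True, [(ZONE, TYPE_SOA, SOA_RDATA)])
REFERRAL_REPLY = build_response(QNAME, RCODE_NOERROR, False, [
    (ZONE, TYPE_NS, encode_name("blackhole-1.iana.org.")),
    (ZONE, TYPE_NS, encode_name("blackhole-2.iana.org.")),
])

if __name__ == "__main__":
    for label, reply in (("empty-zone style", EMPTY_ZONE_REPLY), ("referral style", REFERRAL_REPLY)):
        print(label, "->", classify_response(reply))
```

A monitoring tool that counts AS112 referrals as "leaked queries" will see zero for a server that answers the empty zone itself, which is the discrepancy the reply above describes; tracking both outcomes separately keeps the measurement honest whichever way a given nameserver is configured.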
