[dns-operations] t.arin.net and RFC1918 reverse zones [was: 172.in-addr.arpa DNSSEC broken]

Matt Rowley matt at arin.net
Sat May 24 16:35:28 UTC 2014

Hi again,

So we corrected this yesterday.  We realized that we have been tripping
this behavior in BIND:


(although the log message it's referring to never showed up for us)

The hosts which comprise t.arin.net run BIND as authoritative and as a
recursive resolver for just themselves.  This is due to the limited
footprint we have at that location).  That's why this didn't manifest
itself on Z, X, etc, despite functionally-identical configurations.

Thanks again for alerting us to this.


Matt Rowley wrote:
> Hi Chris,
> Thanks for pointing this out to us.  We are investigating as to why that
> SOA is being returned on T.  It doesn't jive with our configs.  We're
> looking into this now, and I'll let you know what we find.
> cheers,
> Matt
> Chris Thompson wrote:
>> I came across this while investigating the 172.in-addr.arpa KSK rollover
>> problem, but it is unrelated.
>> t.arin.net is configured with dummy empty zones for
>> [16-31].172.in-addr.arpa,
>> as well as 168.192.in-addr.arpa (and 10.in-addr.arpa, but it's unlikely to
>> get asked about that one). They look exactly like the "automatic empty
>> zones"
>> of all modern BIND versions.
>> The other seven official nameservers [ruvwxyz].arin.net for the zones
>> {176,192}.in-addr.arpa are not so configured. They return a referral
>> to the AS112 servers blackhole-{1,2}.iana.org when queried for RFC1918
>> addresses.
>> It isn't obvious that this does any harm - RFC1918 reverse queries that
>> escape onto the Internet get an NXDOMAIN one way or another, but the
>> inconsistency is somewhat confusing.

More information about the dns-operations mailing list