[dns-operations] in-addr.arpa. "A" server "loopback network" misconfiguration
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Jun 22 14:17:57 UTC 2023
The nameservers for in-addr.arpa are:
in-addr.arpa. NS a.in-addr-servers.arpa.
in-addr.arpa. NS b.in-addr-servers.arpa.
in-addr.arpa. NS c.in-addr-servers.arpa.
in-addr.arpa. NS d.in-addr-servers.arpa.
in-addr.arpa. NS e.in-addr-servers.arpa.
in-addr.arpa. NS f.in-addr-servers.arpa.
This is a signed zone, and denial of existence is mostly(!) accompanied
by the required NSEC records. However, in the case of:
1.0.0.127.in-addr.arpa. IN PTR ?
the "A" server response is wrong, it leaks an internal empty zone for
"0.0.127.in-addr.arpa" for which there is no insecure delegation in
the parent zone, so the unsigned denial of existence is BOGUS.
While all the servers respond with an NXDOMAIN rcode, the authority
section from the "A" server contains only:
0.0.127.in-addr.arpa. SOA localhost. root.localhost. 1 604800 86400 2419200 604800
While from all the other servers:
in-addr.arpa. SOA b.in-addr-servers.arpa. nstld.iana.org. 2022091523 1800 900 604800 3600
in-addr.arpa. RRSIG SOA 8 2 3600 20230712183222 20230622021342 48561 in-addr.arpa. [omitted]
in-addr.arpa. NSEC 1.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
in-addr.arpa. RRSIG NSEC 8 2 3600 20230706072654 20230615102113 48561 in-addr.arpa. [omitted]
126.in-addr.arpa. NSEC 128.in-addr.arpa. NS DS RRSIG NSEC
126.in-addr.arpa. RRSIG NSEC 8 3 3600 20230704100647 20230613061852 48561 in-addr.arpa. [omitted]
--
Viktor.
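The difference between the two authority sections above, as an added example that is not from the post or from any of the servers' software: a small Python checker applying the rules a validating resolver uses for an NXDOMAIN under a signed zone (a signed SOA at the apex, signed NSECs covering the next closer name and the wildcard). It assumes RRSIG verification happened separately and, as the post states, that no insecure delegation exists below in-addr.arpa; the record lists are the ones quoted above.

```python
"""Classify an NXDOMAIN authority section as usable DNSSEC denial of existence.
Assumes RRSIGs were validated elsewhere; only presence and NSEC coverage are checked."""

SIGNED_ZONE = "in-addr.arpa."

# Authority sections as quoted in the post (RRSIG data abbreviated there).
A_SERVER = [
    "0.0.127.in-addr.arpa. SOA localhost. root.localhost. 1 604800 86400 2419200 604800",
]
OTHER_SERVERS = [
    "in-addr.arpa. SOA b.in-addr-servers.arpa. nstld.iana.org. 2022091523 1800 900 604800 3600",
    "in-addr.arpa. RRSIG SOA 8 2 3600 20230712183222 20230622021342 48561 in-addr.arpa. [omitted]",
    "in-addr.arpa. NSEC 1.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY",
    "in-addr.arpa. RRSIG NSEC 8 2 3600 20230706072654 20230615102113 48561 in-addr.arpa. [omitted]",
    "126.in-addr.arpa. NSEC 128.in-addr.arpa. NS DS RRSIG NSEC",
    "126.in-addr.arpa. RRSIG NSEC 8 3 3600 20230704100647 20230613061852 48561 in-addr.arpa. [omitted]",
]

def labels(name):
    """Canonical form (RFC 4034 section 6.1): lower-cased labels, rightmost first."""
    return tuple(l.lower() for l in reversed(name.rstrip(".").split(".")))

def covered(name, nsecs):
    """True if some NSEC (owner, next) has owner < name < next in canonical order;
    next <= owner is the last NSEC of the zone, which wraps around to the apex."""
    return any((o < name < x) if o < x else (name > o or name < x) for o, x in nsecs)

def classify_nxdomain(qname, zone, authority):
    rrs = [line.split() for line in authority]
    signed = {(r[0], r[2]) for r in rrs if r[1] == "RRSIG"}  # (owner, type covered)
    soas = [r for r in rrs if r[1] == "SOA"]
    if not soas:
        return "bogus: no SOA in authority section"
    soa_owner = soas[0][0]
    # Assumption, as the post states: no insecure delegation exists below the
    # apex, so the SOA must belong to the signed apex itself and carry an RRSIG.
    if labels(soa_owner) != labels(zone) or (soa_owner, "SOA") not in signed:
        return f"bogus: unsigned SOA for {soa_owner} inside signed zone {zone}"
    nsecs = [(labels(r[0]), labels(r[2])) for r in rrs
             if r[1] == "NSEC" and (r[0], "NSEC") in signed]
    q, owners = labels(qname), {o for o, _ in nsecs}
    # Closest encloser: longest ancestor of qname owning a signed NSEC. Both the
    # next closer name and the wildcard at the closest encloser must be covered.
    for i in range(len(q) - 1, len(labels(zone)) - 1, -1):
        if q[:i] in owners:
            if covered(q[:i + 1], nsecs) and covered(q[:i] + ("*",), nsecs):
                return "secure"
            return "bogus: NSEC chain does not cover next closer name or wildcard"
    return "bogus: no closest encloser proven"
```

Fed the "A" server's section for 1.0.0.127.in-addr.arpa, the checker reports an unsigned SOA from an unexpected apex (bogus); the other servers' section proves the apex NSEC and the 126/128 NSEC cover both the wildcard and 127.in-addr.arpa (secure).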