[dns-operations] in-addr.arpa. "A" server "loopback network" misconfiguration

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jun 22 14:17:57 UTC 2023


The nameservers for in-addr.arpa are:

    in-addr.arpa.           NS      a.in-addr-servers.arpa.
    in-addr.arpa.           NS      b.in-addr-servers.arpa.
    in-addr.arpa.           NS      c.in-addr-servers.arpa.
    in-addr.arpa.           NS      d.in-addr-servers.arpa.
    in-addr.arpa.           NS      e.in-addr-servers.arpa.
    in-addr.arpa.           NS      f.in-addr-servers.arpa.

this is a signed zone, and denial of existence is mostly(!) accompanied
by the required NSEC records.  However, in the case of:

    1.0.0.127.in-addr.arpa. IN PTR ?

the "A" server response is wrong: it leaks an internal empty zone for
"0.0.127.in-addr.arpa" for which there is no insecure delegation in
the parent zone, so the unsigned denial of existence is BOGUS.

While all the servers respond with an NXDOMAIN rcode, the authority
section from the "A" server contains only:

    0.0.127.in-addr.arpa.	SOA	localhost. root.localhost. 1 604800 86400 2419200 604800

While from all the other servers:

    in-addr.arpa.		SOA	b.in-addr-servers.arpa. nstld.iana.org. 2022091523 1800 900 604800 3600
    in-addr.arpa.		RRSIG	SOA 8 2 3600 20230712183222 20230622021342 48561 in-addr.arpa. [omitted]
    in-addr.arpa.		NSEC	1.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
    in-addr.arpa.		RRSIG	NSEC 8 2 3600 20230706072654 20230615102113 48561 in-addr.arpa. [omitted]
    126.in-addr.arpa.	NSEC	128.in-addr.arpa. NS DS RRSIG NSEC
    126.in-addr.arpa.	RRSIG	NSEC 8 3 3600 20230704100647 20230613061852 48561 in-addr.arpa. [omitted]

-- 
    Viktor.
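Added example, not part of Viktor's message: a small Python check of an NXDOMAIN authority section against the NSEC denial-of-existence rules of RFC 4035, run over the two authority sections quoted above. The record tuples are constructed from the message, with RRSIG rdata reduced to the type it covers; signature verification itself is out of scope.

```python
def canon_key(name):
    """RFC 4034 section 6.1 ordering: labels compared right to left, case-folded."""
    return tuple(reversed(name.rstrip(".").lower().split(".")))

def nsec_covers(owner, nxt, apex, name):
    """True if NSEC owner -> nxt proves `name` absent (the last NSEC wraps to the apex)."""
    o, x, n = canon_key(owner), canon_key(nxt), canon_key(name)
    return o < n if x == canon_key(apex) else o < n < x

def closest_encloser(qname, owner, nxt):
    """Longest ancestor of qname shared with the NSEC owner or next name (both exist)."""
    q, best = canon_key(qname), ()
    for other in (canon_key(owner), canon_key(nxt)):
        i = next((i for i, (a, b) in enumerate(zip(q, other)) if a != b), min(len(q), len(other)))
        best = max(best, q[:i], key=len)
    return ".".join(reversed(best)) + "."

def nxdomain_proof_ok(qname, apex, authority):
    """authority: list of (owner, rrtype, rdata); RRSIG rdata is the type covered."""
    soa = [o for o, t, _ in authority if t == "SOA"]
    if [canon_key(o) for o in soa] != [canon_key(apex)]:  # answer came from some other zone
        return False, "SOA owner %s is not the zone apex %s" % (soa, apex)
    signed = {(canon_key(o), d) for o, t, d in authority if t == "RRSIG"}
    nsecs = [(o, d) for o, t, d in authority
             if t == "NSEC" and (canon_key(o), "NSEC") in signed]  # unsigned NSEC proves nothing
    for owner, nxt in nsecs:
        if not nsec_covers(owner, nxt, apex, qname):
            continue
        ce = closest_encloser(qname, owner, nxt)
        if any(nsec_covers(o, x, apex, "*." + ce) for o, x in nsecs):
            return True, "closest encloser %s; wildcard also denied" % ce
        return False, "no signed NSEC denies the wildcard *.%s" % ce
    return False, "no signed NSEC covers %s" % qname

QNAME, APEX = "1.0.0.127.in-addr.arpa.", "in-addr.arpa."
# Authority section from the "A" server, as quoted in the message above.
A_SERVER = [("0.0.127.in-addr.arpa.", "SOA", "localhost. root.localhost. 1 604800 86400 2419200 604800")]
# Authority section from the other servers, as quoted (RRSIG rdata reduced to the type covered).
OTHERS = [
    ("in-addr.arpa.", "SOA", "b.in-addr-servers.arpa. nstld.iana.org. 2022091523 1800 900 604800 3600"),
    ("in-addr.arpa.", "RRSIG", "SOA"),
    ("in-addr.arpa.", "NSEC", "1.in-addr.arpa."),
    ("in-addr.arpa.", "RRSIG", "NSEC"),
    ("126.in-addr.arpa.", "NSEC", "128.in-addr.arpa."),
    ("126.in-addr.arpa.", "RRSIG", "NSEC"),
]

if __name__ == "__main__":
    for label, auth in (("A server", A_SERVER), ("other servers", OTHERS)):
        print(label, nxdomain_proof_ok(QNAME, APEX, auth))
```

The 126 to 128 NSEC covers 127.in-addr.arpa (so the closest encloser is in-addr.arpa itself) and the apex NSEC covers *.in-addr.arpa, which is why the other servers' answer validates while the "A" server's answer has nothing a validator can check.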

