The nameservers for in-addr.arpa are:
    in-addr.arpa. NS a.in-addr-servers.arpa.
    in-addr.arpa. NS b.in-addr-servers.arpa.
    in-addr.arpa. NS c.in-addr-servers.arpa.
    in-addr.arpa. NS d.in-addr-servers.arpa.
    in-addr.arpa. NS e.in-addr-servers.arpa.
    in-addr.arpa. NS f.in-addr-servers.arpa.
This is a signed zone, and denial of existence is mostly(!) accompanied
by the required NSEC records. However, in the case of:
    1.0.0.127.in-addr.arpa. IN PTR ?
the "A" server response is wrong: it leaks an internal empty zone for
"0.0.127.in-addr.arpa" for which there is no insecure delegation in
the parent zone, so the unsigned denial of existence is BOGUS.
While all the servers respond with an NXDOMAIN rcode, the authority
section from the "A" server contains only:
    0.0.127.in-addr.arpa. SOA localhost. root.localhost. 1 604800
        86400 2419200 604800
While from all the other servers:
    in-addr.arpa. SOA b.in-addr-servers.arpa. nstld.iana.org.
        2022091523 1800 900 604800 3600
    in-addr.arpa. RRSIG SOA 8 2 3600 20230712183222 20230622021342
        48561 in-addr.arpa. [omitted]
    in-addr.arpa. NSEC 1.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
    in-addr.arpa. RRSIG NSEC 8 2 3600 20230706072654 20230615102113
        48561 in-addr.arpa. [omitted]
    126.in-addr.arpa. NSEC 128.in-addr.arpa. NS DS RRSIG NSEC
    126.in-addr.arpa. RRSIG NSEC 8 3 3600 20230704100647 20230613061852
        48561 in-addr.arpa. [omitted]
--
Viktor.
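
Added example, not part of the original message: a structural (not cryptographic) check that tells the two authority sections quoted above apart, for use when monitoring each nameserver of a signed zone separately. The function names are hypothetical, the sample sections are constructed from the records quoted in the message, and the wildcard check assumes the closest encloser is the zone apex, as it is for this query.

```python
# Added example: structural (not cryptographic) check of an NXDOMAIN authority
# section from a signed zone. Function names are hypothetical; the sample
# sections are constructed from the records quoted in the message.
ZONE, QNAME = "in-addr.arpa.", "1.0.0.127.in-addr.arpa."
A_SERVER = "0.0.127.in-addr.arpa. SOA localhost. root.localhost. 1 604800 86400 2419200 604800"
OTHER_SERVERS = """
in-addr.arpa. SOA b.in-addr-servers.arpa. nstld.iana.org. 2022091523 1800 900 604800 3600
in-addr.arpa. RRSIG SOA 8 2 3600 20230712183222 20230622021342 48561 in-addr.arpa. [omitted]
in-addr.arpa. NSEC 1.in-addr.arpa. NS SOA RRSIG NSEC DNSKEY
in-addr.arpa. RRSIG NSEC 8 2 3600 20230706072654 20230615102113 48561 in-addr.arpa. [omitted]
126.in-addr.arpa. NSEC 128.in-addr.arpa. NS DS RRSIG NSEC
126.in-addr.arpa. RRSIG NSEC 8 3 3600 20230704100647 20230613061852 48561 in-addr.arpa. [omitted]
"""

def canon(name):
    """RFC 4034 section 6.1 ordering key: lowercase labels, rightmost label first."""
    return tuple(l.encode() for l in reversed(name.lower().rstrip(".").split(".")))

def parse(section):
    """Turn 'owner TYPE rdata...' lines into (owner, type, rdata fields) tuples."""
    rows = map(str.split, section.strip().splitlines())
    return [(f[0], f[1], f[2:]) for f in rows if len(f) > 2]

def covers(lo, hi, target):
    """True if the NSEC span lo -> hi proves target absent (last NSEC wraps to the apex)."""
    return lo < target < hi or hi <= lo < target

def check_denial(zone, qname, section):
    """Return the reasons this NXDOMAIN proof is unacceptable for a signed zone."""
    rrs, issues = parse(section), []
    signed = {(o.lower(), r[0]) for o, t, r in rrs if t == "RRSIG"}  # (owner, type covered)
    for o, t, r in rrs:
        if t == "SOA" and canon(o) != canon(zone):
            issues.append(f"SOA owner {o} is not the zone apex {zone}")
        if t in ("SOA", "NSEC") and (o.lower(), t) not in signed:
            issues.append(f"{t} at {o} has no RRSIG")
    nsecs = [(canon(o), canon(r[0])) for o, t, r in rrs if t == "NSEC"]
    # NXDOMAIN needs NSEC coverage of the name itself and of the wildcard
    # (assumption: closest encloser is the apex, so the wildcard is *.<zone>).
    for target in (qname, "*." + zone):
        if not any(covers(lo, hi, canon(target)) for lo, hi in nsecs):
            issues.append(f"no NSEC covers {target}")
    return issues

if __name__ == "__main__":
    for label, sec in (("A", A_SERVER), ("others", OTHER_SERVERS)):
        print(label, check_denial(ZONE, QNAME, sec) or "denial is structurally complete")
```

An empty result only means the expected records are present; the RRSIGs still have to be verified by a validating resolver.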