On Tue, 12 Jul 2011, Tom H wrote: > On Tue, Jul 12, 2011 at 2:02 PM, Henrique de Moraes Holschuh > <h...@debian.org> wrote: > > > > There are routes. Really. Maybe not everywhere, and maybe not all the > > time... but the IPv4 private space is often routed. > > > > http://www.cidr-report.org/as2.0/#Bogons > > http://www.cidr-report.org/as6447/#Bogons > > > > *Right now*, there are routes for parts the private space being leaked > > everywhere. > > IANA also maintains some server(s) for RFC1918 leaks. More or less ten > years ago, I was at a company where, one day, none of the Mac boxes > could telnet to or mount AFP shares on the Solaris boxes because that > IANA service was down and it was providing reverse DNS for RFC1918 > addresses...
That would be AS112. The AS112 project provides an anycast cloud for the three authoritative DNSes that take care of the IPv4 private, documentation and link-local addresses. They'll soon handle some of the IPv6 reverse address space as well. Note that AS112 clouds only route the IPv4 prefix 192.175.48.0/24, where the BLACKHOLE-1.IANA.ORG, BLACKHOLE-2.IANA.ORG and PRISONER.IANA.ORG DNS servers can be found, i.e. they do NOT provide a sinkhole for the IPv4 private address space, just reverse DNS service. http://public.as112.net/ http://tools.ietf.org/rfcmarkup?rfc-repository=http://www.rfc-editor.org/authors&doc=rfc6304&topmenu=true&document=draft-ietf-dnsop-as112-ops-09&docreplaces=draft-ietf-dnsop-as112-ops-09&title=RFC-EDITOR+AUTH48+REVIEW+COPY&extrastyle=body+{background-color:%23fee%3b} And there is the "AS112 operator's relief" RFC: http://tools.ietf.org/rfcmarkup?rfc-repository=http://www.rfc-editor.org/authors&doc=rfc6305&topmenu=true&document=draft-ietf-dnsop-as112-under-attack-help-help-06&docreplaces=draft-ietf-dnsop-as112-under-attack-help-help-06&title=RFC-EDITOR+AUTH48+REVIEW+COPY&extrastyle=body+{background-color:%23fee%3b} Sorry about the long URLs, RFCs-to-be don't have nice short URLs (or I don't know them). PS: that does mean the company where you worked at had incompetent DNS administrators (if they had any at all). PS2: Debian ships bind properly configured by default to never leak requests that would end up answered by AS112. I am not sure about the other nameservers, though. -- "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot Henrique Holschuh -- To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/20110712204348.ga30...@khazad-dum.debian.net