RFC1918 addresses in zone files

Jim Reid jim at rfc1035.com
Fri Sep 1 16:37:07 UTC 2000


>>>>> "Eric" == Eric A Hall <ehall at ehsco.com> writes:

    Georgi> Is using of rfc1918 addresses together with real IP in
    Georgi> zone file prohibited?
    >>  No. Why would it be? RFC1918 addresses are valid IP addresses.

    Eric> The obvious exception here is NS records for delegation
    Eric> hints. You really should not use 1918 addresses to point to
    Eric> authoritative servers for a zone, since external resolvers
    Eric> will never go to the right server.

Well yes, sort of. AFAIK there's nothing in the DNS RFCs which say
"you must not do this". Or any name servers which enforce those
restrictions as far as I'm aware. There's absolutely nothing wrong
with using RFC1918 addresses with NS records, provided they are used
properly. [If an Intranet that exclusively uses RFC1918 addressing
internally didn't have those NS records in their (internal)
delegations, their DNS wouldn't work. I'm sure you knew that. But by
omitting that qualification, you implied that nobody should ever use
RFC1918 addresses with their NS records. So since we're picking
nits....] As you rightly point out, the problem would arise if those
RFC1918 addresses were presented to the outside world or another net
that used RFC1918 addresses. But that's not really any different from
the general case of advertising unreachable NS records or wrong
addresses for them anyway. If someone enters syntactically valid but
incorrect data in their zone files, all sorts of network services can
break. Garbage in, garbage out.

    Eric> MX records can also have problems in those cases where the
    Eric> MX list includes 1918 addresses which are also valid mail
    Eric> systems on the remote network. If a remote mailer tries
    Eric> sending to a 1918 address and delivery to a local server
    Eric> succeeds (due to overlapping addresses), the mail may not
    Eric> get delivered if the mailer decides there's a configuration
    Eric> error.

True. I hadn't considered that. But people shouldn't be advertising
RFC1918 addresses externally or, worse, intermixing their net with
another organisation's RFC1918 net. You've reminded us of some of the
very bad things that can happen when private addresses leak into the
public DNS name space.
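An added example, not part of the original post and not BIND's own code: a small Python audit that reads a zone file and reports NS and MX records whose targets carry RFC1918 A records within the same zone, which is exactly the leak both posters are worried about. The sample zone is constructed for the example; the parser assumes one record per line (no parenthesised multi-line records) and only checks targets against A records found in that zone, so a target without an in-zone A record is simply not checked.

```python
import ipaddress

# The three RFC1918 private ranges, spelled out explicitly rather than relying
# on ipaddress.is_private, which also covers loopback, link-local and others.
RFC1918_NETS = [
    ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed sample zone for this example (not from the original post).
SAMPLE_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN SOA ns1 hostmaster 2000090101 7200 900 1209600 3600
@       IN NS  ns1
@       IN NS  ns2
@       IN MX  10 mail
        IN MX  20 mail2
ns1     IN A   192.0.2.10
ns2     IN A   10.0.0.53        ; internal-only name server
mail    IN A   192.0.2.25
mail2   IN A   172.16.5.25      ; internal relay
www     IN A   192.168.1.80     ; plain A record: not flagged by this audit
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr is an IPv4 address inside one of the RFC1918 ranges."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in RFC1918_NETS)


def qualify(name: str, origin: str) -> str:
    """Turn '@' or a relative owner/target into a fully qualified, lowercase name."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name.lower()
    return f"{name}.{origin}".lower()


def parse_zone(text: str, origin: str):
    """Parse a simple one-record-per-line zone file into (owner, type, rdata) tuples.

    Handles $ORIGIN, ';' comments, optional TTL/class fields and a blank owner
    meaning 'same owner as the previous record'. NS and MX targets are qualified
    with the $ORIGIN in effect at that line.
    """
    origin = origin.lower()
    records = []
    last_owner = origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()  # strip comments
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1].lower()
            continue
        if line.startswith("$"):  # $TTL and other directives: not needed here
            continue
        tokens = line.split()
        if raw[0].isspace():  # blank owner field reuses the previous owner
            owner = last_owner
        else:
            owner = qualify(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype == "NS":
            rdata = (qualify(tokens[0], origin),)
        elif rtype == "MX":
            rdata = (int(tokens[0]), qualify(tokens[1], origin))
        else:
            rdata = tuple(tokens)
        records.append((owner, rtype, rdata))
    return records


def audit_zone(text: str, origin: str):
    """Return (owner, 'NS'|'MX', target, address) for every NS/MX target whose
    in-zone A record is an RFC1918 address, i.e. data that would be useless or
    harmful if this zone were served to the outside world."""
    records = parse_zone(text, origin)
    a_records = {}
    for owner, rtype, rdata in records:
        if rtype == "A":
            a_records.setdefault(owner, []).append(rdata[0])
    findings = []
    for owner, rtype, rdata in records:
        if rtype == "NS":
            target = rdata[0]
        elif rtype == "MX":
            target = rdata[1]
        else:
            continue
        for addr in a_records.get(target, []):
            if is_rfc1918(addr):
                findings.append((owner, rtype, target, addr))
    return findings


if __name__ == "__main__":
    for owner, role, target, addr in audit_zone(SAMPLE_ZONE, "example.com."):
        print(f"{owner} {role} -> {target} has RFC1918 address {addr}")
```

Running it against the sample reports the NS record pointing at ns2 (10.0.0.53) and the MX record pointing at mail2 (172.16.5.25), but says nothing about www at 192.168.1.80: a private address in an ordinary A record is not wrong in itself, as the thread says, and only becomes a problem when it is advertised as the way to reach an authoritative server or mail exchanger.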
