URGENT: ns.internic.net blown

Per Gregers Bilse bilse at EU.net
Sun Mar 5 18:52:39 UTC 1995

On Mar 5, 10:34, Len Rose wrote:
> It just recently happened to two of our networks as well (last week). I don't
> remember being warned about this, yet it has happened to several providers so
> far.

It's a little worse than that in this case; 194 isn't a provider
block, it's one of the two superblocks in Europe, delegated to the
RIPE NCC (the other one is 193).

The bogus info is actually in the zone files themselves, according
to Lars-Johan Liman at KTH in Sweden (they run nic.nordu.net, one
of the root servers).  This means that all root servers will be
infected -- I just checked three, and yep, sure enough.

Those root operators reading this, please consider fixing the zone
file; the correct data is

194.IN-ADDR.ARPA.       518400  NS      sunic.sunet.se.
194.IN-ADDR.ARPA.       518400  NS      munnari.oz.au.
194.IN-ADDR.ARPA.       518400  NS      sparky.arl.mil.
194.IN-ADDR.ARPA.       518400  NS      ns.ripe.net.
194.IN-ADDR.ARPA.       518400  NS      ns.eu.net.
194.IN-ADDR.ARPA.       518400  NS      ns.uu.net.
194.IN-ADDR.ARPA.       518400  NS      layon.inria.fr.

munnari.oz.au.  86400   A
munnari.oz.au.  86400   A
sparky.arl.mil. 52142   A
sparky.arl.mil. 52142   A
ns.ripe.net.    86400   A
ns.eu.net.      86400   A
ns.uu.net.      7200    A
layon.inria.fr. 172800  A
sunic.sunet.se. 86400   A
sunic.sunet.se. 86400   A

bilse, EUnet NOC  +31 20 592 5110; 24hr +31 20 592 5165 (emergencies only)
EUnet Comm. Svcs. +31 20 623 3803; fax  +31 20 622 4657 http://www.EU.net

More information about the NANOG mailing list