Last week I noticed that Kabel Deutschland, a cable provider in Germany, returns "220.127.116.11" for any non-existent host. It seems that this has been rolled out since last fall. Even for DNSSEC-enabled infrastructure, it breaks things totally:
; <<>> DiG 9.3.4 <<>> +dnssec web.pixaco.se @18.104.22.168
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
web.pixaco.se. 0 IN A 22.214.171.124
Besides that, this behaviour breaks the whole DNS, since many mechanisms rely on a negative answer. The most visible effect for users is that when they make a typo while surfing, they are forwarded to http://suche.kabeldeutschland.de/de.kde.assist/?domain=
All that to get some extra money while racing to dump prices for connectivity; this sucks a lot.
If you are a customer and feel pissed, you can send a friendly note to them:
Kabel Deutschland Vertrieb und Service GmbH & Co. KG
A quick and dirty workaround for dnsmasq may be to add "bogus-nxdomain=126.96.36.199" to your config file. This doesn't fix the DNSSEC problem.
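To find out which addresses a resolver substitutes for NXDOMAIN, the following added example (not part of the original post) parses dig output for a name that cannot exist and prints the matching dnsmasq lines. The function names, the ".invalid" probe name and the 192.0.2.1 sample address are assumptions made for illustration; the two sample outputs are constructed.

```shell
#!/bin/sh
# Reads full dig output on stdin. For a name that cannot exist, any A record
# in the ANSWER section means the resolver replaced NXDOMAIN with its own
# address. Prints one "bogus-nxdomain=<ip>" line per distinct address and
# returns 0 if at least one was found, 1 otherwise.
bogus_lines() {
    awk '
        /^;; ANSWER SECTION:/ { in_answer = 1; next }
        /^;;/ || /^$/         { in_answer = 0 }
        in_answer && $3 == "IN" && $4 == "A" && !seen[$5]++ {
            print "bogus-nxdomain=" $5; found = 1
        }
        END { exit (found ? 0 : 1) }
    '
}

# Live check against a resolver (needs dig and network access, so it is only
# defined here, not called). The default probe name sits under the reserved
# ".invalid" TLD (RFC 6761); pass another non-existent name as $2 if wanted.
probe() {
    dig "${2:-nxtest-$$.invalid}" A @"$1" | bogus_lines
}

# Constructed sample: a resolver that rewrites NXDOMAIN (NOERROR, TTL 0).
SAMPLE_REWRITTEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;nxtest.invalid. IN A

;; ANSWER SECTION:
nxtest.invalid. 0 IN A 192.0.2.1
'

# Constructed sample: an honest resolver returning a real negative answer.
SAMPLE_HONEST=';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; AUTHORITY SECTION:
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 1 1800 900 604800 86400
'
```

Running `probe <resolver-ip>` prints the lines to paste into the dnsmasq config; a non-zero exit status means the resolver returned no substituted address for the probe name.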
The problem also pops up at dns-operations, and there are traces at Google too.
[UPDATE] Over 1 year later, zdnet.de discovered the problem.