
If they're on private IP addresses, per RFC, they shouldn't be listed in a public DNS zone. If they aren't listed in a public DNS zone, it's not really an issue, is it?


Still a bit of an issue. Primarily, the reasoning here is that if you compromise one of our systems, we'd prefer to make it as difficult as possible to traverse across our internal network.

Obviously that is mostly handled by access controls, but every little helps.


Which RFC is that? I've never noticed this restriction in any of the DNS RFCs (and I do DNS for a living ;))

(Honestly curious, not trying to say you're wrong!)


RFC1918.

If memory serves, it does say "should not" and not "MUST NOT" (cf. RFC2119). Thus, it's not technically a "violation" to do so but it certainly goes against the recommendations, IMO.

I also "do DNS for a living" (and have been for ~20 years), but I'm sure there are still things that I don't know. This is one of those often overlooked things, simply because it isn't that common and one doesn't often see any major issues because of it.


So it does; I've never noticed this section before:

   Indirect references to such addresses should be contained within the
   enterprise. Prominent examples of such references are DNS Resource
   Records and other information referring to internal private
   addresses. In particular, Internet service providers should take
   measures to prevent such leakage.


I'm not aware of any RFCs on the matter either. Some DNS servers do this to protect against DNS rebinding attacks, though.
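The RFC 1918 leakage check the thread is discussing, as an added example that is not part of any comment above: it flags A records in a constructed public zone that point into private address space, and shows a resolver-side filter of the kind the last comment refers to. The zone records are constructed sample data, and the record layout is assumed to be "name TTL class type rdata".

```python
import ipaddress

# RFC 1918 private ranges: the addresses the quoted RFC section says should
# stay inside the enterprise rather than appear in public DNS Resource Records.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample of a public zone's records ("name TTL class type rdata").
SAMPLE_ZONE = """\
www.example.com.      300 IN A  203.0.113.10
mail.example.com.     300 IN A  203.0.113.25
intranet.example.com. 300 IN A  10.20.30.40
git.example.com.      300 IN A  172.16.5.9
wiki.example.com.     300 IN A  192.168.1.50
ns1.example.com.      300 IN NS ns1.example.com.
"""


def is_rfc1918(addr: str) -> bool:
    """True if addr (dotted IPv4) falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def find_private_records(zone_text: str) -> list[tuple[str, str]]:
    """Return (name, address) for every A record whose address is RFC 1918 space.

    Only A records are examined; other record types (NS, MX, ...) are skipped.
    """
    leaks = []
    for line in zone_text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[3].upper() != "A":
            continue
        name, addr = fields[0], fields[4]
        try:
            if is_rfc1918(addr):
                leaks.append((name, addr))
        except ValueError:
            continue  # malformed rdata, not an IPv4 address; skip it
    return leaks


def filter_answers(answers: list[str]) -> list[str]:
    """Resolver-side filter of the kind used as DNS rebinding protection:
    drop RFC 1918 addresses from an answer set received for a public name."""
    return [a for a in answers if not is_rfc1918(a)]


if __name__ == "__main__":
    for name, addr in find_private_records(SAMPLE_ZONE):
        print(f"private address in public zone: {name} -> {addr}")
```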
