[dns-operations] IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low
ietf-dane at dukhovni.org
Sat Apr 17 16:30:57 UTC 2021
> On Apr 17, 2021, at 10:43 AM, Warren Kumari <warren at kumari.net> wrote:
> Do you happen to have the list of the 279 anywhere?
Yes. I sent the full dossier off-list to Puneet. I'll resend you a copy.
Few are broadly popular, but not all are complete unknowns. The only ones
with an "Alexa rank" (recentish snapshot of the Tranco list) are:
Zone Tranco# Iters
---- ------- -----
photon.com 8300 500
raytheon.com 13880 500
unitymedia.de 28724 330
posteo.de 44277 250
uneb.br 66247 330
bbn.com 93451 500
unity-mail.de 205975 330
kabelbw.de 354397 330
phst.at 636940 250
gender-summit.com 674579 500
unity-mail.com 783623 330
Of the above:
- posteo.de is a small to midsize email provider in Germany.
An early DANE adopter. The are multiple posteo.* domains
with other TLD suffixes, but these don't show up on Tranco.
- kabelbw.de, unity-mail.com, unitymedia.de is a cable broadband+email
provider in Germany, also an early DANE adopter.
- uneb.br is a university in Brazil
- phst.at is a teacher training school in Austria.
I've already reached out to posteo.de and unitymedia.de via my contacts
at sys4.de, I hope they'll take appropriate action soon, but feel free
to ping them separately, they may expedite remediation.
Grouped by SOA mname, the top 10 zone counts (224 total) are:
51 ns01.posteo-dns.de # posteo.de ...
48 ns01.3s-dns.de # 3sdns.de, 3shosting.de, 3smail.de ...
45 dfw-infma1.ext.ray.com # photon.com, raytheon.com, bbn.com ...
36 ns1.upc.biz # unitymedia.de ...
15 jupiter.cloud1500.com # caffari.net ...
7 ns5.dnsmadeeasy.com # webactive.ch ...
6 dns01.consistec.de # consistec.de ...
6 devnull.itsynergy.net.uk # gender-summit.com, itsynergy.net.uk ...
5 ns1.vnode.net # vnode.net ...
5 ns1.phst.at # phst.at ...
The below are somewhat more exposed to forgery via negative responses, because
they also have a zone apex wildcard record, so any name can be denied and the
wildcard substituted (which may not be a problem if the data's the same).
*.itsspasadena.com. IN A 184.108.40.206
*.rispasadena.com. IN A 220.127.116.11
*.ybti.net. IN CNAME ybti.net.
ybti.net. IN A 18.104.22.168
*.unitymediabusiness.de. IN A 22.214.171.124
*.posteo.de. IN A 126.96.36.199
*.initramfs.io. IN CNAME initramfs.io.
initramfs.io. IN A 188.8.131.52
*.dwreports.com. IN A 184.108.40.206
More information about the dns-operations