[dns-operations] IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Apr 17 16:30:57 UTC 2021

> On Apr 17, 2021, at 10:43 AM, Warren Kumari <warren at kumari.net> wrote:
> Do you happen to have the list of the 279 anywhere?

Yes.  I sent the full dossier off-list to Puneet.  I'll resend you a copy.
Few are broadly popular, but not all are complete unknowns. The only ones
with an "Alexa rank" (recentish snapshot of the Tranco list) are:

Zone                  Tranco#  Iters
----                  -------  -----
photon.com               8300    500
raytheon.com            13880    500
unitymedia.de           28724    330
posteo.de               44277    250
uneb.br                 66247    330
bbn.com                 93451    500
unity-mail.de          205975    330
kabelbw.de             354397    330
phst.at                636940    250
gender-summit.com      674579    500
unity-mail.com         783623    330

Of the above:

 - posteo.de is a small to midsize email provider in Germany.
   An early DANE adopter.  There are multiple posteo.* domains
   with other TLD suffixes, but these don't show up on Tranco.

 - kabelbw.de, unity-mail.com and unitymedia.de belong to a cable broadband+email
   provider in Germany, also an early DANE adopter.

 - uneb.br is a university in Brazil.

 - phst.at is a teacher training school in Austria.

I've already reached out to posteo.de and unitymedia.de via my contacts
at sys4.de, I hope they'll take appropriate action soon, but feel free
to ping them separately, they may expedite remediation.

Grouped by SOA mname, the top 10 zone counts (224 total) are:

     51 ns01.posteo-dns.de		# posteo.de ...
     48 ns01.3s-dns.de			# 3sdns.de, 3shosting.de, 3smail.de ...
     45 dfw-infma1.ext.ray.com		# photon.com, raytheon.com, bbn.com ...
     36 ns1.upc.biz			# unitymedia.de ...
     15 jupiter.cloud1500.com		# caffari.net ...
      7 ns5.dnsmadeeasy.com		# webactive.ch ...
      6 dns01.consistec.de		# consistec.de ...
      6 devnull.itsynergy.net.uk	# gender-summit.com, itsynergy.net.uk ...
      5 ns1.vnode.net			# vnode.net ...
      5 ns1.phst.at			# phst.at ...

The below are somewhat more exposed to forgery via negative responses, because
they also have a zone apex wildcard record, so any name can be denied and the
wildcard substituted (which may not be a problem if the data's the same).

  *.itsspasadena.com. IN A
  *.rispasadena.com. IN A

  *.ybti.net. IN CNAME ybti.net.
  ybti.net. IN A

  *.unitymediabusiness.de. IN A

  *.posteo.de. IN A

  *.initramfs.io. IN CNAME initramfs.io.
  initramfs.io. IN A

  *.dwreports.com. IN A



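Added example, not code from the thread or from any of the operators named above: it computes an NSEC3 owner-name hash as RFC 5155 defines it (one SHA-1 over the wire-format name plus salt, then "iterations" further SHA-1 rounds, each with the salt appended), which is why every extra iteration is one more hash a validating resolver must compute per denied name, and it triages presentation-format NSEC3PARAM records by iteration count. The NSEC3PARAM lines are constructed from the Iters column above, and the cutoff of 100 is an assumed local policy value, not a number from the thread.

```python
import base64
import hashlib

# RFC 5155 prints hashes in base32 with the extended-hex alphabet; translate
# from Python's standard base32 alphabet.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

MAX_ITERATIONS = 100  # assumed policy cutoff, not taken from the thread

def wire_name(name: str) -> bytes:
    """Canonical (lowercased) wire form of a domain name: length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def sha1_step(data: bytes, salt: bytes) -> bytes:
    """One NSEC3 hash round: H(x || salt)."""
    return hashlib.sha1(data + salt).digest()

def nsec3_hash(name: str, iterations: int, salt: bytes) -> bytes:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt)."""
    h = sha1_step(wire_name(name), salt)
    for _ in range(iterations):  # each configured iteration is one more SHA-1 per name
        h = sha1_step(h, salt)
    return h

def nsec3_hash_text(name: str, iterations: int, salt: bytes) -> str:
    """Hash in the base32hex form seen in NSEC3 owner names (20 bytes -> 32 chars)."""
    return base64.b32encode(nsec3_hash(name, iterations, salt)).translate(_B32HEX).decode()

def triage_nsec3param(rr_lines, max_iterations=MAX_ITERATIONS):
    """Parse 'zone TTL IN NSEC3PARAM alg flags iters salt' lines; flag zones over the cutoff."""
    findings = []
    for line in rr_lines:
        f = line.split()
        if "NSEC3PARAM" not in f:
            continue
        i = f.index("NSEC3PARAM")
        zone, iters, salt = f[0], int(f[i + 3]), f[i + 4]
        findings.append((zone, iters, salt != "-", iters > max_iterations))
    return findings

# Constructed sample records; iteration counts mirror the Iters column in the post.
SAMPLE = """\
photon.com.    3600 IN NSEC3PARAM 1 0 500 -
posteo.de.     3600 IN NSEC3PARAM 1 0 250 -
unitymedia.de. 3600 IN NSEC3PARAM 1 0 330 -
example.       3600 IN NSEC3PARAM 1 0 0 -
""".splitlines()

def flagged_zones(rr_lines=SAMPLE, max_iterations=MAX_ITERATIONS):
    """Zones whose iteration count exceeds the cutoff, in input order."""
    return [zone for zone, _, _, over in triage_nsec3param(rr_lines, max_iterations) if over]
```

Checked against the RFC 5155 Appendix A vector (salt aabbccdd, 12 iterations, name "example." hashes to 0P9MHAVEQVM6T7VBL5LOP2U3T2RP3TOM), so the hash routine can be used to cross-check what a zone's NSEC3 owner names should look like for a given parameter set.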