[dns-operations] Signing on the fly and UltraDNS

Paul Hoffman paul.hoffman at icann.org
Tue Jan 5 02:39:27 UTC 2021


Greetings again. Those of us who research DNSSEC adoption in the real world are being a bit stymied by some of the sign-on-the-fly systems, such as this one, apparently from UltraDNS. (Similar results are given for any nonexistent name in house.gov, such as "www1".)

--Paul Hoffman

# dig +dnssec +noidnout anynameyouwant.house.gov a

; <<>> DiG 9.16.10 <<>> +dnssec +noidnout anynameyouwant.house.gov a
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3131
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 6, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
; COOKIE: 82c292cc154c0bee35a4c8d95ff3cf3d4fb01e0d645f3375 (good)
;; QUESTION SECTION:
;anynameyouwant.house.gov.	IN	A

;; AUTHORITY SECTION:
~.anynameyouwans~.house.gov. 882 IN	RRSIG	NSEC 13 4 900 20210625144704 20201227144704 34842 house.gov. cyHvX3u6PVXUmSqWwFbzDEwKDpCLklowf+QnNF5q4hwUulvaZci+n2Ml yK7K2Q0ttdsaicN255QJmNU7pBD5qA==
~.anynameyouwans~.house.gov. 882 IN	NSEC	anynameyouwant!.house.gov. RRSIG NSEC
!~.house.gov.		882	IN	RRSIG	NSEC 13 3 900 20210625144704 20201227144704 34842 house.gov. gQ8Rwjx/31pXh0Anx9+wYSmj3BRpKp7PGegmEvmdejiVV6UmFfds8YyV nqjs9Au1XZVgNjtE9fjQC87nElKUCQ==
!~.house.gov.		882	IN	NSEC	-.house.gov. RRSIG NSEC
house.gov.		882	IN	SOA	pdns109.ultradns.com. ncc.mail.house.gov. 1407134 10800 1080 2419200 900
house.gov.		882	IN	RRSIG	SOA 13 2 900 20210625144704 20201227144704 34842 house.gov. p4vIz0ORiZPlwbbpbGo5TEex+eYnvgj+pLzIaK4mSHwUzF+bk15Xx6ao HikR5X1/ejuVUIuS6teRjm8ZVdoKag==

-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2584 bytes
Desc: not available
URL: <https://lists.dns-oarc.net/pipermail/dns-operations/attachments/20210105/d99b8e68/attachment.bin>


More information about the dns-operations mailing list