[dns-operations] Signing on the fly and UltraDNS

Kim Minh Kaplan kimminh.kaplan+dns-operations at afnic.fr
Tue Jan 5 07:27:17 UTC 2021

Paul Hoffman writes:

> Greetings again. Those of us who research DNSSEC adoption in the real world are being a bit stymied by some of the sign-on-the-fly systems, such as this one, apparently from UltraDNS. (Similar results are given for any nonexistent name in house.gov, such as "www1".)


> ~.anynameyouwans~.house.gov. 882 IN	RRSIG	NSEC 13 4 900 20210625144704 20201227144704 34842 house.gov. cyHvX3u6PVXUmSqWwFbzDEwKDpCLklowf+QnNF5q4hwUulvaZci+n2Ml yK7K2Q0ttdsaicN255QJmNU7pBD5qA==
> ~.anynameyouwans~.house.gov. 882 IN	NSEC	anynameyouwant!.house.gov. RRSIG NSEC
> !~.house.gov.		882	IN	RRSIG	NSEC 13 3 900 20210625144704 20201227144704 34842 house.gov. gQ8Rwjx/31pXh0Anx9+wYSmj3BRpKp7PGegmEvmdejiVV6UmFfds8YyV nqjs9Au1XZVgNjtE9fjQC87nElKUCQ==
> !~.house.gov.		882	IN	NSEC	-.house.gov. RRSIG NSEC

This kind of trick is documented in RFC 4470 Minimally Covering NSEC
Records and DNSSEC On-line Signing. It gives even weirder names.

Kim Minh.

More information about the dns-operations mailing list