[dns-operations] Signing on the fly and UltraDNS
Kim Minh Kaplan
kimminh.kaplan+dns-operations at afnic.fr
Tue Jan 5 07:27:17 UTC 2021
Paul Hoffman writes:
> Greetings again. Those of us who research DNSSEC adoption in the real world are being a bit stymied by some of the sign-on-the-fly systems, such as this one, apparently from UltraDNS. (Similar results are given for any nonexistent name in house.gov, such as "www1".)
[...]
> ~.anynameyouwans~.house.gov. 882 IN RRSIG NSEC 13 4 900 20210625144704 20201227144704 34842 house.gov. cyHvX3u6PVXUmSqWwFbzDEwKDpCLklowf+QnNF5q4hwUulvaZci+n2Ml yK7K2Q0ttdsaicN255QJmNU7pBD5qA==
> ~.anynameyouwans~.house.gov. 882 IN NSEC anynameyouwant!.house.gov. RRSIG NSEC
> !~.house.gov. 882 IN RRSIG NSEC 13 3 900 20210625144704 20201227144704 34842 house.gov. gQ8Rwjx/31pXh0Anx9+wYSmj3BRpKp7PGegmEvmdejiVV6UmFfds8YyV nqjs9Au1XZVgNjtE9fjQC87nElKUCQ==
> !~.house.gov. 882 IN NSEC -.house.gov. RRSIG NSEC
This kind of trick is documented in RFC 4470, "Minimally Covering NSEC Records and DNSSEC On-line Signing". It gives even weirder names.
Kim Minh.
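The technique referred to above, shown as an added editorial example (it is not code from this thread, from RFC 4470, or from any DNS vendor): an on-line signer that receives a query for a nonexistent name synthesises an NSEC whose owner is the immediate canonical predecessor of the queried name and whose "next" field is its immediate successor, so the record proves nonexistence of that one name and nothing else. The code below computes both names with \000 and \255 octets as the RFC does, which is where the "even weirder names" come from; the house.gov answers quoted above appear to use printable `~` and `!` in the same roles (that is an assumption from reading the output, not something the thread states). The canonical ordering is RFC 4034 section 6.1; `parse_name`, `to_text`, `predecessor`, `successor`, `covers` and `minimal_nsec` are names chosen here.

```python
"""Minimally covering NSEC records for on-line signing, in the spirit of RFC 4470 section 4.

Added example; names, helpers and the sample inputs below are the editor's own constructions.
"""

MAX_LABEL = 63   # octets per label (RFC 1035)
MAX_NAME = 255   # octets per wire-format name, length octets and root label included


def parse_name(text: str) -> list[bytes]:
    """Presentation-format name -> list of label byte strings (root omitted); handles \\DDD and \\x escapes."""
    labels, cur, i = [], bytearray(), 0
    text = text.rstrip(".")
    while i < len(text):
        c = text[i]
        if c == "\\":
            digits = text[i + 1:i + 4]
            if len(digits) == 3 and digits.isdigit():
                cur.append(int(digits))
                i += 4
            else:
                cur.append(ord(text[i + 1]))
                i += 2
        elif c == ".":
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur.extend(c.encode())
            i += 1
    if cur:
        labels.append(bytes(cur))
    return labels


def to_text(labels) -> str:
    """Labels -> presentation format, escaping every octet outside printable ASCII as \\DDD (RFC 4343 style)."""
    out = []
    for label in labels:
        s = ""
        for c in label:
            if c in (0x2E, 0x5C):          # '.' and '\\' must be escaped inside a label
                s += "\\" + chr(c)
            elif 0x21 <= c <= 0x7E:
                s += chr(c)
            else:
                s += "\\%03d" % c
        out.append(s)
    return ".".join(out) + "."


def wire_len(labels) -> int:
    """Length of the name in wire format."""
    return sum(len(label) + 1 for label in labels) + 1


def canonical_key(labels):
    """RFC 4034 section 6.1 canonical ordering: labels compared right to left, case-folded, unsigned octets.
    Python tuple/bytes comparison gives exactly that order (a prefix sorts first, fewer labels sort first)."""
    return tuple(bytes(c + 32 if 0x41 <= c <= 0x5A else c for c in label) for label in reversed(labels))


def predecessor(labels) -> list[bytes]:
    """Largest valid name that sorts before `labels`: no valid name can fall between the two."""
    if not labels:
        raise ValueError("the root has no predecessor")
    first, rest = bytearray(labels[0]), list(labels[1:])
    if first == b"\x00":
        return rest                  # \000.rest is the first possible name under rest
    if first[-1] == 0x00:
        first.pop()                  # "ab\000" -> "ab"; the gap is filled with \255 subdomains below
    else:
        first[-1] -= 1               # "ab" -> "aa", then pad the label with \255 as far as the limits allow
        pad = min(MAX_LABEL - len(first), MAX_NAME - wire_len(labels))
        first.extend(b"\xff" * pad)
    out = [bytes(first)] + rest
    while True:                      # prepend \255 labels until the name is at its maximum length
        room = MAX_NAME - wire_len(out) - 1
        if room < 1:
            return out
        out.insert(0, b"\xff" * min(room, MAX_LABEL))


def successor(labels) -> list[bytes]:
    """Smallest valid name that sorts after `labels`."""
    if wire_len(labels) + 2 <= MAX_NAME:
        return [b"\x00"] + list(labels)   # \000.N is the first possible name under N
    # N is at (or one octet below) the length limit, so it can have no subdomains: step the first label instead
    first = bytearray(labels[0])
    if len(first) < MAX_LABEL and wire_len(labels) < MAX_NAME:
        first.append(0x00)
    else:
        while first and first[-1] == 0xFF:
            first.pop()
        if not first:
            raise ValueError("no successor: first label is all \\255 octets")
        first[-1] += 1
    return [bytes(first)] + list(labels[1:])


def covers(owner, next_, name, apex) -> bool:
    """True if the NSEC (owner, next_) proves that `name` does not exist; the last NSEC wraps to the apex."""
    o, n, k = canonical_key(owner), canonical_key(next_), canonical_key(name)
    if n == canonical_key(apex):
        return o < k
    return o < k < n


def minimal_nsec(qname: str, apex: str) -> tuple[str, str]:
    """Owner and next names of the NSEC an on-line signer would synthesise for a nonexistent qname."""
    q, a = parse_name(qname), parse_name(apex)
    if len(q) <= len(a) or q[len(q) - len(a):] != a:
        raise ValueError(f"{qname} is not below {apex}")
    return to_text(predecessor(q)), to_text(successor(q))


if __name__ == "__main__":
    # Constructed query, reusing the name from the thread
    owner, nxt = minimal_nsec("anynameyouwant.house.gov", "house.gov")
    print(owner, "NSEC", nxt)
```

The defensive point for anyone measuring or validating DNSSEC: a synthesised NSEC like this is perfectly valid for the single name it answers, but its owner and next names are not real zone data, so walking from one NSEC to the next (the usual way to enumerate or audit a signed zone) yields nothing, and any tooling that treats NSEC chains as an inventory of the zone must recognise these \000/\255-padded names as on-line-signing artefacts rather than missing records.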