[dns-operations] [Ext] Signing on the fly and UltraDNS

John Levine johnl at taugh.com
Tue Jan 5 15:58:19 UTC 2021


In article <701C6017-9EB5-4660-90A2-4AE0E7E93424 at icann.org> you write:
>That all seems correct. However, I brought the issue to this mailing list, instead of to the UltraDNS folks, because I am using tools that expect host
>names instead of domain names (in this case, dig); now I have to write shims around them. Other signing-on-the-fly mechanisms might cause similar issues
>for dig or other tools.

But wouldn't that equally fail on a SRV record with a _tcp name or a DKIM
key with _domainkey?  If you're poking at the DNS I'd think you need to be
prepared for anything the DNS can return.

It is not clear to me that this stuff is there to prevent enumeration.
The funky names allow zone updates without having to keep the zone in
canonical order to regenerate the NSEC chain.
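As an added illustration (my own code, not part of the original message or any UltraDNS software): the canonical ordering from RFC 4034 section 6.1 that an NSEC chain is built on, showing that adding one owner name (an underscore-label name like the ones above) forces a re-sort and rewrites the predecessor's NSEC record. All names are constructed.

```python
# Canonical DNS name ordering (RFC 4034 section 6.1) and the NSEC chain
# derived from it. Names below are constructed for illustration only.

def canonical_key(name: str):
    """Sort key per RFC 4034 6.1: compare labels from the root end,
    uppercase ASCII folded to lowercase, labels compared as octet strings."""
    labels = [l.lower().encode("ascii")
              for l in name.rstrip(".").split(".") if l]
    return tuple(reversed(labels))

def canonical_order(names):
    """Deduplicated, lowercased owner names in canonical order."""
    return sorted({n.rstrip(".").lower() for n in names}, key=canonical_key)

def nsec_chain(names):
    """(owner, next-name) pairs; the last owner wraps around to the apex."""
    ordered = canonical_order(names)
    return [(ordered[i], ordered[(i + 1) % len(ordered)])
            for i in range(len(ordered))]

def changed_nsec_records(names, new_name):
    """Which NSEC records differ after adding one name to the zone.
    Demonstrates why a static signer must keep the canonical order handy:
    the new name's predecessor gets a new 'next' pointer, and the new
    name needs an NSEC of its own."""
    before = dict(nsec_chain(names))
    after = dict(nsec_chain(list(names) + [new_name]))
    return sorted(o for o in after if before.get(o) != after[o])

if __name__ == "__main__":
    zone = ["example.com", "www.example.com", "_tcp.example.com",
            "Mail.Example.com"]
    for owner, nxt in nsec_chain(zone):
        print(f"{owner} NSEC {nxt}")
    print(changed_nsec_records(zone, "_sip._tcp.example.com"))
```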