[dns-operations] Looking for zones using white lies (RFC 4470)

Shumon Huque shuque at gmail.com
Fri Jan 27 12:23:06 UTC 2023


On Fri, Jan 27, 2023 at 3:39 AM Stephane Bortzmeyer <bortzmeyer at nic.fr>
wrote:

> On Fri, Jan 27, 2023 at 12:19:18AM -0500,
>  Viktor Dukhovni <ietf-dane at dukhovni.org> wrote
>  a message of 30 lines which said:
>
> > Three sample zones:
>
> They all seem to use black lies, not white lies.
>

I took a quick look:

* herokudns.com is definitely "black" ("minimal"?) lies, hosted on NS1,
which uses that method.
* cfcualerts.com appears to use normal pre-computed NSEC3.
* technohazard.io - no idea; my attempts at eliciting negative responses
result in SERVFAIL.

UltraDNS (Neustar Security Services) is known to use NSEC White Lies. I have a test zone there, which you can examine: "ultratest.huque.com".

$ dig +dnssec foobar.nxd.ultratest.huque.com. A +noall +authority
!~.nxd.ultratest.huque.com. 1792 IN     RRSIG   NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. q+TWfjkPmlWs/xVBsZu3kiWyhUqcZJWjq2U28BVoLcT8kCacqjRF1NKM qEss4HsL9VxpAlq7AfRarczZwNtBaA==
!~.nxd.ultratest.huque.com. 1792 IN     NSEC    -.nxd.ultratest.huque.com. RRSIG NSEC
foobaq~.nxd.ultratest.huque.com. 1792 IN RRSIG  NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. UM1w+ZxUTUXCZ/T8xD5cOHOgrJaBHJM7UPFTOs4UlMjkbRcK3L7eEn8M /36nCgTfQNk+cllamUqr5CJ+FuUDFw==
foobaq~.nxd.ultratest.huque.com. 1792 IN NSEC   foobar!.nxd.ultratest.huque.com. RRSIG NSEC
ultratest.huque.com.    1792    IN      SOA     dns01.salesforce.com. hostmaster.salesforce.com. 2019101692 1800 900 2592000 1800
ultratest.huque.com.    1792    IN      RRSIG   SOA 13 3 1800 20230722123724 20230123123724 39543 ultratest.huque.com. 6nhsLNAUv0TYiA6Gp0evnicallUmMEsr0T9qK3GvmkxVy+8FC9v2DsUR rp+o7/QMjKl+dvYncQcIspRZmUlgZw==

Shumon.
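Added example, not the poster's code: a validator-side check, in Python, that the two synthesized NSEC records in the dig output above together prove that foobar.nxd.ultratest.huque.com does not exist (RFC 4035 section 5.4), comparing names in RFC 4034 canonical order. The owner/next pairs are copied from the output above; the wrap-around and closest-encloser handling is general validator logic and assumes plain-ASCII labels.

```python
# Added example (not code from the post): validator-side check that the two NSEC
# records in the dig output above prove NXDOMAIN. Names are compared in DNSSEC
# canonical order (RFC 4034 sec. 6.1); escaped labels such as \000 are not handled.

def labels(name: str) -> tuple:
    """Canonical form of a name: lower-cased labels, root-most label first."""
    parts = [p.encode().lower() for p in name.rstrip(".").split(".") if p]
    return tuple(reversed(parts))

def canon_lt(a: str, b: str) -> bool:
    """True when a sorts strictly before b in canonical order."""
    return labels(a) < labels(b)

def nsec_covers(owner: str, next_name: str, name: str) -> bool:
    """True when an NSEC with this owner/next proves that name does not exist.
    Equal to the owner means the name exists. If next sorts at or before owner,
    this is the zone's last NSEC and its span wraps around to the apex."""
    if labels(name) == labels(owner):
        return False
    if canon_lt(owner, next_name):
        return canon_lt(owner, name) and canon_lt(name, next_name)
    return canon_lt(owner, name) or canon_lt(name, next_name)

def _common_ancestor(a: str, b: str) -> tuple:
    la, lb = labels(a), labels(b)
    n = next((i for i, (x, y) in enumerate(zip(la, lb)) if x != y), min(len(la), len(lb)))
    return la[:n]

def closest_encloser(qname: str, owner: str, next_name: str) -> str:
    """Longest existing ancestor of qname: the deeper of the ancestors it shares
    with the covering NSEC's owner name and with its next name."""
    ce = max(_common_ancestor(qname, owner), _common_ancestor(qname, next_name), key=len)
    return ".".join(lbl.decode() for lbl in reversed(ce)) + "."

def proves_nxdomain(qname: str, nsecs: list) -> bool:
    """RFC 4035 sec. 5.4: one NSEC must cover qname and one must cover the
    wildcard at the closest encloser (the same record may do both)."""
    for owner, nxt in nsecs:
        if nsec_covers(owner, nxt, qname):
            wildcard = "*." + closest_encloser(qname, owner, nxt)
            return any(nsec_covers(o, n, wildcard) for o, n in nsecs)
    return False

# The two synthesized NSEC records from the dig output in the post (owner, next).
ULTRATEST_NSECS = [
    ("!~.nxd.ultratest.huque.com.", "-.nxd.ultratest.huque.com."),
    ("foobaq~.nxd.ultratest.huque.com.", "foobar!.nxd.ultratest.huque.com."),
]
```

Note that the successor name foobar!.nxd.ultratest.huque.com itself is not denied by these records, which is the point of a minimally covering white lie.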