[dns-operations] Assistance Request: OpenDNS Not Resolving Certain .realtor™ Domains

Ondřej Surý ondrej at sury.org
Wed Dec 3 11:34:22 UTC 2025


Yes, this record:

vesdsjhfre0tap5h15gth2f925g1nj4c.realtor. 3600 IN NSEC3 1 1 0 - (
                                VESDSJHFRE0TAP5H15GTH2F925G1NJ4C
                                NS )

proves that there's only a name that hashes to vesdsjhfre0tap5h15gth2f925g1nj4c
in the zone and nothing else. This could only happen in a zone that has only the apex
and nothing else.

So this would be valid:

example.com.            3446    IN SOA  ns.icann.org. noc.dns.icann.org. (
                                        2025111919 ; serial
                                        7200       ; refresh (2 hours)
                                        3600       ; retry (1 hour)
                                        1209600    ; expire (2 weeks)
                                        3600       ; minimum (1 hour)
                                        )
                        3446    RRSIG   SOA 15 2 3446 (
                                        20260102102702 20251203102702 24051 example.com.
                                        +wglWi4gitiNDEcz93Vbxn5drRi0C23skeRU
                                        eDPNTmY3t/zjyvZQ7FSXdudebNl3yN6fStR7
                                        ccTSLdpYJkN/Bw== )
[...]
ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK.example.com. 3446 IN NSEC3 1 0 0 - (
                                        ONIB9MGUB9H0RML3CDF5BGRJ59DKJHVK
                                        NS SOA RRSIG DNSKEY NSEC3PARAM )
                        3446    RRSIG   NSEC3 15 3 3446 (
                                        20260102102702 20251203102702 24051 example.com.
                                        8W6nGAyFtK02tREvsVxrOmC1tuN0WgemuB32
                                        opafcY1wbrQp1E4NRAxmIOWx+QMLWOzLBEFI
                                        LQZYsjWXYdVlAg== )


But NSEC3 for realtor itself is:

6nmm0atqnu3mc2ch7hsp6dqoifc8hkua.realtor. 3600 IN NSEC3 1 1 0 - (
                                K1T21K9PTIPFF8QKUGTO57C6B0AM722R
                                NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY
                                TYPE65534 )

Thus whatever vesdsjhfre0tap5h15gth2f925g1nj4c is, it is not the apex and it just proves
that both realtor and everything except n (where h(n) = vesds...) do not exist.

So, yeah, I am pretty sure that NSEC3 record is in fact invalid.

Ondrej
--
Ondřej Surý (He/Him)
ondrej at sury.org

> On 3. 12. 2025, at 12:03, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> Are you sure that's invalid?  A record that isn't last isn't supposed to
> point backwards, but otherwise must the next value be a strict
> successor (>) or merely not a strict predecessor (>=)?

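The chain rule applied in the message above (a record whose next hash equals its own owner hash asserts a one-name zone, so its owner must be the apex and carry SOA) as an added Python checker; this is example code written for this archive page, not code from the thread or from any resolver. The two record strings are copied from the messages above; the parser, the check function and its wording are assumptions of this example.

```python
import re
from typing import NamedTuple

class NSEC3(NamedTuple):
    owner_hash: str   # first label of the owner name, base32hex, lower-cased
    next_hash: str    # "next hashed owner name" field, lower-cased
    types: frozenset  # RR types listed in the type bit map

def parse_nsec3(rr: str) -> NSEC3:
    """Parse one presentation-format NSEC3 RR (parentheses and newlines allowed)."""
    flat = re.sub(r"[()\s]+", " ", rr).strip().split(" ")
    i = flat.index("NSEC3")
    # RDATA after the type: hash-alg flags iterations salt next-hash [types ...]
    return NSEC3(flat[0].split(".")[0].lower(), flat[i + 5].lower(),
                 frozenset(t.upper() for t in flat[i + 6:]))

def chain_problems(records) -> list:
    """Consistency checks over a complete NSEC3 chain; an empty list means OK.
    base32hex keeps the binary sort order, so string comparison is the hash order."""
    recs = sorted(records, key=lambda r: r.owner_hash)
    probs = []
    for n, r in enumerate(recs):
        last = n == len(recs) - 1
        expected = recs[0 if last else n + 1].owner_hash  # last record wraps to first
        if r.next_hash != expected:
            probs.append(f"{r.owner_hash}: next is {r.next_hash}, expected {expected}")
        if r.next_hash == r.owner_hash:
            # A self-pointing record asserts that no other name exists in the
            # zone, so its owner must be the apex and therefore must list SOA.
            if "SOA" not in r.types:
                probs.append(f"{r.owner_hash}: points to itself but lists no SOA, "
                             "so it cannot be the only name in the zone")
        elif not last and r.next_hash <= r.owner_hash:
            probs.append(f"{r.owner_hash}: next hash is not a strict successor")
    if sum("SOA" in r.types for r in recs) != 1:
        probs.append("exactly one NSEC3 record (the apex) must list SOA")
    return probs

# Records copied from the thread above: the realtor apex and the disputed record.
REALTOR_APEX = """6nmm0atqnu3mc2ch7hsp6dqoifc8hkua.realtor. 3600 IN NSEC3 1 1 0 - (
        K1T21K9PTIPFF8QKUGTO57C6B0AM722R NS SOA RRSIG DNSKEY NSEC3PARAM CDS CDNSKEY TYPE65534 )"""
REALTOR_DISPUTED = """vesdsjhfre0tap5h15gth2f925g1nj4c.realtor. 3600 IN NSEC3 1 1 0 - (
        VESDSJHFRE0TAP5H15GTH2F925G1NJ4C NS )"""

if __name__ == "__main__":
    for p in chain_problems([parse_nsec3(REALTOR_APEX), parse_nsec3(REALTOR_DISPUTED)]):
        print(p)
```

Run against the two realtor records it reports the broken links in both directions and the missing SOA; the self-pointing example.com apex record from the message above passes cleanly.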