Paul Hoffman writes:
> Greetings again. Those of us who research DNSSEC adoption in the real world
> are being a bit stymied by some of the sign-on-the-fly systems, such as this
> one, apparently from UltraDNS. (Similar results are given for any nonexistent
> name in house.gov, such as "www1".)
[...]
> ~.anynameyouwans~.house.gov. 882 IN RRSIG NSEC 13 4 900 20210625144704
> 20201227144704 34842 house.gov.
> cyHvX3u6PVXUmSqWwFbzDEwKDpCLklowf+QnNF5q4hwUulvaZci+n2Ml
> yK7K2Q0ttdsaicN255QJmNU7pBD5qA==
> ~.anynameyouwans~.house.gov. 882 IN NSEC anynameyouwant!.house.gov.
> RRSIG NSEC
> !~.house.gov. 882 IN RRSIG NSEC 13 3 900 20210625144704
> 20201227144704 34842 house.gov.
> gQ8Rwjx/31pXh0Anx9+wYSmj3BRpKp7PGegmEvmdejiVV6UmFfds8YyV
> nqjs9Au1XZVgNjtE9fjQC87nElKUCQ==
> !~.house.gov. 882 IN NSEC -.house.gov. RRSIG NSEC

This kind of trick is documented in RFC 4470 Minimally Covering NSEC
Records and DNSSEC On-line Signing. It gives even weirder names.

Kim Minh.
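Added example, not part of the original message or of any vendor's code: a check that the two NSEC records quoted above form a valid denial under canonical name ordering (RFC 4034 section 6.1), one covering the name and one covering the wildcard. The query name `anynameyouwant.house.gov.` is an assumption (the query is elided in the quote), the closest encloser is assumed to be the zone apex, and signatures are not validated.

```python
def labels(name):
    """Split a presentation-format name into lowercased labels (bytes),
    decoding \\DDD and \\X escapes such as the \\000 and \\255 octets."""
    out, cur, i = [], bytearray(), 0
    while i < len(name):
        c, d = name[i], name[i + 1:i + 4]
        if c == ".":
            out.append(bytes(cur).lower())
            cur = bytearray()
            i += 1
            continue
        if c == "\\" and len(d) == 3 and d.isdigit():
            octet, step = int(d), 4
        elif c == "\\":
            octet, step = ord(name[i + 1]), 2
        else:
            octet, step = ord(c), 1
        cur.append(octet)
        i += step
    if cur:
        out.append(bytes(cur).lower())
    return out

def canonical_key(name):
    # Most significant (rightmost) label first; a parent sorts before its children.
    return tuple(reversed(labels(name)))

def nsec_covers(owner, nxt, qname):
    """True if qname falls strictly between an NSEC owner and its next name."""
    o, n, q = (canonical_key(x) for x in (owner, nxt, qname))
    if o < n:
        return o < q < n
    return q > o  # last NSEC in the chain: next name wraps back to the apex

# (owner, next) pairs copied from the two NSEC records quoted in the message.
PAGE_NSECS = [
    ("~.anynameyouwans~.house.gov.", "anynameyouwant!.house.gov."),
    ("!~.house.gov.", "-.house.gov."),
]
# Assumption: the query name is elided in the quote; this one fits the records.
ASSUMED_QNAME = "anynameyouwant.house.gov."

def proves_nxdomain(nsecs, qname, zone):
    """Simplified check: assumes the closest encloser is the zone apex, so the
    proof needs one NSEC covering qname and one covering *.zone."""
    wildcard = "*." + zone
    return (any(nsec_covers(o, n, qname) for o, n in nsecs)
            and any(nsec_covers(o, n, wildcard) for o, n in nsecs))
```

`proves_nxdomain(PAGE_NSECS, ASSUMED_QNAME, "house.gov.")` returns True, while the same records prove nothing about `www1.house.gov.`, so each signed answer covers only a narrow interval around the queried name.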