On Fri, Oct 08, 2021 at 09:37:34AM +0200, Moritz Müller via dns-operations wrote:
> > I wonder whether this is an attempt to collect the NSEC3 chain for an > > off-line dictionary attack? 12 character random names are long enough > > to sample the space very well, though shorter strings would also do. > > That sounds possible, but doesn’t explain the _dmarc/default labels, right? Indeed the choice of labels is unexplained, a straightforward NSEC3 hash scan would perhaps use just random 2LDs and QTYPE = A. I can't think of why a high volume unsolicited mail batch would use DKIM signatures with random non-existent origin domains, rather than simplky leave the signatures out. I don't know of any advantages to adding such DKIM signatures (DKIM signatures that can't be checked and absent DKIM signatures are supposed to be equivalent). -- Viktor. _______________________________________________ dns-operations mailing list dns-operations@lists.dns-oarc.net https://lists.dns-oarc.net/mailman/listinfo/dns-operations