Hi, Shumon:
I recognize the characteristic output generated by DNSDB :-)
Looking at the NS records in the .COM zone, too, one sees a change of
delegated nameservers in late January:
;; bailiwick: com.
;; count: 120
;; first seen in zone file: 2014-09-22 16:14:40 -0000
;; last seen in zone file: 2015-01-19 17:29:49 -0000
hbonow.com. IN NS ns1.transip.nl.
hbonow.com. IN NS ns2.transip.eu.
hbonow.com. IN NS ns0.transip.net.
;; bailiwick: com.
;; count: 43
;; first seen in zone file: 2015-01-22 17:25:42 -0000
;; last seen in zone file: 2015-03-09 16:25:34 -0000
hbonow.com. IN NS ns1.p38.dynect.net.
hbonow.com. IN NS ns2.p38.dynect.net.
hbonow.com. IN NS ns3.p38.dynect.net.
hbonow.com. IN NS ns4.p38.dynect.net.
The first NS RRset coincides (within hours/days) of the DS and DNSKEY
records appearing.
It appears TransIP is a VPS/DNS/domain/web hosting provider, and they
describe DNSSEC signing as a feature of their DNS hosting service:
https://www.transip.eu/domain-name/transdns/
[...] TransDNS is the foundation of our DNSSEC implementation, a DNS
protocol security extension. Signing more than 500.000 domain names
with DNSSEC was a challenge we gladly took. Because of TransDNS we
were one of the first domain providers in The Netherlands that
signed all domain names. We are now the largest DNSSEC provider in
the world. We could not have done this with third-party solutions.
That is why we develop everything in-house.
I would guess that the hbonow.com domain had a change of registrar and a
change of registrant in late January, and the DS record was somehow left
in place without anyone noticing before yesterday's launch.
Shumon Huque wrote:
> I did a quick check of a passive DNS database, and I see evidence of a
> DNSKEY record, seen only once, and at one point in time ()
>
> count 1
> first seen 2014-09-25 02:51:55 -0000
> last seen 2014-09-25 02:51:55 -0000
> hbonow.com. DNSKEY 256 3 7
> AwEAAbdwDjj6iKhhoft8CChLX27lJtvpeQOJ3Chwj4dD\
> p+jkszfH0BkG fZEA9IG1qMPWlwKnpMuu+zK9UALSCFqHgCOB5twHDDBSQZtcAtEphL2Q
> Sz63p5Cc3\
> dfttmeoRSyrEM3OUb5r4kD+8koRF3J/lqZIjOuGubIwGLyc qQY1WXNj
> hbonow.com. DNSKEY 256 3 7
> AwEAAdCFum57JkPoCzS0VUaS7HWWC2ZBB1AJpirzUAq0\
> fMQ3o5e9hY6G tcxc+/nYwGJOyV9RyGqptgxPdhIQkig5bSjFnFc8vHsXFELP2I9dHccE
> hd6j26W0N\
> cLpvLPMCEFfuXHSaRMFST9hYQQeHQgalMDfwBgbYLc55wFe vYPfhqdh
> hbonow.com. DNSKEY 257 3 7
> AwEAAZ7udsRZQA3WhGVMXSEmgNUFgaSH06sAEhAbiZOE\
> xP51hcmwg+O3 /eouCV7RsePUKkaQQqOo7jDs6D8gj2uFlPG2Vv4bfz6+vv1Xp7sBKGm4
> F9rjxwHpM\
> b7l0RGGejr3vuiURcRYtrbbQu85di8qt7Q9V6YxxryObj5L
> NnM9IB5p5SEpMfGByyA3iuDVvZSw6N2\
> G90/SiNoVbFCW5hTGTocZNDBw
> csTO2WyHrtXebP32tuwOef24nvSlBknI+PNNH3TEg3BPgE+rNQ8mo\
> Y4I Zoz/kw19oHNOi/8Rspa7LCyANg1exaGKWiVnaX5uGBxQmyEH4UKd4iF6 IQK4TC1h4l0=
>
> Was this a temporary test? Or was it installed for a while, but the zone
> was dormant (not queried) for DNSKEY records.
>
> The DS seems to have been there for much longer:
>
> bailiwick com.
> count 162
> first seen in zone file 2014-09-23 16:14:19 -0000
> last seen in zone file 2015-03-09 16:25:34 -0000
> hbonow.com. DS 51249 7 1 90DC90D0578FCFDDF6ED5DE0B35E9652CD2396A8
>
> I'll stop speculated now, and wait for info from definitive sources ..
--
Robert Edmonds
