On Tue, Mar 10, 2015 at 4:58 PM, Robert Edmonds <edmo...@mycre.ws> wrote:
> Hi, Shumon:
>
> I recognize the characteristic output generated by DNSDB :-)
>

My failed attempt to provide you with a minor degree of anonymity! :-)

Thanks for the additional analysis. And I agree with your guesses. A clearer picture of likely events is emerging ..

Shumon.

>
> Looking at the NS records in the .COM zone, too, one sees a change of
> delegated nameservers in late January:
>
> ;; bailiwick: com.
> ;; count: 120
> ;; first seen in zone file: 2014-09-22 16:14:40 -0000
> ;; last seen in zone file: 2015-01-19 17:29:49 -0000
> hbonow.com. IN NS ns1.transip.nl.
> hbonow.com. IN NS ns2.transip.eu.
> hbonow.com. IN NS ns0.transip.net.
>
> ;; bailiwick: com.
> ;; count: 43
> ;; first seen in zone file: 2015-01-22 17:25:42 -0000
> ;; last seen in zone file: 2015-03-09 16:25:34 -0000
> hbonow.com. IN NS ns1.p38.dynect.net.
> hbonow.com. IN NS ns2.p38.dynect.net.
> hbonow.com. IN NS ns3.p38.dynect.net.
> hbonow.com. IN NS ns4.p38.dynect.net.
>
> The first NS RRset coincides (within hours/days) of the DS and DNSKEY
> records appearing.
>
> It appears TransIP is a VPS/DNS/domain/web hosting provider, and they
> describe DNSSEC signing as a feature of their DNS hosting service:
>
> https://www.transip.eu/domain-name/transdns/
>
>     [...] TransDNS is the foundation of our DNSSEC implementation, a DNS
>     protocol security extension. Signing more than 500.000 domain names
>     with DNSSEC was a challenge we gladly took. Because of TransDNS we
>     were one of the first domain providers in The Netherlands that
>     signed all domain names. We are now the largest DNSSEC provider in
>     the world. We could not have done this with third-party solutions.
>     That is why we develop everything in-house.
>
> I would guess that the hbonow.com domain had a change of registrar and a
> change of registrant in late January, and the DS record was somehow left
> in place without anyone noticing before yesterday's launch.
>
> Shumon Huque wrote:
> > I did a quick check of a passive DNS database, and I see evidence of a
> > DNSKEY record, seen only once, and at one point in time ()
> >
> > count 1
> > first seen 2014-09-25 02:51:55 -0000
> > last seen 2014-09-25 02:51:55 -0000
> > hbonow.com. DNSKEY 256 3 7 [...]
> > hbonow.com. DNSKEY 256 3 7 [...]
> > hbonow.com. DNSKEY 257 3 7 [...]
> >
> > Was this a temporary test? Or was it installed for a while, but the zone
> > was dormant (not queried) for DNSKEY records.
> >
> > The DS seems to have been there for much longer:
> >
> > bailiwick com.
> > count 162
> > first seen in zone file 2014-09-23 16:14:19 -0000
> > last seen in zone file 2015-03-09 16:25:34 -0000
> > hbonow.com. DS 51249 7 1 90DC90D0578FCFDDF6ED5DE0B35E9652CD2396A8
> >
> > I'll stop speculating now, and wait for info from definitive sources ..
>
> --
> Robert Edmonds
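
Added example, not part of the original messages: a Python check for the pattern discussed in this thread, a DS RRset in the parent zone that was published under one NS RRset and is still present after the delegation moves to different nameservers. The sample input reuses the zone-file observations quoted above, abridged to two NS records per set and normalized to the ";;" layout; the function names and the overlap heuristic are assumptions of this example, and a hit only means the DS should be verified against the DNSKEY the new nameservers serve.

```python
import re
from datetime import datetime

TS = re.compile(r";; (first|last) seen in zone file: (\S+ \S+)")
def parse_rrsets(text):
    """Parse DNSDB-style text blocks into dicts: type, first, last, rdata."""
    rrsets = []
    for block in text.strip().split("\n\n"):
        rr = {"rdata": []}
        for line in block.splitlines():
            m = TS.match(line)
            if m:
                rr[m.group(1)] = datetime.strptime(m.group(2), "%Y-%m-%d %H:%M:%S")
            elif not line.startswith(";"):
                _owner, _cls, rr["type"], rdata = line.split(None, 3)
                rr["rdata"].append(rdata)
        rrsets.append(rr)
    return rrsets

def stale_ds_candidates(rrsets):
    """DS RRsets first published under one NS RRset and still present under the next."""
    ns = sorted((r for r in rrsets if r["type"] == "NS"), key=lambda r: r["first"])
    hits = []
    for ds in (r for r in rrsets if r["type"] == "DS"):
        for old, new in zip(ns, ns[1:]):
            if ds["first"] <= old["last"] and ds["last"] >= new["first"]:
                hits.append((ds["rdata"][0], old["rdata"], new["rdata"]))
    return hits

# Observations taken from the thread (abridged, normalized to one layout).
SAMPLE = """\
;; first seen in zone file: 2014-09-22 16:14:40 -0000
;; last seen in zone file: 2015-01-19 17:29:49 -0000
hbonow.com. IN NS ns1.transip.nl.
hbonow.com. IN NS ns2.transip.eu.

;; first seen in zone file: 2015-01-22 17:25:42 -0000
;; last seen in zone file: 2015-03-09 16:25:34 -0000
hbonow.com. IN NS ns1.p38.dynect.net.
hbonow.com. IN NS ns2.p38.dynect.net.

;; first seen in zone file: 2014-09-23 16:14:19 -0000
;; last seen in zone file: 2015-03-09 16:25:34 -0000
hbonow.com. IN DS 51249 7 1 90DC90D0578FCFDDF6ED5DE0B35E9652CD2396A8
"""
if __name__ == "__main__":
    for ds, old_ns, new_ns in stale_ds_candidates(parse_rrsets(SAMPLE)):
        print(f"verify DS {ds}: delegation moved {old_ns} -> {new_ns}")
```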