Re: [dns-operations] Looking for zones using white lies (RFC 4470)
shuque> The UltraDNS implementation doesn't use the more precise white
shuque> lies epsilon function defined in the spec, but it is probably
shuque> good enough for all practical purposes.

shuque> And it's much closer to white lies than "black" lies, because it
shuque> preserves the correct semantics of NXDOMAIN.

That's actually a pretty good summary already. Basically a "loose" white lies that was computationally less intensive while trying to be as close to the RFC as was practical.

___
dns-operations mailing list
dns-operations@lists.dns-oarc.net
https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Re: [dns-operations] Looking for zones using white lies (RFC 4470)
On Fri, Jan 27, 2023 at 11:16 AM Paul Ebersman <list-dns-operati...@dragon.net> wrote:

> shuque> UltraDNS (Neustar Security Services) is known to use NSEC White
> shuque> Lies. I have a test zone there,
>
> shuque> which you can examine: "[[ultratest.huque.com]]".
>
> My recollection is that the NSS implementation is really grey lies,
> i.e. not quite RFC white lies but not fully black like cloudflare.
>

Paul - what's the definition of "grey lies"?

The UltraDNS implementation doesn't use the more precise white lies epsilon function defined in the spec, but it is probably good enough for all practical purposes.

And it's much closer to white lies than "black" lies, because it preserves the correct semantics of NXDOMAIN.

Shumon.

Re: [dns-operations] Looking for zones using white lies (RFC 4470)
shuque> UltraDNS (Neustar Security Services) is known to use NSEC White
shuque> Lies. I have a test zone there,

shuque> which you can examine: "[[ultratest.huque.com]]".

My recollection is that the NSS implementation is really grey lies, i.e. not quite RFC white lies but not fully black like cloudflare.

Re: [dns-operations] Looking for zones using white lies (RFC 4470)
On Fri, Jan 27, 2023 at 3:39 AM Stephane Bortzmeyer wrote:

> On Fri, Jan 27, 2023 at 12:19:18AM -0500,
>  Viktor Dukhovni wrote
>  a message of 30 lines which said:
>
> > Three sample zones:
>
> They all seem to use black lies, not white lies.
>

I took a quick look:

* herokudns.com is definitely "black" ("minimal"?) lies, hosted on NS1, which uses that method.
* cfcualerts.com appears to use normal pre-computed NSEC3.
* technohazard.io - no idea; my attempts at eliciting negative responses result in SERVFAIL.

UltraDNS (Neustar Security Services) is known to use NSEC White Lies. I have a test zone there, which you can examine: "ultratest.huque.com".

$ dig +dnssec foobar.nxd.ultratest.huque.com. A +noall +authority
!~.nxd.ultratest.huque.com. 1792 IN RRSIG NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. q+TWfjkPmlWs/xVBsZu3kiWyhUqcZJWjq2U28BVoLcT8kCacqjRF1NKM qEss4HsL9VxpAlq7AfRarczZwNtBaA==
!~.nxd.ultratest.huque.com. 1792 IN NSEC -.nxd.ultratest.huque.com. RRSIG NSEC
foobaq~.nxd.ultratest.huque.com. 1792 IN RRSIG NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. UM1w+ZxUTUXCZ/T8xD5cOHOgrJaBHJM7UPFTOs4UlMjkbRcK3L7eEn8M /36nCgTfQNk+cllamUqr5CJ+FuUDFw==
foobaq~.nxd.ultratest.huque.com. 1792 IN NSEC foobar!.nxd.ultratest.huque.com. RRSIG NSEC
ultratest.huque.com. 1792 IN SOA dns01.salesforce.com. hostmaster.salesforce.com. 2019101692 1800 900 2592000 1800
ultratest.huque.com. 1792 IN RRSIG SOA 13 3 1800 20230722123724 20230123123724 39543 ultratest.huque.com. 6nhsLNAUv0TYiA6Gp0evnicallUmMEsr0T9qK3GvmkxVy+8FC9v2DsUR rp+o7/QMjKl+dvYncQcIspRZmUlgZw==

Shumon.

Re: [dns-operations] Looking for zones using white lies (RFC 4470)
On Fri, Jan 27, 2023 at 12:19:18AM -0500,
 Viktor Dukhovni wrote
 a message of 30 lines which said:

> Three sample zones:

They all seem to use black lies, not white lies.

Re: [dns-operations] Looking for zones using white lies (RFC 4470)
On Thu, Jan 26, 2023 at 08:33:21PM +0100, Stephane Bortzmeyer wrote:

> I'm looking for zones in the wild that are signed using the technique
> of white lies (RFC 4470).
>
> [Not the black lies used by Cloudflare.]

Three sample zones:

herokudns.com. IN SOA dns1.p05.nsone.net. hostmaster.nsone.net. 1661188672 600 900 1209600 10
herokudns.com. IN RRSIG SOA 13 2 60 20230128051202 20230126051202 44688 herokudns.com. [...]
foobarbaz.herokudns.com. IN NSEC \000.foobarbaz.herokudns.com. RRSIG NSEC
foobarbaz.herokudns.com. IN RRSIG NSEC 13 3 10 20230128051202 20230126051202 44688 herokudns.com. [...]

technohazard.io. IN SOA squid.technohazard.io. hostmas...@technohazard.io. 2022081701 900 300 86400 1800
technohazard.io. IN RRSIG SOA 13 2 3600 20230202180551 20230125150551 19807 technohazard.io. [...]
foobarbaz.technohazard.io. IN NSEC \000.foobarbaz.technohazard.io. A TYPE13 TXT TYPE29 TYPE37 TYPE44 RRSIG NSEC TLSA TYPE55 TYPE61 TYPE99
foobarbaz.technohazard.io. IN RRSIG NSEC 13 3 3600 20230204051400 20230127021400 19807 technohazard.io. [...]

cfccualerts.com. IN SOA ns1.dnsbycomodo.net. admin.dns.com. 2021101281 10800 864000 7200 7200
cfccualerts.com. IN RRSIG SOA 13 2 7200 20230129122400 20230109122400 39711 cfccualerts.com. [...]
foobarbaz.*.cfccualerts.com. IN NSEC \000.foobarbaz.*.cfccualerts.com. RRSIG NSEC
foobarbaz.*.cfccualerts.com. IN RRSIG NSEC 13 4 3600 20230129122400 20230109122400 39711 cfccualerts.com. [...]

--
Viktor.

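Added example (not part of any message in this thread): a Python sketch that classifies the NSEC records quoted above by comparing owner and next names with the query name in RFC 4034 canonical order. The function names and the result labels are made up here; the owner/next names come from the records shown in the thread, and `looks_synthesized` is only a heuristic.

```python
def parse_name(text):
    """Presentation-format name -> tuple of lowercased labels, rightmost first."""
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        c = text[i]
        if c == "\\":                      # \DDD decimal escape or \X literal
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                cur.append(int(ddd)); i += 4
            else:
                cur.append(ord(text[i + 1])); i += 2
        elif c == ".":                     # unescaped dot ends a label
            labels.append(bytes(cur).lower()); cur = bytearray(); i += 1
        else:
            cur.append(ord(c)); i += 1
    if cur:
        labels.append(bytes(cur).lower())
    return tuple(reversed(labels))         # tuple order == canonical name order


def classify(qname, owner, nxt):
    """Label one NSEC record relative to the name that was queried."""
    q, o, n = parse_name(qname), parse_name(owner), parse_name(nxt)
    if o == q:
        # NSEC sits at the query name itself: the name is asserted to exist.
        return "black-lies" if n == q + (b"\x00",) else "nodata"
    # Last NSEC in a chain wraps to the apex, so owner > next there.
    covers = (o < q < n) if o < n else (q > o or q < n)
    return "covering" if covers else "unrelated"


def looks_synthesized(probes):
    """Heuristic: every probe gets its own covering span (white-lies style)."""
    spans = {(parse_name(o), parse_name(n)) for _, o, n in probes}
    return len(spans) == len(probes) and all(
        classify(*p) == "covering" for p in probes)


# (qname, NSEC owner, NSEC next) taken from the records quoted in the thread.
ULTRA = [
    ("foobar.nxd.ultratest.huque.com.", "foobaq~.nxd.ultratest.huque.com.",
     "foobar!.nxd.ultratest.huque.com."),
    ("*.nxd.ultratest.huque.com.", "!~.nxd.ultratest.huque.com.",
     "-.nxd.ultratest.huque.com."),
]
HEROKU = ("foobarbaz.herokudns.com.", "foobarbaz.herokudns.com.",
          r"\000.foobarbaz.herokudns.com.")

if __name__ == "__main__":
    for probe in ULTRA + [HEROKU]:
        print(probe[0], "->", classify(*probe))
```

A pre-computed NSEC chain also returns "covering" records, so a single response cannot distinguish it from white lies; spans that differ for every probed name are the signal.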
[dns-operations] Looking for zones using white lies (RFC 4470)
I'm looking for zones in the wild that are signed using the technique of white lies (RFC 4470).

[Not the black lies used by Cloudflare.]

Do you know some?