On Fri, Jan 27, 2023 at 3:39 AM Stephane Bortzmeyer <[email protected]>
wrote:

> On Fri, Jan 27, 2023 at 12:19:18AM -0500,
>  Viktor Dukhovni <[email protected]> wrote
>  a message of 30 lines which said:
>
> > Three sample zones:
>
> They all seem to use black lies, not white lies.
>

I took a quick look:

* herokudns.com is definitely "black" ("minimal"?) lies, hosted on NS1,
which uses that method.
* cfcualerts.com appears to use normal pre-computed NSEC3.
* technohazard.io - no idea; my attempts at eliciting negative responses
result in SERVFAIL.

UltraDNS (Neustar Security Services) is known to use NSEC White Lies. I
have a test zone there, which you can examine: "ultratest.huque.com".

$ dig +dnssec foobar.nxd.ultratest.huque.com. A +noall +authority
!~.nxd.ultratest.huque.com. 1792 IN     RRSIG   NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. q+TWfjkPmlWs/xVBsZu3kiWyhUqcZJWjq2U28BVoLcT8kCacqjRF1NKM qEss4HsL9VxpAlq7AfRarczZwNtBaA==
!~.nxd.ultratest.huque.com. 1792 IN     NSEC    -.nxd.ultratest.huque.com. RRSIG NSEC
foobaq~.nxd.ultratest.huque.com. 1792 IN RRSIG  NSEC 13 5 1800 20230722123724 20230123123724 39543 ultratest.huque.com. UM1w+ZxUTUXCZ/T8xD5cOHOgrJaBHJM7UPFTOs4UlMjkbRcK3L7eEn8M /36nCgTfQNk+cllamUqr5CJ+FuUDFw==
foobaq~.nxd.ultratest.huque.com. 1792 IN NSEC   foobar!.nxd.ultratest.huque.com. RRSIG NSEC
ultratest.huque.com.    1792    IN      SOA     dns01.salesforce.com. hostmaster.salesforce.com. 2019101692 1800 900 2592000 1800
ultratest.huque.com.    1792    IN      RRSIG   SOA 13 3 1800 20230722123724 20230123123724 39543 ultratest.huque.com. 6nhsLNAUv0TYiA6Gp0evnicallUmMEsr0T9qK3GvmkxVy+8FC9v2DsUR rp+o7/QMjKl+dvYncQcIspRZmUlgZw==

Shumon.
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
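
An added example, not part of the original message: a check that the two NSEC records in the dig output above cover the query name and the wildcard, using canonical DNS name ordering (RFC 4034, section 6.1). The function names, the closest encloser "nxd.ultratest.huque.com." (inferred from the NSEC owner names) and the assumption that names contain no escaped characters are all assumptions of this example.

```python
# Added example: canonical DNS name ordering (RFC 4034, section 6.1) applied
# to the NSEC records in the dig output above.
# Assumption: names are plain ASCII with no escaped characters (\. or \DDD).

def canon_key(name):
    """Sort key: labels lowercased, compared right to left as raw bytes."""
    labels = name.rstrip(".").lower().split(".")
    return [label.encode("ascii") for label in reversed(labels)]

def covers(owner, nxt, qname):
    """True if the NSEC (owner -> nxt) spans qname without owner matching it."""
    o, n, q = canon_key(owner), canon_key(nxt), canon_key(qname)
    if o < n:
        return o < q < n
    return q > o or q < n  # last NSEC in the chain wraps back to the apex

def classify(qname, nsecs, closest_encloser):
    """nsecs: list of (owner, next) pairs taken from the authority section."""
    if any(canon_key(o) == canon_key(qname) for o, _ in nsecs):
        return "owner matches qname (black lies style NODATA)"
    wildcard = "*." + closest_encloser  # closest_encloser is supplied by the caller
    name_ok = any(covers(o, n, qname) for o, n in nsecs)
    wild_ok = any(covers(o, n, wildcard) for o, n in nsecs)
    if name_ok and wild_ok:
        return "covering NSECs (NXDOMAIN proof)"
    return "incomplete proof"

# NSEC owner/next pairs copied from the response above.
NSECS = [
    ("!~.nxd.ultratest.huque.com.", "-.nxd.ultratest.huque.com."),
    ("foobaq~.nxd.ultratest.huque.com.", "foobar!.nxd.ultratest.huque.com."),
]
QNAME = "foobar.nxd.ultratest.huque.com."

if __name__ == "__main__":
    print(classify(QNAME, NSECS, "nxd.ultratest.huque.com."))
```

The check validates name coverage only; it does not verify the RRSIGs, and coverage alone cannot tell online-synthesized white lies from a pre-computed NSEC chain.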
