[Dnssec-deployment] DU(edu)Z spotted
Chris Thompson
cet1 at cam.ac.uk
Mon Jul 26 17:43:23 EDT 2010
On Jul 20 2010, I wrote:
>$ dig +multi +noall +answer dnskey edu.
>
>edu. 86081 IN DNSKEY 256 3 7 (
> AwEAAa8zR++++++++++++++++THIS/IS/AN/INVALID/
> KEY/AND/SHOULD/NOT/BE/USED/CONTACT/INFO/AT/E
> DUCAUSE/DOT/EDU+++++++++++++++++++++++++++++
> +++++++++++++++++++++++++++++++++++++++++++8
> ) ; key id = 15328
>edu. 86081 IN DNSKEY 257 3 7 (
> AwEAAawyJ++++++++++++++++THIS/IS/AN/INVALID/
> KEY/AND/SHOULD/NOT/BE/USED/CONTACT/INFO/AT/E
> DUCAUSE/DOT/EDU+++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++++++++++
> ++++++++++++++++++++++++++++++++++++++8=
> ) ; key id = 5330
That's NSEC3-RSASHA1 with Opt-Out, and scattershotting the NSEC3 records
suggests there are 200+ DS records there (all NSEC3 records except that
for the apex indicate the presence of a DS record). If those are genuine,
it would be an impressive number when the zone goes DNSSEC-live, but I
have my suspicions that they may be faked. I haven't yet found a known
"edu" SLD that has a DS record there.
--
Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
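Added example, not part of the original post: one way to test whether a known name has a DS record in an NSEC3 zone is to hash the candidate name as RFC 5155 specifies and look for an NSEC3 owner with that hash whose type list includes DS. The function names are hypothetical, and the two sample records are taken from the example zone in RFC 5155 Appendix A, not from the edu zone.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648 section 7), which NSEC3 uses.
_B32_TO_HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 section 5 hash of a domain name, as a lowercase base32hex label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):  # "iterations" counts the additional rounds
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32_TO_HEX).decode().lower()

def parse_nsec3(line):
    """Parse one single-line NSEC3 record in presentation format."""
    f = line.split()
    i = f.index("NSEC3")
    return {
        "owner_hash": f[0].split(".")[0].lower(),
        "opt_out": bool(int(f[i + 2]) & 1),  # flags field, bit 0 = Opt-Out
        "iterations": int(f[i + 3]),
        "salt": f[i + 4],
        "types": set(f[i + 6:]),
    }

def classify(name, records):
    """'apex', 'signed-delegation', 'other', or None when no NSEC3 owner matches."""
    for r in records:
        if nsec3_hash(name, r["salt"], r["iterations"]) == r["owner_hash"]:
            if "SOA" in r["types"]:
                return "apex"
            return "signed-delegation" if "DS" in r["types"] else "other"
    return None

# Two NSEC3 records from the example zone in RFC 5155 Appendix A.
SAMPLE = [parse_nsec3(l) for l in (
    "0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. 3600 IN NSEC3 1 1 12 aabbccdd "
    "2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG",
    "35mthgpgcu1qg68fab165klnsnk3dpvl.example. 3600 IN NSEC3 1 1 12 aabbccdd "
    "b4um86eghhds6nea196smvmlo4ors995 NS DS RRSIG",
)]
```

A `None` result under Opt-Out means the name is either an unsigned delegation or does not exist; records from `dig +multi` need their parenthesised lines joined before parsing.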