Introduction
I was recently playing around with DNSSEC and figured out that the root DNS zone (.) uses NSEC and not NSEC3 to prove the absence of a resource record. This looked interesting to me and triggered some ideas, so I did some experiments; here are the results.
TL;DR
The most interesting facts:
The root DNS zone uses NSEC and can therefore be DNSSEC zone walked
There are more than 1500 TLDs
More than 90% of all TLDs have DNSSEC configured
The most used algorithm for signing DNS zones is RSA/SHA-256
53 TLDs also use NSEC and can therefore also be DNSSEC zone walked
Note: The results may not be exactly accurate because it was not verified that every query succeeded.
NSEC in the Root Zone
If the DNS root zone (.) is queried for the nameservers of the top level domain gugus. (which does not exist), the following NSEC record and the corresponding RRSIG signature record are returned:
$ dig gugus. NS +dnssec @8.8.8.8 +multiline
[...]
guge. 82883 IN NSEC guide. NS DS RRSIG NSEC
guge. 82883 IN RRSIG NSEC 8 1 86400 (
20200417050000 20200404040000 48903 .
JQDqlkmru8j9MIMtNTkb+Omq3+p/GeJ28ACMetTVacaO
[...]
This NSEC record tells the DNS client that there is no record for any name between guge. and guide., so no NS record exists for gugus. As a side effect, two existing domains are disclosed by this NSEC record. It is now possible to query the root nameservers for the alphabetically next domain by e.g. appending an a to the previously discovered domain, giving guidea.:
$ dig guidea. NS +dnssec @8.8.8.8 +multiline
[...]
guide. [...] IN NSEC guitars. NS DS RRSIG NSEC
[...]
This shows the alphabetically next top level domain, guitars., in the NSEC record. Using this technique, it is possible to enumerate all existing DNS records of a zone; this is called DNSSEC zone walking. In the concrete case of the DNS root zone, this yields a list of all top level domains (TLDs).
A Note on NSEC3
DNSSEC zone walking does not work when NSEC3 is used to prove the absence of a DNS record. If NSEC3 is used, only hashes of domains are returned:
$ dig [...] +dnssec [...]
[...NSEC3 records with hashed owner names and their RRSIG signatures...]
These hashes could be cracked using e.g. hashcat with hash mode 8300. After cracking, the alphabetically next non-existing DNS record could be queried, and so on, in order to get all DNS entries.
DNSSEC Zone Walking in the Root Zone
Of course there are tools that automate the DNSSEC zone walking process, like ldns-walk. So it is possible to get all top level domains by walking through the entire root zone (.):
$ ldns-walk . [...]
. NS SOA RRSIG NSEC DNSKEY
aaa. NS DS RRSIG NSEC
aarp. NS DS RRSIG NSEC
abarth. NS DS RRSIG NSEC
abb. NS DS RRSIG NSEC
[...]
In total, there are more than 1'500 top level domains:
$ wc -l zone_.
1513 zone_.
DNSSEC on the Top Level Domains
Now we have a list of all top level domains. Let’s analyze them for some DNSSEC related configuration.
The following script was used to query the TLDs for this information:
#!/usr/bin/env bash
NAMESERVER="8.8.8.8"
OUTPUTFILE="dnssec-domain-analysis.out"
# start with an empty output file
> "$OUTPUTFILE"
# zone_. holds one TLD per line (first word), as written by ldns-walk
while read domain foo
do
    echo "[*] Domain $domain"
    # DS in the parent (root) zone: is DNSSEC configured at all?
    dig "$domain" DS @"$NAMESERVER"
    # the zone's own keys (KSK and ZSK)
    dig "$domain" DNSKEY @"$NAMESERVER"
    # SOA plus its RRSIG: is the zone actually signed?
    dig "$domain" SOA +dnssec @"$NAMESERVER"
    # a random non-existent name returns the NSEC or NSEC3 denial record
    NXDOMAIN="$(openssl rand -hex 16)"
    dig "$NXDOMAIN.$domain" +dnssec @"$NAMESERVER"
done < zone_. | tee -a "$OUTPUTFILE"
This script does the following:
Query the DS record to check if DNSSEC is configured (the DS record is configured in the parent zone, which is the root zone in this case)
Query the configured DNSSEC keys (should return at least one KSK and ZSK)
Query the SOA record with the according RRSIG record
Query a non-existing domain to check if NSEC or NSEC3 is used
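As an added example (not code from the original post), a Python parser for the file this script writes: it groups the dig records under each [*] Domain marker and derives the per-TLD facts that the rest of the post extracts with awk one-liners. The sample output is constructed for this example; only the guru. DS line is the real record quoted later in the post, and the zone names other than guru. are made up.

```python
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of what the loop above writes: dig output under "[*] Domain"
# markers. Only the guru. DS line is real (it is quoted later in the post); all
# keys, signatures and the other three zones are made up for this example.
SAMPLE_OUTPUT = """\
[*] Domain guru.
guru.  86400  IN  DS      44536 8 1 C0F5EAFD23D5B7839D388545CE577B4BE399D190
guru.  3600   IN  DNSKEY  257 3 8 AwEAAcONSTRUCTEDKSK==
guru.  3600   IN  DNSKEY  256 3 8 AwEAAcONSTRUCTEDZSK1==
guru.  3600   IN  DNSKEY  256 3 8 AwEAAcONSTRUCTEDZSK2==
guru.  900    IN  SOA     ns1.example.net. hostmaster.example.net. 1 900 300 604800 86400
guru.  900    IN  RRSIG   SOA 8 1 900 20200417050000 20200404040000 12345 guru. CONSTRUCTED==
;; AUTHORITY SECTION:
8f1q2v9.guru.  900  IN  NSEC3  1 1 0 - 8f2abc0 NS DS RRSIG
[*] Domain nsec-example.
nsec-example.  86400  IN  DS      4711 13 2 0000CONSTRUCTEDDIGEST0000
nsec-example.  3600   IN  DNSKEY  257 3 13 AwEAAcONSTRUCTEDKSK==
nsec-example.  3600   IN  DNSKEY  256 3 13 AwEAAcONSTRUCTEDZSK==
nsec-example.  900    IN  RRSIG   SOA 13 1 900 20200417050000 20200404040000 4711 nsec-example. CONSTRUCTED==
nsec-example.  86400  IN  NSEC    aaa.nsec-example. NS SOA RRSIG NSEC DNSKEY
[*] Domain broken-example.
broken-example.  86400  IN  DS  815 13 2 0000CONSTRUCTEDDIGEST0000
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 1
[*] Domain unsigned-example.
unsigned-example.  3600  IN  SOA  ns.example. hostmaster.example. 1 900 300 604800 86400
"""


@dataclass
class ZoneSummary:
    domain: str
    ds: list = field(default_factory=list)       # (key tag, algorithm, digest type)
    dnskeys: list = field(default_factory=list)  # (flags, algorithm)
    soa_signed: bool = False                     # an RRSIG covering SOA was seen
    denial: Optional[str] = None                 # "NSEC" or "NSEC3" from the NXDOMAIN query

    @property
    def has_ds(self) -> bool:
        return bool(self.ds)

    @property
    def ksk_count(self) -> int:  # SEP bit set (flags 257) = key signing key
        return sum(1 for flags, _ in self.dnskeys if flags & 1)

    @property
    def zsk_count(self) -> int:  # ZONE bit without SEP (flags 256) = zone signing key
        return sum(1 for flags, _ in self.dnskeys if flags & 256 and not flags & 1)


def parse_probe_output(text: str) -> dict[str, ZoneSummary]:
    """Group the dig records under their '[*] Domain' marker and classify them."""
    zones: dict[str, ZoneSummary] = {}
    current: Optional[ZoneSummary] = None
    for line in text.splitlines():
        if line.startswith("[*] Domain "):
            name = line.split()[2]
            current = zones.setdefault(name, ZoneSummary(name))
            continue
        parts = line.split()
        # record lines look like "<owner> <ttl> IN <type> <rdata...>"; ';' comments are skipped
        if current is None or line.startswith(";") or len(parts) < 5 or parts[2] != "IN":
            continue
        rtype, rdata = parts[3], parts[4:]
        if rtype == "DS":
            current.ds.append((int(rdata[0]), int(rdata[1]), int(rdata[2])))
        elif rtype == "DNSKEY":
            current.dnskeys.append((int(rdata[0]), int(rdata[2])))
        elif rtype == "RRSIG" and rdata[0] == "SOA":
            current.soa_signed = True
        elif rtype in ("NSEC", "NSEC3"):
            current.denial = rtype
    return zones


def ds_algorithm_histogram(zones: dict[str, ZoneSummary]) -> Counter:
    """DS records per signing algorithm (the post's 'print $6 | sort | uniq -c')."""
    return Counter(alg for z in zones.values() for _, alg, _ in z.ds)


def walkable_zones(zones: dict[str, ZoneSummary]) -> list[str]:
    """Zones that deny existence with NSEC and can therefore be zone walked."""
    return sorted(d for d, z in zones.items() if z.denial == "NSEC")


def ds_without_signed_soa(zones: dict[str, ZoneSummary]) -> list[str]:
    """DS in the parent but no RRSIG on the SOA: the broken state the post found for one TLD."""
    return sorted(d for d, z in zones.items() if z.has_ds and not z.soa_signed)
```

Calling parse_probe_output(SAMPLE_OUTPUT) and feeding the result to the three helpers reproduces the post's statistics for the sample: one DS with algorithm 8, two with 13, one NSEC zone and one zone whose DS is not backed by a signed SOA.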
Analysis: DNSSEC Enabled Domains
Searching for all TLDs that have a DS record configured and are therefore ready for DNSSEC:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort -u
aaa.
aarp.
abarth.
abb.
[...]
In total, 1375 domains have a DS record configured:
$ wc -l has_ds_record
1375 has_ds_record
This is ~91% of all top level domains:
$ bc -l
1375/1514
.90819022457067371202
The following domains do not have DNSSEC configured:
$ [...] | cut -d' ' -f1 | column
[...list of TLDs without a DS record...]
Testing whether every domain with a DS record also has a signed SOA record, and writing the results into a file:
$ while read domain; do
    [...]
  done < has_ds_record [...]
[...]
There is one zone that has a DS record but no signed SOA record (xn--mgbai9azgqp6j. is punycode for پاکستان., which is Pakistan):
$ [...]
xn--mgbai9azgqp6j. [...]
This domain always returns a SERVFAIL:
$ dig xn--mgbai9azgqp6j. SOA [...]
[...]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: [...]
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
[...]
$ dig xn--mgbai9azgqp6j. SOA @ns1.ntc.net.pk.
[...]
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 3008
This means that all other domains that have a DS record configured also sign their zone.
However, some days later, the domain had a signed SOA record:
$ dig xn--mgbai9azgqp6j. SOA +dnssec [...]
[...SOA record with MNAME ns1.ntc.net.pk. and its RRSIG...]
Analysis: DS Records
It is possible to have multiple DS records, but most domains have exactly one DS record configured. This shows the number of domains and the number of DS records:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort | uniq -c [...]
[...]
A DS record looks like this:
guru. 86400 IN DS 44536 8 1 C0F5EAFD23D5B7839D388545CE577B4BE399D190
DS record details:
The 1st number after the DS keyword is the key tag (key ID), which is used to match the DNSKEY in the zone itself.
The 2nd number after the DS keyword is the algorithm used by the key for signing the DNS zone (see https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml for the entire list):
1 = RSA/MD5
2 = Diffie-Hellman
3 = DSA/SHA1
5 = RSA/SHA1
6 = DSA-NSEC3-SHA1
7 = RSASHA1-NSEC3-SHA1
8 = RSA/SHA-256
10 = RSA/SHA-512
12 = GOST R 34.10-2001
13 = ECDSA Curve P-256 with SHA-256 (ECDSA-P256/SHA256)
14 = ECDSA-P384/SHA384
15 = ED25519
16 = ED448
The 3rd number after the DS keyword is the digest (hash) algorithm used for the DS record:
1 = SHA-1
2 = SHA-256
3 = GOST R 34.11-94
4 = SHA-384
The 4th field after the DS keyword is the digest (hash) of the DNSKEY itself.
No domain has multiple DS records configured with different signing algorithms:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort -u | cut -d' ' -f1 | uniq -c [...]
Most domains have a DS record configured that points to a DNSKEY that uses RSA/SHA-256 to sign the zone. This shows the number of domains and the used signing algorithms:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort | uniq -c [...]
[...]
Most domains only have one key configured (unique key ID). This shows the number of domains and the number of different key IDs:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort -u | cut -d' ' -f1 | uniq -c [...]
[...]
The most popular hashing algorithm in the DS record is SHA2. Only SHA2 and SHA1 are used:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort | uniq -c [...]
[...]
All domains have a unique DNSKEY hash, so no domain is signed by the same key:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort | uniq -c | sort -nr [...]
[...]
Analysis: DNSKEYS
A DNSKEY record looks like this:
ch. 34568 IN DNSKEY 257 3 13 8Tb8/h/ON8XsvUxjxUJyFLykQUUEyY80LACtat0nN+S0TOjoQ8o5e+huum6ZOJx1bVh4PaUfoUvNBUS77VWB0Q==
DNSKEY record details:
The 1st number after the DNSKEY keyword is the key type (the flags field):
257 = KSK, Key Signing Key (a hash of this key is in the DS record in the parent zone, and the key is used to sign the ZSK)
256 = ZSK, Zone Signing Key (this key is used to sign the records in this zone)
The 2nd number after the DNSKEY keyword is the protocol, which is always 3 in DNSSEC.
The 3rd number after the DNSKEY keyword is the algorithm that is used for signing:
1 = RSA/MD5
2 = Diffie-Hellman
3 = DSA/SHA1
5 = RSA/SHA1
6 = DSA-NSEC3-SHA1
7 = RSASHA1-NSEC3-SHA1
8 = RSA/SHA-256
10 = RSA/SHA-512
12 = GOST R 34.10-2001
13 = ECDSA Curve P-256 with SHA-256 (ECDSA-P256/SHA256)
14 = ECDSA-P384/SHA384
15 = ED25519
16 = ED448
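As an added example (not code from the original post), the two DS fields described in the DS section above can be recomputed from a DNSKEY record like the one just shown: the key tag (RFC 4034 Appendix B) and the digest over the owner name plus the DNSKEY RDATA (RFC 4034 section 5.1.4), which is the check an operator runs to confirm that the DS published in the parent really points at the child's key. CH_KSK is the .ch record quoted above; example. with the key AQIDBA== is a constructed toy key whose tag can be verified by hand.

```python
import base64
import hashlib

# DS digest types from the list above; 3 (GOST R 34.11-94) is not in hashlib.
DIGEST_TYPES = {1: "sha1", 2: "sha256", 4: "sha384"}


def owner_name_wire(name: str) -> bytes:
    """Canonical wire form: length-prefixed lowercase labels ending in the root label."""
    labels = [label for label in name.lower().split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def dnskey_rdata(flags: int, protocol: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA as on the wire: 2-byte flags, protocol, algorithm, raw public key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B: 16-bit checksum of the RDATA; this is the first DS field."""
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner: str, rdata: bytes, digest_type: int) -> str:
    """RFC 4034 5.1.4: hash of owner name (wire form) || DNSKEY RDATA; the last DS field."""
    h = hashlib.new(DIGEST_TYPES[digest_type])
    h.update(owner_name_wire(owner) + rdata)
    return h.hexdigest().upper()


def parse_dnskey(line: str):
    """Parse dig output such as 'ch. 34568 IN DNSKEY 257 3 13 <base64>'."""
    parts = line.split()
    i = parts.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in parts[i + 1:i + 4])
    return parts[0], flags, protocol, algorithm, base64.b64decode("".join(parts[i + 4:]))


def parse_ds(line: str):
    """Parse dig output such as 'guru. 86400 IN DS 44536 8 1 <hex digest>'."""
    parts = line.split()
    i = parts.index("DS")
    tag, algorithm, digest_type = (int(x) for x in parts[i + 1:i + 4])
    return parts[0], tag, algorithm, digest_type, "".join(parts[i + 4:]).upper()


def ds_from_dnskey(dnskey_line: str, digest_type: int = 2) -> str:
    """The DS record the parent zone should publish for this DNSKEY."""
    owner, flags, protocol, algorithm, key = parse_dnskey(dnskey_line)
    rdata = dnskey_rdata(flags, protocol, algorithm, key)
    return (f"{owner} IN DS {key_tag(rdata)} {algorithm} {digest_type} "
            f"{ds_digest(owner, rdata, digest_type)}")


def ds_matches_dnskey(ds_line: str, dnskey_line: str) -> bool:
    """Does the parent's DS really point at this DNSKEY? Checks owner, algorithm, tag, digest."""
    ds_owner, tag, algorithm, digest_type, digest = parse_ds(ds_line)
    owner, flags, protocol, key_alg, key = parse_dnskey(dnskey_line)
    if ds_owner.lower() != owner.lower() or algorithm != key_alg or digest_type not in DIGEST_TYPES:
        return False
    rdata = dnskey_rdata(flags, protocol, key_alg, key)
    return tag == key_tag(rdata) and digest == ds_digest(owner, rdata, digest_type)


# CH_KSK is the .ch key quoted above (real record from the post). TOY_ZSK is a
# constructed key whose RDATA is 01 00 03 0d 01 02 03 04, so its tag (2067) can
# be checked by hand: 0x0100 + 0x030d + 0x0102 + 0x0304 = 2067.
CH_KSK = ("ch. 34568 IN DNSKEY 257 3 13 8Tb8/h/ON8XsvUxjxUJyFLykQUUEyY80LACtat0nN+S0TOjo"
          "Q8o5e+huum6ZOJx1bVh4PaUfoUvNBUS77VWB0Q==")
TOY_ZSK = "example. 3600 IN DNSKEY 256 3 13 AQIDBA=="

if __name__ == "__main__":
    for line in (CH_KSK, TOY_ZSK):
        print(ds_from_dnskey(line))
    ds = ds_from_dnskey(TOY_ZSK)
    tampered = ds[:-1] + ("0" if ds[-1] != "0" else "1")  # flip the last digest nibble
    print("consistent:", ds_matches_dnskey(ds, TOY_ZSK))       # True
    print("tampered:  ", ds_matches_dnskey(tampered, TOY_ZSK))  # False
```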
Most domains have only one KSK configured. This shows the number of domains and the number of configured KSK keys:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort | uniq -c [...]
[...]
Most domains have two ZSKs configured. This shows the number of domains and the number of configured ZSK keys:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort | uniq -c [...]
[...]
The following domains have multiple ZSKs configured with different signing algorithms:
$ awk '[...]' dnssec-domain-analysis.out [...]
[...]
The same domains have also KSKs configured with different signing algorithms:
$ diff -s <(awk '[...]' dnssec-domain-analysis.out | sort -u) \
          <(awk '[...]' dnssec-domain-analysis.out | sort -u)
Files /dev/fd/63 and /dev/fd/62 are identical
Because the analysis of the DS records above shows that no zone has multiple signing algorithms configured in the DS record, there are probably unused keys configured, due to key rotation or similar.
The most used signing algorithm over all keys is RSA/SHA-256. This shows the number of DNSKEYS and the according signature algorithm:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort | uniq -c [...]
[...]
These numbers are in a similar ratio to the algorithms used in the DS records, but generally higher, because a domain can have multiple DNSKEYs configured.
There are domains that have multiple DNSKEYS configured with different signature algorithms:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort -u | cut -d' ' -f1 | uniq -c | sort -nr [...]
[...]
For example, India (in.) has two DS records that point to DNSKEYs that use RSA/SHA-256 for signing, but there are also two other DNSKEYs (a KSK and a ZSK) that use the RSASHA1-NSEC3-SHA1 algorithm:
$ dig in. DS +short
[...]
$ dig in. DNSKEY +short
[...]
The records are then also signed using both keys (this can be seen on the key IDs 9182 and 65169):
$ dig in. [...] +dnssec [...]
[...RRSIG records with key tags 9182 and 65169...]
Analysis: NSEC/NSEC3
In total, 53 domains use NSEC:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort -u | wc -l
53
This means it’s also possible to DNSSEC zone walk through the following zones:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort -u
[...the 53 TLDs that answer with NSEC...]
This is for example the entire arpa. zone, where the famous in-addr.arpa. and its IPv6 equivalent ip6.arpa. can be seen:
$ ldns-walk arpa.
arpa. [...]
as112.arpa. [...]
e164.arpa. [...]
home.arpa. [...]
in-addr.arpa. [...]
in-addr-servers.arpa. [...]
ip6.arpa. [...]
ip6-servers.arpa. [...]
ipv4only.arpa. [...]
iris.arpa. [...]
uri.arpa. [...]
urn.arpa. [...]
It is also possible to walk through further zones below arpa.:
$ ldns-walk in-addr.arpa.
[...]
$ ldns-walk ip6.arpa.
[...]
$ ldns-walk uri.arpa.
uri.arpa. [...]
ftp.uri.arpa. NAPTR [...]
http.uri.arpa. NAPTR [...]
mailto.uri.arpa. NAPTR [...]
urn.uri.arpa. NAPTR [...]
Most TLDs use NSEC3:
$ awk '[...]' dnssec-domain-analysis.out \
    | sort -u | wc -l
1309
The number of NSEC and NSEC3 domains does not match the number of domains that have a DS record configured. This is probably due to some timeouts during the tests where no response was received; this was not analyzed further. It is possible that I missed some details because of these timeouts. However, the statistics still give a good overview of the DNSSEC configuration of the top level domains.
MX Records for TLDs
During the analysis I was wondering if there are TLDs that have an MX record set up. The following have an MX record configured:
$ awk '[...]' dnssec-domain-analysis.out [...]
[...list of TLDs with an MX record and the configured mailservers...]
It would be interesting to see if these mailservers would actually accept and deliver mail for these TLDs.
It is also interesting that several of these MX records contain your-dns-needs-immediate-attention. These names always resolve to 127.0.53.53:
$ dig your-dns-needs-immediate-attention.arab. +short
127.0.53.53
The TXT record gives more information about that:
$ dig your-dns-needs-immediate-attention.arab. TXT +short
"Your DNS configuration needs immediate attention see https://icann.org/namecollision"
This mechanism is used to detect when operating a private domain name (e.g. a non-delegated TLD) results in a query to the public DNS, which should not happen. The IP 127.0.53.53 is chosen so that it is quickly found in logfiles, which can then be used to alert the administrators.
Quote from this website:
127.0.53.53 is a special IPv4 address that will appear in system logs alerting system administrators that there is potential name collision issue, enabling a quick diagnosis and remediation. The “53” is used as a mnemonic to indicate a DNS-related problem owing to the use of network port 53 for the DNS service.
That's it
I hope you learned something new about DNSSEC or the Internet :)