Jan 30

Partly out of curiosity about the usage of NSEC3 (see RFC 5155) and partly to experiment with BIND 10's Python DNS library, I've written a small Python script that uses the BIND 10 library and checks whether and how NSEC3 is used in top level domains (TLDs). Of particular interest to me was whether there was a non Opt-Out TLD, because Opt-Out was one major advertised feature of NSEC3, especially for very large zones (many TLDs are very large) with many insecure delegations (which should also be the case today for many TLDs).

Overall the results were not so different from what I had expected, but I still found some (to me) interesting facts:

  • Some TLDs (still? or intentionally?) use NSEC, including “cutting edge” TLDs in this area like .se.
  • Some, seemingly large, TLDs are (also seemingly) not Opt-Out zones.
  • There's one TLD that uses quite a large number of hash iterations (150).
  • The experiment identified a bug in BIND 10. :-)
