Enumerating DNSSEC NSEC and NSEC3 Records
by Javantea, Oct 25, 2014 - Jan 25, 2015
Introduction
By the way we're not any geeks, we hack into NASA
-- Dual Core "All The Things"
dnssec-research-0.2.tar.xz [sig] 279MB
torrent [magnet]
nsec3walker-javantea.patch [sig]
ldns-endless-workaround.patch [sig]
passphrase-0.1.tar.xz [sig]
Git repository for passphrase: git clone https://www.altsci.com/repo/passphrase.git
DNSSEC has an interesting design flaw: it was designed around precomputation of all signed data. The keys are held offline so they cannot be seized in a compromise of the server. This presents a problem because the non-existence of a domain cannot be easily precomputed. (Does abcdefg1234567.yourdomain.com exist? No, abcdefg1234567.yourdomain.com doesn't exist. If the response were simply "No", an attacker could replay that response against a domain that did exist. If the response were not signed, an attacker could generate their own "No" responses. If the server didn't respond at all, the resolver would have to wait until a timeout occurred, which could take a minute depending on the implementation.) To solve this problem, they created NXT records, and after that NSEC records. Almost no servers use NXT, but it's easy enough to parse those. An NSEC record names the two existing names nearest to the requested name in the zone's sorted order. Hackers found that this results in name enumeration and wrote tools to use it. Dan J. Bernstein describes this attack on his page DNS database espionage [1]. In response, Dan Kaminsky's DNSSEC proxy Phreebird dynamically generates NSEC3 responses that do not divulge any information. This research shows that no TLDs currently use Phreebird.
What can you get out of NSEC and NSEC3 records? Every subdomain of nasa.gov? See below. Every subdomain of .br? Every subdomain of hpc.mil? Every subdomain of paypal.com? It turns out that there are millions of domains that can be enumerated with NSEC3 and NSEC walkers, and that is exactly what I have done. ldns-walk allows enumeration of NSEC records, and a patch to nsec3walker is available above. A bug in ldns-walk causes an endless while loop for some domains; a workaround has been made available until a fix is found.
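To make the walking mechanic concrete, here is an added example (not code from the article, nor from ldns-walk or nsec3walker) that builds the NSEC chain for a small constructed zone and walks it the way a client-side tool would: each query asks about a name that sorts immediately after the current one, and the covering NSEC record's "next owner" field hands back the following real name. The zone contents, the apex example.com and the broken chain are all made up. The cycle guard covers the case where a chain never returns to the apex, which is how an endless-loop condition like the ldns-walk bug mentioned above presents itself to a walker.

```python
"""Simulated NSEC chain walk over a constructed zone (added example; not the
article's tooling or data). Names, records and the apex are all made up."""


def canonical_key(name):
    """Sort key implementing RFC 4034 canonical name order: labels are compared
    right to left (TLD first), case-insensitively, and a name sorts before any
    name it is a parent of (a shorter tuple compares smaller)."""
    labels = name.rstrip(".").lower().split(".")
    return tuple(reversed(labels))


def build_nsec_chain(names):
    """Build {owner: next_owner} the way a signer does: sort the zone's names
    canonically and point each at its successor, the last wrapping to the first
    (the apex). Constructed stand-in for a zone's NSEC records."""
    ordered = sorted(set(names), key=canonical_key)
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}


def covering_nsec(chain, qname):
    """The NSEC record an authoritative server returns for qname: the one whose
    owner <= qname < next in canonical order. The last record (whose next is
    the apex, so next <= owner) covers everything that sorts after it."""
    q = canonical_key(qname)
    for owner, nxt in chain.items():
        o, n = canonical_key(owner), canonical_key(nxt)
        wraps = n <= o
        if (not wraps and o <= q < n) or (wraps and (q >= o or q < n)):
            return owner, nxt
    raise ValueError("no NSEC record covers %r; chain is broken" % qname)


def walk_nsec(chain, apex, max_steps=100000):
    """Enumerate every name in the zone by following 'next owner' pointers from
    the apex. Each step asks about a name that sorts immediately after the
    current one (a leading \\000 label, as ldns-walk does), so the covering
    record's next field reveals the following existing name. Returns the names
    and whether the chain closed back at the apex; a chain that never does
    (the endless-loop condition the article hit) is reported as incomplete."""
    found, seen, current = [apex], {apex}, apex
    for _ in range(max_steps):
        _owner, nxt = covering_nsec(chain, "\x00." + current)
        if nxt == apex:
            return found, True
        if nxt in seen:
            return found, False
        found.append(nxt)
        seen.add(nxt)
        current = nxt
    return found, False


# Constructed zone contents; the insertion order here is deliberately unsorted.
APEX = "example.com"
ZONE_NAMES = [APEX, "www.example.com", "mail.example.com", "_tcp.example.com",
              "dev.example.com", "vpn-old.example.com"]

# A deliberately broken (constructed) chain whose pointers cycle without
# ever returning to the apex.
BROKEN_CHAIN = {APEX: "a.example.com", "a.example.com": "b.example.com",
                "b.example.com": "a.example.com"}

if __name__ == "__main__":
    names, complete = walk_nsec(build_nsec_chain(ZONE_NAMES), APEX)
    print("\n".join(names))
    print("chain closed at apex:", complete)
```

Note that `_tcp.example.com` comes out before `dev.example.com`: canonical order is byte order, and `_` sorts before the lowercase letters, which is why the `_spf` and `_tcp` names appear at the top of the nasa.gov list further down this page.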
All of these methods and attacks are 5 years old. What's the deal? Since 2009, the government of the United States and many other NICs have mandated the use of DNSSEC on many servers or simply signed all domains below their TLD. Adoption of DNSSEC has increased by orders of magnitude. In fact, nsec3walker is unable to collect all of .com in a single attempt, as one might expect. Patches are necessary to get nsec3walker to collect com NSEC3 records because com has no salt (nsec3walker was designed to assume that a salt was required). As more and more hashes are added, finding a name whose hash falls between two existing hashes becomes exponentially slower. For example, try finding a domain name that hashes between 00000000aaaaaaaaaaaaaaaaaaaaaaaa and 00000000bbbbbbbbbbbbbbbbbbbbbbbb. The odds of finding a hash between those two are approximately 2^44:1, which means it will take trillions of hashes to find one. This is the basis for the proof of work that has been very popular in programming since its use in Bitcoin (and before that, HashCash [2]).
The entirety of com was only 396191 domains, which means that only nameservers that have opted in to DNSSEC can be enumerated. However, this shows that systems that opt in to DNSSEC are uncovered by hash cracking, giving users a clear reason not to use DNSSEC. Furthermore, the results from NSEC walking show that if a nameserver chooses to use DNSSEC, NSEC3 merely costs those who wish to enumerate it CPU time. Targeted attacks are much more effective against NSEC3 than generic attacks because an attacker can add a word to the cracking practically for free. For example, testing the three domains:
microsofta.com
microsoftb.com
microsoftc.com
against all hashes in com is as easy as hashing the three domains:
a.com
b.com
c.com
This makes it possible to guarantee that none of the hashes are name + letter * 7, because with only 37 valid characters in domain names there are only 95 billion unique name + letter * 7 combinations. It takes minutes to crack all possible values. Similarly, letter * 7 + name and letter * 4 + name + letter * 3 take the same amount of time. The portion of the AI3 wordlist made up of valid domain names is only 3678794 words long. This means that we can crack word + word + name, name + word + word, and word + name + word for 13.5 trillion SHA1 hashes (assuming that the domain uses a single iteration, as com does). This takes weeks on a CPU but less time on a GPU. I spent a month and a half doing exactly this with the first 8000 words from the AI3 wordlist as well as brute force, with incredible success. I was able to crack 226346 of the 396932 com hashes found (57%). By using brute force, I was guaranteed to find all short domain names, which leaves only long domain names for Markov chain cracking and passphrase cracking. As I said before, the AI3 wordlist is very effective against weak passphrases. Therefore we can only expect long or complex domains to remain. While you may reject the notion that over 43% of domain names that use DNSSEC are long and complex enough to make cracking difficult, I recommend trying oclHashcat against these NSEC3 hashes to verify my findings.
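The gap argument in the previous paragraph and the word-plus-name cracking described in this one both come down to the NSEC3 hash function itself (RFC 5155: SHA-1 over the wire-format owner name with the salt appended, repeated for the configured iteration count, then base32hex). The following added example, which is not the article's tooling nor code from nsec3walker, John or oclHashcat, implements that hash, computes how much of the 160-bit hash space lies between the two example hashes quoted above (and therefore how many candidates one expects to hash before landing in the gap), and shows how a zone operator can check their own NSEC3 chain against a wordlist to measure how much the hashing actually hides. The salt aabbccdd with 12 iterations is the RFC 5155 Appendix A test vector; the zone names and the wordlist in `demo()` are constructed.

```python
"""NSEC3 hashing per RFC 5155 and two checks built on it (added example, not the
article's tooling): the cost of hitting a gap between two hashes, and how much of
a zone's NSEC3 chain a dictionary of labels recovers."""
import base64
import hashlib

# NSEC3 uses the base32 "extended hex" alphabet (RFC 4648 section 7); Python's
# b32encode/b32decode use the standard alphabet, so translate between them.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")
_B32HEX_TO_B32 = str.maketrans("0123456789ABCDEFGHIJKLMNOPQRSTUV",
                               "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567")

# RFC 5155 Appendix A parameters (salt aabbccdd, 12 iterations).
RFC5155_SALT, RFC5155_ITERATIONS = "aabbccdd", 12


def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels,
    terminated by the zero-length root label."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name, salt_hex="", iterations=0):
    """RFC 5155 section 5: IH(0) = SHA1(name || salt), IH(k) = SHA1(IH(k-1) || salt).
    Returns the 32-character lowercase base32hex digest used as the NSEC3 owner label.
    Pass "" (or "-") for salt_hex when the zone publishes no salt, as com does."""
    salt = bytes.fromhex(salt_hex) if salt_hex not in ("", "-") else b""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def b32hex_to_int(hashed):
    """Decode a 32-character base32hex NSEC3 hash to its 160-bit integer value."""
    raw = base64.b32decode(hashed.upper().translate(_B32HEX_TO_B32))
    return int.from_bytes(raw, "big")


def gap_cost(lower_hash, upper_hash):
    """Fraction of the 160-bit SHA-1 space strictly between two NSEC3 hashes, and
    the expected number of candidate names to hash before one lands in that gap.
    Adjacent hashes leave no room, so nothing can ever fall between them."""
    lo, hi = b32hex_to_int(lower_hash), b32hex_to_int(upper_hash)
    gap = hi - lo - 1
    if gap <= 0:
        return 0.0, float("inf")
    p = gap / 2 ** 160
    return p, 1 / p


def recover_names(nsec3_owners, candidate_names, salt_hex, iterations):
    """Map each hashed owner in an NSEC3 chain back to the candidate name that
    produces it. Run over your own chain with a wordlist, this measures how many
    of a zone's names NSEC3 actually keeps private."""
    lookup = {nsec3_hash(c, salt_hex, iterations): c for c in candidate_names}
    return {h: lookup[h] for h in nsec3_owners if h in lookup}


def demo():
    """Constructed zone and wordlist: three of the four names are in the list."""
    zone_names = ["example", "ns1.example", "mail.example", "q7x-internal.example"]
    chain = [nsec3_hash(n, RFC5155_SALT, RFC5155_ITERATIONS) for n in zone_names]
    words = ["www", "ns1", "ns2", "mail", "ftp", "vpn"]
    candidates = ["example"] + [w + ".example" for w in words]
    return recover_names(chain, candidates, RFC5155_SALT, RFC5155_ITERATIONS)


if __name__ == "__main__":
    print("H(example) =", nsec3_hash("example", RFC5155_SALT, RFC5155_ITERATIONS))
    p, tries = gap_cost("00000000aaaaaaaaaaaaaaaaaaaaaaaa", "00000000bbbbbbbbbbbbbbbbbbbbbbbb")
    print("gap probability %.3g, expected candidates %.3g" % (p, tries))
    for h, name in demo().items():
        print(h, "->", name)
```

The two hashes from the text are base32hex, so their common eight-character zero prefix already pins 40 bits; the remaining `a...a` to `b...b` range is about 1/31 of what is left, which is where the "trillions of hashes" figure comes from. The gap and recovery checks are independent of the signer's iteration count only in the sense that every candidate costs iterations + 1 SHA-1 calls, which is the "cpu time" the text refers to.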
The relevance of this project may seem slight when you first hear about it. Domain enumeration is fun, but it is not a very productive use of time. DNSSEC is not a priority in the eyes of millions of users who don't benefit from it because their servers don't employ it. Google doesn't sign their domain (though the Google public DNS server supports DNSSEC), Microsoft doesn't sign their domain, Apple doesn't sign their domain, and Amazon doesn't sign their domain. Who then has picked it up? Governments, ICANN [3], NICs, and a select number of nameservers. Governments and ICANN have a broad vision of security for everyone where the keys are held by a few. This trust model, where ICANN can sign any key they wish, sounds awfully familiar. It is reminiscent of X.509, where every root CA can create a certificate for any domain they wish. Instead of sharing the trust between N untrusted entities, we only need to trust ICANN, Verisign, and the registrar to trust a signature. Thus the trust model reduces from M-to-N to M-to-3. How convenient for ICANN and Verisign that they hold the keys. Of course, a single signature found that shouldn't exist will topple the trust in DNSSEC. This is why computer security researchers like Dan Kaminsky found themselves enamored with DNSSEC: it is a solution to the DNS man-in-the-middle problem that only requires trust in three entities [9]. That trust could easily be saved for months in caches, so an attacker would have to wait months for the cache to renew even if they had a key signed by the root [4]. Dan Kaminsky spent a lot of time writing Phreeshell and Phreeload, two programs that use DNSSEC to give users and servers authentication for free.
This system does not fit our attack model, though. Keys are easily turned over to the government when a warrant is given, or even when one isn't. In all likelihood the NSA has the private keys for the root and most if not all TLDs. Don't think this is a slippery slope argument, because the government has already used poisoning of names to serve malware [5] (whether they used DNS or not). The United States government is not a benign entity, and it seeks power in any way it can. Indeed, the US government is the very entity we need secure software to defend against. Adding DNSSEC is not a vulnerability in our networks, but it is yet another broken protocol with insufficient security added to the landscape, taking the place of real solutions. The amount of backing and support that DNSSEC has received is deserved by other solutions. Since the start of this project in October 2014, 27 TLDs have adopted DNSSEC. That means DNSSEC adoption is hastening, not slowing. If we want this protocol not to exist in the future, we have to ensure that those who use it wish that they did not. We can replace DNS with a protocol that has real security without requiring trust in a few large entities.
The fact that DIME relies upon DNSSEC to provide end-to-end e-mail encryption [6] is a serious flaw in the design of the protocol. Since DNSSEC can be replaced with a similar technology that is able to verify the authenticity of data using a root of trust, this is a fixable problem. However, it will not be fixed until the replacement technology is adopted by users of DIME.
Data
Subdomains found using NSEC walking
Note that this list only includes a handful of the thousands of domains that support NSEC.
Download *.nasa.gov
Download *.hpc.mil
Download *.paypal.com
Download *.comcast.net
Download *.berkeley.edu
Download *.stanford.edu
Download *.upenn.edu
Download *.bucknell.edu
Download *.ucsc.edu
Download *.iastate.edu
Download *.csumb.edu
Download *.gsu.edu
Download *.pacificu.edu
Download *.umbc.edu
Download *.fhsu.edu
Download *.drake.edu
Download *.gotpantheon.com
Download *.mst.edu
Download *.bradley.edu
Download *.chattanoogastate.edu
Download *.psc.edu
Download *.yandex.com
Download *.desales.edu
Download *.sakh.com
Download *.nau.edu
Download *.gov.br
Download *.cmp.com
Download *.upf.edu
Download *.vmware.com
Download *.iu.edu
Download *.br
Download *.iupui.edu
Download *.tjhsst.edu
Download *.umc.edu
Download *.weber.edu
Download *.uiowa.edu
Download *.torchboxapps.com
Download *.espace2001.com
Download *.indiana.edu
Download *.cmu.edu
Download *.socrata.com
Download *.fluig.com
Download *.fixeads.com
Download *.star2star.com
Download *.monmouth.edu
Download *.gtc.edu
Download *.us
Download *.au
Download *.id
TLDs that support NSEC3:
Progress is indicated in the left column: X means initial cracking is finished, / means collecting is finished, ! means an error occurred, and blank means not collected due to time constraints (but it could be collected and cracked by a reader).
Success | TLD | Results | Hashes | Notes
---|---|---|---|---
X | ac | Results | Hashes | 
X | af | Results | Hashes | Afghanistan only has 7 domains hashed: af, com.af, net.af, edu.af, org.af, gov.af, and posteo.af.
 | ag | | | 
X | am | Results | Hashes | 
X | asia | Results | Hashes | 
X | at | Results | Hashes | at may have signed their subdomains.
X | aw | Results | Hashes | 
X | be | Results | Hashes | be may have signed their subdomains.
X | by | Results | Hashes | Belarus has 100 iterations.
X | bz | Results | Hashes | 
X | ca | Results | Hashes | 
X | cat | Results | Hashes | cat may have signed their subdomains.
X | cc | Results | Hashes | 
X | ch | Results | Hashes | Dig doesn't accept the request for nameservers (dig ns ch). I had to fix collect for this domain (dig ns ch.).
! | cl | Results | Hashes | Chile caused a bug in John due to its long salt, which means only unhash results exist. Despite this, 82% of 45 names were cracked.
X | cn | Results | Hashes | 
X | com | Results | Hashes | 57% completion in cracking 396932 hashes
X | cr | Results | Hashes | 82% completion in cracking 7456 hashes
X | cx | Results | Hashes | 100% completion in cracking 17 hashes
X | cz | Results | Hashes | 48% completion in cracking 1043262 hashes. cz may have signed their subdomains.
X | de | Results | Hashes | 17% completion in cracking 13618 hashes. This is likely the same problem as jp.
X | dk | Results | Hashes | 
X | edu | Results | Hashes | 
X | ee | Results | Hashes | 
X | es | Results | Hashes | 
X | eu | Results | Hashes | eu may have signed their subdomains.
X | fi | Results | Hashes | 
! | fo | Results | Hashes | The Faroe Islands is a small country, and collect gets stuck trying to enumerate it.
X | fr | Results | Hashes | fr may have signed their subdomains.
 | gd | | | 
 | gi | | | 
X | gl | Results | Hashes | 98% completion in cracking 167 hashes
X | gov | Results | Hashes | 
X | gr | Results | Hashes | 
X | gs | Results | Hashes | South Georgia and the South Sandwich Islands only has gs, la.gs, and ur.gs.
X | hn | Results | Hashes | Honduras only has other second-level domains under hn: hn, gob.hn, org.hn, com.hn, mil.hn, net.hn, edu.hn, and coop.hn.
X | hr | Results | Hashes | 
 | hu | | | 
 | ie | | | 
! | in | | | Dig doesn't accept the request for nameservers (dig ns in). I had to fix collect for this domain (dig ns in.).
X | info | Results | Hashes | 
X | io | Results | Hashes | 95% completion in cracking 699 hashes
 | iq | | | 
X | is | Results | Hashes | is may have signed their subdomains.
X | jp | Results | Hashes | 5% completion in cracking 3639 hashes due to the language barrier and possibly other reasons
! | ki | Results | Hashes | Kiribati does not respond as expected. It returns only ki hashed, which means its NSEC3 records are worthless.
X | kr | Results | Hashes | 
X | la | Results | Hashes | Laos has 150 iterations.
 | lc | | | 
X | li | Results | Hashes | 89% completion in cracking 359 hashes
X | lt | Results | Hashes | 
X | lu | Results | Hashes | 
X | lv | Results | Hashes | 
 | ma | | | 
X | me | Results | Hashes | 
X | mil | Results | Hashes | 93% completion in cracking 235 hashes
 | mn | | | 
X | museum | Results | Hashes | 
X | my | Results | Hashes | 
X | name | Hashes | Hashes | 
X | nc | Results | Hashes | 
X | net | Results | Hashes | 60% completion in cracking 79400 hashes. This was the only domain on which I attempted alphanumeric brute force up to 8 characters; it is currently 83% finished after over 15 days of CPU time (should finish in ~3 days).
X | nf | Results | Hashes | Norfolk Island only contains two domains: nf and nic.nf.
 | nl | | | 
 | no | | | 
X | nu | Results | Hashes | Collecting Niue took over 3 days and still didn't get them all; this massive TLD needs more work, but I cracked as many as I could. nu may have signed their subdomains.
X | nz | Results | Hashes | nz may have signed their subdomains.
X | org | Results | Hashes | 
X | pe | Results | Hashes | 
X | pl | Results | Hashes | 
 | pm | | | 
X | pt | Results | Hashes | 
X | pw | Results | Hashes | 
X | re | Results | Hashes | 
X | ru | Results | Hashes | 
X | sb | Results | Hashes | Solomon Islands only has other second-level domains hashed under sb: com.sb, nic.sb, net.sb, org.sb, and gov.sb
X | sc | Results | Hashes | 
X | sh | Results | Hashes | 96% completion in cracking 45 hashes
X | si | Results | Hashes | 
X | sj | Results | Hashes | Svalbard and Jan Mayen Islands does not respond as expected. It returns only sj hashed, likely due to having no domains. This is the same response as Kiribati.
 | su | | | 
X | tf | Results | Hashes | 93% completion in cracking 432 hashes
X | th | Results | Hashes | 
X | tl | Results | Hashes | 
X | tm | Results | Hashes | 
X | tt | Results | Hashes | 
X | tv | Results | Hashes | 
X | tw | Results | Hashes | Collecting Taiwan took 23 hours and still didn't get them all; this massive TLD needs more work, but I cracked as many as I could. tw may have signed their subdomains.
X | ua | Results | Hashes | 
X | ug | Results | Hashes | Uganda does not respond as expected. It returns only ug hashed, likely due to having no domains. This is the same response as Kiribati.
X | uk | Results | Hashes | 
 | vc | | | 
 | vu | | | 
X | wf | Results | Hashes | 93% completion in cracking 320 hashes
 | 한국 | | | Korea
 | ভারত | | | India Bengali
X | 中国 | Results | Hashes | China simplified
X | 中國 | Results | Hashes | China traditional
X | भारत | Results | Hashes | India Hindi
 | భారత్ | | | India Telugu
 | ભારત | | | India Gujarati
 | 台灣 | | | Taiwan
 | بھارت | | | India Urdu
 | ไทย | | | Thailand
 | рф | | | Russian Federation
 | ਭਾਰਤ | | | India Punjabi
 | இந்தியா | | | India Tamil
 | yt | | | 
TLDs that support NSEC:
Success | TLD | Download | Notes
---|---|---|---
X | arpa | Results | 
 | ad | | 
X | au | Results | 
! | bg | Results | ldns-walk failed due to a bug after carrent\000.bg.
! | biz | Results | ldns-walk failed due to a bug after hcdata\000.biz.
X | br | Results | 
Partial | co | Results | ldns-walk failed due to a bug after audah\000.co.
X | id | Results | 
X | kg | Results | 
! | lk | Results | ldns-walk failed due to a bug after 6senses\000.lk.
 | na | | 
 | pr | | 
 | se | | 
 | tn | | 
X | us | Results | 
X | ලංකා | Results | Sinhala
X | تونس | Results | Tunisia Arabic
! | இலங்கை | Results | Sri Lanka Tamil. ldns-walk failed due to a bug after \000.xn--xkc2al3hye2a. Data comes from nsecwalker.py. Apologies for the formatting issues.
Selected second-level domains that support NSEC3:
Success | TLD | Results | Hashes | Notes
---|---|---|---|---
X | com.br | Results | Hashes | 11% completion of 1810081 hashes, possibly due to a bug, subdomains, or invalid hashes. com.br may have signed most of their subdomains. |
X | org.br | Results | Hashes | 51% completion of 5615 hashes |
X | dod.mil | Results | Hashes | 51% completion of 63 hashes |
X | anthrax.mil | Results | Hashes | 100% completion of 9 hashes |
X | fbi.gov | Results | Hashes | 81% completion of 137 hashes |
X | riaa.com | Results | Hashes | 27% completion of 11 hashes |
X | mil.cn | Results | Hashes | 75% completion of 4 hashes |
All domains collected that support NSEC:
*.in-addr.arpa 1ru.com 3cx.com 3cx.com 3di.com acejewelers.com apros.com.br astellas.com baker.edu bancfirst.com banktech.com barneysfarm.com berkeley.edu besthotelonline.com bie.edu bradley.edu bucknell.edu cashbacksavers.com cashnetusa.com chattanoogastate.edu chelloo.com cipydo.com cmcsa.com cmp.com cmu.edu cn8.com cnk.com coisas.com coloradomesa.edu comcast.com comcast.net comcastaddeliverylite.com comcastbundledeals.com comcastconnect.com comcastdigital.com comcastspotlight.com comcastsupport.com csumb.edu curry.com danahermail.com darkreading.com datasheets.com ddj.com desales.edu devtools-paypal.com directbox.com djeego.com drake.edu drdobbs.com dutchbodybuilding.com edn.com eet.com eetimes.com emailpros.com embedded.com empirecls.com enova.com enovacorp.com espace2001.com eulerian.com example.com faturavirtual.com fhsu.edu fhtc.edu fixeads.com fluig.com gamasutra.com gdceurope.com gdconf.com getpantheon.com gostorego.com gotpantheon.com gov.br growjob.com gsu.edu gtc.edu hansoft.com hexageek.com highlands.edu highwaycabs.com hotdealsclub.com hpc.mil httrack.com iastate.edu igf.com imgrap.com imovirtual.com in-addr.arpa indiana.edu indianatech.edu infoblox.com informationweek.com insurancetech.com internetessentials.com interop.com ish.com iu.edu iub.edu iupui.edu jmeeting.com kolabsys.com kuapay.com letsgopens.com ltc.edu magentotrial.com matousec.com mfi.com mohela.com monmouth.edu moodlethemes.com msj.com mst.edu mujjo.com myeddebt.com mykolab.com nasa.gov nau.edu netcredit.com networkcomputing.com networking4all.com nuvoli.com.br nwc.com1 online-domain-tools.com onlineapplyadvance.com outfit7.com outils-webmaster.com pacificu.edu packetizer.com palisadesmedia.com parachat.com parsons.com paypal-activate.com paypal-apac.com paypal-biz.com paypal-cash.com paypal-communication.com paypal-community.com paypal-customerfeedback.com paypal-engineering.com paypal-europe.com paypal-forward.com paypal-gifts.com paypal-labs.com paypal-marketing.com paypal-media.com 
paypal-mena.com paypal-notify.com paypal-prepaid.com paypal-promo.com paypal-research.com paypal-special.com paypal-survey.com paypal-viewpoints.com paypal-wujinggou.com paypal.com paypalobjects.com powerdns.com practicallygreen.com premiumoutlets.com pro-epic.com psc.edu psg.com qruiser.com rainvac.com realredskins.com recroom.com redfoundry.com rhyolite.com rospravosudie.com safelite.com sakh.com savagebeast.com scales-chords.com scl.edu scriptcam.com simon.com snelis.com socrata.com standvirtual.com stanford.edu star2star.com supermarktaanbiedingen.com taxatietarieven.com tci.com teamcomcast.com techonline.com techweb.com the700level.com thepaypalblog.com thevoiceofholland.com thinkforexasia.com thinkhdi.com tiss.edu tjhsst.edu todoeduca.com torchbox.com torchboxapps.com truman.edu ubm-us.com ucb.edu ucdavis.edu ucsc.edu uiowa.edu umbc.edu umc.edu uofk.edu upenn.edu upf.edu uvp.com vehix.com verisigninc.com vitral-vidrieras.com vmware.com wallstreetandtech.com weareblis.com weber.edu wsi-models.com x.com xfinity.com xfinityauthorizedoffers.com xfinityhomesecurity.com xfinitytv.com xod.com xse.com yandex.com
Wikipedia's List of Internet top-level domains is a good resource for information about TLDs that support DNSSEC and which do not. It also contains detailed information about international domain names (IDN).
NASA.gov subdomains found using NSEC walking:
nasa.gov 3D-Printing.nasa.gov _spf-ip4.nasa.gov _spf-ip6.nasa.gov _tcp.nasa.gov _tls.nasa.gov a-train.nasa.gov above.nasa.gov www.academy.nasa.gov accesstospace.nasa.gov www.acqp2.nasa.gov adcc.nasa.gov www.aee.nasa.gov aen.nasa.gov www.aero.nasa.gov www.aero-space.nasa.gov www.aeronautics.nasa.gov aeronauticstestprogram.nasa.gov www.aerospace.nasa.gov afrc.nasa.gov agencytokens.nasa.gov airbornescience.nasa.gov airspace.nasa.gov airspacesystems.nasa.gov www.alerts.nasa.gov amn.nasa.gov www.ams.nasa.gov www.aos.nasa.gov apm.nasa.gov apmcpr.nasa.gov apod.nasa.gov www.appel.nasa.gov appl.nasa.gov appliedsciences.nasa.gov applyonline.nasa.gov m.apps.nasa.gov apt.nasa.gov www.aqua.nasa.gov www.aquarius.nasa.gov arc.nasa.gov archimedes.nasa.gov areslaunchvehicles.nasa.gov artifacts.nasa.gov www.as.nasa.gov www.asap.nasa.gov www.asc.nasa.gov asevents.nasa.gov askacademy.nasa.gov askalibrarian.nasa.gov askmagazine.nasa.gov askmcc.nasa.gov asp.nasa.gov asteroid.nasa.gov astro.nasa.gov www.astrobiology.nasa.gov www.astrogravs.nasa.gov Astronauts.nasa.gov astronomy2009.nasa.gov asus-staging.nasa.gov at.nasa.gov www.atcsim.nasa.gov www.atcviztool.nasa.gov Athena.nasa.gov atp.nasa.gov atrain.nasa.gov autodiscover.nasa.gov www.autofeed.nasa.gov aviationsafety.nasa.gov awrs.nasa.gov awrs-dev.nasa.gov awrs-staging.nasa.gov awslogin.nasa.gov www.benefits.nasa.gov www.benefitshandbook.nasa.gov www.benefitstatement.nasa.gov benefitstatement-dev.nasa.gov benefitstatement-test.nasa.gov bep.nasa.gov bep-an-db.nasa.gov bep-col-db.nasa.gov bep-port-db.nasa.gov bep-prod-col.nasa.gov bep-prod-pub.nasa.gov bep-prod-src.nasa.gov bep-pub-db.nasa.gov bep-stage.nasa.gov bep-stage-col.nasa.gov bep-stage-pub.nasa.gov bep-stage-src.nasa.gov bep-studio-db.nasa.gov bep-wf-db.nasa.gov bet.nasa.gov bet-staging.nasa.gov beyondeinstein.nasa.gov www.bioastroroadmap.nasa.gov www.biomaterials.nasa.gov bizready.nasa.gov bizready-staging.nasa.gov blogs.nasa.gov www.bluemarble.nasa.gov booster.nasa.gov 
brainbites.nasa.gov brainbites-staging.nasa.gov brainbites1.nasa.gov blog.bready.nasa.gov bready-dev.nasa.gov bready-rra.nasa.gov bready-sbx.nasa.gov bready-test.nasa.gov bsearch.nasa.gov bsearch1.nasa.gov budget.nasa.gov budgetinfo.nasa.gov buzzroom.nasa.gov c3.nasa.gov www.caib.nasa.gov www.caib1.nasa.gov calendar.nasa.gov calendar1.nasa.gov captcha.nasa.gov cara.nasa.gov carbon.nasa.gov www.cas.nasa.gov casc.nasa.gov cce.nasa.gov ccp.nasa.gov ccs.nasa.gov www.cdb.nasa.gov cddis.nasa.gov www.cdms.nasa.gov cdscc.nasa.gov www.ceh.nasa.gov ceh1.nasa.gov www.centennialchallenge.nasa.gov www.centennialchallenges.nasa.gov cev.nasa.gov chandra.nasa.gov chandra1.nasa.gov chaucer.nasa.gov www.chemistry.nasa.gov www.ciencia.nasa.gov ciencia1.nasa.gov m.cima.nasa.gov www.climate.nasa.gov climatekids.nasa.gov climatesimulation.nasa.gov staging1.cms.nasa.gov cms-dev.nasa.gov cms-insidenasa.nasa.gov cms-prod.nasa.gov cms-test.nasa.gov cms-tools.nasa.gov cms-training.nasa.gov cms2.nasa.gov cmsdemo.nasa.gov cmsdev.nasa.gov cmstest.nasa.gov cmstool.nasa.gov cmswebsvc.nasa.gov code.nasa.gov codeb.nasa.gov columbia.nasa.gov comet.nasa.gov comments.nasa.gov comments-admin.nasa.gov comments-submit.nasa.gov comments1.nasa.gov www.commercial.nasa.gov commercialcrew.nasa.gov communicating.nasa.gov Communications.nasa.gov science.community.nasa.gov compass.nasa.gov computer-security.nasa.gov conference.nasa.gov www.congressionaldata.nasa.gov constellation-x.nasa.gov constellationx.nasa.gov cop.nasa.gov www.core.nasa.gov core1.nasa.gov corecatalog.nasa.gov corecatalog-staging.nasa.gov cos.nasa.gov cp4smpcommunity.nasa.gov www.cpa.nasa.gov cpgmip.nasa.gov cphazard.nasa.gov cphs.nasa.gov cpoms.nasa.gov cppraca.nasa.gov cptrace.nasa.gov crm1.nasa.gov crusr.nasa.gov www.cryotanks.nasa.gov csbf.nasa.gov csfmea-cil.nasa.gov csg005.nasa.gov cso.nasa.gov cso-staging.nasa.gov www.csuprojectalert.nasa.gov www.ct562.nasa.gov cube.nasa.gov cxadp.nasa.gov cxfmea-cil.nasa.gov cxgmip.nasa.gov 
cxhazard.nasa.gov cxpraca.nasa.gov darwin.nasa.gov www.data.nasa.gov www.daveml.nasa.gov www.dawg.nasa.gov dc8.nasa.gov desktop-standards.nasa.gov esb.dev.nasa.gov mobile.dev.nasa.gov dev-communications.nasa.gov dev-im.nasa.gov dev-insidenasa.nasa.gov dev-mediaservices.nasa.gov dev-nen.nasa.gov dev-npars.nasa.gov dev-www.nasa.gov dfrc.nasa.gov www.dfs.nasa.gov dftsrv.nasa.gov dialin.nasa.gov dir.nasa.gov dir-rra.nasa.gov www.directory.nasa.gov www.discovery.nasa.gov discoverynewfrontiers.nasa.gov discoverynewfrontiersnews.nasa.gov disposal.nasa.gov dln.nasa.gov dln-staging.nasa.gov *.dnet.nasa.gov www.dockingstandard.nasa.gov docs-nen.nasa.gov dsds.nasa.gov www.dsf.nasa.gov dsn.nasa.gov dspl.nasa.gov www.dtd.nasa.gov ducksewp.nasa.gov earth.nasa.gov earthdata.nasa.gov earthdata-dev.nasa.gov earthdata-uat.nasa.gov www.earthobservatory.nasa.gov echo.nasa.gov stmd.eci.nasa.gov www.eclipse99.nasa.gov ecs.nasa.gov ecs-program.nasa.gov ecsprogram.nasa.gov edc.nasa.gov edos.nasa.gov mgmt.edspace.nasa.gov new.edspace.nasa.gov proto.edspace.nasa.gov www1.edspace.nasa.gov www.education.nasa.gov education1.nasa.gov www.educatormissionspecialist.nasa.gov efoia.nasa.gov www.employeebenefits.nasa.gov employeeorientation.nasa.gov enasa.nasa.gov enceladus.nasa.gov engineeringforcomplexsystems.nasa.gov ens.nasa.gov www.ensemble.nasa.gov www.entre.nasa.gov www.enzo.nasa.gov eo3.nasa.gov eods.nasa.gov eon.nasa.gov eos.nasa.gov eosdis.nasa.gov eospso.nasa.gov ep.nasa.gov eparts.nasa.gov epbs.nasa.gov epbs-dvp.nasa.gov epbs-tst.nasa.gov epds.nasa.gov epds-staging.nasa.gov www.epims.nasa.gov epms.nasa.gov epss.nasa.gov equipment.nasa.gov esas.nasa.gov esb.nasa.gov esc.nasa.gov www.esd.nasa.gov esdpubs.nasa.gov www.eseepo.nasa.gov esm.nasa.gov esmd.nasa.gov esmo.nasa.gov discapps-ts2.gesdisc.esodis.nasa.gov www.espo.nasa.gov www.espoarchive.nasa.gov www.essp.nasa.gov www.estips.nasa.gov www.esto.nasa.gov etads.nasa.gov eto.nasa.gov etsapprover.nasa.gov europa.nasa.gov www.evm.nasa.gov 
execdev.nasa.gov execsummit.nasa.gov execsummit-dev.nasa.gov execsummit-staging.nasa.gov execsummit-test.nasa.gov www.exobiology.nasa.gov experts.nasa.gov www.exploration.nasa.gov explorationscience.nasa.gov www.explorationsystems.nasa.gov www.explorerschools.nasa.gov externalsip.nasa.gov eyes.nasa.gov www.f2m.nasa.gov www.faballiance.nasa.gov faceinspace-staging.nasa.gov www.family.nasa.gov fastntts.nasa.gov Fellowship.nasa.gov finger.nasa.gov fixedwing.nasa.gov www.flight.nasa.gov www.flightopportunities.nasa.gov foia.nasa.gov foiadev.nasa.gov forms.nasa.gov freecycle.nasa.gov www.freedomtomanage.nasa.gov fsa.nasa.gov gaia.nasa.gov gameon.nasa.gov www.gapps.nasa.gov gapps-groups.nasa.gov gcgo.nasa.gov gcmd.nasa.gov gdscc.nasa.gov genelab.nasa.gov www.genome.nasa.gov www.genomics.nasa.gov www.gidep.nasa.gov giss.nasa.gov globalchange.nasa.gov globe.nasa.gov go.nasa.gov googleapps.nasa.gov gpm.nasa.gov grail.nasa.gov www.gravbio.nasa.gov www.gravityprobeb.nasa.gov graymarble.nasa.gov grc.nasa.gov grcfrkap2.grcfr.nasa.gov greymarble.nasa.gov gsearch.nasa.gov gsearch1.nasa.gov gsfc.nasa.gov gss1.nasa.gov gss2.nasa.gov gulfofmexicoinitiative.nasa.gov hacd.nasa.gov hc.nasa.gov hc-dev.nasa.gov hc-test.nasa.gov hcie.nasa.gov hcie-dev.nasa.gov hcie-sbx.nasa.gov hcie-staging.nasa.gov hcie-temp.nasa.gov hcie-test.nasa.gov hcie-wctest.nasa.gov hcieweb.nasa.gov hciewebstaging.nasa.gov heasarc.nasa.gov hec.nasa.gov hedsadvprograms.nasa.gov hedsadvsystems.nasa.gov hefd.nasa.gov heliophysics.nasa.gov 3dns.herndon.nasa.gov hhp.nasa.gov www.history.nasa.gov extest.lmes.hop.nasa.gov www.lmes.hop.nasa.gov hpc.nasa.gov www.hpcc.nasa.gov hpps.nasa.gov hq.nasa.gov hq-flexnet.nasa.gov hq-msc.nasa.gov www.hqgiftshop.nasa.gov hr.nasa.gov hr-dev.nasa.gov hr-rra.nasa.gov hr-sbx.nasa.gov hr-staging.nasa.gov hr-test.nasa.gov hrext-tst.nasa.gov hrgo.nasa.gov hris.nasa.gov hrisconops.nasa.gov hrisdev.nasa.gov hrisdev3.nasa.gov hrisstaging.nasa.gov hrmes.nasa.gov hrmobile.nasa.gov 
hrmobile-tst.nasa.gov hrr.nasa.gov www.hrsm.nasa.gov hsf.nasa.gov hsfstage.nasa.gov hspd12.nasa.gov hspd121.nasa.gov hst.nasa.gov hubble.nasa.gov humanresearchroadmap.nasa.gov www.hurricanes.nasa.gov www.hypered.nasa.gov hypersonics.nasa.gov i3p.nasa.gov i3p-acq.nasa.gov www.iam.nasa.gov icam.nasa.gov www.icb.nasa.gov ice.nasa.gov www.ice-tool.nasa.gov www.icetool.nasa.gov id.nasa.gov www.idc.nasa.gov idea-nasaspacebook.nasa.gov idmax.nasa.gov idp.nasa.gov idsbx.nasa.gov iemp.nasa.gov ifmp.nasa.gov ifsuss.nasa.gov ildp.nasa.gov ildp1.nasa.gov im.nasa.gov images.nasa.gov imageseer.nasa.gov imdc.nasa.gov imdpc.nasa.gov indigo.nasa.gov innovate.nasa.gov innovation.nasa.gov insidenasa.nasa.gov insight.nasa.gov m.intern.nasa.gov intern-staging.nasa.gov intranet.nasa.gov intranetsearch.nasa.gov intranetsearch2.nasa.gov www.invention.nasa.gov invitation.nasa.gov inwiki.nasa.gov io.nasa.gov www.ip.nasa.gov ipam.nasa.gov ipam1.nasa.gov ipam2.nasa.gov ipamcli.nasa.gov ipao.nasa.gov iplat.nasa.gov www.ipp.nasa.gov ipv6.nasa.gov www.ipy.nasa.gov irb.nasa.gov iris.nasa.gov www.isal.nasa.gov www.ises.nasa.gov www.isfr.nasa.gov www.isosdata.nasa.gov iss.nasa.gov issresearchproject.nasa.gov itlabs.nasa.gov itportfolio.nasa.gov itportfoliotest.nasa.gov itsc.nasa.gov www.itsecurity.nasa.gov itsg.nasa.gov ivv.nasa.gov iws.nasa.gov jesnic.nasa.gov jpl.nasa.gov www.jplwater.nasa.gov jsc.nasa.gov jscdns2.nasa.gov jsceng.nasa.gov jscer.nasa.gov jscpao.nasa.gov www.juno.nasa.gov jupiter.nasa.gov jwst.nasa.gov kamikaze.nasa.gov www.kepler.nasa.gov www.kims.nasa.gov www.km.nasa.gov km1.nasa.gov ks-kdc-sqlc1022.nasa.gov ksc.nasa.gov ksctechnology.nasa.gov labs.nasa.gov lance.nasa.gov larc.nasa.gov lasse.nasa.gov latinawomen.nasa.gov launchpad.nasa.gov cv.launchpad-dev.nasa.gov launchpad-sbx.nasa.gov launchpad-test.nasa.gov lc.nasa.gov lc-dev.nasa.gov lc-test.nasa.gov ldap.nasa.gov www.ldcm.nasa.gov www.ldp.nasa.gov www.leadership.nasa.gov www.leag.nasa.gov leap.nasa.gov legalteam.nasa.gov 
www.legislative.nasa.gov www.lepag.nasa.gov lerc.nasa.gov www.lexec.nasa.gov lifeonearth.nasa.gov www.lifevents.nasa.gov lima.nasa.gov www.lisa.nasa.gov lists.nasa.gov live.nasa.gov liveips.nasa.gov liveipsup.nasa.gov llis.nasa.gov www.lmmp.nasa.gov lmr.nasa.gov lssc.nasa.gov lsweb.nasa.gov lsweb02.nasa.gov www.lunarscience.nasa.gov lyncdiscover.nasa.gov lyncweb.nasa.gov maf.nasa.gov mafmaximo.nasa.gov mafmaximotest.nasa.gov mail.nasa.gov managemyndc.nasa.gov mangrove.nasa.gov map.nasa.gov maps.nasa.gov maptis.nasa.gov mars.nasa.gov marsrover.nasa.gov marsrovers.nasa.gov mas.nasa.gov www.materials.nasa.gov materialsinspace.nasa.gov maxdev.nasa.gov maximo.nasa.gov mcast.nasa.gov mccs.nasa.gov mdi.nasa.gov mdr.nasa.gov mdscc.nasa.gov me2.nasa.gov mediaservices.nasa.gov meet.nasa.gov mems.nasa.gov meo.nasa.gov mepag.nasa.gov mercury.nasa.gov metahouse.nasa.gov mhp.nasa.gov microbiology.nasa.gov mil-hp.mil.nasa.gov mindmapr.nasa.gov Misse.nasa.gov mission-madness.nasa.gov missionscience.nasa.gov missionstem.nasa.gov mobile.nasa.gov mobile1.nasa.gov mobilewebproxy.nasa.gov modear.nasa.gov modelingguru.nasa.gov modelinguru.nasa.gov moon.nasa.gov moontours.nasa.gov www.move.nasa.gov MSAT.nasa.gov msfc.nasa.gov msfcns2.nasa.gov msfcns4.nasa.gov msfcns6.nasa.gov mtlo.nasa.gov tiles.mts.nasa.gov saml2.mynasa.nasa.gov mynasa1.nasa.gov mysites.nasa.gov n-arc-kvm1-ipam.nasa.gov n-gsfc-kvm1-ipam.nasa.gov n-jsc-kvm1-ipam.nasa.gov n-msfc-kvm2-ipam.nasa.gov n0fwi09u.nasa.gov naas.nasa.gov naasdev.nasa.gov naastest.nasa.gov naastraining.nasa.gov nacc.nasa.gov www.nai.nasa.gov naic.nasa.gov nais.nasa.gov nams.nasa.gov nars.nasa.gov nas.nasa.gov nasa-ca-forum.nasa.gov nasa-ice.nasa.gov nasa-ice-esb.nasa.gov nasa-ice-esbint.nasa.gov nasa-ice-esbstage.nasa.gov nasa-iceint.nasa.gov nasa-icestage.nasa.gov nasa-mis.nasa.gov nasaartifacts.nasa.gov nasaca.nasa.gov www.nasacdb.nasa.gov nasadc01.nasa.gov nasadc02.nasa.gov www.nasaeronauticsspacedatabase.nasa.gov nasajobs.nasa.gov 
nasapeople.nasa.gov www.nasaprojectalert.nasa.gov www.nasarecycles.nasa.gov www.nasascience.nasa.gov nasasearch.nasa.gov nasaspacebook.nasa.gov www.nasastars.nasa.gov nasatechnology.nasa.gov nasatv.nasa.gov nascom.nasa.gov www.naturalhazards.nasa.gov ncad.nasa.gov ncadinternal.nasa.gov nccs.nasa.gov www.ncis.nasa.gov ncts.nasa.gov nd.nasa.gov ndc.nasa.gov ndclab.nasa.gov ndl.nasa.gov ndmscollab.nasa.gov ndmspub.nasa.gov ndmssrc.nasa.gov ndmsstgcollab.nasa.gov ndmsstgpub.nasa.gov ndmsstgsrc.nasa.gov ndmswcdevimg.nasa.gov ndmswcprdb7.nasa.gov ndmswcprdimg.nasa.gov ndmswcrtimg.nasa.gov ndmswcsbximg.nasa.gov ndmswcstgimg.nasa.gov ndmswctstimg.nasa.gov public.forms.neacc.nasa.gov mobile.neacc.nasa.gov forms.test.neacc.nasa.gov near.nasa.gov near-staging.nasa.gov neba.nasa.gov nebula.nasa.gov ned.nasa.gov www.nef.nasa.gov nen.nasa.gov www.nepp.nasa.gov neps-dev.nasa.gov neptune.nasa.gov www.nesc.nasa.gov nescacademy.nasa.gov www.netcssi.nasa.gov netman2.nasa.gov netman4.nasa.gov www.neurolab.nasa.gov newdelhi.nasa.gov www.newemployee.nasa.gov newfrontiers.nasa.gov www.news.nasa.gov www.newsletters.nasa.gov newsletters1.nasa.gov newtechnology.nasa.gov nex.nasa.gov nexpass.nasa.gov next.nasa.gov nexus.nasa.gov nfac.nasa.gov ngi.nasa.gov www.ngst.nasa.gov www.nhhpc.nasa.gov nic.nasa.gov nics.nasa.gov niks.nasa.gov nipo.nasa.gov nis.nasa.gov nisn.nasa.gov nisn-web.nasa.gov nix.nasa.gov nmis.nasa.gov nmo.nasa.gov nmo-apl.nasa.gov nmo-cms.nasa.gov nmp.nasa.gov noca1.nasa.gov noca2.nasa.gov node1-nasaspacebook.nasa.gov node2-nasaspacebook.nasa.gov nods.nasa.gov nomad.nasa.gov nomadinternal.nasa.gov www.nops.nasa.gov nops-dev.nasa.gov nops-test.nasa.gov www.nors.nasa.gov www.npdm.nasa.gov www.npg2820.nasa.gov nprop.nasa.gov nrd.nasa.gov nren.nasa.gov ns.nasa.gov ns-ext1.nasa.gov ns1.nasa.gov ns2.nasa.gov ns3.nasa.gov nsbf.nasa.gov nsc.nasa.gov nsckn.nasa.gov nscs.nasa.gov nscstep.nasa.gov nsi.nasa.gov nsipo.nasa.gov nsirelay.nasa.gov nsisrv.nasa.gov nsminfo.nasa.gov 
nsms.nasa.gov nsms-dev.nasa.gov nsms-test.nasa.gov nsoc.nasa.gov nss.nasa.gov nssc.nasa.gov nsstc.nasa.gov ntp.nasa.gov ntpio.nasa.gov ntr.nasa.gov www.ntrs.nasa.gov ntrsreg.nasa.gov nttsaw.nasa.gov vendors.nvdb.nasa.gov oacc.nasa.gov www.obpr.nasa.gov observer.nasa.gov observer-tools.nasa.gov observer1.nasa.gov oce.nasa.gov oceans.nasa.gov oceexternal.nasa.gov ocsp.nasa.gov ocsp-dev.nasa.gov ocsp-rra.nasa.gov ocsp-test.nasa.gov ocsp-test-rra.nasa.gov octpartneringtool.nasa.gov octreviewer.nasa.gov odin-dev.nasa.gov odin-test.nasa.gov oedc.nasa.gov oedc-staging.nasa.gov oela.nasa.gov oepm.nasa.gov www.ohp.nasa.gov oig.nasa.gov oiglab.nasa.gov oltaris.nasa.gov www.onemis.nasa.gov onenasa-jsc.nasa.gov onenasa-msfc.nasa.gov onmoon-1.nasa.gov www.open.nasa.gov Open-Manufacturing.nasa.gov OpenManufacturing.nasa.gov opensource.nasa.gov opo.nasa.gov opo2.nasa.gov optics.nasa.gov www.osbp.nasa.gov oscar.nasa.gov www.osdbu.nasa.gov www.irma.osp.nasa.gov www.outgassing.nasa.gov outside-nde.nasa.gov outside-se.nasa.gov outside-software.nasa.gov outside-structures.nasa.gov outsidenasa.nasa.gov parweb.nasa.gov patches.nasa.gov www.patentstats.nasa.gov pbma.nasa.gov pcat.nasa.gov pdns1.nasa.gov pds.nasa.gov people.nasa.gov www.pep.nasa.gov perf.nasa.gov ph.nasa.gov pigiceshelf.nasa.gov piv.nasa.gov aplabpdc.pki.nasa.gov www.planetaryprotection.nasa.gov planetaryscience.nasa.gov www.plans.nasa.gov plasmasphere.nasa.gov pluto.nasa.gov pmm.nasa.gov pmt.nasa.gov pobox.nasa.gov poif.nasa.gov www.polaris.nasa.gov polls.nasa.gov pomegranate.nasa.gov portal.nasa.gov portalforums.nasa.gov portfolio.nasa.gov prism.nasa.gov prism-rra.nasa.gov prismcn1.nasa.gov prismia1.nasa.gov prismlb2.nasa.gov prismqa1.nasa.gov prismqa2.nasa.gov prismye0.nasa.gov privacy.nasa.gov privacyimpact.nasa.gov www.process.nasa.gov procurement.nasa.gov prognostics.nasa.gov www.projectalert.nasa.gov property.nasa.gov psi.nasa.gov pubdir.nasa.gov publicforms.nasa.gov publicportal.nasa.gov pumas.nasa.gov 
qa-insidenasa.nasa.gov qa-nasaspacebook.nasa.gov www.quality.nasa.gov quantum.nasa.gov www.quest.nasa.gov www.questeam.nasa.gov quicklaunch.nasa.gov radio.nasa.gov rapid.nasa.gov rasc.nasa.gov ready.nasa.gov ready-staging.nasa.gov redplanet.nasa.gov Retiree.nasa.gov www.rmc.nasa.gov rms.nasa.gov rms-dev.nasa.gov rms-test.nasa.gov rms-train.nasa.gov rmsdb.nasa.gov robot.nasa.gov www.robotics.nasa.gov robots.nasa.gov rockettest.nasa.gov rotarywing.nasa.gov rps.nasa.gov rpt.nasa.gov rsatest.nasa.gov russia.nasa.gov saam.nasa.gov saam-staging.nasa.gov sage.nasa.gov sara.nasa.gov sas.nasa.gov saterinfo-dev.nasa.gov satern.nasa.gov saterninfo.nasa.gov saterninfo-dev.nasa.gov saterninfo-test.nasa.gov saternproject.nasa.gov saternproject-dev.nasa.gov saternproject-test.nasa.gov saternreporting.nasa.gov saternwebsvc.nasa.gov saternwebsvc-test.nasa.gov sats.nasa.gov saturn.nasa.gov www.sbir.nasa.gov id.sbx.nasa.gov 3dns.sc.nasa.gov scan.nasa.gov www.science.nasa.gov science1.nasa.gov www.sciencecast.nasa.gov www.sciencecasts.nasa.gov www.scijinks.nasa.gov scm.nasa.gov scm-test.nasa.gov SCMOK.nasa.gov inl.sddl.nasa.gov search.nasa.gov search1.nasa.gov www.section508.nasa.gov sensorweb.nasa.gov sewp.nasa.gov www.sfa.nasa.gov share.nasa.gov sharepoint.nasa.gov shfe.nasa.gov www.shuttle.nasa.gov shuttle-mir.nasa.gov shuttle-station1.nasa.gov shuttlealumni.nasa.gov sip.nasa.gov www.sm3b.nasa.gov www.sm4.nasa.gov sma.nasa.gov smap.nasa.gov www.smart.nasa.gov www.smartskies.nasa.gov smp.nasa.gov snas.nasa.gov soc.nasa.gov socialforms.nasa.gov www.sofia.nasa.gov software.nasa.gov www.softwarereuse.nasa.gov soi.nasa.gov solar.nasa.gov solarsystem.nasa.gov space-geodesy.nasa.gov spacebook.nasa.gov www.spacecomm.nasa.gov www.spacecommunications.nasa.gov spacecube.nasa.gov www.spaceflight.nasa.gov spaceflight1.nasa.gov www.spacejobs.nasa.gov spacelifesciences.nasa.gov spacelink.nasa.gov spacemed.nasa.gov www.spaceoperations.nasa.gov www.spaceplace.nasa.gov spacerace.nasa.gov 
www.spaceresearch.nasa.gov www.spaceresearchgallery.nasa.gov www.spacescience.nasa.gov spacestationlive.nasa.gov spacestationlive1.nasa.gov spacetox.nasa.gov spacewardbound.nasa.gov spaceyourface.nasa.gov span.nasa.gov www.spds.nasa.gov www.spectrum.nasa.gov spinoff.nasa.gov spotthestation.nasa.gov src.nasa.gov ssc.nasa.gov sscmiranda.nasa.gov ssds.nasa.gov els2014.sservi.nasa.gov sso.nasa.gov sssaas.nasa.gov www.ssurteam.nasa.gov st5.nasa.gov stage-communications.nasa.gov stage-docsnen.nasa.gov stage-im.nasa.gov stage-insidenasa.nasa.gov stage-inwiki.nasa.gov stage-ipao.nasa.gov stage-mediaservices.nasa.gov stage-nasaspacebook.nasa.gov stage-nen.nasa.gov stage-oepm.nasa.gov stage-outsidenasa.nasa.gov stage-pia.nasa.gov stage-planetaryscience.nasa.gov stage-spacebook.nasa.gov staging.nasa.gov staging-science.nasa.gov standards.nasa.gov starbrite.nasa.gov www.starcam.nasa.gov stars.nasa.gov stars-dev.nasa.gov stars-ps.nasa.gov stars-test.nasa.gov www.station.nasa.gov www.step.nasa.gov sti.nasa.gov stidaa.nasa.gov straw.nasa.gov straw-staging.nasa.gov suborbital.nasa.gov www.sunearthday.nasa.gov www.sunearthday1.nasa.gov supersonics.nasa.gov support.nasa.gov swehb.nasa.gov swg.nasa.gov swmetrics.nasa.gov www.swpal.nasa.gov tagconnect.nasa.gov tdrss.nasa.gov tech.nasa.gov www.technology.nasa.gov technologygateway.nasa.gov technologyplan.nasa.gov techport.nasa.gov www.techsurvey.nasa.gov www.teerm.nasa.gov www.terra.nasa.gov test.nasa.gov www.tfaws.nasa.gov www.thursdaysclassroom.nasa.gov time.nasa.gov titan.nasa.gov titian.nasa.gov earth-science.tracker.nasa.gov lesson-plans.tracker.nasa.gov pictures.tracker.nasa.gov training-oepm.nasa.gov www.transition.nasa.gov trmm.nasa.gov tu.nasa.gov www.tv.nasa.gov tvschedule.nasa.gov tvschedule1.nasa.gov equipment.uat.nasa.gov m.intern.uat.nasa.gov iris.uat.nasa.gov mdr.uat.nasa.gov nef.uat.nasa.gov portfolio.uat.nasa.gov www.ueet.nasa.gov www.unites.nasa.gov www.universe.nasa.gov uranus.nasa.gov userdocuments.nasa.gov 
utility.nasa.gov vafb.nasa.gov vendor.nasa.gov venus.nasa.gov venustransit.nasa.gov veritas.nasa.gov vho.nasa.gov video.nasa.gov video-images.nasa.gov videofiles.nasa.gov videofiles1.nasa.gov videoshare.nasa.gov www.visibleearth.nasa.gov www.visionforum.nasa.gov vmo.nasa.gov voicetelecon.nasa.gov voicetelecon-test.nasa.gov vpn.nasa.gov www.vsde.nasa.gov vsearch.nasa.gov vsearch1.nasa.gov vwo.nasa.gov wat.nasa.gov www.webb.nasa.gov webdir.nasa.gov www.webentre.nasa.gov webmail.nasa.gov www.weboflife.nasa.gov webregister.nasa.gov webregistration.nasa.gov webregistrationfob.nasa.gov webservices.nasa.gov www.webtads.nasa.gov webwork.nasa.gov wff.nasa.gov wiki.nasa.gov www.wims.nasa.gov wind.nasa.gov wingsinorbit.nasa.gov www.wire.nasa.gov wise.nasa.gov www.women.nasa.gov www.workforcetransformation.nasa.gov workforcetransition.nasa.gov workmans.nasa.gov www.workmanship.nasa.gov wright.nasa.gov wsc.nasa.gov wsmr.nasa.gov wsprodb.nasa.gov wsprodc.nasa.gov wsprodd.nasa.gov wstf.nasa.gov wstf-ns1.nasa.gov wstf-ns2.nasa.gov www.wtts.nasa.gov wtts-stg.nasa.gov wwt.nasa.gov log.www.nasa.gov www1.nasa.gov www2.nasa.gov x500.nasa.gov www.xml.nasa.gov
Analysis
NASA.gov
The domains intranet.nasa.gov and intranetsearch.nasa.gov are obvious targets for unauthorized access to documents. We'll examine them more closely.
dig intranet.nasa.gov

; <<>> DiG 9.10.1 <<>> intranet.nasa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29075
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;intranet.nasa.gov. IN A

;; ANSWER SECTION:
intranet.nasa.gov. 599 IN CNAME intranet.nasawestprime.com.
intranet.nasawestprime.com. 299 IN CNAME redirects.nasawestprime.com.
redirects.nasawestprime.com. 299 IN CNAME dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com.
dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com. 59 IN A 50.16.224.76
dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com. 59 IN A 54.225.198.227

;; Query time: 142 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 26 09:38:48 PDT 2014
;; MSG SIZE rcvd: 217
Connecting to it redirects to https://outsidenasa.nasa.gov/, which drops the connection. This is an example of an internal service found by the NSEC walking technique. It doesn't have an obvious vulnerability, but the fact that it can be found but not accessed means that it's not for public consumption. With a program like namedrop [7] you could find this name, but you wouldn't be able to find more complex names like spaceresearchgallery.nasa.gov. Another name that namedrop could find, but much more slowly, is sharepoint.nasa.gov. This redirects to http://www.nasa.gov/centers/ames/home/index.html, which probably means that an F5 BIG-IP redirects unauthorized IPs to the public website. Or it could be that their SharePoint site was taken down.
A search for intranet.nasa.gov finds an unexpected VPN endpoint: https://intranet.jpl.nasa.gov/dana-na/auth/url_default/welcome.cgi. This subdomain wasn't found by walking because jpl.nasa.gov doesn't support DNSSEC, so the attack doesn't work against that subdomain. This doesn't faze the attacker.
The domain userdocuments.nasa.gov is an interesting site that is definitely for employees. The domain voicetelecon.nasa.gov is probably a teleconference system, so an nmap scan may turn up SIP, Skype, H.323, or similar services. It turns out that voicetelecon.nasa.gov has an authenticated HTTPS site which seems to be connected to CenturyLink (the company that bought Qwest). The domain staging.nasa.gov doesn't resolve, which probably means that staging is an internal domain. The same seems to be true for stage-*.nasa.gov: stage-communications.nasa.gov and many others resolve, but they don't seem to be externally accessible.
www.nasaeronauticsspacedatabase.nasa.gov
www.nasaeronauticsspacedatabase.nasa.gov turned out to be an interesting internal domain.
http://www.nasaeronauticsspacedatabase.nasa.gov/
redirects to:
https://dmzsrv.larc.nasa.gov/
redirects to:
https://ntrsreg.nasa.gov/
redirects to:
https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z
redirects to:
https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z&service=Level20NoNcad
Note that the certificates of all of these servers except launchpad.nasa.gov are signed by NASA's own CA, not by a trusted root certificate. Users who work for NASA would have this certificate installed on their work computers, assuming they trust NASA's root certificate not to be compromised. launchpad.nasa.gov sends the header Www-authenticate: Negotiate, which is indicative of Kerberos. This assumes that the person visiting the page has already authenticated to NASA.gov. This proves beyond any doubt that all these systems are internal systems. larc.nasa.gov is in the ldns-walk results, but dmzsrv.larc.nasa.gov is not. The two are on completely different networks, so this domain name is an important omission from the NSEC results. The subdomains ntrsreg and launchpad are both in the NSEC results.
curl -i -k http://www.nasaeronauticsspacedatabase.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:56:31 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://dmzsrv.larc.nasa.gov/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://dmzsrv.larc.nasa.gov/">here</a>.</p>
</body></html>
curl -i -k https://dmzsrv.larc.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:57:18 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://ntrsreg.nasa.gov:443/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://ntrsreg.nasa.gov:443/">here</a>.</p>
</body></html>
curl -i -k https://ntrsreg.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:53:25 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Set-Cookie: Apache_NTRS=;Path=/;Secure
Set-Cookie: Apache_NTRS=;Path=/;Secure
Location: https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1683939677&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A53%3A25Z
Content-Length: 446
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1683939677&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A53%3A25Z">here</a>.</p>
</body></html>
curl -i -k 'https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z'
HTTP/1.1 401 Unauthorized
Set-Cookie: ACE-insert=R1617759527; path=/
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 19 Feb 2015 00:58:49 GMT
Cache-control: private
Pragma: no-cache
X-dsameversion: Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1(2011-June-8 05:24)
Am_client_type: genericHTML
Www-authenticate: Negotiate
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwH5U%2FBfCXlZl8HYPqgP56f2hISXjxnzcA%3D%40AAJTSQACMDIAAlMxAAIwOA%3D%3D%23; Domain=launchpad.nasa.gov; Path=/
Set-cookie: amlbcookie=08; Domain=launchpad.nasa.gov; Path=/
Transfer-encoding: chunked

<!--
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2009 eTouch Federal Systems. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the eTouch Federal Systems License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License from eTouch Federal Systems
 * by emailing to license@etouchfederal.com
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 */
-->
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>Please Wait While Redirecting to Login page</title>
<script language="JavaScript">
<!--
function redirectToAuth() {
    var url = window.location.href;
    var serviceName = "Level20NoNcad";
    if (url.indexOf("?") == -1) {
        url = url + "?" + "service=" + serviceName;
    } else {
        if (url.indexOf("?SAMLRequest=") > -1) {
            var protocol = window.location.protocol;
            var host = window.location.host;
            var contextPath = "/amserver";
            var loginURL = protocol + "//" + host + contextPath + "/UI/Login?service=" + serviceName + "&goto=";
            var gotoURL = escape(url);
            url = loginURL + gotoURL;
        } else if (url.indexOf("?service=") > -1) {
            url = url.replace(/\?service=[^&?#]*/, "?service=" + serviceName);
        } else if (url.indexOf("&service=") > -1) {
            url = url.replace(/\&service=[^&?#]*/, "&service=" + serviceName);
        } else {
            url = url.concat("&service=" + serviceName);
        }
    }
    top.location.replace(url);
}
function getQueryParameters() {
    var loc = window.location.href;
    return loc;
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF" onLoad="redirectToAuth();">
</body>
</html>
curl -i -k 'https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z&service=Level20NoNcad'
HTTP/1.1 200 OK
Set-Cookie: ACE-insert=R1617758438; path=/
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 19 Feb 2015 01:08:25 GMT
Set-cookie: amlbcookie=06; Domain=launchpad.nasa.gov; Path=/
Content-type: text/html;charset=UTF-8
Set-cookie: JSESSIONID=ABE2731A73016D3B5BBB307816AC628D; Path=/amserver; Secure ; HttpOnly
X-dsameversion: Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1(2011-June-8 05:24)
Am_client_type: genericHTML
Set-cookie: AMAuthCookie=AQIC5wM2LY4Sfcw3xT7ONFSzXl9OSCrrCLrVF5%2BiIAOciAk%3D%40AAJTSQACMDIAAlMxAAIwNg%3D%3D%23; Domain=launchpad.nasa.gov; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: no-store
Transfer-encoding: chunked
...
This page is too long to put into an essay. Here are a few interesting strings:
<!-- App URL is https://ntrsreg.nasa.gov:443/; Server Id is ndkseasso02.ndc.nasa.gov -->
<!-- IE(8) requires the <td> and <img> to be on the same line, or else there will be a small gap (rolls eyes) -->
<div style="float:left;width:38%;color:#FFFFFF"><b>Need Help?</b> Call 1-866-419-6297 or <a style="color: #FFFFFF" href="mailto:MSFC-DL-HelpdeskMSFC@mail.nasa.gov?subject=Launchpad Help"><u>email the help desk</u></a><br/>
<a style="color: #FFFFFF" href="https://inwiki.nasa.gov/cm/wiki/?id=639" target="_blank">Want to Integrate? (Internal NASA only)</a></div></td>
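The redirect chain above was followed one hop at a time with curl -i -k and read by eye. The following is an added example (not code from the original article) that does the same bookkeeping over saved captures: it parses each response's status line and headers, follows Location from hop to hop, and flags the hop that demands authentication (WWW-Authenticate: Negotiate, i.e. Kerberos/SPNEGO single sign-on). The capture text is constructed from the headers quoted on this page, trimmed to what the parser needs; the names CAPTURES, parse_response, follow_chain and hosts_outside are this example's own.

```python
"""Summarise a captured HTTP redirect chain from `curl -i` output.

Added example, not code from the original article. Standard library only.
"""
from urllib.parse import urljoin, urlsplit

# Constructed sample: one `curl -i` capture per hop, keyed by the URL fetched.
# Headers are those quoted on the page, cut down to the ones that matter here.
CAPTURES = {
    "http://www.nasaeronauticsspacedatabase.nasa.gov/": """\
HTTP/1.1 302 Found
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://dmzsrv.larc.nasa.gov/
Content-Type: text/html; charset=iso-8859-1

<html>...</html>""",
    "https://dmzsrv.larc.nasa.gov/": """\
HTTP/1.1 302 Found
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://ntrsreg.nasa.gov:443/

<html>...</html>""",
    "https://ntrsreg.nasa.gov:443/": """\
HTTP/1.1 302 Found
Set-Cookie: Apache_NTRS=;Path=/;Secure
Location: https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F

<html>...</html>""",
    "https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F": """\
HTTP/1.1 401 Unauthorized
Server: Oracle-iPlanet-Web-Server/7.0
Www-authenticate: Negotiate
Set-cookie: amlbcookie=08; Domain=launchpad.nasa.gov; Path=/

<html>...</html>""",
}


def parse_response(text):
    """Split a `curl -i` capture into (status_code, headers).
    Header names are lower-cased; a repeated header keeps every value."""
    head, _, _body = text.partition("\n\n")
    lines = head.splitlines()
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def follow_chain(captures, start, max_hops=10):
    """Walk Location headers through the captured responses and describe
    each hop as (hostname, status, note)."""
    hops, url = [], start
    for _ in range(max_hops):
        host = urlsplit(url).hostname
        if url not in captures:
            hops.append((host, None, "no capture for this URL"))
            break
        status, hdrs = parse_response(captures[url])
        if status in (301, 302, 303, 307, 308) and "location" in hdrs:
            hops.append((host, status, "redirect"))
            url = urljoin(url, hdrs["location"][0])   # relative Location is allowed
            continue
        if status == 401:
            schemes = ", ".join(hdrs.get("www-authenticate", ["(none)"]))
            hops.append((host, status, f"authentication required: {schemes}"))
        else:
            hops.append((host, status, "final"))
        break
    else:
        hops.append((urlsplit(url).hostname, None, "gave up: redirect loop?"))
    return hops


def hosts_outside(hops, suffix):
    """Hosts in the chain that are not under the expected domain suffix;
    useful for spotting a hop that leaves the organisation's namespace."""
    return [h for h, _, _ in hops if h and not h.endswith(suffix)]


if __name__ == "__main__":
    chain = follow_chain(CAPTURES, "http://www.nasaeronauticsspacedatabase.nasa.gov/")
    for host, status, note in chain:
        print(f"{host:45} {status}  {note}")
    print("outside .nasa.gov:", hosts_outside(chain, ".nasa.gov"))
```

Feeding it real captures is a matter of saving each curl -i response to a file and loading them into the dictionary keyed by the URL fetched; the walk stops at the first non-redirect, so a 401 with Negotiate is reported as the point where the chain becomes employee-only.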
This page allows you to log in with a smartcard, RSA token, or username and password, or to create an account. It contains this warning:
This is a US Government computer. This system is for authorized users only. By accessing and using this computer system, you are consenting to full system monitoring of your process -- including keystrokes. Be forewarned that unauthorized use of, or access to this computer system may subject you to disciplinary action and/or criminal prosecution.
From the FAQ:
1. What is Access Launchpad?
The NASA Access Launchpad, also called "Launchpad," is an online tool that you can use to create and update your NASA user profile or reset a forgotten password in just a few steps.
2. Whom do I contact if I need help or have questions about Launchpad?
Call the NASA Information Support Center at (866) 419-6297.
9. Can I use the Launchpad to update other personal information, like my e-mail address and last name?
Not at this time. Instead, visit NASA's User Self-Service (USS) tool [https://idmax.nasa.gov/idm/user/login.jsp], located within the Identity Management and Account Exchange (IdMAX) system. User Self‐Service allows you to change your display name, e‐mail addresses, or common names in the Agency directory.
14. What do I do if my browser indicates that there is a "certificate error" and I am unable to login to the Launchpad?
On some NASA Web browsers there is a configuration issue that results in this security certificate error. To resolve this issue, follow this two-step process:
Step 1: Visit the NASA PKI Operations Web site [http://pki.nasa.gov/index.php/tech-support/ca-root-certificates/] to download the NOCA and Treasury root certificates.
Click on the Download NOCA and Treasury root Certificates link and follow the prompts to open and install these CA certificates into your browser. If you receive a security warning about the US Treasury Root CA, this is normal: proceed with the certificate installation.
Note the use of plain http for pki.nasa.gov, which leaves it vulnerable to sslstrip. pki.nasa.gov is an internal system and apparently uses PHP.
*.gov Hashes Cracked
An example of a domain that I found by brute-forcing all 7-character names against the .gov hashes, but could not find using unhash, is http://pdbcecc.gov/. This site returns a 404, which shows that it's not public (at least not yet). Vital information for pdbcecc.gov lies below:
curl -i pdbcecc.gov
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 23 Jan 2015 01:20:22 GMT
Connection: close
Content-Length: 315

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>

dig ns pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> ns pdbcecc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1150
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pdbcecc.gov. IN NS

;; ANSWER SECTION:
pdbcecc.gov. 599 IN NS ns1.blackmesh.com.
pdbcecc.gov. 599 IN NS ns2.blackmesh.com.

;; Query time: 105 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 22 17:21:04 PST 2015
;; MSG SIZE rcvd: 89

dig ns1.blackmesh.com.

; <<>> DiG 9.10.1-P1 <<>> ns1.blackmesh.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55362
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.blackmesh.com. IN A

;; ANSWER SECTION:
ns1.blackmesh.com. 299 IN A 74.121.197.78

;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 22 17:22:37 PST 2015
;; MSG SIZE rcvd: 62

whois 74.121.197.78

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#
#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.121.197.78?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 74.121.192.0 - 74.121.199.255
CIDR: 74.121.192.0/21
NetName: BLACKMESH-1
NetHandle: NET-74-121-192-0-1
Parent: NET74 (NET-74-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS36473
Organization: BlackMesh Inc. (BLACK-25)
RegDate: 2010-01-25
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-74-121-192-0-1

OrgName: BlackMesh Inc.
OrgId: BLACK-25
Address: 2465 J-17 Centreville Road
Address: #720
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
RegDate: 2006-03-21
Updated: 2011-09-24
Comment: BlackMesh Managed Hosting
Ref: http://whois.arin.net/rest/org/BLACK-25

OrgTechHandle: BNO34-ARIN
OrgTechName: BlackMesh Network Operations
OrgTechPhone: +1-888-473-0854
OrgTechEmail: noc@blackmesh.com
OrgTechRef: http://whois.arin.net/rest/poc/BNO34-ARIN

OrgAbuseHandle: BNO34-ARIN
OrgAbuseName: BlackMesh Network Operations
OrgAbusePhone: +1-888-473-0854
OrgAbuseEmail: noc@blackmesh.com
OrgAbuseRef: http://whois.arin.net/rest/poc/BNO34-ARIN

RNOCHandle: BNO34-ARIN
RNOCName: BlackMesh Network Operations
RNOCPhone: +1-888-473-0854
RNOCEmail: noc@blackmesh.com
RNOCRef: http://whois.arin.net/rest/poc/BNO34-ARIN

RTechHandle: BNO34-ARIN
RTechName: BlackMesh Network Operations
RTechPhone: +1-888-473-0854
RTechEmail: noc@blackmesh.com
RTechRef: http://whois.arin.net/rest/poc/BNO34-ARIN

RAbuseHandle: BLACK5-ARIN
RAbuseName: BlackMesh Abuse
RAbusePhone: +1-888-473-0854
RAbuseEmail: abuse@blackmesh.com
RAbuseRef: http://whois.arin.net/rest/poc/BLACK5-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

dig +dnssec @74.121.197.78 pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> +dnssec @74.121.197.78 pdbcecc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14228
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pdbcecc.gov. IN A

;; ANSWER SECTION:
pdbcecc.gov. 600 IN A 74.121.201.181

;; AUTHORITY SECTION:
pdbcecc.gov. 600 IN NS ns1.blackmesh.com.
pdbcecc.gov. 600 IN NS ns2.blackmesh.com.

;; ADDITIONAL SECTION:
ns1.blackmesh.com. 300 IN A 74.121.197.78
ns2.blackmesh.com. 300 IN A 74.121.192.67

;; Query time: 91 msec
;; SERVER: 74.121.197.78#53(74.121.197.78)
;; WHEN: Thu Jan 22 17:24:04 PST 2015
;; MSG SIZE rcvd: 137

dig +dnssec @69.36.157.30 pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> +dnssec @69.36.157.30 pdbcecc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15874
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;pdbcecc.gov. IN A

;; AUTHORITY SECTION:
pdbcecc.gov. 86400 IN NS ns1.blackmesh.com.
pdbcecc.gov. 86400 IN NS ns2.blackmesh.com.
j5kqrti1gdqgv88konuq2qsuhshv60io.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 J5N9AJJ79PQ4UVMESSBVONNK5QR5189S NS
j5kqrti1gdqgv88konuq2qsuhshv60io.gov. 86400 IN RRSIG NSEC3 8 2 86400 20150129221014 20150122221014 4352 gov. CvwShLn22m6o086Id9ythpPECag30WGD7IzUtWQ/Qo2fhKzurbpw3dFo J8dg/RyD6gZ/Rn7v4w/AlcpyE6Q6MiE7VMhbUtBUh9s8aHW6V9HPY3Xz fwicyxcDxfhpxzZKKoogJEGh5WATxAfe1n5fuAt///LXnQDXVJ47wc35 t1c=

;; Query time: 79 msec
;; SERVER: 69.36.157.30#53(69.36.157.30)
;; WHEN: Thu Jan 22 17:26:10 PST 2015
;; MSG SIZE rcvd: 332

traceroute 74.121.201.181
traceroute to 74.121.201.181 (74.121.201.181), 30 hops max, 60 byte packets
 1  v10.core1.fmt2.he.net (64.62.180.89)  3.538 ms  3.532 ms  3.527 ms
 2  10ge1-1.core1.sjc2.he.net (72.52.92.74)  19.319 ms  19.318 ms  19.316 ms
 3  mpr1.sjc7.us (206.223.116.86)  0.848 ms  3.747 ms  0.836 ms
 4  ae9.cr1.sjc2.us.zip.zayo.com (64.125.31.201)  1.074 ms  1.065 ms  1.304 ms
 5  ae8.cr2.sjc2.us.zip.zayo.com (64.125.20.254)  1.577 ms  1.299 ms  1.298 ms
 6  ae1.cr2.lax112.us.zip.zayo.com (64.125.31.234)  9.344 ms  9.769 ms  10.261 ms
 7  ae3.cr2.iah1.us.zip.zayo.com (64.125.21.85)  44.680 ms  44.177 ms  43.938 ms
 8  ae14.cr2.dca2.us.zip.zayo.com (64.125.21.53)  68.638 ms  68.638 ms  68.984 ms
 9  ae1.er2.iad10.us.zip.zayo.com (64.125.20.122)  72.950 ms  75.889 ms  76.215 ms
10  64.125.198.77.t00053.above.net (64.125.198.77)  71.637 ms  69.384 ms  69.365 ms
11  aggr2-g10-va.net.hostventures.com (208.85.174.252)  69.902 ms  69.345 ms  69.609 ms
12  * * *
13  * * *
14  * * *
As you can see, there isn't any authenticated A record for pdbcecc.gov, which means the answer can't be validated. In fact, we see an NSEC3 record returned from the .gov servers. The hash for pdbcecc.gov is j5kqrti1gdqgv88konuq2qsuhshv60io, and the next hash they give us, j5n9ajj79pq4uvmessbvonnk5qr5189s, looks similar in the first two characters but then diverges. So what this NSEC3 record is telling us is that .gov doesn't have a signed delegation (NS) for pdbcecc.gov. That means the NSEC3 records we get from the .gov nameservers include all domains under .gov. Unlike .com, which is opt-in, .gov's NSEC3 chain seems to be opt-out. Therefore the list of hashes I have collected is a definitive list of the domains that had not opted out of .gov NSEC3. Since I was able to brute force 7 characters of alphanumeric domains, I can definitively say that my list of cracked domains is the full list of .gov domains shorter than 8 characters. If someone wants to run 8 or more characters against the hashes, we can build a list of almost every .gov domain. My guess is that there are longer domain names that can be found with the passphrase cracker, which I only used up to a certain point on domains other than com. Two values found by passphrase3 are richlandms.gov and richlandsnc.gov. This suggests that city names followed by their state abbreviation may be a pattern worth checking. However, seattlewa.gov doesn't make sense because there's only one Seattle. It turns out that bellevuewa.gov does exist, which makes perfect sense; I was able to crack that hash manually. So it would make sense to use a wordlist of all state abbreviations combined with all words in the AI3 wordlist (since all city names are in the AI3 wordlist). I did this using passphrase7 and Wikipedia's List of U.S. state abbreviations. It turned up a very large number of hits, as expected.
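The hash comparison above is exactly what a validating resolver does with an NSEC3 record, so it is worth seeing the computation spelled out. The following is an added example (not code from the original article or from nsec3walker) that re-derives the hash quoted for pdbcecc.gov from the parameters in the .gov record above (hash algorithm 1 = SHA-1, flags 0, 8 iterations, salt 4C44934802D3) and then decides whether that record matches the queried name (the name exists and the type bitmap lists its RRsets, here NS but no DS, i.e. an unsigned delegation) or merely covers it (proof that no such name exists). The iteration count and salt are parameters, so the same function handles zones that choose higher counts. Only the standard library is used; the function names are this example's own.

```python
"""NSEC3 owner-name hashing and match/cover checks per RFC 5155.

Added example, not code from the original article. Standard library only.
"""
import hashlib

# RFC 4648 "base32hex" alphabet; NSEC3 owner names use it in lowercase.
BASE32HEX = "0123456789abcdefghijklmnopqrstuv"


def wire_name(name: str) -> bytes:
    """Canonical wire form of an owner name: lowercase labels, each
    length-prefixed, terminated by the root label (a zero byte)."""
    out = bytearray()
    for label in name.rstrip(".").lower().split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label in {name!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def base32hex(data: bytes) -> str:
    """Base32 with the extended-hex alphabet, lowercase, no padding
    (a 20-byte SHA-1 digest encodes to exactly 32 characters)."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(BASE32HEX[(bits >> (5 * (nchars - 1 - i))) & 31]
                   for i in range(nchars))


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """H(name) as defined in RFC 5155 section 5: SHA-1(wire || salt),
    then the digest re-hashed with the salt `iterations` more times."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def classify_nsec3(owner_hash: str, next_hash: str, qname_hash: str) -> str:
    """How one NSEC3 record relates to a hashed query name.

    'match'     : owner == H(qname); the name exists and the record's type
                  bitmap says which RRsets it has (NS without DS means an
                  unsigned delegation, as for pdbcecc.gov above).
    'covered'   : owner < H(qname) < next (with wrap-around for the last
                  record in the chain); proof that no name hashes there.
    'unrelated' : the record says nothing about this name.
    """
    o, n, q = owner_hash.lower(), next_hash.lower(), qname_hash.lower()
    if q == o:
        return "match"
    if o < n:                                   # ordinary interval
        return "covered" if o < q < n else "unrelated"
    return "covered" if q > o or q < n else "unrelated"   # chain wraps


if __name__ == "__main__":
    h = nsec3_hash("pdbcecc.gov", "4C44934802D3", 8)
    print("H(pdbcecc.gov) =", h)
    print(classify_nsec3("j5kqrti1gdqgv88konuq2qsuhshv60io",
                         "J5N9AJJ79PQ4UVMESSBVONNK5QR5189S", h))
```

For a zone operator the same function answers the cost question behind the iteration counts discussed on this page: every extra iteration is one more SHA-1 per lookup for both the authoritative server and every validating resolver, while the owner name and salt stay public, so the count buys only linear slowdown against an offline guess.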
Brazil
Brazil has an interesting setup. The top-level ccTLD .br uses NSEC, so that's how I discovered all those domains. I believe that the list is authoritative and equivalent to an AXFR (I have no counter-examples to prove otherwise so far). The most popular subdomain, com.br, uses NSEC3 with a long salt and 10 iterations, which is almost unheard of in DNSSEC apart from a few .mil subdomains, org.br, by (Belarus), which inexplicably uses 100 iterations, probably to stop people like me (despite their efforts, I was able to crack 584 out of 1017 hashes), and la (Laos), which uses 150 iterations (despite their efforts, I was able to crack 398 out of 746 hashes). The government domain gov.br uses NSEC. Note that all of these reside on the same DNS servers: [a-f].dns.br. What's more interesting is that there are more DNSSEC-enabled com.br domains than there are DNSSEC-enabled com domains. Why is this? In the same way that gov.br signs all its domains with one key, com.br can sign all its domains with one key. This doesn't give anyone any less trust, because the holder of the private key can override any value in the database anyway. com.br is in a special position where it can choose to publish good known values for every domain in com.br and sign them, thus giving everyone a correct representation of the entirety of com.br, just as gov.br has done with NSEC. The reason we don't get a full representation of the entirety of com is that com chooses not to sign any of the domains under it. Let's look at the data from a few signatures under com.br.
dig +dnssec @200.219.154.10 apros.com.br.

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.219.154.10 apros.com.br.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27275
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;apros.com.br. IN A

;; AUTHORITY SECTION:
apros.com.br. 86400 IN NS c.sec.dns.br.
apros.com.br. 86400 IN NS b.sec.dns.br.
apros.com.br. 3600 IN DS 64627 5 1 A56441015582BAEB5013AF87B203C2C86B461E3D
apros.com.br. 3600 IN RRSIG DS 7 3 3600 20141223100000 20141216100000 33018 com.br. mVYd7IidGO5i1KceUMaBn1xy7mKpHfJcZtHh6i4R/tbso9nRvxiiWoce hGmBxuFXYGlelHWH76SDAOnyzk2dAn768fy9r0X3bQOln1Kvv8fb4XUR COvjv4SS/6RZhf8KVU4fHFrABtg+O5nQG6bE66/Td7MdT9RNOE3LsiKm hUY=

;; ADDITIONAL SECTION:
b.sec.dns.br. 172800 IN A 200.192.232.11
c.sec.dns.br. 172800 IN A 200.189.40.11
b.sec.dns.br. 172800 IN RRSIG A 5 4 172800 20150123084353 20141114084353 943 dns.br. P5sdQem+wzVyD+0wycTVcP8FFp4H/XIOZa2yR8kr0uxQKRYPQJyhp6bW cbyFwFVnKCOapTsiWOtYztghFPn2oaF1s6K1rL1mWNIeyHLFXANQzRnj Zri3WGh61ZzvKz5KipxCXfnH+ZRLxsJVTcI0FCphUh9KfWLKhzd3czsm EF0sldY1retqDb9w5s3kC0Ao
c.sec.dns.br. 172800 IN RRSIG A 5 4 172800 20150123084353 20141114084353 943 dns.br. 41k1GaDsRFm2j9FbsVJwFSvoj7w73+8nGkq4UGV1EViAl2h5BfMtEXum CW4034v0WDzIp/FQl1OZ60EAaSnNIx/OnCb01AYX9olTOBAjEOKv6KFa 3muR/8Y9BOsDn9IIkSkRiZysYfDkWo3J8G6P58wjMe1MgNopUlaycXPL mXBOszg6YYj3/ZY/I5uO47dZ

;; Query time: 68 msec
;; SERVER: 200.219.154.10#53(200.219.154.10)
;; WHEN: Wed Dec 17 15:22:42 PST 2014
;; MSG SIZE rcvd: 679
dig +dnssec @200.219.154.10 nuvoli.com.br.

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.219.154.10 nuvoli.com.br.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17235
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nuvoli.com.br.  IN  A

;; AUTHORITY SECTION:
nuvoli.com.br.  86400  IN  NS  a.sec.dns.br.
nuvoli.com.br.  86400  IN  NS  b.sec.dns.br.
nuvoli.com.br.  3600  IN  DS  41021 5 1 735B1DB6F7EDEA0A5FC9E35D35F6B4ECA7F6E520
nuvoli.com.br.  3600  IN  RRSIG  DS 7 3 3600 20141223100000 20141216100000 33018 com.br. bg9YXXkjsRFDWdr9duEVB+QNtzy7OH1vMPLtv6nT5hLg5JRSlhYT0wPI MjqqkYqXxwS3vBaZ9uoRxSnAJT1i63g0fYctcAPocfGgxmEN1kVsNTRr 1iA3VkaKeqvmbvOz3PRY+doVOXlCeVFWNONiDQlvmFrKim3/ohnWYRBQ 9wk=

;; ADDITIONAL SECTION:
a.sec.dns.br.  172800  IN  A  200.160.0.11
a.sec.dns.br.  172800  IN  AAAA  2001:12ff::11
b.sec.dns.br.  172800  IN  A  200.192.232.11
a.sec.dns.br.  172800  IN  RRSIG  A 5 4 172800 20150123084353 20141114084353 943 dns.br. roMyXYw+pNs/Yv9FwDnAJNxKecAGjPDoUD/x1EXvDPsfBENPH8GIYifL kLGfdjtSWn0/hnpGl0GJbSzSeYVSqp+56CM07TRnNQNjnEan+UXPEgoy ztUPUibyelsbCXX9fuqD8yQNCHeZU/Cf0X1XVdUf9/k6MEKmTl1cfHgz DFcW6GekmhT4BIt2vjn5BX9x
a.sec.dns.br.  172800  IN  RRSIG  AAAA 5 4 172800 20150123084353 20141114084353 943 dns.br. Ku8c3YR8L/VVf0cePAlUGTb6ASKYrUpGMF0ajLE9THc6JDezJ2BR8Jz4 vxH1zOe911ssH3UxEL2+CDjCTjBwUa/A9BDdp0JMDCLciOactV8JME+F 7R1+Pr7lfTlbd8yf1NR5QjSNXu4w54EW95EbBaFWeV3vAWgYQJVNgW+x 6hP1qozZanbuQIBE8rn+T/8T
b.sec.dns.br.  172800  IN  RRSIG  A 5 4 172800 20150123084353 20141114084353 943 dns.br. P5sdQem+wzVyD+0wycTVcP8FFp4H/XIOZa2yR8kr0uxQKRYPQJyhp6bW cbyFwFVnKCOapTsiWOtYztghFPn2oaF1s6K1rL1mWNIeyHLFXANQzRnj Zri3WGh61ZzvKz5KipxCXfnH+ZRLxsJVTcI0FCphUh9KfWLKhzd3czsm EF0sldY1retqDb9w5s3kC0Ao

;; Query time: 68 msec
;; SERVER: 200.219.154.10#53(200.219.154.10)
;; WHEN: Wed Dec 17 15:23:28 PST 2014
;; MSG SIZE  rcvd: 890
You don't need to be able to do RSA or SHA-1 to find out what's going on in these responses. Look at the signer names: the DS records are signed by com.br (key tag 33018), and the glue A and AAAA records in the additional section are signed by dns.br (key tag 943). Then look at the DS records for each: they are different, which means each child zone has its own key. Then look at the nameservers: apros.com.br is served by b.sec.dns.br and c.sec.dns.br, nuvoli.com.br by a.sec.dns.br and b.sec.dns.br, all hosts of the registry itself. Now we need to query those nameservers directly.
dig +dnssec @200.189.40.11 apros.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.189.40.11 apros.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8553
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;apros.com.br.  IN  A

;; AUTHORITY SECTION:
apros.com.br.  900  IN  SOA  b.sec.dns.br. hostmaster.registro.br. 2015008000 345600 900 604800 900
apros.com.br.  900  IN  RRSIG  SOA 5 3 86400 20150217004706 20150108004706 64627 apros.com.br. S/ja/KYwj1UElZwHMTFF038BI5KQkmdMUS50nlYyxSGllPJdI0u3jU02 LaScCmBO6gwOfKE53C2El8OKUePenta2lL+NwEEpUV59m32R5dIMHYTU ayJzv1pQDRecM5qRd5q1QtIudt/CcCWUcz5OiqqrgTN7PMcYSDIuDEKH f2k=
apros.com.br.  900  IN  NSEC  email.apros.com.br. NS SOA MX RRSIG NSEC DNSKEY
apros.com.br.  900  IN  RRSIG  NSEC 5 3 900 20150217004706 20150108004706 64627 apros.com.br. jieFIGYg7SO2CULv8gkf/D9VcNtKe3d7uwaBCV3LAuIgiiwt2E2lJmVT 0IP4Ci6xUYySssYHeNpq0K3j8QHXLmU0tgxZvthN5yHPr9OqUSUioKz9 uOyFEOCjAzOGZuGeib4NCP0D9ilpM6pYNwwNJol14ANtqwMkAUQsCLLS BxY=

;; Query time: 202 msec
;; SERVER: 200.189.40.11#53(200.189.40.11)
;; WHEN: Sun Jan 25 01:27:07 PST 2015
;; MSG SIZE  rcvd: 492
dig +dnssec @200.160.0.11 nuvoli.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.160.0.11 nuvoli.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4387
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nuvoli.com.br.  IN  A

;; AUTHORITY SECTION:
nuvoli.com.br.  900  IN  SOA  a.sec.dns.br. hostmaster.registro.br. 2015007000 345600 900 604800 900
nuvoli.com.br.  900  IN  RRSIG  SOA 5 3 86400 20150216190722 20150107190722 41021 nuvoli.com.br. SYwi7I9Qmvr97J/5tzYN2lMwDJ8EhjjG9F+DfRNzeHtA1SUy3IubNGow YUmLBBOIg+7hwFHFcnp5IAdFLYq+w4HcpQWAYwj7AOGd2lW2ZtLj5EcH 5xHF13UD2Dh3IpEa0YNjGpE2pLJO7xD62EzJWMzYBE3ikcr3TJROi5Rk dO4=
nuvoli.com.br.  900  IN  NSEC  agenda.nuvoli.com.br. NS SOA MX TXT RRSIG NSEC DNSKEY
nuvoli.com.br.  900  IN  RRSIG  NSEC 5 3 900 20150216190722 20150107190722 41021 nuvoli.com.br. cqOap8X6JXpae52CcAu/i94c9SLYX2sW4jo04PvFuDGRPgmwP86eW1Ey iayHOEe7gp5KfGnzcKBcm3dwp7EaVY5tugHb6UMndFLsw5i+Xw5JKNPU adxMaem/VtacyECtNMP2tW18Hhs4x85vItibZzqEBZNSCdJ8J6cEYpNj hzo=

;; Query time: 202 msec
;; SERVER: 200.160.0.11#53(200.160.0.11)
;; WHEN: Sun Jan 25 01:30:44 PST 2015
;; MSG SIZE  rcvd: 497
These results are totally unexpected. What you're seeing here is the registry's own servers (a.sec.dns.br, b.sec.dns.br and c.sec.dns.br) answering for the child zones apros.com.br and nuvoli.com.br with NSEC records (the trivially walkable kind), even though the parent zone com.br uses NSEC3 with a salt and 10 iterations. Allow me to illustrate with a table.
Domain         | NSEC | NSEC3
.br            | NSEC |
com.br         |      | NSEC3
apros.com.br   | NSEC |
nuvoli.com.br  | NSEC |
To prove the concept, here are the subdomains of apros.com.br and nuvoli.com.br:
ldns-walk @200.189.40.11 apros.com.br
apros.com.br.
apros.com.br.  NS SOA MX RRSIG NSEC DNSKEY
www.email.apros.com.br.  CNAME RRSIG NSEC
www.apros.com.br.  A RRSIG NSEC
xxx.apros.com.br.  A RRSIG NSEC

ldns-walk @200.160.0.11 nuvoli.com.br
nuvoli.com.br.
nuvoli.com.br.  NS SOA MX TXT RRSIG NSEC DNSKEY
agenda.nuvoli.com.br.  CNAME RRSIG NSEC
docs.nuvoli.com.br.  CNAME RRSIG NSEC
mail.nuvoli.com.br.  CNAME RRSIG NSEC
pop.nuvoli.com.br.  CNAME RRSIG NSEC
site.nuvoli.com.br.  CNAME RRSIG NSEC
videos.nuvoli.com.br.  CNAME RRSIG NSEC
www.nuvoli.com.br.  CNAME RRSIG NSEC
Plenty of sites that have not opted in to DNSSEC turn up in the cracked NSEC3 hash list, so there doesn't seem to be any rhyme or reason to which com.br names have NSEC3 records and which do not. Many but not all domains have DS records, which doesn't make sense considering the tech savvy of the domain owners (no offense, but it is apparent). One thing worth knowing when reading this data: RFC 5155 Opt-Out only permits a signer to leave unsigned delegations out of the chain, it does not require it, so a registry that signs with the Opt-Out flag set can still include some unsigned names and omit others. An explanation of how DNSSEC key generation and signing works in Brazil would still be helpful.
Let's look at com.
dig +dnssec @192.43.172.30 paypal.com

; <<>> DiG 9.10.1-P1 <<>> +dnssec @192.43.172.30 paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4005
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;paypal.com.  IN  A

;; AUTHORITY SECTION:
paypal.com.  172800  IN  NS  ns1.isc-sns.net.
paypal.com.  172800  IN  NS  ns2.isc-sns.com.
paypal.com.  172800  IN  NS  ns3.isc-sns.info.
paypal.com.  86400  IN  DS  21037 5 2 0DF17B28554954D819E0CEEAB98FCFCD56572A4CF4F551F0A9BE6D04 DB2F65C3
paypal.com.  86400  IN  RRSIG  DS 8 2 86400 20141223051543 20141216040543 48758 com. S3PBUN3MGHFhwl8z4QpUQLkcoPmj+UdRbMaCV/uzYqSs0vXj7PDfhEcx SM39OCsV+Vb0PyynoxSdF8R3Ef5RQR6T50b7EA/rqrwHobRX3MqqAaK3 HP5Ooc7m1Vzn262dQMyDswmwKOC70AbbZG/B7/wrA4/yBBcsVv/7nkSJ tE8=

;; ADDITIONAL SECTION:
ns1.isc-sns.net.  172800  IN  AAAA  2001:470:1a::1
ns1.isc-sns.net.  172800  IN  A  72.52.71.1
ns2.isc-sns.com.  172800  IN  A  38.103.2.1

;; Query time: 148 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Wed Dec 17 15:30:36 PST 2014
;; MSG SIZE  rcvd: 395
Instead of the A record we asked for, com hands us a referral: NS records and a DS record. The DS record is a hash over the child's DNSKEY (owner name, flags, protocol, algorithm and the key material), so that a resolver can validate the paypal.com DNSKEY it later gets from paypal's own nameservers; the RRSIG is com's signature over that DS. So paypal.com has a secure delegation from com, and no NSEC3 or NSEC record signed by com should ever claim that paypal.com has no DS. If you query most com names this way, you get NSEC3 records instead of a DS: those registrants have not published a DS record through their registrar, and because com signs with the Opt-Out flag set, such unsigned delegations are simply absent from the chain. The NSEC3 records returned only prove that the delegation is insecure.
Too many counterexamples exist for the theory that com.br includes every delegation in its chain, the way gov.br does with NSEC, to be true. One is uol.com.br. Most domains in the massive list of 353059 hashes are unpopular domains despite being short and easy to remember, but too many popular .com.br domain names are missing from this list. In the response below, uol.com.br has no DS, and the NSEC3 records that prove it have a flags field of 1, which is the RFC 5155 Opt-Out flag: an unsigned delegation like this one may be left out of the chain entirely.
dig +dnssec @200.160.0.10 uol.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.160.0.10 uol.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24620
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;uol.com.br.  IN  A

;; AUTHORITY SECTION:
uol.com.br.  86400  IN  NS  eliot.uol.com.br.
uol.com.br.  86400  IN  NS  borges.uol.com.br.
uol.com.br.  86400  IN  NS  charles.uol.com.br.
5lj9r0juabvl3fe63ct5htuvvo36m541.com.br.  900  IN  NSEC3  1 1 10 4CD2F2C437FF9B524572 5LJAMJNGRUHAV21OCLKU21CKT0AK0HU0 NS SOA RRSIG DNSKEY NSEC3PARAM
5lj9r0juabvl3fe63ct5htuvvo36m541.com.br.  900  IN  RRSIG  NSEC3 7 3 900 20150130100000 20150123100000 42678 com.br. wHByHzFhMzeHruEDApx30RYJZ+oFal2u+pBBNSF7LmsG4P4FsAXMIqrP 8mPkvCjODuN4bDhsifipGPRBX9wcxIxT1u+JsXsRRpkzSHWsaFr+R4Hd 2TZzPnlFvsg2A7eOZP2FmCODpbfR0tjPhORUrgPuAlHmIDLsb5o/FJZs tJg=
knvms0s1vbe556jfbf1vu3gbomgc7vtl.com.br.  900  IN  NSEC3  1 1 10 4CD2F2C437FF9B524572 KNVQAUF72RDCQP1NH79TPHN33SH39N06 NS DS RRSIG
knvms0s1vbe556jfbf1vu3gbomgc7vtl.com.br.  900  IN  RRSIG  NSEC3 7 3 900 20150130100000 20150123100000 42678 com.br. SIZ9NXptxLQsmZc0PjMVyTGVwFo3aU/J9cQ8p0chapikmrm++8B9P6Pt 8iYaQwHp1dvIaxH1wQrvvtX+Jmw1+t8V9K0fXSWgNriOBsyTndedjpbx jnXnS7k453JQlCnxR7s4sCfjOKqdsrVyUFJciOiEMeGDfjuf/WOxAkFC oKY=

;; ADDITIONAL SECTION:
eliot.uol.com.br.  86400  IN  A  200.221.11.98
borges.uol.com.br.  86400  IN  A  200.147.255.105
charles.uol.com.br.  86400  IN  A  200.147.38.8

;; Query time: 206 msec
;; SERVER: 200.160.0.10#53(200.160.0.10)
;; WHEN: Sun Jan 25 00:45:13 PST 2015
;; MSG SIZE  rcvd: 661
The system used by Brazil is mirrored by the European Union TLD .eu and the German TLD .de and possibly many others. What is more confusing is that the American TLD .us uses NSEC, which has no Opt-Out at all, so every delegation is in the chain and the entire .us DNS database is available to anyone with ldns-walk in a few days' time. USA is a strange place, and it seems that the company that chose NSEC for .us is Neustar, Inc. and the company that chose NSEC3 for .com is Verisign. That makes perfect sense in an America sort of way. Another strange example is .net, which is also operated by Verisign: .net seems to include unsigned delegations in its NSEC3 chain, unlike .com. My evidence for this is the same as above for .com.br, namely unsigned names turning up in the cracked list. There is however an easy counterexample in google.net, which is not in the chain.
This leaves us with an unsatisfactory answer to our question of how authoritative our list is. On the other hand, we did manage to uncover enough domains that if we need to test something on servers (say another WordPress vulnerability), we have a list of domain names to try it on (not actually exploit, but test the version number and such passively).
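To make the walk and the Opt-Out reading concrete, here is an added example (my code, not code from this page or from ldns-walk): a minimal NSEC walker in Python that follows the chain the way ldns-walk does, run against a stand-in server built from the nuvoli.com.br names listed above, plus a parser for the NSEC3 flags field that tells you whether a zone like com.br is signed with Opt-Out. The "server" is constructed inside the block from those names; nothing touches the network.

```python
"""Walking an NSEC chain the way ldns-walk does, against a constructed stand-in for
an authoritative server, and reading the Opt-Out flag out of NSEC3 RDATA."""
from functools import cmp_to_key

def _labels(name):
    """Lowercase labels of a presentation-format name, least significant label first."""
    return [lab.lower() for lab in name.rstrip(".").split(".") if lab]

def canonical_cmp(a, b):
    """RFC 4034 section 6.1 canonical ordering: compare label by label starting at the
    TLD, each label as an unsigned octet string (case-insensitive); a name that is a
    proper ancestor of the other sorts first.  Returns -1, 0 or 1."""
    la, lb = _labels(a)[::-1], _labels(b)[::-1]
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x.encode() < y.encode() else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))

def build_nsec_chain(names):
    """Sort zone names canonically and link each to its successor, the last one
    wrapping back to the apex, exactly as a signer lays out NSEC records."""
    ordered = sorted(names, key=cmp_to_key(canonical_cmp))
    return {owner: ordered[(i + 1) % len(ordered)] for i, owner in enumerate(ordered)}

def covering_nsec(chain, qname):
    """Stand-in for the authoritative server: return the (owner, next) NSEC that
    matches qname or covers it, which is what a NODATA or NXDOMAIN answer carries."""
    for owner, nxt in chain.items():
        if canonical_cmp(owner, qname) == 0:
            return owner, nxt
        wraps = canonical_cmp(nxt, owner) <= 0          # last record points at the apex
        if canonical_cmp(owner, qname) < 0 and (wraps or canonical_cmp(qname, nxt) < 0):
            return owner, nxt
    raise LookupError("no NSEC covers %r: zone is not NSEC-signed or the chain is broken" % qname)

def walk(query, apex, limit=100000):
    """Enumerate every owner name in a zone through its NSEC chain.  `query` maps a
    qname to the (owner, next) NSEC it matches or covers.  Each step asks for a child
    of the current name whose label is a single zero byte; that name sorts immediately
    after the current one, so the covering NSEC's next field is the next real name.
    The seen-set stops the endless loop a broken chain would otherwise cause."""
    found, seen, cur = [], set(), apex
    while len(found) < limit:
        owner, nxt = query("\x00." + cur)
        if owner in seen:
            break
        seen.add(owner)
        found.append(owner)
        if canonical_cmp(nxt, apex) == 0:
            break
        cur = nxt
    return found

def nsec3_params(rdata):
    """Fixed fields of NSEC3/NSEC3PARAM presentation RDATA.  Bit 0 of the flags field
    is Opt-Out (RFC 5155 section 3.1.2.1): unsigned delegations may be missing from
    the chain.  A salt of '-' means no salt."""
    alg, flags, iterations, salt = rdata.split()[:4]
    return {"algorithm": int(alg), "opt_out": bool(int(flags) & 1),
            "iterations": int(iterations), "salt": "" if salt == "-" else salt.lower()}

# Constructed zone: the names ldns-walk reported for nuvoli.com.br above.
NUVOLI_NAMES = ["nuvoli.com.br", "www.nuvoli.com.br", "agenda.nuvoli.com.br",
                "docs.nuvoli.com.br", "mail.nuvoli.com.br", "pop.nuvoli.com.br",
                "site.nuvoli.com.br", "videos.nuvoli.com.br"]
NUVOLI_CHAIN = build_nsec_chain(NUVOLI_NAMES)

def walk_nuvoli():
    """Walk the constructed nuvoli.com.br zone through the stand-in server."""
    return walk(lambda q: covering_nsec(NUVOLI_CHAIN, q), "nuvoli.com.br")

if __name__ == "__main__":
    for name in walk_nuvoli():
        print(name)
    # NSEC3 RDATA from the uol.com.br answer above (flags 1) and from bikeim.com (flags 0).
    print(nsec3_params("1 1 10 4CD2F2C437FF9B524572 5LJAMJNGRUHAV21OCLKU21CKT0AK0HU0 NS SOA RRSIG DNSKEY NSEC3PARAM"))
    print(nsec3_params("1 0 0 - javac662pltpq3a0rchu1gfk1tkshv7g A NS SOA RRSIG DNSKEY NSEC3PARAM"))
```

Against a real zone the `query` function would send the DNS packet and pull the NSEC out of the authority section; the walk logic and the canonical ordering stay the same. Note that the canonical order puts `ns.bikeim.com` before `a.ns.bikeim.com`, which is why the NSEC chain in the signed bikeim.com zone later on this page runs apex, a.ns, b.ns.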
Setting up a DNSSEC domain
If you want to set up DNSSEC on your domain to do testing or to add yourself to the great NSEC3 list, this should help. I have my own nameserver on altsci.com (using tinydns aka djbdns), which doesn't support the DNSSEC record types, so I can't put my DNSSEC records onto a server. I chose to create a DS for bikeim.com using ldns-keygen.
ldns-keygen -a RSASHA256 -b 4096 bikeim.com
After a while (5 minutes to hours depending on your RNG entropy), this gives you three files: Kbikeim.com.+008+54945.ds, Kbikeim.com.+008+54945.key, and Kbikeim.com.+008+54945.private. The ds file holds the DS record, which belongs in the parent zone (you hand it to your registrar); the key file is the public DNSKEY record, which goes into your own zone. Note that without -k, ldns-keygen makes a zone-signing key (flags 256, as the "(zsk)" comment shows); a DS normally points at a key-signing key (flags 257, made with -k), though for a single-key test zone like this one key does both jobs. In the key data we see 516 bytes: one byte of exponent length (03), the three-byte exponent 010001 (65537), and 512 bytes of N, the RFC 3110 layout. Using Python, we can check whether this value is easily factorable. It would be easier if we had p and q from the private file, but let's take a look from the perspective of the attacker.
bikeim.com. IN DS 54945 8 2 ccc45143a5ef6f37a92a7c3875403aeb32d9d9507fd642745970e2320725e5b4
bikeim.com. IN DNSKEY 256 3 8 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 ;{id = 54945 (zsk), size = 4096b}

python3
import sys
import binascii
import Crypto.Util.number
import gnfs1     # author's helper: factor(n, start) tries primes from start upward, per the comments below
import fermat1   # author's helper: Fermat's method
import gmpy2

a = binascii.a2b_base64('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')
print(len(a))    # 516: 1 byte exponent length, 3 byte exponent, 512 byte modulus
pubkey = a[4:]   # skip the 03 01 00 01 header; the rest is N
n = Crypto.Util.number.bytes_to_long(pubkey)
sqrt_n_o = gmpy2.iroot(n, 2)
if sqrt_n_o[1]:
    # This should never happen: n is a perfect square.
    print("sqrt(n) is an integer?", sqrt_n_o[0])
    sys.exit(1)
#end if
sqrt_n = int(sqrt_n_o[0])
# Test all prime numbers between 2 and 100M
print("GNFS says:")
print(gnfs1.factor(n))
# Test all prime numbers between sqrt(n) - 100M and sqrt(n)
print(gnfs1.factor(n, sqrt_n-100000000))
# Test all prime numbers between sqrt(n) and sqrt(n) + 100M
print(gnfs1.factor(n, sqrt_n))
# This value is approximately avg(sqrt(n) - p) + random.randint(0, 10**612)
avg_dp = 5122621145277382969688872128728426311319062916369918553744475614137822128239111751511353800314424459393476073980222150875349214710113862716194143053700184839673329656916889528635540134824278796927552362314001739150979238910191197111793930789004332947626374399240746727048988580610116795558298839179459332579243595730226757884170938325481810783810414537512228088268372374961399100459554498981122225289301577799243710164897122021636246364828374395456301972549651900145263264668266694965564885028867313397309361132566062306265233613744832958703039138364820470503224523842264939229233952565654153686812604490002207694
# Test all prime numbers between sqrt(n) - 100M - avg_dp and sqrt(n) - avg_dp
print(gnfs1.factor(n, sqrt_n-100000000-avg_dp))
# Test all prime numbers between sqrt(n) - avg_dp and sqrt(n) - avg_dp + 100M
print(gnfs1.factor(n, sqrt_n-avg_dp))
# Use Fermat's factorization method to attempt to factor n.
# This can take a long time, so stop it after a few hours.
print(fermat1.fermat2(n, False))
Since all of these fail, the remaining options are a real GNFS, which for a 4096-bit modulus is far beyond any published factoring record, or a batch GCD across a large number of collected public keys, which only catches keys that share a prime factor with another key in the set (the weak-RNG failure). The fastgcd software written by Nadia Heninger's group would be a good place to start. [8] To gather public keys like the one above, simply query DNSSEC servers: dig DNSKEY paypal.com
Until the code is written to test the keys and the protocols, we won't know whether DNSSEC actually provides any security to those who use it.
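Added example (my code, not from this page or from the dnssec-research tarball) for the key anatomy above: parse the RFC 3110 layout, compute the RFC 4034 key tag and the DS digest over a DNSKEY, and run the pairwise GCD check that fastgcd does at scale. The keys are constructed toy moduli built from small well-known primes, two of which deliberately share a factor; bikeim.com is used only as the owner name for the DS input.

```python
"""Pull a DNSKEY apart the way an attacker or auditor would: RFC 3110 key layout,
RFC 4034 key tag, DS digest, and a batch-GCD test for shared primes across keys."""
import base64
import hashlib
from math import gcd

def wire_name(name):
    """Canonical wire form of an owner name: lowercase, length-prefixed labels, root byte."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            out += bytes([len(label)]) + label.encode()
    return out + b"\x00"

def rsa_from_dnskey(pubkey_b64):
    """RFC 3110 RSA public key field: exponent length (1 byte, or 0 followed by 2 bytes
    for long exponents), the exponent, then the modulus.  The 03 01 00 01 header seen
    above is length 3 and e = 65537; everything after it is N.  Returns (e, n)."""
    raw = base64.b64decode(pubkey_b64)
    if raw[0] == 0:
        elen, pos = int.from_bytes(raw[1:3], "big"), 3
    else:
        elen, pos = raw[0], 1
    e = int.from_bytes(raw[pos:pos + elen], "big")
    n = int.from_bytes(raw[pos + elen:], "big")
    return e, n

def rsa_to_dnskey(e, n):
    """Inverse of rsa_from_dnskey, used here to build DNSKEY-shaped test keys."""
    eb = e.to_bytes((e.bit_length() + 7) // 8, "big")
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return base64.b64encode(bytes([len(eb)]) + eb + nb).decode()

def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA in wire form: flags (256 ZSK / 257 KSK), protocol 3, algorithm, key."""
    return flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + base64.b64decode(pubkey_b64)

def key_tag(rdata):
    """RFC 4034 Appendix B: 16-bit sum over the RDATA, even-offset bytes shifted left
    by 8, carry folded back once.  This is the 54945 in Kbikeim.com.+008+54945."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def ds_digest(owner, rdata, digest_type=2):
    """DS digest (RFC 4034 section 5.1.4, RFC 4509): hash(wire owner || DNSKEY RDATA).
    Type 1 is SHA-1, type 2 SHA-256 (the '54945 8 2 ...' DS above)."""
    h = hashlib.sha1 if digest_type == 1 else hashlib.sha256
    return h(wire_name(owner) + rdata).hexdigest()

def batch_gcd(moduli):
    """Find moduli that share a prime factor with another key in the set, which is what
    fastgcd does at scale with product trees; this is the plain O(n^2) version.
    Returns {index: shared factor}.  A key with a shared factor is fully broken."""
    shared = {}
    for i in range(len(moduli)):
        for j in range(i + 1, len(moduli)):
            g = gcd(moduli[i], moduli[j])
            if 1 < g < moduli[i]:             # identical keys are not "shared primes"
                shared[i] = g
                shared[j] = g
    return shared

# Constructed toy keys (small, well-known primes; illustration only).  Key 0 and
# key 2 share the prime P, as two keys made by a broken RNG might.
P, Q1, Q2, R, S = 999983, 1000003, 65521, 65537, 2147483647
TOY_MODULI = [P * Q1, Q2 * R, P * S]

if __name__ == "__main__":
    for i, n in enumerate(TOY_MODULI):
        rdata = dnskey_rdata(256, 3, 8, rsa_to_dnskey(65537, n))
        print("key", i, "tag", key_tag(rdata), "DS", ds_digest("bikeim.com", rdata))
    print("shared factors:", batch_gcd(TOY_MODULI))
```

With real keys you would feed `rsa_from_dnskey` the base64 field from `dig DNSKEY <zone>` and collect the moduli for `batch_gcd`; the DS computed by `ds_digest` over the KSK RDATA must equal the digest in the parent's DS record, which is a quick sanity check on any zone you are auditing.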
On the other hand, we do know how to sign the zone. Here is how to sign a simple zone. Note that this doesn't have MX records or AAAA records, but the process would be the same if it did.
# Get the A record and the NS record from its nameserver, in this case AltSci.com.
dig @216.218.134.11 bikeim.com >bikeim.com.zone
# Add the SOA record from a default server.
dig SOA bikeim.com >>bikeim.com.zone
# Actually sign the zone with your private key.
ldns-signzone bikeim.com.zone Kbikeim.com.+008+54945
# Verify the output.
cat bikeim.com.zone.signed
bikeim.com.  3600  IN  SOA  dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com.  3600  IN  RRSIG  SOA 8 2 3600 20150222173448 20150125173448 54945 bikeim.com. 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
bikeim.com.  86400  IN  A  216.218.134.11
bikeim.com.  86400  IN  RRSIG  A 8 2 86400 20150222173448 20150125173448 54945 bikeim.com. 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
bikeim.com.  259200  IN  NS  a.ns.bikeim.com.
bikeim.com.  259200  IN  NS  b.ns.bikeim.com.
bikeim.com.  259200  IN  RRSIG  NS 8 2 259200 20150222173448 20150125173448 54945 bikeim.com. 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
bikeim.com.  3600  IN  DNSKEY  256 3 8 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 ;{id = 54945 (zsk), size = 4096b}
bikeim.com.  3600  IN  RRSIG  DNSKEY 8 2 3600 20150222173448 20150125173448 54945 bikeim.com. 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
bikeim.com.  3601  IN  NSEC  a.ns.bikeim.com. A NS SOA RRSIG NSEC DNSKEY
bikeim.com.  3601  IN  RRSIG  NSEC 8 2 3601 20150222173448 20150125173448 54945 bikeim.com. 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
a.ns.bikeim.com.  259200  IN  A  216.218.134.11
a.ns.bikeim.com.  259200  IN  RRSIG  A 8 4 259200 20150222173448 20150125173448 54945 bikeim.com. 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
a.ns.bikeim.com.  3601  IN  NSEC  b.ns.bikeim.com. A RRSIG NSEC
a.ns.bikeim.com.  3601  IN  RRSIG  NSEC 8 4 3601 20150222173448 20150125173448 54945 bikeim.com. 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
b.ns.bikeim.com.  259200  IN  A  50.132.7.141
b.ns.bikeim.com.  259200  IN  RRSIG  A 8 4 259200 20150222173448 20150125173448 54945 bikeim.com. 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
b.ns.bikeim.com.  3601  IN  NSEC  bikeim.com. A RRSIG NSEC
b.ns.bikeim.com.  3601  IN  RRSIG  NSEC 8 4 3601 20150222173448 20150125173448 54945 bikeim.com. 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
Note how ldns-signzone creates NSEC records by default. NSEC3 needs extra flags (-n for NSEC3, -a for the hash algorithm, -t for the iteration count, -s for the hex salt), so let's do that. Since it's so easy to do, let's do one with a strong salt and 10 iterations and another with no salt and 0 iterations.
# Sign bikeim.com with a 9 byte salt and 10 iterations.
ldns-signzone -n -a 1 -t 10 -s b17e19c0ffee7eafff bikeim.com.zone Kbikeim.com.+008+54945
# Verify the output
cat bikeim.com.zone.signed
bikeim.com.  3600  IN  SOA  dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com.  3600  IN  RRSIG  SOA 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. 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
bikeim.com.  86400  IN  A  216.218.134.11
bikeim.com.  86400  IN  RRSIG  A 8 2 86400 20150222180705 20150125180705 54945 bikeim.com. M4h9KRE4VKagpCkdbBIai5fgeO1Z6rxpa1lBlVH0wzjAhRJ636cKz8ti2Qjm1WLgHutUwYKqHgt5TPJMtHnjU1m7IYn11nX8oA9/P17VcIeucBwlV2X8mLTpzKPz+CWFG7iByL9WgX/BbXLTDqbrdwbIob6tQncf8rpSBYxUymhQukL+Bh38/qQBKQKKocfYAI9ktQ5nYFF9M3b6wJ9obqlvMbddqWVIElTrGbWCQuyfRwQObmIpF21o/L5L3ak4JBOVUeUgGUzDeItfWm8mpg4nlxDmXhJpHTqYEmyX00EWaAQZiZeJRdHFDVFnBXxhyca/iWcp/QUoCKvhm4dWZIiLPPOap5Y0N5ls9JO6Cw3lNvHXtr2Gh9TIRZh2LdiTyn+ZXhdJA33OisgnrRVam6KSxbEcgyXQEu83dl3hmz/5Q3PwVXwagOs/RasK8BR1MS9zdo3CgcWldKQJjHZ6n7mcMGpkCoI8CNl1HE8CrMLkZzDXCo6ylMsINzBNCrsCfwCgOqD2w16ARhHRuBHJYRbdazA1v0i7i6LtA18X9fNsCmsgjua9teag2e28swNWMIj3bNVr33g8k8PbEzGiE/WkLARWxzokL1tsIUKfCe/Fvx5rVNJQrXLOQdh/9rd0qyMtADRqpEx1Fq6YDpw7DUwGcIUp1xAsyiCzGfkw9rg=
bikeim.com.  259200  IN  NS  a.ns.bikeim.com.
bikeim.com.  259200  IN  NS  b.ns.bikeim.com.
bikeim.com.  259200  IN  RRSIG  NS 8 2 259200 20150222180705 20150125180705 54945 bikeim.com. xrVSwvms2nGjuAWs3DrN7dLrn5o2JvYhRS2D3PkzaSA0Hap3+BdQMbfxUHqnQVYHm2XC1b2mgugHzMhU4UEtwPfnwF5YmnHda1crPo4or16HmiD4o4e31I7kPTPutFXdEGVCxRQkaEnECSgMhM3Qxhj54FqR5rLgQJQ8uGxJDuAyl43epmjxEoPXrosZ/bvJWdgyADJHBQRImYrGbnu+TzZpQrFMETAC1fSEECVFT9cEwPLL9gsgBE09b9fok5CpiPpsM7djDkxmm7k/sOydBrJ/ORMPsA+0EEfOYVAm4es3vCVWM1OUkVzSM5AdlsVcPUjR94Wt8J/ggdK+WK//HYU5k7HNpCvu2U3m/C1kGku0TLdCJkftvhHSsawTu33/plmPz6IJMIKLTNnxjuXUih7KLf+P0UMPgNL9ZOSLX29GF+CjE4JYQXNfhTUYqdBTDNFpcuyiNcUA6gy2PMWBToIRvD8h82v0gjuJ8lhsjncbj6twmkIhAPkjqjm/ygDNf5SxUln5eU9BjnobkmYL1sU/+MPddpattRoK3c4MVpqmWSwRqYyWC5aKKOubpbZdLFd1LrO6fECLhkX52S/plwhH/ZI4aUpLwX4FEtA/g0lN5HxafLwrfdCqlQpSiLap1eJbU2NpX7enTfkyt3pft0kxzXUekLUDNoV8YagL8Ck=
bikeim.com.  3600  IN  DNSKEY  256 3 8 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 ;{id = 54945 (zsk), size = 4096b}
bikeim.com.  3600  IN  RRSIG  DNSKEY 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. 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
bikeim.com.  3600  IN  NSEC3PARAM  1 0 10 b17e19c0ffee7eafff
bikeim.com.  3600  IN  RRSIG  NSEC3PARAM 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. 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
25m7umcbbcep021gup624cp6khao90qi.bikeim.com.  3601  IN  NSEC3  1 0 10 b17e19c0ffee7eafff 495hmaukgs0mcuu66e68iib1alrpdfr8 A NS SOA RRSIG DNSKEY NSEC3PARAM
25m7umcbbcep021gup624cp6khao90qi.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. 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
c1s5nhr1.bikeim.com.  86400  IN  CNAME  bikeim.com.
c1s5nhr1.bikeim.com.  86400  IN  RRSIG  CNAME 8 3 86400 20150222180705 20150125180705 54945 bikeim.com. 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
javaf499auko4mrgvkhhj16u8htrqujp.bikeim.com.  3601  IN  NSEC3  1 0 10 b17e19c0ffee7eafff km6plui7sdj3rliepi2ppahubmm4b3ue CNAME RRSIG
javaf499auko4mrgvkhhj16u8htrqujp.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. LgiQe+B50Fn8W+JDsGzCddQjG8+kzddzrMRcURqgvHvo/e+W6JA785iu+eh87M3KI9+h08VHTbd7RtJqpq5hozEZmP5rNdyZKRN1+P9OmGH+k0wsPHGQ7GsNZifF9phrfKRLXo0gqKnAmV/HWtXUob567YmEE4z2WgU8xsQlQKZfHvptp+y0G0sqxXh3CBHevlzhS5ZFb/6zfgMgsPt+TFemCHsjFBCc9KP6VkXSvQbwRPgjZKcs8NSIStgh7+DiK2SpjvXMS367xDTXlzspx1VcZriaoLK9Tpj4+jHX2gBSN9q3GqVUOa6D4lRgOzBvuBmBAEFT2xbIY8ShSDz6pkSGjGliIUuR6PyBzhKAyF5UTfPo1hCwZwlGZ/NuRwz0NObnn5h9MS8HD+408qI2hM/2p/Cu3U6i9n/oJ/cJQOIhATPtr1SneBiMXWmI2cHv75eSgcUfV8wmKC2XL8zE0DFy3uwHe1dhpuUjwQaZ7Be9hgP+IQXVUjM3nnWJ70OzgmD4EsZYcuEPHrpLYNnfyNUvwbEWj8XMLUPMXZgCNDT8OqfdhQfIuSn6YMtzhW94kaIri/pRGq3RgoOUsMXKa5F/Ox9OlortxXSBCUt0Ql2g5YDZ484Fm0zgjrEeQcagUGF6g7bWRYCEkvibqL74C8nWp4aMad+2WcNU+fNXCFA=
495hmaukgs0mcuu66e68iib1alrpdfr8.bikeim.com.  3601  IN  NSEC3  1 0 10 b17e19c0ffee7eafff c83dc2ceikqjrj8m2sr5tc4dk97um11s
495hmaukgs0mcuu66e68iib1alrpdfr8.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. 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
a.ns.bikeim.com.  259200  IN  A  216.218.134.11
a.ns.bikeim.com.  259200  IN  RRSIG  A 8 4 259200 20150222180705 20150125180705 54945 bikeim.com. 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
km6plui7sdj3rliepi2ppahubmm4b3ue.bikeim.com.  3601  IN  NSEC3  1 0 10 b17e19c0ffee7eafff 25m7umcbbcep021gup624cp6khao90qi A RRSIG
km6plui7sdj3rliepi2ppahubmm4b3ue.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. dHkHtrxu987Fnio9oSsp35FOjS0Kc0LyKV0ohZ2dOO1zTJeBcnikhSzyXlX4qoh4ocRn8FkLKKfcIjYhKKb7UK58jcryOpE12sUZu/Qj9Ev3M3Spat5SyMop7T8okuliYZLWZFtlc3LqKUB8I1RSmifU2WzFIl+gqjzWnDSzwg3j9RKFyTqpjPF2nsGkUgQLj2oFh+X9uQwBiJ6Atz3g89+h/39Qi1mmmhPDdU5c4dwPjWggG37F9oZUVuQZhiDr3iYQZliKlAepBDZDL7JG2fre2a6agfU2edt3lvTZXOBz+Qzk7YM3LnT4o0fmCYWfTOI5JsGln+v96drYkwUgSXRlecnP78iDt26TbuUSYTzXecJg5vJ8XVbPpyW1rWxBJTC8yg9mAKYhltxEHoKwBCKMg0R/CT76xe7DKLkmAjITgzNM+vKps8vfEjOoYNq647k58l5p2fJdi4wGWXWRqhCv98mkLvHBUBaDAmdjrEP7Nk2QRCKN0SZzVXCKEQOjIGFu4wQ8C1bgiUltfytketUrA1kA0HV7/1PcKzhABT4BiHf0RRBa2h+8hhTiX7EtTPVrILVFIDPHZQepxYzlBQv1CQQ1x0ydoCbgyLboEfw0qGjLD4hSGVJtww8voClMhJNVgacHtYtuxgHpmVp7G0T/E9OGfKCXUBAo/2fx8p8=
b.ns.bikeim.com.  259200  IN  A  50.132.7.141
b.ns.bikeim.com.  259200  IN  RRSIG  A 8 4 259200 20150222180705 20150125180705 54945 bikeim.com. 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
c83dc2ceikqjrj8m2sr5tc4dk97um11s.bikeim.com.  3601  IN  NSEC3  1 0 10 b17e19c0ffee7eafff j9uhf4t9u2ph12q9a3kfrjn6inflamd5 A RRSIG
c83dc2ceikqjrj8m2sr5tc4dk97um11s.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. 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
xnko6q0l.bikeim.com.  86400  IN  CNAME  bikeim.com.
xnko6q0l.bikeim.com.  86400  IN  RRSIG  CNAME 8 3 86400 20150222180705 20150125180705 54945 bikeim.com. ExHcrruxDZRYr/It6czWivk8xl9d/Je02rPWeJTCLQwToidTixMA+q6u9NsKW7Tj8xp0Q1mRXdXxzQtxX9/zha/sYhLmwwMfhm8HgIBtb949oF0jZdGjjWMgFEc/2YrvoUUGb+DGm2//26iycuyJEzIgHUacLAB1xHEnkrrAFt2HewtlG3n/N8ly+1Dc+fpuuprAJddVpyNO+YWB9sLfvZUdLIVN2fZRNYmsLwdsIrpqPZD3Ir9BFns3TlULu1Xdk7gdHq7/Q0kMPADwy8pNHxAOdRTLbC2bKw/86+DsKwGNbfIEqvuof3u743niQDiXpcsshC8F5ZRJwD/cAtEArBeNFyQTghH4LLcWhz0fmNtkci9qDAM3Ljbmz2k0o/PIplVYlesv12OTsX4mGVkemN4ssUvAWQ00dwqBWX8yfo0J0ZgNw2dJjF4rqJk97JlBXtrCM2EdOM3g2X4P6/4bJa2X+8I3oJeeLHV42Am+KsNZbcifQI6jap2rrKmPYpjeO0jRIwV5VzmwFMEvICCYkvUhvXMaipZiX/AAl2E4pH8TxE/c6zZK/28hPChHdu3aphe4seGPAE3jPtsWgNIwqT39pTUZcssUoT0+xMNazIfLvry0bo0VrGHbQSX1Mir2mcLige5jovvc6j45I/UgchOUHHt3xUglfhF9Z+EqMQE=
j9uhf4t9u2ph12q9a3kfrjn6inflamd5.bikeim.com.  3601  IN  NSEC3  1 0 10 b17e19c0ffee7eafff javaf499auko4mrgvkhhj16u8htrqujp CNAME RRSIG
j9uhf4t9u2ph12q9a3kfrjn6inflamd5.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. gFS71eAno5QCNmLCPftHD870SetbNHg+0QogGMFdanrD4xhSwV7X7ZM5Gp4Fz2lj+PYiIodpttmeITRG0uzv+MY2z3i42cMnaMmi88QyDQUsrTkafkmdlermDhBrg9XwOMobWfzGEbKZLR+F0htGEWKEEUXPKiuZSsadNrceENAHW+To1GZ0lAdarH7P6GPSqz0OiGKuikLoWBsEohZO1hokVM9hvc++uG3wAlDt9Fp9rNHo2Dh4r2Thp2U1llqfcFXEK0h66qfp38sAXVsKB/qwsOTUvoK8gY6bw2k+31cAZiWHWyZNlrq8kEsvE2tmY3c4d0YOmrB1aG6HWw3Mz1dGQr1NACydOQJrZGRT/7sWUiMsWOsoGtizxMMwNpjlbI7nUABgvWwrgzAOTIiaRlSUZbAWnCYZpAwNsyc+B5TPPZZQvozD+UZnwzhE0/2DMvSbjr0aTPaAMSzoUN/MoH2UoFxfkPvbvwv5n7XY3YBRiaL0w6lvDpmmRi8dpb0X7deEeS28EHhLvl0VuhfTk8ngrjp9PqRjjMj+CJ3YWiZCHXyHXspG0d5Hddo+caObbgiqIuveCaSeqGz4RdatLQVbW/DyyuYfJvflVPa+UylLflMWCOHsZwYNbso2Pz1qKH5VoQlNnR9MtZdbdfxm1vs/bof+OVVMcgiiE63MNjc=

# Sign bikeim.com with no salt and no iterations.
ldns-signzone -n -a 1 -t 0 -s '' bikeim.com.zone Kbikeim.com.+008+54945
# Verify the output
cat bikeim.com.zone.signed
bikeim.com.  3600  IN  SOA  dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com.  3600  IN  RRSIG  SOA 8 2 3600 20150222180854 20150125180854 54945 bikeim.com. 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
bikeim.com.  86400  IN  A  216.218.134.11
bikeim.com.  86400  IN  RRSIG  A 8 2 86400 20150222180854 20150125180854 54945 bikeim.com. 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
bikeim.com.  259200  IN  NS  a.ns.bikeim.com.
bikeim.com.  259200  IN  NS  b.ns.bikeim.com.
bikeim.com.  259200  IN  RRSIG  NS 8 2 259200 20150222180854 20150125180854 54945 bikeim.com. 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
bikeim.com.  3600  IN  DNSKEY  256 3 8 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 ;{id = 54945 (zsk), size = 4096b}
bikeim.com.  3600  IN  RRSIG  DNSKEY 8 2 3600 20150222180854 20150125180854 54945 bikeim.com. 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
bikeim.com.  3600  IN  NSEC3PARAM  1 0 0 -
bikeim.com.  3600  IN  RRSIG  NSEC3PARAM 8 2 3600 20150222180854 20150125180854 54945 bikeim.com. 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
dljtttutt6c755amh5fajnufb9l4gtmn.bikeim.com.  3601  IN  NSEC3  1 0 0 - javac662pltpq3a0rchu1gfk1tkshv7g A NS SOA RRSIG DNSKEY NSEC3PARAM
dljtttutt6c755amh5fajnufb9l4gtmn.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. 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
c1s5nhr1.bikeim.com.  86400  IN  CNAME  bikeim.com.
c1s5nhr1.bikeim.com.  86400  IN  RRSIG  CNAME 8 3 86400 20150222180854 20150125180854 54945 bikeim.com. 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
7fv7r7h5pft3vmc25vrj67ujhu9mo0kb.bikeim.com.  3601  IN  NSEC3  1 0 0 - cbnoih4n9np5sdtstdksr5kkihr5cngj CNAME RRSIG
7fv7r7h5pft3vmc25vrj67ujhu9mo0kb.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. 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
ou6p4t72g0nh79k09vj48a3pfrqt549s.bikeim.com.  3601  IN  NSEC3  1 0 0 - 78b7lhj4niip8shv86vjca8qacb1c89t
ou6p4t72g0nh79k09vj48a3pfrqt549s.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. 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
a.ns.bikeim.com.  259200  IN  A  216.218.134.11
a.ns.bikeim.com.  259200  IN  RRSIG  A 8 4 259200 20150222180854 20150125180854 54945 bikeim.com. 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
78b7lhj4niip8shv86vjca8qacb1c89t.bikeim.com.  3601  IN  NSEC3  1 0 0 - 7fv7r7h5pft3vmc25vrj67ujhu9mo0kb A RRSIG
78b7lhj4niip8shv86vjca8qacb1c89t.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. 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
b.ns.bikeim.com.  259200  IN  A  50.132.7.141
b.ns.bikeim.com.  259200  IN  RRSIG  A 8 4 259200 20150222180854 20150125180854 54945 bikeim.com. 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
cbnoih4n9np5sdtstdksr5kkihr5cngj.bikeim.com.  3601  IN  NSEC3  1 0 0 - dljtttutt6c755amh5fajnufb9l4gtmn A RRSIG
cbnoih4n9np5sdtstdksr5kkihr5cngj.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. 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
xnko6q0l.bikeim.com.  86400  IN  CNAME  bikeim.com.
xnko6q0l.bikeim.com.  86400  IN  RRSIG  CNAME 8 3 86400 20150222180854 20150125180854 54945 bikeim.com. 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
javac662pltpq3a0rchu1gfk1tkshv7g.bikeim.com.  3601  IN  NSEC3  1 0 0 - ou6p4t72g0nh79k09vj48a3pfrqt549s CNAME RRSIG
javac662pltpq3a0rchu1gfk1tkshv7g.bikeim.com.  3601  IN  RRSIG  NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. Rp68xLMZuhkO6nNaYv+7zCq5tiu2oLEftKGnSJuEYK7ddtRT+nmeBRXYrFjIvfykcWy2p/z4bRHp3Gg6Utgfk0B6ah5Nlu/dVLvHi1eNWDhuWOKElCaJ3tURFKFLPXGjgrNT917YKQUbPdd1AjSuSIejVk5qm5lFjhTnH6DKn9q9yCnBLl+Dv1DvJjcMNTOQUhtRQ9pYtzCduA//8Z0FoOA7cB0O3yizpNSjU8iI7MRL49ZjbkJwtPBojYCdZbokh0RNRvVzv+y7BkAotuCq7vt73rtiyBarsMuE/8KqL54MUbzk5JdQ/xoPpvv5llcHoA3F8wt4RpPVrbxE0aP8CSWN+O87xpnh4ePzI1K5y9qLMu/URtcSoG0TTdGTxjRWm/DiuOt+RiBHR2qNd+vw2TdNy0wPxC/HoI2Ffib6+tk6ADNMZASJbkfIIdb7JuiXkfmXTGXj/IMPj5jGX5PzM1rNzexx9LabjjVCdw1huUoCrCp5VrVOrKqIIw3BHr0ia6qlWGLJ8V8pJKNHGBbgZfckg1xKELmzVccfrGyga3O/9xdrzlp60wLb5slXRWBdb2+tMbcnomUmbwr4Hvvgg2jepUNbtH9GPlC8Qafj7kMH0NtvhHggg5gSJAey2pxWQlWzMJ6M9lIqJ/A1GaYh3AU9od/C28zlCAa97vv/QnU=
Now we're ready to deploy this data onto our DNS server. The only modifications the server needs are parsers for the RRSIG, DS, DNSKEY, NSEC, NSEC3 and NSEC3PARAM records and the logic to include them in answers to queries with the DO bit set. No signing happens on the server, so the private key never goes near it. Nice, huh? One caveat: to answer for a name that doesn't exist, an NSEC3 server must hash the query name, the closest encloser and the next closer name with the zone's salt and iterations at query time in order to pick the right covering records, so an NSEC3 server does run SHA-1 per negative answer; only an NSEC server needs no cryptography at all. The only drawback is that if anyone queries my server, it will divulge all subdomains. To make this fun, I have added two subdomains to my zone which CNAME to bikeim.com. As you can see, the subdomain labels are seemingly random. However, when hashed, the NSEC3 owner name starts with java. For one, the NSEC3 record with the long salt and 10 iterations hashes to javaf499auko4mrgvkhhj16u8htrqujp. For the other, the NSEC3 record with no salt and 0 iterations hashes to javac662pltpq3a0rchu1gfk1tkshv7g. This isn't by coincidence. I used the following script to generate each:
./randomhashes bikeim.com 10 'b17e19c0ffee7eafff' |grep -e '^[^ ]*bike' -e altsci -e java
./randomhashes bikeim.com 0 '' |grep -e '^[^ ]*bike' -e altsci -e java
The program randomhashes comes with nsec3walker-20101223. It is what unhash uses to crack NSEC3 records. If you query bikeim.com at this time you won't see the DS, NSEC3, or RRSIG records, because my nameserver doesn't support DNSSEC and the only other free nameserver I have access to doesn't either. Should I spin up a VM to run ISC BIND or NSD? (Unbound is a validating resolver, not an authoritative server, so it would not serve this zone.) I won't at this point, but perhaps in the future to demonstrate the process of making a server unintentionally support a form of AXFR through NSEC3 or NSEC. For now, we have hundreds of thousands of other people's servers to test on.
Cracking Hashes
Hashes were originally cracked using nsec3walker's unhash script, but after a while I decided that it was too inefficient. I wrote a plugin for John the Ripper and later optimized it for SSE2 (starting from the MySQL plugin and the Salted SHA1 plugin in John the Ripper) so that an efficient effort could be made to crack as many hashes as possible. Since brute force is much less effective than passphrase cracking on domain names, I wrote a set of passphrase cracking programs (originally in Python, then ported to C) to make this possible. Using passphrase cracking, I was able to crack 964903 hashes of 8 or more characters, which would otherwise only have been possible with wordlists. This is a majority of the hashes cracked, and evidence that passphrase cracking should be improved for better NSEC3 hash cracking. Brute force cracking is simply less efficient than passphrase cracking in this case.
One very interesting method found during this project was markov chaining of two popular words together. Unlike John the Ripper's Markov mode, this only chooses words or parts of words which means that cracking speed and efficiency is greatly improved. If you wish to look at the code for this, it is in crack_popular2.sh and crack_*_popular.sh in the script directory. To test crack_popular2.sh, I ran it on .uk. crack_popular2.sh cracked 24481 hashes in 7 minutes. In comparison to the most efficient methods I have, 68667 hashes were cracked in the previous 90 minutes using wordlists, passphrase, and brute force of alpha-numeric up to 6 characters. To save you the math, that's a factor of 4.6 faster on hashes that were not cracked by the previous methods. Of course this is not a fair assessment because brute force up to 6 characters is very inefficient.
An interesting note about cracking: the TLDs asia, bz, in, info, me, org, and sc all use the same salt, d399eaab. One might think that a rainbow table could be created, but each NSEC3 record hashes the TLD along with the rest of the domain, so a rainbow table built for .asia could not be used for .bz. There's no good reason to attempt to create a rainbow table across domains, so the TLD acts like its own salt. Therefore there's no harm in sharing the salt between different domains. Keeping the same salt for a single domain, however, allows an attacker to create a rainbow table for that entire domain. For example, a rainbow table could be made for .com covering all combinations of alphanumerics and dash up to 8 characters with a 99.9% success rate, and it could be stored in only 21 GB. When a new hash is found, the average time to crack it would be minutes rather than the hours or days of a brute force attempt. This is especially effective against high-iteration hashes like la, by, dk, and cat. Rainbow tables are vulnerable to a rehash of the domain: if a domain decided to change its salt and rehash all its names, the rainbow tables would become worthless. Thus a managed risk must be taken when creating rainbow tables for NSEC3 records.
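The hash that randomhashes searched for above is the RFC 5155 NSEC3 hash (iterated SHA-1 over the canonical wire-format name plus salt, encoded in base32hex). The following is an added example, not code from this page or from nsec3walker, that reimplements that hash in Python, repeats the prefix search behind the java... hashes, checks that the TLD is part of what gets hashed (so the shared d399eaab salt does not make tables portable between TLDs), and shows the two-word combination idea behind crack_popular2.sh. The zone example., the salt aabbccdd, the word list and the targets are constructed for the demonstration.

```python
import base64
import hashlib
import itertools

# base32 (RFC 4648) alphabet -> base32hex alphabet, as NSEC3 owner names use it
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789abcdefghijklmnopqrstuv")

def wire_name(name: str) -> bytes:
    """Canonical wire format (RFC 4034 s6.2): lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 s5: IH(0) = SHA1(name || salt); IH(k) = SHA1(IH(k-1) || salt)."""
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    # 20-byte digest -> exactly 32 base32hex characters, no padding
    return base64.b32encode(digest).decode().translate(_B32_TO_B32HEX)

def find_label_with_prefix(zone, prefix, salt_hex, iterations, max_tries=200000):
    """Try labels n0, n1, ... until <label>.<zone> hashes to something starting
    with prefix (the same trick as the randomhashes | grep java pipeline)."""
    for i in range(max_tries):
        label = f"n{i}"
        if nsec3_hash(f"{label}.{zone}", salt_hex, iterations).startswith(prefix):
            return label
    return None

def crack_two_words(targets, words, zone, salt_hex, iterations):
    """Two-word chaining: every ordered pair of popular words forms one label.
    Returns {hash: recovered name} for the hashes in targets that it hits."""
    found = {}
    for a, b in itertools.product(words, repeat=2):
        name = f"{a}{b}.{zone}"
        h = nsec3_hash(name, salt_hex, iterations)
        if h in targets:
            found[h] = name
    return found

if __name__ == "__main__":
    salt, iters = "b17e19c0ffee7eafff", 10
    lbl = find_label_with_prefix("bikeim.com", "ja", salt, iters)
    print(lbl, nsec3_hash(f"{lbl}.bikeim.com", salt, iters))
    # constructed targets: hashes of two names built from a small "popular words" list
    words = ["bike", "shop", "web", "mail"]
    targets = {nsec3_hash(n, "aabbccdd", 12) for n in ("bikeshop.example.", "webmail.example.")}
    print(crack_two_words(targets, words, "example.", "aabbccdd", 12))
```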
Conclusion
I missed the DNSSEC vulnerability craze back in 2009 despite it being right up my alley (UDP, protocol design flaws, amplification attacks, and cryptography). It turns out that 5 years later, the vulnerabilities have become even more ripe for attack. The reason? Bad design doesn't go away when you shine a light on it. Bad design goes away when it makes users' lives more miserable than they are willing to tolerate. I think you know what to do. Now that I've released the patch and given you a link to ldns, you can learn about DNSSEC yourself. I have also released the output of the domain names found so far so that you don't need to reproduce my work. There is plenty more work to do in enumerating domain names. The results of this crack make an excellent wordlist to test against hashes that you currently have and hashes that you obtain. It is time to make DNSSEC users' lives a little less private than they currently are.
Interesting results include comcast.net (they use NSEC for their enormous network), Brazilian domains (see above), Czech domains, .nu domains, universities with thousands of records (stanford.edu, berkeley.edu, mst.edu, psc.edu, nau.edu), cmp.com (a public company with 1200 gateways that trades shares at 448.20 GBp), and of course hpc.mil.
As passphrase crackers improve in efficiency, more and more domain hashes can be cracked. Improvements to nsec3walker's collection algorithm may be possible to ensure that collection doesn't require more CPU power as the number of domains owned by a TLD grows into the millions and possibly billions. It should be noted that energy costs money and that running an 8-core computer at 100 watts is costly. Therefore the collection and cracking of domains is not completely free to the attacker. Luckily all the research here was done on a computer that served the dual purpose of a heater (during Seattle's winter), and the electricity cost nothing considering the heat it generated would otherwise have needed to be generated by a furnace.
If the work had been done in the summer, the work done on my desktop would have cost approximately $26 and the work done on my laptop approximately $2 (running markov 250 on all hashes). While this is trivial for anyone who spends that much on an RTL-SDR, it is unwise to waste electricity that could be saved and spent in the future.
It has not escaped me that the wordlists found by cracking NSEC3 hashes and walking NSEC records will be worthwhile to future hacking efforts. I have made these wordlists available in the tarball as well as separately here: NSEC3 and NSEC wordlist. The wordlist is a concatenation of words found using NSEC3 and NSEC walking and cracking, containing over 3 million words. If you are able to crack more hashes or walk more NSEC records, please send a link to the results so that the wordlist can be updated. Note that some words in the wordlist are widely considered profane and unfit for human consumption. These were not added by a human on this side but were found in the process of NSEC walking and cracking.
Future work will include:
- Rainbow tables, so that precomputation and cheap storage can benefit crackers when new systems come online
- OpenCL SHA1 cracking in John the Ripper, so that we don't have to use the closed source oclHashCat
- Improved user interface, so that we can include users who just want to make DNSSEC a bit less private
- Fixing bugs in ldns-walk so that it can finish .co and .bg
- Fixing collect so that it works on massive domains, including parallel cracking and possibly optimized cracking
- Fixing bugs in collect so that some domains don't cause it to never exit looking for a hash that cannot be found
- Improved markov chains: crack_popular2.sh and crack_*_popular.sh in the scripts directory are the start of a markov chain cracking library but could be improved significantly by using better mathematical models for which words will result in the most possible cracked hashes first.
If you wish to submit results or patches to this project, send an encrypted e-mail to Javantea.
Works Cited
[1] Bernstein, Daniel J. DNS Database Espionage. http://dnscurve.org/espionage2.html
[2] Back, Adam. Hashcash. http://www.hashcash.org/
[3] IANA. DNSSEC Information. https://www.iana.org/dnssec
[4] Internic. Root Zone Directory List. http://www.internic.net/domain/
[5] Carter, Mike. "FBI created fake Seattle Times Web page to nab bomb-threat suspect". http://seattletimes.com/html/localnews/2024888170_fbinewspaper1xml.html
[6] Dark Mail Technical Alliance. Dark Mail Internet Environment Architecture and Specifications. https://darkmail.info/downloads/dark-internet-mail-environment-december-2014.pdf
[7] Louis, Jack. Namedrop. https://github.com/Neg9/namedrop
[8] Heninger, Nadia, et al. FastGCD. https://factorable.net/
[9] Kaminsky, Dan. Phreebird. http://dankaminsky.com/phreebird/
I just moved one of my old projects, nsec3map, to GitHub when I discovered your article and realized that we did very similar research. Some years ago, we enumerated the .ch zone and got about 1.3 million records, out of which we cracked about 1.1 million using just COTS CPUs at the time (we used wordlists generated from Wikipedia articles, among others). I recommend you check out our tool at github.com/anonion0/nsec3map.
It can also walk through NSEC zones (using A or NSEC queries, trying to avoid nasty loops) and can guess the total size of a large NSEC3 chain based on just a few hundred records. It is somewhat parallelized, although I don't know how its performance compares to nsec3walker.
Cheers
Howdy, this is kind of off topic but I was wanting to know if blogs use WYSIWYG editors or
if you have to manually code with HTML. I'm starting a blog soon but have no coding knowledge so
I wanted to get advice from someone with experience.
Any help would be enormously appreciated!
Dear mountain homes in Dunlap Tennessee for sale,
WYSIWYG editors are fairly common among the most widely used blogs. Like this comment section, the more custom blogs won't have WYSIWYG editors. Remember that most of the work is writing. If you can write without a lot of spelling mistakes (use the browser's built-in spellchecker), you're in decent shape. Posting an off-topic comment to my blog is almost as difficult as writing your own blog. Then you'd just need to improve your skill a tiny bit and then you too can have the privilege of moderating spam and unwanted comments.
If you don't have a blog, why did you put a link to one in the optional website input box for the comment form?
Regards,
Javantea
Does your blog have a contact page? I'm having trouble
locating it but I'd like to send you an email. I've got some suggestions for your blog you might be interested in hearing.
Either way, great blog and I look forward to seeing it expand over time.
Dear Bursting Strength Testing Machine,
Yes it does, https://www.altsci.com/gpg.html
Regards,
Javantea
Hi! Would you mind if I share your blog with my myspace group?
There's a lot of people that I think would really enjoy your content.
Please let me know. Thank you
Dear Joel,
Tell anyone you like about my blog. It's Creative Commons Attribution, so feel free to copy it and make my copyright visible. Please share it with your friendster and hi5 groups as well.
Regards,
Javantea
I'm extremely inspired along with your writing talents and
also with the layout on your weblog. Is this a
paid subject or did you customize it your self? Anyway stay
up the excellent high quality writing, it's uncommon to peer a nice blog like this one today..
I really love your website.. Excellent colors &
theme. Did you create this site yourself?
Please reply back as I'm hoping to create my own personal website
and want to learn where you got this from or exactly what
the theme is called. Many thanks!
Dear Help Writing assignments,
Thank you for the compliment. I only picked the theme among a plethora of good choices. The theme's name is simple organization website template and the theme's author is Arcsin. You can click the link at the bottom of the website where it says "Website template by Arcsin".
Regards,
Javantea
Dear click here,
I aim to please. I wrote this blog myself and did the research with only those projects I cite to guide my efforts. I will endeavor to keep the quality of my published papers increasing as time moves forward.
Regards,
Javantea
Hey! I know this is kinda off topic however, I figured
I'd ask. Would you be interested in exchanging links or maybe guest writing a blog post or
vice-versa? My site goes over a lot of the same subjects as yours and I think we could greatly benefit from each other.
If you are interested feel free to shoot me an email. I look forward to hearing from you!
Fantastic blog by the way!
Dear captcha solver service,
No. Trading links worked when you could trust people to actually put links somewhere on their website. That isn't true of people who post off-topic on a person's blog.
Regards,
Javantea
My spouse and I absolutely love your blog and find most
of your posts to be what precisely I'm looking for.
Would you offer guest writers to write content for you?
I wouldn't mind composing a post or elaborating on many of the
subjects you write with regards to here. Again, awesome blog!
Dear dating back en espanol,
I would be absolutely thrilled to post your writing on my website so long as it was up to my standards and original -- I don't repost stuff that can be found elsewhere. Send it to me, you know how to contact me.
Regards,
Javantea
What's up, are you using Wordpress for your blog platform? I'm new to the blog world but I'm trying to get started and create my
own. Do you require any html coding knowledge to make your own blog?
Any help would be greatly appreciated!
Too much spam. I am considering writing an off-topic classifier for this problem.
Stop spamming or I will open source a spam filter that ends you.
Greetings! I know this is somewhat off topic but I was wondering which blog
platform are you using for this site? I'm getting tired of Wordpress because I've had problems with hackers and I'm looking at alternatives for another platform.
It would be great if you could point me in the direction of a good platform.
Hello! Do you know if they make any plugins to safeguard
against hackers? I'm kinda paranoid about losing
everything I've worked hard on. Any suggestions?
I really love your website. Very nice colors & theme. Did you make this amazing site yourself?
Please reply back as I'm attempting to create my very own site and would love to learn where you got this
from or what the theme is called. Thank you!
Dear Patricia,
I made this site myself. I used a premade theme by Arcsin. Link is in the footer.
Regards,
Javantea
Dear Delhi call girls,
No plugin will keep you safe from hackers. Stop posting off topic messages to hackers' blogs if you don't want to catch their ire.
Regards,
Javantea
Dear read,
I wrote this website myself with Django. It was pretty easy for an expert in Python. It's not for everyone, but it's secure as all hell. Also, stop asking for advice and start learning Python.
Regards,
Javantea
Heya! I just wanted to ask if you ever have any problems with hackers?
My last blog (wordpress) was hacked and I ended up losing months of
hard work due to no back up. Do you have any solutions
to protect against hackers?
Dear ANDROID APK CITY,
Sorry to hear your blog got hacked. Here isn't the place to ask for help. Dealing with hackers is a time intensive process. That's why people are woefully unprepared. If you want a secure blog, learn to program, spend years figuring out how to find and remove bugs, never grow a technical debt you can't pay, stay ever vigilant against attacks, spend $200 per month on a server, and never assume that you've done enough.
In other words, no.
Regards,
Javantea
Good day! Do you use Twitter? I'd like to follow you if that would be okay.
I'm undoubtedly enjoying your blog and look forward to new
updates.
Dear avon company,
I am on Twitter as Javantea.
Regards,
Javantea