Enumerating DNSSEC NSEC and NSEC3 Records

Introduction

By the way we're not any geeks, we hack into NASA

-- Dual Core "All The Things"

[sig] Git repository for passphrase (279MB): git clone https://www.altsci.com/repo/passphrase.git

DNSSEC has an interesting design flaw: it was designed around precomputation of all data. The keys are held offline so they cannot be seized in a compromise of the server. This presents a problem because the non-existence of a domain cannot be easily precomputed. Does abcdefg1234567.yourdomain.com exist? No, it doesn't. If the response were simply a signed "No", an attacker could replay that response for a domain that did exist. If the response were not signed, an attacker could generate their own "No" responses. If the server didn't respond at all, the resolver would have to wait until a timeout occurred, which could take a minute depending on the implementation. To solve this problem, NXT records were created, and after that NSEC records. Almost no servers use NXT, but it is easy enough to parse those. An NSEC record lists the two nearest matches in the database to the requested record, which proves that nothing exists between them. Hackers found that this results in name enumeration and wrote tools to exploit it. Dan J. Bernstein describes this attack on his page "DNS database espionage" [1]. In response, Dan Kaminsky's DNSSEC proxy Phreebird dynamically generates NSEC3 responses that do not divulge any information. This research shows that no TLDs currently use Phreebird.

What can you get out of NSEC and NSEC3 records? Every subdomain of nasa.gov? See below. Every subdomain of .br? Every subdomain of hpc.mil? Every subdomain of paypal.com? It turns out that there are millions of domains that can be enumerated with NSEC3 and NSEC walkers, and that is exactly what I have done. ldns-walk allows enumeration of NSEC records, and a patch to nsec3walker is available above. A bug in ldns-walk causes an endless while loop for some domains; a workaround has been made available until a fix is found.

All of these methods and attacks are 5 years old. What's the deal? Since 2009, the government of the United States and many other NICs have mandated the use of DNSSEC on many servers or simply signed all domains below their TLD. Adoption of DNSSEC has increased by orders of magnitude. In fact, nsec3walker is unable to collect all of .com in a single attempt, as one might expect. Patches are necessary to get nsec3walker to collect com NSEC3 records because com has no salt (nsec3walker was designed on the assumption that a salt was always present). As more and more hashes are added, it becomes exponentially slower to find names whose hashes fall between two existing hashes. For example, try finding a domain name that hashes to a value between 00000000aaaaaaaaaaaaaaaaaaaaaaaa and 00000000bbbbbbbbbbbbbbbbbbbbbbbb. The odds against finding a hash between those two are approximately 2^44:1, which means it will take trillions of hashes to find one. This is the basis of the proof of work that has been very popular in programming since its use in Bitcoin (and before that, HashCash [2]).

The entirety of com was only 396191 domains, which means that only nameservers that have opted in to DNSSEC can be enumerated. However, this shows that systems that opt in to DNSSEC are uncovered by hash cracking, giving users a clear reason not to use DNSSEC. Furthermore, compared with the results that come from NSEC walking, a nameserver that chooses NSEC3 only costs those who wish to enumerate it CPU time. Targeted attacks are much more effective against NSEC3 than generic attacks because an attacker can add a word to the cracking run practically for free. For example, testing the three domains:

microsofta.com

microsoftb.com

microsoftc.com

against all hashes in com is as easy as hashing the three domains:

a.com

b.com

c.com

This makes it possible to guarantee that none of the hashes are name + letter * 7, because with only 37 valid characters in domain names there are only 95 billion unique name + letter * 7 combinations. It takes minutes to crack all possible values. Similarly, letter * 7 + name and letter * 4 + name + letter * 3 take the same amount of time. The part of the AI3 wordlist that consists of valid domain names is only 3678794 words long. This means that we can crack word + word + name, name + word + word, and word + name + word with 13.5 trillion SHA-1 hashes (assuming that the domain uses a single iteration, as com does). This takes weeks on a CPU but less time on a GPU. I spent a month and a half doing exactly this with the first 8000 words from the AI3 wordlist as well as brute force, with incredible success. I was able to crack 226346 of the 396932 com hashes found (57%). By using brute force, I was guaranteed to find all short domain names, which leaves only long domain names for Markov chain cracking and passphrase cracking. As I said before, the AI3 wordlist is very effective against weak passphrases. Therefore we can only expect long or complex domains to remain. While you may reject the notion that over 43% of domain names that use DNSSEC are long and complex enough to make cracking difficult, I recommend trying oclHashcat against these NSEC3 hashes to verify my findings.
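As an added example (not code from this page, from nsec3walker, or from the passphrase repository), the following Python implements the RFC 5155 NSEC3 owner-name hash (SHA-1 over the wire-format name with the zone's salt and iterations, base32hex output) so that a zone operator can measure how much of their own NSEC3 chain a wordlist recovers, and it computes the gap probability behind the 2^44:1 figure above. The zone names, salt and wordlist in the block are constructed for the example.

```python
"""NSEC3 hashing (RFC 5155) and a zone self-audit. Added example; all sample data is constructed."""
import hashlib
import math

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 "extended hex" alphabet used for NSEC3 owner names


def wire_name(name: str) -> bytes:
    """Canonical wire format of a name: lower-cased, length-prefixed labels, terminating root label."""
    name = name.strip().rstrip(".").lower()
    out = bytearray()
    if name:
        for label in name.split("."):
            raw = label.encode("ascii")  # IDN names are hashed in their punycode (xn--) form
            if not 0 < len(raw) < 64:
                raise ValueError(f"invalid label in {name!r}")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def b32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest becomes exactly 32 characters."""
    nchars = -(-len(data) * 8 // 5)
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)
    return "".join(B32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))


def nsec3_hash(name: str, salt: bytes = b"", iterations: int = 0) -> str:
    """RFC 5155 section 5: SHA-1(wire || salt), then `iterations` more rounds of SHA-1(digest || salt)."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def recover_names(zone_hashes, candidates, salt: bytes = b"", iterations: int = 0) -> dict:
    """Return {hash: name} for every NSEC3 owner hash in zone_hashes that a candidate name hashes to.

    Each candidate costs iterations + 1 SHA-1 calls regardless of how many zone hashes are checked,
    which is why a zone with an empty salt and few iterations is cheap to audit (or to crack).
    """
    wanted = {h.lower() for h in zone_hashes}
    found = {}
    for name in candidates:
        h = nsec3_hash(name, salt, iterations)
        if h in wanted:
            found[h] = name.strip().rstrip(".").lower()
    return found


def gap_probability(lower: str, upper: str) -> float:
    """Probability that a uniformly random hash of the same width lands strictly between two hashes.

    This is the chance that one more guessed name falls into a still-unexplored part of the NSEC3
    chain; it shrinks as the chain fills up, which is the walker's proof-of-work problem.
    """
    if len(lower) != len(upper):
        raise ValueError("hashes must have the same width")

    def value(s: str) -> int:
        v = 0
        for c in s.lower():
            v = v * 32 + B32HEX.index(c)
        return v

    inside = value(upper) - value(lower) - 1
    return max(inside, 0) / 2 ** (5 * len(lower))


if __name__ == "__main__":
    # Constructed zone with the cheapest parameters: empty salt and iterations=0 (a single SHA-1 pass).
    salt, iterations = b"", 0
    zone_names = ["example.com", "mail.example.com", "zq7x-internal-43.example.com"]
    chain = sorted(nsec3_hash(n, salt, iterations) for n in zone_names)
    wordlist = ["www", "mail", "ftp", "example"]  # constructed stand-in for a real wordlist
    candidates = ["example.com"] + [f"{w}.example.com" for w in wordlist]
    hits = recover_names(chain, candidates, salt, iterations)
    print(f"{len(hits)}/{len(chain)} owner hashes recovered: {sorted(hits.values())}")
    # The page's example gap: the odds are roughly 2^44 to 1 against a random hash landing inside it.
    p = gap_probability("00000000aaaaaaaaaaaaaaaaaaaaaaaa", "00000000bbbbbbbbbbbbbbbbbbbbbbbb")
    print(f"gap probability ~ 2^{math.log2(p):.1f}")
```

To audit a real zone, feed recover_names the owner hashes from the zone's NSEC3 chain together with the salt and iteration count from its NSEC3PARAM record.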

The relevance of this project may seem slight when you first hear about it. Domain enumeration is fun, but it is not a very productive use of time. DNSSEC is not a priority in the eyes of millions of users who don't benefit from it because their servers don't employ it. Google doesn't sign its domain (though the Google public DNS server supports DNSSEC), Microsoft doesn't sign its domain, Apple doesn't sign its domain, and Amazon doesn't sign its domain. Who then has picked it up? Governments, ICANN [3], NICs, and a select number of nameservers. Governments and ICANN have a broad vision of security for everyone where the keys are held by a few. This trust model, where ICANN can sign any key it wishes, sounds awfully familiar: it is reminiscent of X.509, where every root CA can create a certificate for any domain it wishes. Instead of sharing the trust between N untrusted entities, we only need to trust ICANN, Verisign, and the registrar to trust a signature. Thus the trust model reduces from M-to-N to M-to-3. How convenient for ICANN and Verisign that they hold the keys. Of course, a single signature that is found that shouldn't exist will topple the trust in DNSSEC. This is why computer security researchers like Dan Kaminsky found themselves enamored with DNSSEC: it is a solution to the DNS man-in-the-middle problem that only requires trust in three entities [9]. That trust could easily be saved for months on caches, so an attacker would have to wait months for the cache to renew even if they had a key signed by the root [4]. Dan Kaminsky spent a lot of time writing Phreeshell and Phreeload, two programs that use DNSSEC to give users and servers authentication for free.

This system does not fit our attack model, though. Keys are easily turned over to the government when a warrant is given, or even when one isn't. In all likelihood, the NSA has the private keys for the root and most if not all TLDs. Don't think this is a slippery-slope argument, because the government has already used poisoning of names to serve malware [5] (whether they used DNS or not). The United States government is not a benign entity, and it seeks power in any way it can. Indeed, the US government is the very entity which we need secure software to defend against. Adding DNSSEC is not a vulnerability to our networks, but it is yet another broken protocol with insufficient security added to the landscape, taking the place of real solutions. The amount of backing and support that DNSSEC has received is actually deserved by other solutions. Since the start of this project in October 2014, 27 TLDs have adopted DNSSEC. That means that DNSSEC adoption is hastening, not slowing. If we want this protocol not to exist in the future, we have to ensure that those who use it wish that they did not. We can replace DNS with a protocol that has real security without requiring trust in a few large entities.

The fact that DIME relies upon DNSSEC to provide end-to-end e-mail encryption [6] is a serious flaw in the design of that protocol. Since DNSSEC can be replaced with a similar technology that verifies the authenticity of data using a root of trust, this is a fixable problem. However, it will not be fixed until the replacement technology is adopted by users of DIME.

Data

Subdomains found using NSEC walking

Note that this list only covers a handful of the thousands of domains that support NSEC.

Download lists (one file per domain):

*.nasa.gov, *.hpc.mil, *.paypal.com, *.comcast.net, *.berkeley.edu, *.stanford.edu, *.upenn.edu, *.bucknell.edu,
*.ucsc.edu, *.iastate.edu, *.csumb.edu, *.gsu.edu, *.pacificu.edu, *.umbc.edu, *.fhsu.edu, *.drake.edu,
*.gotpantheon.com, *.mst.edu, *.bradley.edu, *.chattanoogastate.edu, *.psc.edu, *.yandex.com, *.desales.edu, *.sakh.com,
*.nau.edu, *.gov.br, *.cmp.com, *.upf.edu, *.vmware.com, *.iu.edu, *.br, *.iupui.edu,
*.tjhsst.edu, *.umc.edu, *.weber.edu, *.uiowa.edu, *.torchboxapps.com, *.espace2001.com, *.indiana.edu, *.cmu.edu,
*.socrata.com, *.fluig.com, *.fixeads.com, *.star2star.com, *.monmouth.edu, *.gtc.edu, *.us, *.au, *.id

TLDs that support NSEC3:

Success | TLD | Download | Notes
X | ac | Results Hashes |
X | af | Results Hashes | Afghanistan only has 7 domains hashed: af, com.af, net.af, edu.af, org.af, gov.af, and posteo.af.
  | ag | |
X | am | Results Hashes |
X | asia | Results Hashes |
X | at | Results Hashes | at may have signed their subdomains.
X | aw | Results Hashes |
X | be | Results Hashes | be may have signed their subdomains.
X | by | Results Hashes | Belarus has 100 iterations.
X | bz | Results Hashes |
X | ca | Results Hashes |
X | cat | Results Hashes | cat may have signed their subdomains.
X | cc | Results Hashes |
X | ch | Results Hashes | Dig doesn't accept the request for nameservers (dig ns ch). I had to fix collect for this domain (dig ns ch.).
! | cl | Results Hashes | Chile caused a bug in John due to its long salt, which means only unhash results exist. Despite this, 82% of 45 names were cracked.
X | cn | Results Hashes |
X | com | Results Hashes | 57% completion in cracking 396932 hashes
X | cr | Results Hashes | 82% completion in cracking 7456 hashes
X | cx | Results Hashes | 100% completion in cracking 17 hashes
X | cz | Results Hashes | 48% completion in cracking 1043262 hashes. cz may have signed their subdomains.
X | de | Results Hashes | 17% completion in cracking 13618 hashes. This is likely the same problem as jp.
X | dk | Results Hashes |
X | edu | Results Hashes |
X | ee | Results Hashes |
X | es | Results Hashes |
X | eu | Results Hashes | eu may have signed their subdomains.
X | fi | Results Hashes |
! | fo | Results Hashes | Faroe Islands is a small country and collect gets stuck trying to enumerate it.
X | fr | Results Hashes | fr may have signed their subdomains.
  | gd | |
  | gi | |
X | gl | Results Hashes | 98% completion in cracking 167 hashes
X | gov | Results Hashes |
X | gr | Results Hashes |
X | gs | Results Hashes | South Georgia and the South Sandwich Islands only has gs, la.gs, and ur.gs.
X | hn | Results Hashes | Honduras only has other top domains under hn: hn, gob.hn, org.hn, com.hn, mil.hn, net.hn, edu.hn, and coop.hn.
X | hr | Results Hashes |
  | hu | |
  | ie | |
! | in | | Dig doesn't accept the request for nameservers (dig ns in). I had to fix collect for this domain (dig ns in.).
X | info | Results Hashes |
X | io | Results Hashes | 95% completion in cracking 699 hashes
  | iq | |
X | is | Results Hashes | is may have signed their subdomains.
X | jp | Results Hashes | 5% completion in cracking 3639 hashes due to language barrier and possibly other reasons
! | ki | Results Hashes | Kiribati does not respond as expected. It returns only ki hashed, which means its NSEC3 records are worthless.
X | kr | Results Hashes |
X | la | Results Hashes | Laos has 150 iterations.
  | lc | |
X | li | Results Hashes | 89% completion in cracking 359 hashes
X | lt | Results Hashes |
X | lu | Results Hashes |
X | lv | Results Hashes |
  | ma | |
X | me | Results Hashes |
X | mil | Results Hashes | 93% completion in cracking 235 hashes
  | mn | |
X | museum | Results Hashes |
X | my | Results Hashes |
X | name | Hashes Hashes |
X | nc | Results Hashes |
X | net | Results Hashes | 60% completion in cracking 79400 hashes. This was the only domain for which I attempted alphanumeric brute force up to 8 characters; it is currently 83% finished after over 15 days of CPU time (should finish in ~3 days).
X | nf | Results Hashes | Norfolk Island only contains two domains: nf and nic.nf.
  | nl | |
  | no | |
X | nu | Results Hashes | Niue took over 3 days and still didn't collect them all; this massive TLD needs more work, but I cracked as many as I could. nu may have signed their subdomains.
X | nz | Results Hashes | nz may have signed their subdomains.
X | org | Results Hashes |
X | pe | Results Hashes |
X | pl | Results Hashes |
  | pm | |
X | pt | Results Hashes |
X | pw | Results Hashes |
X | re | Results Hashes |
X | ru | Results Hashes |
X | sb | Results Hashes | Solomon Islands only has other top domains hashed under sb: com.sb, nic.sb, net.sb, org.sb, and gov.sb.
X | sc | Results Hashes |
X | sh | Results Hashes | 96% completion in cracking 45 hashes
X | si | Results Hashes |
X | sj | Results Hashes | Svalbard and Jan Mayen Islands does not respond as expected. It returns only sj hashed, likely due to having no domains. This is the same response as Kiribati.
  | su | |
X | tf | Results Hashes | 93% completion in cracking 432 hashes
X | th | Results Hashes |
X | tl | Results Hashes |
X | tm | Results Hashes |
X | tt | Results Hashes |
X | tv | Results Hashes |
X | tw | Results Hashes | Taiwan took 23 hours and still didn't collect them all; this massive TLD needs more work, but I cracked as many as I could. tw may have signed their subdomains.
X | ua | Results Hashes |
X | ug | Results Hashes | Uganda does not respond as expected. It returns only ug hashed, likely due to having no domains. This is the same response as Kiribati.
X | uk | Results Hashes |
  | vc | |
  | vu | |
X | wf | Results Hashes | 93% completion in cracking 320 hashes
  | 한국 | | Korea
  | ভারত | | India Bengali
X | 中国 | Results Hashes | China simplified
X | 中國 | Results Hashes | China traditional
X | भारत | Results Hashes | India Hindi
  | భారత్ | | India Telugu
  | ભારત | | India Gujarati
  | 台灣 | | Taiwan
  | بھارت | | India Urdu
  | ไทย | | Thailand
  | рф | | Russian Federation
  | ਭਾਰਤ | | India Punjabi
  | இந்தியா | | India Tamil
  | yt | |

TLDs that support NSEC:

Success | TLD | Download | Notes
X | arpa | Results |
  | ad | |
X | au | Results |
! | bg | Results | ldns-walk failed due to a bug after carrent\000.bg.
! | biz | Results | ldns-walk failed due to a bug after hcdata\000.biz.
X | br | Results |
Partial | co | Results | ldns-walk failed due to a bug after audah\000.co.
X | id | Results |
X | kg | Results |
! | lk | Results | ldns-walk failed due to a bug after 6senses\000.lk.
  | na | |
  | pr | |
  | se | |
  | tn | |
X | us | Results |
X | ලංකා | Results | Sinhala
X | تونس | Results | Tunisia Arabic
! | இலங்கை | Results | Sri Lanka Tamil. ldns-walk failed due to a bug after \000.xn--xkc2al3hye2a.

Data comes from nsecwalker.py. Apologies for the formatting issues.

Selected level 2 domains that support NSEC3:

Success | Domain | Download | Notes
X | com.br | Results Hashes | 11% completion of 1810081 hashes, possibly due to a bug, subdomains, or invalid hashes. com.br may have signed most of their subdomains.
X | org.br | Results Hashes | 51% completion of 5615 hashes
X | dod.mil | Results Hashes | 51% completion of 63 hashes
X | anthrax.mil | Results Hashes | 100% completion of 9 hashes
X | fbi.gov | Results Hashes | 81% completion of 137 hashes
X | riaa.com | Results Hashes | 27% completion of 11 hashes
X | mil.cn | Results Hashes | 75% completion of 4 hashes

All domains collected that support NSEC:


Progress is indicated in the left (Success) column: X means initial cracking is finished, / means collecting is finished, ! means an error occurred, and blank means the TLD was not collected due to time constraints but could still be collected and cracked by a reader.

Wikipedia's List of Internet top-level domains is a good resource for information about TLDs that support DNSSEC and which do not. It also contains detailed information about international domain names (IDN).

NASA.gov subdomains found using NSEC walking:

www.spaceresearch.nasa.gov www.spaceresearchgallery.nasa.gov www.spacescience.nasa.gov spacestationlive.nasa.gov spacestationlive1.nasa.gov spacetox.nasa.gov spacewardbound.nasa.gov spaceyourface.nasa.gov span.nasa.gov www.spds.nasa.gov www.spectrum.nasa.gov spinoff.nasa.gov spotthestation.nasa.gov src.nasa.gov ssc.nasa.gov sscmiranda.nasa.gov ssds.nasa.gov els2014.sservi.nasa.gov sso.nasa.gov sssaas.nasa.gov www.ssurteam.nasa.gov st5.nasa.gov stage-communications.nasa.gov stage-docsnen.nasa.gov stage-im.nasa.gov stage-insidenasa.nasa.gov stage-inwiki.nasa.gov stage-ipao.nasa.gov stage-mediaservices.nasa.gov stage-nasaspacebook.nasa.gov stage-nen.nasa.gov stage-oepm.nasa.gov stage-outsidenasa.nasa.gov stage-pia.nasa.gov stage-planetaryscience.nasa.gov stage-spacebook.nasa.gov staging.nasa.gov staging-science.nasa.gov standards.nasa.gov starbrite.nasa.gov www.starcam.nasa.gov stars.nasa.gov stars-dev.nasa.gov stars-ps.nasa.gov stars-test.nasa.gov www.station.nasa.gov www.step.nasa.gov sti.nasa.gov stidaa.nasa.gov straw.nasa.gov straw-staging.nasa.gov suborbital.nasa.gov www.sunearthday.nasa.gov www.sunearthday1.nasa.gov supersonics.nasa.gov support.nasa.gov swehb.nasa.gov swg.nasa.gov swmetrics.nasa.gov www.swpal.nasa.gov tagconnect.nasa.gov tdrss.nasa.gov tech.nasa.gov www.technology.nasa.gov technologygateway.nasa.gov technologyplan.nasa.gov techport.nasa.gov www.techsurvey.nasa.gov www.teerm.nasa.gov www.terra.nasa.gov test.nasa.gov www.tfaws.nasa.gov www.thursdaysclassroom.nasa.gov time.nasa.gov titan.nasa.gov titian.nasa.gov earth-science.tracker.nasa.gov lesson-plans.tracker.nasa.gov pictures.tracker.nasa.gov training-oepm.nasa.gov www.transition.nasa.gov trmm.nasa.gov tu.nasa.gov www.tv.nasa.gov tvschedule.nasa.gov tvschedule1.nasa.gov equipment.uat.nasa.gov m.intern.uat.nasa.gov iris.uat.nasa.gov mdr.uat.nasa.gov nef.uat.nasa.gov portfolio.uat.nasa.gov www.ueet.nasa.gov www.unites.nasa.gov www.universe.nasa.gov uranus.nasa.gov userdocuments.nasa.gov 
utility.nasa.gov vafb.nasa.gov vendor.nasa.gov venus.nasa.gov venustransit.nasa.gov veritas.nasa.gov vho.nasa.gov video.nasa.gov video-images.nasa.gov videofiles.nasa.gov videofiles1.nasa.gov videoshare.nasa.gov www.visibleearth.nasa.gov www.visionforum.nasa.gov vmo.nasa.gov voicetelecon.nasa.gov voicetelecon-test.nasa.gov vpn.nasa.gov www.vsde.nasa.gov vsearch.nasa.gov vsearch1.nasa.gov vwo.nasa.gov wat.nasa.gov www.webb.nasa.gov webdir.nasa.gov www.webentre.nasa.gov webmail.nasa.gov www.weboflife.nasa.gov webregister.nasa.gov webregistration.nasa.gov webregistrationfob.nasa.gov webservices.nasa.gov www.webtads.nasa.gov webwork.nasa.gov wff.nasa.gov wiki.nasa.gov www.wims.nasa.gov wind.nasa.gov wingsinorbit.nasa.gov www.wire.nasa.gov wise.nasa.gov www.women.nasa.gov www.workforcetransformation.nasa.gov workforcetransition.nasa.gov workmans.nasa.gov www.workmanship.nasa.gov wright.nasa.gov wsc.nasa.gov wsmr.nasa.gov wsprodb.nasa.gov wsprodc.nasa.gov wsprodd.nasa.gov wstf.nasa.gov wstf-ns1.nasa.gov wstf-ns2.nasa.gov www.wtts.nasa.gov wtts-stg.nasa.gov wwt.nasa.gov log.www.nasa.gov www1.nasa.gov www2.nasa.gov x500.nasa.gov www.xml.nasa.gov

Analysis

NASA.gov

The names intranet.nasa.gov and intranetsearch.nasa.gov are obvious targets for anyone after internal documents, so we'll examine them more closely.

dig intranet.nasa.gov

; <<>> DiG 9.10.1 <<>> intranet.nasa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29075
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;intranet.nasa.gov. IN A

;; ANSWER SECTION:
intranet.nasa.gov. 599 IN CNAME intranet.nasawestprime.com.
intranet.nasawestprime.com. 299 IN CNAME redirects.nasawestprime.com.
redirects.nasawestprime.com. 299 IN CNAME dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com.
dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com. 59 IN A 50.16.224.76
dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com. 59 IN A 54.225.198.227

;; Query time: 142 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 26 09:38:48 PDT 2014
;; MSG SIZE rcvd: 217

Connecting to it redirects to https://outsidenasa.nasa.gov/, which drops the connection as soon as you reach it. This is an example of an internal service turned up by NSEC walking: it has no obvious vulnerability, but a name that can be found yet not reached is plainly not meant for public consumption. A dictionary tool like namedrop [7] could guess this name, but it would never find a long compound name like spaceresearchgallery.nasa.gov. Another name namedrop would eventually find, far more slowly, is sharepoint.nasa.gov. That one redirects to http://www.nasa.gov/centers/ames/home/index.html, which probably means an F5 BIG-IP in front of it sends unauthorized source IPs to the public website; or the SharePoint site may simply have been taken down.

A web search for intranet.nasa.gov turns up an unexpected VPN endpoint: https://intranet.jpl.nasa.gov/dana-na/auth/url_default/welcome.cgi. This name was not in the walk because jpl.nasa.gov is a separate zone that doesn't support DNSSEC: the nasa.gov NSEC chain only exposes the delegation, and with no signatures in the child there is no chain to walk there. That doesn't faze the attacker; a search engine found it instead.

The name userdocuments.nasa.gov is clearly a site meant for employees. voicetelecon.nasa.gov is probably a teleconferencing system, so an nmap scan may turn up SIP, Skype, H.323 or similar services; it turns out to host an authenticated HTTPS site that appears to be run by CenturyLink (the company that bought Qwest). staging.nasa.gov doesn't resolve at all, which probably means staging is an internal-only name. The stage-*.nasa.gov names are different: stage-communications.nasa.gov and many others do resolve, but they don't seem to be externally accessible.

www.nasaeronauticsspacedatabase.nasa.gov

www.nasaeronauticsspacedatabase.nasa.gov turned out to be an interesting internal domain.

http://www.nasaeronauticsspacedatabase.nasa.gov/

redirects to:

https://dmzsrv.larc.nasa.gov/

redirects to:

https://ntrsreg.nasa.gov/

redirects to:

https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z

redirects to:

https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z&service=Level20NoNcad

Note that every server in this chain except launchpad.nasa.gov presents a certificate issued by NASA's own CA rather than by a publicly trusted root, so only browsers with NASA's root installed accept them; NASA employees would have it on their work computers, trusting that root not to be compromised. launchpad.nasa.gov answers with the header Www-authenticate: Negotiate, which is indicative of Kerberos (SPNEGO) single sign-on and assumes the visitor already holds NASA.gov credentials. Taken together this leaves little doubt that all of these are internal systems. larc.nasa.gov appears in the ldns-walk results, but dmzsrv.larc.nasa.gov does not. The most likely reason is that larc.nasa.gov is a delegated child zone: the nasa.gov NSEC chain records the delegation point, not the names inside the child, which would have to be walked separately (if it is signed at all). The two hosts sit on completely different networks, so that name is an important omission from the nasa.gov results. ntrsreg and launchpad are both in the NSEC results.

curl -i -k http://www.nasaeronauticsspacedatabase.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:56:31 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://dmzsrv.larc.nasa.gov/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://dmzsrv.larc.nasa.gov/">here</a>.</p>
</body></html>

curl -i -k https://dmzsrv.larc.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:57:18 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://ntrsreg.nasa.gov:443/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://ntrsreg.nasa.gov:443/">here</a>.</p>
</body></html>

curl -i -k https://ntrsreg.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:53:25 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Set-Cookie: Apache_NTRS=;Path=/;Secure
Set-Cookie: Apache_NTRS=;Path=/;Secure
Location: https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1683939677&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A53%3A25Z
Content-Length: 446
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1683939677&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A53%3A25Z">here</a>.</p>
</body></html>

curl -i -k 'https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z'
HTTP/1.1 401 Unauthorized
Set-Cookie: ACE-insert=R1617759527; path=/
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 19 Feb 2015 00:58:49 GMT
Cache-control: private
Pragma: no-cache
X-dsameversion: Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1(2011-June-8 05:24)
Am_client_type: genericHTML
Www-authenticate: Negotiate
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwH5U%2FBfCXlZl8HYPqgP56f2hISXjxnzcA%3D%40AAJTSQACMDIAAlMxAAIwOA%3D%3D%23; Domain=launchpad.nasa.gov; Path=/
Set-cookie: amlbcookie=08; Domain=launchpad.nasa.gov; Path=/
Transfer-encoding: chunked

<!--
/**
 * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
 *
 * Copyright (c) 2009 eTouch Federal Systems. All Rights Reserved
 *
 * The contents of this file are subject to the terms
 * of the eTouch Federal Systems License
 * (the License). You may not use this file except in
 * compliance with the License.
 *
 * You can obtain a copy of the License from eTouch Federal Systems
 * by emailing to license@etouchfederal.com
 * See the License for the specific language governing
 * permission and limitations under the License.
 *
 */
-->
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>Please Wait While Redirecting to Login page</title>
<script language="JavaScript">
<!--
function redirectToAuth() {
    var url = window.location.href;
    var serviceName = "Level20NoNcad";
    if (url.indexOf("?") == -1) {
        url = url + "?" + "service=" + serviceName;
    } else {
        if (url.indexOf("?SAMLRequest=") > -1) {
            var protocol = window.location.protocol;
            var host = window.location.host;
            var contextPath = "/amserver";
            var loginURL = protocol + "//" + host + contextPath + "/UI/Login?service=" + serviceName + "&goto=";
            var gotoURL = escape(url);
            url = loginURL + gotoURL;
        } else if (url.indexOf("?service=") > -1) {
            url = url.replace(/\?service=[^&?#]*/, "?service=" + serviceName);
        } else if (url.indexOf("&service=") > -1) {
            url = url.replace(/\&service=[^&?#]*/, "&service=" + serviceName);
        } else {
            url = url.concat("&service=" + serviceName);
        }
    }
    top.location.replace(url);
}
function getQueryParameters() {
    var loc = window.location.href;
    return loc;
}
//-->
</script>
</head>
<body bgcolor="#FFFFFF" onLoad="redirectToAuth();">
</body>
</html>

curl -i -k 'https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z&service=Level20NoNcad'
HTTP/1.1 200 OK
Set-Cookie: ACE-insert=R1617758438; path=/
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 19 Feb 2015 01:08:25 GMT
Set-cookie: amlbcookie=06; Domain=launchpad.nasa.gov; Path=/
Content-type: text/html;charset=UTF-8
Set-cookie: JSESSIONID=ABE2731A73016D3B5BBB307816AC628D; Path=/amserver; Secure ; HttpOnly
X-dsameversion: Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1(2011-June-8 05:24)
Am_client_type: genericHTML
Set-cookie: AMAuthCookie=AQIC5wM2LY4Sfcw3xT7ONFSzXl9OSCrrCLrVF5%2BiIAOciAk%3D%40AAJTSQACMDIAAlMxAAIwNg%3D%3D%23; Domain=launchpad.nasa.gov; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: no-store
Transfer-encoding: chunked
...

This page is too long to put into an essay. Here are a few interesting strings:

<!-- App URL is https://ntrsreg.nasa.gov:443/; Server Id is ndkseasso02.ndc.nasa.gov -->
<!-- IE(8) requires the <td> and <img> to be on the same line, or else there will be a small gap (rolls eyes) -->
<div style="float:left;width:38%;color:#FFFFFF"><b>Need Help?</b> Call 1-866-419-6297 or <a style="color: #FFFFFF" href="mailto:MSFC-DL-HelpdeskMSFC@mail.nasa.gov?subject=Launchpad Help"><u>email the help desk</u></a><br/>
<a style="color: #FFFFFF" href="https://inwiki.nasa.gov/cm/wiki/?id=639" target="_blank">Want to Integrate? (Internal NASA only)</a></div></td>

This page lets you log in with a smartcard, an RSA token, or a username and password, or create an account. It carries this warning:

This is a US Government computer. This system is for authorized users only. By accessing and using this computer system, you are consenting to full system monitoring of your process -- including keystrokes. Be forewarned that unauthorized use of, or access to this computer system may subject you to disciplinary action and/or criminal prosecution.

From the FAQ:

1. What is Access Launchpad?

The NASA Access Launchpad, also called "Launchpad," is an online tool that you can use to create and update your NASA user profile or reset a forgotten password in just a few steps.

2. Whom do I contact if I need help or have questions about Launchpad?

Call the NASA Information Support Center at (866) 419-6297.

9. Can I use the Launchpad to update other personal information, like my e-mail address and last name?

Not at this time. Instead, visit NASA's User Self-Service (USS) tool [https://idmax.nasa.gov/idm/user/login.jsp], located within the Identity Management and Account Exchange (IdMAX) system. User Self-Service allows you to change your display name, e-mail addresses, or common names in the Agency directory.

14. What do I do if my browser indicates that there is a "certificate error" and I am unable to login to the Launchpad?

On some NASA Web browsers there is a configuration issue that results in this security certificate error. To resolve this issue, follow this two-step process:

Step 1: Visit the NASA PKI Operations Web site [http://pki.nasa.gov/index.php/tech-support/ca-root-certificates/] to download the NOCA and Treasury root certificates.

Click on the Download NOCA and Treasury root Certificates link and follow the prompts to open and install these CA certificates into your browser. If you receive a security warning about the US Treasury Root CA, this is normal: proceed with the certificate installation.

Note that the root certificates are served over plain http from pki.nasa.gov, which leaves the download open to sslstrip-style interception: an on-path attacker who replaces the NOCA and Treasury root files hands the victim a rogue trust anchor, and the FAQ even trains users to click through a security warning while installing them. pki.nasa.gov is an internal system and, judging by the index.php path, runs PHP.

*.gov Hashes Cracked

An example of a domain I found by brute-forcing every 7-character label under .gov, and that I could not find with unhash, is http://pdbcecc.gov/. The site returns a 404, which suggests it isn't public (at least not yet). What can be learned about pdbcecc.gov follows:

curl -i pdbcecc.gov
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 23 Jan 2015 01:20:22 GMT
Connection: close
Content-Length: 315

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>

dig ns pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> ns pdbcecc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1150
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pdbcecc.gov. IN NS

;; ANSWER SECTION:
pdbcecc.gov. 599 IN NS ns1.blackmesh.com.
pdbcecc.gov. 599 IN NS ns2.blackmesh.com.

;; Query time: 105 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 22 17:21:04 PST 2015
;; MSG SIZE rcvd: 89

dig ns1.blackmesh.com.

; <<>> DiG 9.10.1-P1 <<>> ns1.blackmesh.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55362
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.blackmesh.com. IN A

;; ANSWER SECTION:
ns1.blackmesh.com. 299 IN A 74.121.197.78

;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 22 17:22:37 PST 2015
;; MSG SIZE rcvd: 62

whois 74.121.197.78

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.121.197.78?showDetails=true&showARIN=false&ext=netref2
#

NetRange: 74.121.192.0 - 74.121.199.255
CIDR: 74.121.192.0/21
NetName: BLACKMESH-1
NetHandle: NET-74-121-192-0-1
Parent: NET74 (NET-74-0-0-0-0)
NetType: Direct Allocation
OriginAS: AS36473
Organization: BlackMesh Inc. (BLACK-25)
RegDate: 2010-01-25
Updated: 2012-03-02
Ref: http://whois.arin.net/rest/net/NET-74-121-192-0-1

OrgName: BlackMesh Inc.
OrgId: BLACK-25
Address: 2465 J-17 Centreville Road
Address: #720
City: Herndon
StateProv: VA
PostalCode: 20171
Country: US
RegDate: 2006-03-21
Updated: 2011-09-24
Comment: BlackMesh Managed Hosting
Ref: http://whois.arin.net/rest/org/BLACK-25

OrgTechHandle: BNO34-ARIN
OrgTechName: BlackMesh Network Operations
OrgTechPhone: +1-888-473-0854
OrgTechEmail: noc@blackmesh.com
OrgTechRef: http://whois.arin.net/rest/poc/BNO34-ARIN

OrgAbuseHandle: BNO34-ARIN
OrgAbuseName: BlackMesh Network Operations
OrgAbusePhone: +1-888-473-0854
OrgAbuseEmail: noc@blackmesh.com
OrgAbuseRef: http://whois.arin.net/rest/poc/BNO34-ARIN

RNOCHandle: BNO34-ARIN
RNOCName: BlackMesh Network Operations
RNOCPhone: +1-888-473-0854
RNOCEmail: noc@blackmesh.com
RNOCRef: http://whois.arin.net/rest/poc/BNO34-ARIN

RTechHandle: BNO34-ARIN
RTechName: BlackMesh Network Operations
RTechPhone: +1-888-473-0854
RTechEmail: noc@blackmesh.com
RTechRef: http://whois.arin.net/rest/poc/BNO34-ARIN

RAbuseHandle: BLACK5-ARIN
RAbuseName: BlackMesh Abuse
RAbusePhone: +1-888-473-0854
RAbuseEmail: abuse@blackmesh.com
RAbuseRef: http://whois.arin.net/rest/poc/BLACK5-ARIN

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

dig +dnssec @74.121.197.78 pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> +dnssec @74.121.197.78 pdbcecc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14228
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pdbcecc.gov. IN A

;; ANSWER SECTION:
pdbcecc.gov. 600 IN A 74.121.201.181

;; AUTHORITY SECTION:
pdbcecc.gov. 600 IN NS ns1.blackmesh.com.
pdbcecc.gov. 600 IN NS ns2.blackmesh.com.

;; ADDITIONAL SECTION:
ns1.blackmesh.com. 300 IN A 74.121.197.78
ns2.blackmesh.com. 300 IN A 74.121.192.67

;; Query time: 91 msec
;; SERVER: 74.121.197.78#53(74.121.197.78)
;; WHEN: Thu Jan 22 17:24:04 PST 2015
;; MSG SIZE rcvd: 137

dig +dnssec @69.36.157.30 pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> +dnssec @69.36.157.30 pdbcecc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15874
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;pdbcecc.gov. IN A

;; AUTHORITY SECTION:
pdbcecc.gov. 86400 IN NS ns1.blackmesh.com.
pdbcecc.gov. 86400 IN NS ns2.blackmesh.com.
j5kqrti1gdqgv88konuq2qsuhshv60io.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 J5N9AJJ79PQ4UVMESSBVONNK5QR5189S NS
j5kqrti1gdqgv88konuq2qsuhshv60io.gov. 86400 IN RRSIG NSEC3 8 2 86400 20150129221014 20150122221014 4352 gov. CvwShLn22m6o086Id9ythpPECag30WGD7IzUtWQ/Qo2fhKzurbpw3dFo J8dg/RyD6gZ/Rn7v4w/AlcpyE6Q6MiE7VMhbUtBUh9s8aHW6V9HPY3Xz fwicyxcDxfhpxzZKKoogJEGh5WATxAfe1n5fuAt///LXnQDXVJ47wc35 t1c=

;; Query time: 79 msec
;; SERVER: 69.36.157.30#53(69.36.157.30)
;; WHEN: Thu Jan 22 17:26:10 PST 2015
;; MSG SIZE rcvd: 332

traceroute 74.121.201.181
traceroute to 74.121.201.181 (74.121.201.181), 30 hops max, 60 byte packets
 1 v10.core1.fmt2.he.net (64.62.180.89) 3.538 ms 3.532 ms 3.527 ms
 2 10ge1-1.core1.sjc2.he.net (72.52.92.74) 19.319 ms 19.318 ms 19.316 ms
 3 mpr1.sjc7.us (206.223.116.86) 0.848 ms 3.747 ms 0.836 ms
 4 ae9.cr1.sjc2.us.zip.zayo.com (64.125.31.201) 1.074 ms 1.065 ms 1.304 ms
 5 ae8.cr2.sjc2.us.zip.zayo.com (64.125.20.254) 1.577 ms 1.299 ms 1.298 ms
 6 ae1.cr2.lax112.us.zip.zayo.com (64.125.31.234) 9.344 ms 9.769 ms 10.261 ms
 7 ae3.cr2.iah1.us.zip.zayo.com (64.125.21.85) 44.680 ms 44.177 ms 43.938 ms
 8 ae14.cr2.dca2.us.zip.zayo.com (64.125.21.53) 68.638 ms 68.638 ms 68.984 ms
 9 ae1.er2.iad10.us.zip.zayo.com (64.125.20.122) 72.950 ms 75.889 ms 76.215 ms
10 64.125.198.77.t00053.above.net (64.125.198.77) 71.637 ms 69.384 ms 69.365 ms
11 aggr2-g10-va.net.hostventures.com (208.85.174.252) 69.902 ms 69.345 ms 69.609 ms
12 * * *
13 * * *
14 * * *

As you can see, there is no signed A record for pdbcecc.gov: the BlackMesh server answers authoritatively but without any RRSIG, so the zone itself is unsigned and a validating resolver cannot authenticate the answer. The .gov server, meanwhile, returns the delegation together with an NSEC3 record. The owner name of that record, j5kqrti1gdqgv88konuq2qsuhshv60io, is exactly the NSEC3 hash of pdbcecc.gov under the parameters the record itself states (SHA-1, 8 iterations, salt 4C44934802D3); j5n9ajj79pq4uvmessbvonnk5qr5189s is simply the next hashed name in the chain, which is why the two agree only in their first two characters. The record's type bitmap lists NS but no DS, so what this NSEC3 record is telling us is that pdbcecc.gov is an insecure delegation: .gov knows the name but holds no DS for it. The record's flags field is 0, meaning the Opt-Out flag is not set. That matters: .com sets Opt-Out, so only delegations that have a DS record appear in its NSEC3 chain, whereas .gov includes every delegation, signed or not. The list of hashes I collected is therefore a complete list of delegations in .gov. Since I brute-forced every alphanumeric label of up to 7 characters, I can say that my cracked list is the full set of .gov domains shorter than 8 characters (labels containing a hyphen aside, since I only tried alphanumerics). If someone wants to run 8 or more characters against the hashes, we can build a list of almost every .gov domain. My guess is that there are longer names to be found with the passphrase cracker, which I only ran up to a certain point on zones other than com. Two values found by passphrase3 are richlandms.gov and richlandsnc.gov, which suggests that city name plus state abbreviation is a pattern worth checking. seattlewa.gov wouldn't make sense because there is only one Seattle, but bellevuewa.gov does exist (there are several Bellevues), and I was able to crack that hash by hand. So it makes sense to use a wordlist of all state abbreviations combined with every word in the AI3 wordlist (all city names are in the AI3 wordlist). I did this with passphrase7 and Wikipedia's list of U.S. state abbreviations, and it turned up a very large number of hits, as expected.
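To make the NSEC3 mechanics above concrete, here is an added Python example; it is not code from the original page or from the tools it mentions. It reproduces the .gov hash of pdbcecc.gov from the record's own parameters, decides whether an NSEC3 record matches or merely covers a queried name, reads the type bitmap and Opt-Out flag, and runs the same kind of dictionary attack against the collected hash. The function names and the candidate word list are my own assumptions; the salt, iteration count and hashes are copied from the dig output.

```python
import base64
import hashlib

# Parameters copied from the .gov NSEC3 record in the dig output above:
#   j5kqrti1gdqgv88konuq2qsuhshv60io.gov. NSEC3 1 0 8 4C44934802D3 J5N9AJJ79PQ4UVMESSBVONNK5QR5189S NS
# i.e. hash algorithm 1 (SHA-1), flags 0 (Opt-Out not set), 8 iterations, salt 4C44934802D3.
GOV_SALT = bytes.fromhex("4C44934802D3")
GOV_ITERATIONS = 8
GOV_FLAGS = 0
GOV_OWNER = "j5kqrti1gdqgv88konuq2qsuhshv60io"
GOV_NEXT = "j5n9ajj79pq4uvmessbvonnk5qr5189s"
GOV_TYPES = ["NS"]

# Constructed candidate labels for the dictionary attack (assumption, not from the page).
CANDIDATE_LABELS = ["nasa", "whitehouse", "pdbcecc", "example"]

_B32_STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
_B32_HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"
_STD_TO_HEX = str.maketrans(_B32_STD, _B32_HEX)


def wire_name(name):
    """Owner name in canonical wire format: lowercase, length-prefixed labels, root byte."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)


def b32hex(data):
    """RFC 4648 base32hex as used for NSEC3 owner names (lowercase, no padding)."""
    return base64.b32encode(data).decode("ascii").translate(_STD_TO_HEX).rstrip("=").lower()


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = H(name||salt), IH(k) = H(IH(k-1)||salt),
    so 'iterations' means that many extra SHA-1 rounds after the first."""
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return b32hex(digest)


def nsec3_classify(owner_hash, next_hash, qname_hash):
    """'match': the name exists and the type bitmap says what it has.
    'covered': owner < hash < next, so the name is proven absent (with Opt-Out
    set it could also be an unsigned delegation). The last record in the chain
    wraps around to the smallest hash in the zone."""
    o, n, q = owner_hash.lower(), next_hash.lower(), qname_hash.lower()
    if q == o:
        return "match"
    if o < n:
        return "covered" if o < q < n else "unrelated"
    return "covered" if (q > o or q < n) else "unrelated"


def delegation_status(types):
    """Read the type bitmap of a matching NSEC3: NS without DS is an insecure delegation."""
    if "NS" not in types:
        return "not a delegation"
    return "secure delegation" if "DS" in types else "insecure delegation"


def crack_hashes(hashes, labels, zone, salt, iterations):
    """Dictionary attack on NSEC3 owner hashes collected from a zone walk."""
    wanted = {h.lower() for h in hashes}
    found = {}
    for label in labels:
        candidate = f"{label}.{zone}"
        h = nsec3_hash(candidate, salt, iterations)
        if h in wanted:
            found[h] = candidate
    return found


if __name__ == "__main__":
    h = nsec3_hash("pdbcecc.gov", GOV_SALT, GOV_ITERATIONS)
    print("hash(pdbcecc.gov) =", h)
    print("record", nsec3_classify(GOV_OWNER, GOV_NEXT, h), "->", delegation_status(GOV_TYPES))
    print("opt-out set:", bool(GOV_FLAGS & 1))
    print("cracked:", crack_hashes([GOV_OWNER], CANDIDATE_LABELS, "gov", GOV_SALT, GOV_ITERATIONS))
```

A "match" together with an NS-only bitmap is precisely the insecure-delegation proof the .gov server handed back. For a real crack, replace CANDIDATE_LABELS with the alphanumeric brute-force space or the city-plus-state wordlist discussed above; each candidate costs iterations+1 SHA-1 calls, which is why com.br's 10 iterations or by's 100 only slow the attack down rather than stop it.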

Brazil

Brazil has an interesting setup. The ccTLD .br itself uses NSEC, which is how I discovered all of those domains; I believe the list is complete and equivalent to an AXFR (I have found no counter-examples so far). The most popular second-level zone, com.br, uses NSEC3 with a long salt and 10 iterations, almost unheard of in DNSSEC apart from a few .mil zones, org.br, by (Belarus), which inexplicably uses 100 iterations, probably to stop people like me (despite that, I cracked 584 of 1017 hashes), and la (Laos), which uses 150 (despite that, I cracked 398 of 746). The government zone gov.br uses NSEC. Note that all of these are served by the same DNS servers, [a-f].dns.br. More interesting still, there are more DNSSEC-enabled com.br domains than DNSSEC-enabled com domains. Why? registro.br, which operates com.br, also hosts and signs many of the child zones on its own servers ([a-c].sec.dns.br), just as it does under gov.br. That does not weaken anyone's trust, because whoever holds the parent's private key can already override any value delegated from it; com.br is in the special position of being able to publish correct, signed data for every zone it hosts, and so hand out an accurate picture of much of com.br, just as gov.br has done with NSEC. We get no such picture of com because com signs nothing beneath it: it only publishes DS records for the minority of delegations whose operators sign their own zones. Let's look at the data from a few signatures under com.br.

dig +dnssec @200.219.154.10 apros.com.br.

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.219.154.10 apros.com.br.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27275
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;apros.com.br. IN A

;; AUTHORITY SECTION:
apros.com.br. 86400 IN NS c.sec.dns.br.
apros.com.br. 86400 IN NS b.sec.dns.br.
apros.com.br. 3600 IN DS 64627 5 1 A56441015582BAEB5013AF87B203C2C86B461E3D
apros.com.br. 3600 IN RRSIG DS 7 3 3600 20141223100000 20141216100000 33018 com.br. mVYd7IidGO5i1KceUMaBn1xy7mKpHfJcZtHh6i4R/tbso9nRvxiiWoce hGmBxuFXYGlelHWH76SDAOnyzk2dAn768fy9r0X3bQOln1Kvv8fb4XUR COvjv4SS/6RZhf8KVU4fHFrABtg+O5nQG6bE66/Td7MdT9RNOE3LsiKm hUY=

;; ADDITIONAL SECTION:
b.sec.dns.br. 172800 IN A 200.192.232.11
c.sec.dns.br. 172800 IN A 200.189.40.11
b.sec.dns.br. 172800 IN RRSIG A 5 4 172800 20150123084353 20141114084353 943 dns.br. P5sdQem+wzVyD+0wycTVcP8FFp4H/XIOZa2yR8kr0uxQKRYPQJyhp6bW cbyFwFVnKCOapTsiWOtYztghFPn2oaF1s6K1rL1mWNIeyHLFXANQzRnj Zri3WGh61ZzvKz5KipxCXfnH+ZRLxsJVTcI0FCphUh9KfWLKhzd3czsm EF0sldY1retqDb9w5s3kC0Ao
c.sec.dns.br. 172800 IN RRSIG A 5 4 172800 20150123084353 20141114084353 943 dns.br. 41k1GaDsRFm2j9FbsVJwFSvoj7w73+8nGkq4UGV1EViAl2h5BfMtEXum CW4034v0WDzIp/FQl1OZ60EAaSnNIx/OnCb01AYX9olTOBAjEOKv6KFa 3muR/8Y9BOsDn9IIkSkRiZysYfDkWo3J8G6P58wjMe1MgNopUlaycXPL mXBOszg6YYj3/ZY/I5uO47dZ

;; Query time: 68 msec
;; SERVER: 200.219.154.10#53(200.219.154.10)
;; WHEN: Wed Dec 17 15:22:42 PST 2014
;; MSG SIZE rcvd: 679

dig +dnssec @200.219.154.10 nuvoli.com.br.

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.219.154.10 nuvoli.com.br.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17235
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nuvoli.com.br. IN A

;; AUTHORITY SECTION:
nuvoli.com.br. 86400 IN NS a.sec.dns.br.
nuvoli.com.br. 86400 IN NS b.sec.dns.br.
nuvoli.com.br. 3600 IN DS 41021 5 1 735B1DB6F7EDEA0A5FC9E35D35F6B4ECA7F6E520
nuvoli.com.br. 3600 IN RRSIG DS 7 3 3600 20141223100000 20141216100000 33018 com.br. bg9YXXkjsRFDWdr9duEVB+QNtzy7OH1vMPLtv6nT5hLg5JRSlhYT0wPI MjqqkYqXxwS3vBaZ9uoRxSnAJT1i63g0fYctcAPocfGgxmEN1kVsNTRr 1iA3VkaKeqvmbvOz3PRY+doVOXlCeVFWNONiDQlvmFrKim3/ohnWYRBQ 9wk=

;; ADDITIONAL SECTION:
a.sec.dns.br. 172800 IN A 200.160.0.11
a.sec.dns.br. 172800 IN AAAA 2001:12ff::11
b.sec.dns.br. 172800 IN A 200.192.232.11
a.sec.dns.br. 172800 IN RRSIG A 5 4 172800 20150123084353 20141114084353 943 dns.br. roMyXYw+pNs/Yv9FwDnAJNxKecAGjPDoUD/x1EXvDPsfBENPH8GIYifL kLGfdjtSWn0/hnpGl0GJbSzSeYVSqp+56CM07TRnNQNjnEan+UXPEgoy ztUPUibyelsbCXX9fuqD8yQNCHeZU/Cf0X1XVdUf9/k6MEKmTl1cfHgz DFcW6GekmhT4BIt2vjn5BX9x
a.sec.dns.br. 172800 IN RRSIG AAAA 5 4 172800 20150123084353 20141114084353 943 dns.br. Ku8c3YR8L/VVf0cePAlUGTb6ASKYrUpGMF0ajLE9THc6JDezJ2BR8Jz4 vxH1zOe911ssH3UxEL2+CDjCTjBwUa/A9BDdp0JMDCLciOactV8JME+F 7R1+Pr7lfTlbd8yf1NR5QjSNXu4w54EW95EbBaFWeV3vAWgYQJVNgW+x 6hP1qozZanbuQIBE8rn+T/8T
b.sec.dns.br. 172800 IN RRSIG A 5 4 172800 20150123084353 20141114084353 943 dns.br. P5sdQem+wzVyD+0wycTVcP8FFp4H/XIOZa2yR8kr0uxQKRYPQJyhp6bW cbyFwFVnKCOapTsiWOtYztghFPn2oaF1s6K1rL1mWNIeyHLFXANQzRnj Zri3WGh61ZzvKz5KipxCXfnH+ZRLxsJVTcI0FCphUh9KfWLKhzd3czsm EF0sldY1retqDb9w5s3kC0Ao

;; Query time: 68 msec
;; SERVER: 200.219.154.10#53(200.219.154.10)
;; WHEN: Wed Dec 17 15:23:28 PST 2014
;; MSG SIZE rcvd: 890

You don't need to be able to do RSA or SHA1 to find out what's going on in these records. Simply look at the signer's name, which is 'dns.br' for all records. Then look at the DS records for each domain: they are different, which means each domain was signed by a different key. Then look at the nameservers, a.sec.dns.br and b.sec.dns.br: they are the same. Now we need to query each of the nameservers directly.

dig +dnssec @200.189.40.11 apros.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.189.40.11 apros.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8553
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;apros.com.br. IN A

;; AUTHORITY SECTION:
apros.com.br. 900 IN SOA b.sec.dns.br. hostmaster.registro.br. 2015008000 345600 900 604800 900
apros.com.br. 900 IN RRSIG SOA 5 3 86400 20150217004706 20150108004706 64627 apros.com.br. S/ja/KYwj1UElZwHMTFF038BI5KQkmdMUS50nlYyxSGllPJdI0u3jU02 LaScCmBO6gwOfKE53C2El8OKUePenta2lL+NwEEpUV59m32R5dIMHYTU ayJzv1pQDRecM5qRd5q1QtIudt/CcCWUcz5OiqqrgTN7PMcYSDIuDEKH f2k=
apros.com.br. 900 IN NSEC email.apros.com.br. NS SOA MX RRSIG NSEC DNSKEY
apros.com.br. 900 IN RRSIG NSEC 5 3 900 20150217004706 20150108004706 64627 apros.com.br. jieFIGYg7SO2CULv8gkf/D9VcNtKe3d7uwaBCV3LAuIgiiwt2E2lJmVT 0IP4Ci6xUYySssYHeNpq0K3j8QHXLmU0tgxZvthN5yHPr9OqUSUioKz9 uOyFEOCjAzOGZuGeib4NCP0D9ilpM6pYNwwNJol14ANtqwMkAUQsCLLS BxY=

;; Query time: 202 msec
;; SERVER: 200.189.40.11#53(200.189.40.11)
;; WHEN: Sun Jan 25 01:27:07 PST 2015
;; MSG SIZE rcvd: 492

dig +dnssec @200.160.0.11 nuvoli.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.160.0.11 nuvoli.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4387
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nuvoli.com.br. IN A

;; AUTHORITY SECTION:
nuvoli.com.br. 900 IN SOA a.sec.dns.br. hostmaster.registro.br. 2015007000 345600 900 604800 900
nuvoli.com.br. 900 IN RRSIG SOA 5 3 86400 20150216190722 20150107190722 41021 nuvoli.com.br. SYwi7I9Qmvr97J/5tzYN2lMwDJ8EhjjG9F+DfRNzeHtA1SUy3IubNGow YUmLBBOIg+7hwFHFcnp5IAdFLYq+w4HcpQWAYwj7AOGd2lW2ZtLj5EcH 5xHF13UD2Dh3IpEa0YNjGpE2pLJO7xD62EzJWMzYBE3ikcr3TJROi5Rk dO4=
nuvoli.com.br. 900 IN NSEC agenda.nuvoli.com.br. NS SOA MX TXT RRSIG NSEC DNSKEY
nuvoli.com.br. 900 IN RRSIG NSEC 5 3 900 20150216190722 20150107190722 41021 nuvoli.com.br. cqOap8X6JXpae52CcAu/i94c9SLYX2sW4jo04PvFuDGRPgmwP86eW1Ey iayHOEe7gp5KfGnzcKBcm3dwp7EaVY5tugHb6UMndFLsw5i+Xw5JKNPU adxMaem/VtacyECtNMP2tW18Hhs4x85vItibZzqEBZNSCdJ8J6cEYpNj hzo=

;; Query time: 202 msec
;; SERVER: 200.160.0.11#53(200.160.0.11)
;; WHEN: Sun Jan 25 01:30:44 PST 2015
;; MSG SIZE rcvd: 497

These results are totally unexpected. What you're seeing here is a.sec.dns.br using NSEC records (the totally insecure ones) to answer queries for two subdomains of .com.br, a zone which itself uses NSEC3. Allow me to illustrate with a table.

Domain          NSEC   NSEC3
.br             yes    -
.com.br         -      yes
nuvoli.com.br   yes    -

To prove the concept, here are the subdomains of apros.com.br and nuvoli.com.br:

ldns-walk @200.189.40.11 apros.com.br
apros.com.br.
apros.com.br. NS SOA MX RRSIG NSEC DNSKEY
www.email.apros.com.br. CNAME RRSIG NSEC
www.apros.com.br. A RRSIG NSEC
xxx.apros.com.br. A RRSIG NSEC

ldns-walk @200.160.0.11 nuvoli.com.br
nuvoli.com.br.
nuvoli.com.br. NS SOA MX TXT RRSIG NSEC DNSKEY
agenda.nuvoli.com.br. CNAME RRSIG NSEC
docs.nuvoli.com.br. CNAME RRSIG NSEC
mail.nuvoli.com.br. CNAME RRSIG NSEC
pop.nuvoli.com.br. CNAME RRSIG NSEC
site.nuvoli.com.br. CNAME RRSIG NSEC
videos.nuvoli.com.br. CNAME RRSIG NSEC
www.nuvoli.com.br. CNAME RRSIG NSEC

Plenty of sites that have not opted in to DNSSEC nevertheless appear in the cracked NSEC3 hash list, so there doesn't seem to be any rhyme or reason to which sites have NSEC3 records and which do not. It appears that many but not all domains have DS records, which doesn't make sense considering the tech savvy of the domain owners (no offense, but it is apparent). An explanation of how DNSSEC key generation works in Brazil would be helpful.

Let's look at com.

dig +dnssec @192.43.172.30 paypal.com

; <<>> DiG 9.10.1-P1 <<>> +dnssec @192.43.172.30 paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4005
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;paypal.com. IN A

;; AUTHORITY SECTION:
paypal.com. 172800 IN NS ns1.isc-sns.net.
paypal.com. 172800 IN NS ns2.isc-sns.com.
paypal.com. 172800 IN NS ns3.isc-sns.info.
paypal.com. 86400 IN DS 21037 5 2 0DF17B28554954D819E0CEEAB98FCFCD56572A4CF4F551F0A9BE6D04 DB2F65C3
paypal.com. 86400 IN RRSIG DS 8 2 86400 20141223051543 20141216040543 48758 com. S3PBUN3MGHFhwl8z4QpUQLkcoPmj+UdRbMaCV/uzYqSs0vXj7PDfhEcx SM39OCsV+Vb0PyynoxSdF8R3Ef5RQR6T50b7EA/rqrwHobRX3MqqAaK3 HP5Ooc7m1Vzn262dQMyDswmwKOC70AbbZG/B7/wrA4/yBBcsVv/7nkSJ tE8=

;; ADDITIONAL SECTION:
ns1.isc-sns.net. 172800 IN AAAA 2001:470:1a::1
ns1.isc-sns.net. 172800 IN A 72.52.71.1
ns2.isc-sns.com. 172800 IN A 38.103.2.1

;; Query time: 148 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Wed Dec 17 15:30:36 PST 2014
;; MSG SIZE rcvd: 395

Instead of giving the A record we requested, it gives us NS records and a DS record. The DS record is a hash of the important parts of the child's public key, so that we can validate answers from the correct nameservers. The RRSIG is the signature over that DS record. Therefore we can see quite clearly that paypal.com is signed by com, and that no NSEC3 or NSEC record signed by com should claim that paypal.com has no DS record. If you look up most com names, you will find that an NSEC3 record is the response. That is because they have not given a DS record to their DNS nameserver.

Too many counterexamples exist for this theory of opt-out to be true. One is uol.com.br. Most domains in the massive list of 353059 hashes are unpopular domains despite being short and easy to remember. But there are too many popular .com.br domain names that are missing from this list.

dig +dnssec @200.160.0.10 uol.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.160.0.10 uol.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24620
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;uol.com.br. IN A

;; AUTHORITY SECTION:
uol.com.br. 86400 IN NS eliot.uol.com.br.
uol.com.br. 86400 IN NS borges.uol.com.br.
uol.com.br. 86400 IN NS charles.uol.com.br.
5lj9r0juabvl3fe63ct5htuvvo36m541.com.br. 900 IN NSEC3 1 1 10 4CD2F2C437FF9B524572 5LJAMJNGRUHAV21OCLKU21CKT0AK0HU0 NS SOA RRSIG DNSKEY NSEC3PARAM
5lj9r0juabvl3fe63ct5htuvvo36m541.com.br. 900 IN RRSIG NSEC3 7 3 900 20150130100000 20150123100000 42678 com.br. wHByHzFhMzeHruEDApx30RYJZ+oFal2u+pBBNSF7LmsG4P4FsAXMIqrP 8mPkvCjODuN4bDhsifipGPRBX9wcxIxT1u+JsXsRRpkzSHWsaFr+R4Hd 2TZzPnlFvsg2A7eOZP2FmCODpbfR0tjPhORUrgPuAlHmIDLsb5o/FJZs tJg=
knvms0s1vbe556jfbf1vu3gbomgc7vtl.com.br. 900 IN NSEC3 1 1 10 4CD2F2C437FF9B524572 KNVQAUF72RDCQP1NH79TPHN33SH39N06 NS DS RRSIG
knvms0s1vbe556jfbf1vu3gbomgc7vtl.com.br. 900 IN RRSIG NSEC3 7 3 900 20150130100000 20150123100000 42678 com.br. SIZ9NXptxLQsmZc0PjMVyTGVwFo3aU/J9cQ8p0chapikmrm++8B9P6Pt 8iYaQwHp1dvIaxH1wQrvvtX+Jmw1+t8V9K0fXSWgNriOBsyTndedjpbx jnXnS7k453JQlCnxR7s4sCfjOKqdsrVyUFJciOiEMeGDfjuf/WOxAkFC oKY=

;; ADDITIONAL SECTION:
eliot.uol.com.br. 86400 IN A 200.221.11.98
borges.uol.com.br. 86400 IN A 200.147.255.105
charles.uol.com.br. 86400 IN A 200.147.38.8

;; Query time: 206 msec
;; SERVER: 200.160.0.10#53(200.160.0.10)
;; WHEN: Sun Jan 25 00:45:13 PST 2015
;; MSG SIZE rcvd: 661
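As an added example (not the author's code), the following pulls the NSEC3 records out of a response like the one above and reads their flags field: bit 0 is Opt-Out (RFC 5155), and when it is set the record only denies the existence of signed names in its hash span, so an unsigned delegation with no DS record can sit in that span without ever appearing in the chain. The two records are copied from the uol.com.br output above; the hash used to exercise span coverage is a constructed value.

```python
import re
from dataclasses import dataclass

# Sample input: the two NSEC3 records from the uol.com.br answer above,
# one record per line as dig prints them.
SAMPLE = """
5lj9r0juabvl3fe63ct5htuvvo36m541.com.br. 900 IN NSEC3 1 1 10 4CD2F2C437FF9B524572 5LJAMJNGRUHAV21OCLKU21CKT0AK0HU0 NS SOA RRSIG DNSKEY NSEC3PARAM
knvms0s1vbe556jfbf1vu3gbomgc7vtl.com.br. 900 IN NSEC3 1 1 10 4CD2F2C437FF9B524572 KNVQAUF72RDCQP1NH79TPHN33SH39N06 NS DS RRSIG
"""

@dataclass
class Nsec3:
    owner_hash: str   # base32hex label of the hashed owner name
    zone: str
    hash_alg: int     # 1 = SHA-1, the only algorithm RFC 5155 defines
    flags: int
    iterations: int
    salt: str         # hex digits, or "-" when the zone uses no salt
    next_hash: str
    types: tuple

    @property
    def opt_out(self) -> bool:
        # RFC 5155 section 3.1.2.1: bit 0 of the flags field is Opt-Out.
        # Set means unsigned delegations may exist between owner and next.
        return bool(self.flags & 0x01)

    def covers(self, hashed: str) -> bool:
        """True if `hashed` lies strictly between owner and next, i.e. this
        record is the one a validator would use to deny that name."""
        h, o, n = hashed.lower(), self.owner_hash.lower(), self.next_hash.lower()
        if o < n:
            return o < h < n
        return h > o or h < n   # last record wraps around to the first

RR_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?:\d+\s+)?IN\s+NSEC3\s+(?P<alg>\d+)\s+(?P<flags>\d+)\s+"
    r"(?P<iter>\d+)\s+(?P<salt>\S+)\s+(?P<next>\S+)(?P<types>.*)$"
)

def parse_nsec3(text: str) -> list:
    """Extract NSEC3 records from dig-style presentation output."""
    records = []
    for line in text.splitlines():
        m = RR_RE.match(line.strip())
        if not m:
            continue
        label, _, zone = m.group("owner").partition(".")
        records.append(Nsec3(label, zone, int(m.group("alg")), int(m.group("flags")),
                             int(m.group("iter")), m.group("salt"), m.group("next"),
                             tuple(m.group("types").split())))
    return records

def summarize(records: list) -> dict:
    """What the response tells a validator about the zone's denial policy."""
    return {
        "opt_out": any(r.opt_out for r in records),
        "iterations": sorted({r.iterations for r in records}),
        "salt": sorted({r.salt for r in records}),
        # The record whose type bitmap holds SOA is the zone apex.
        "apex_record": next((r.owner_hash for r in records if "SOA" in r.types), None),
    }

if __name__ == "__main__":
    recs = parse_nsec3(SAMPLE)
    for r in recs:
        print(f"{r.owner_hash} -> {r.next_hash} opt-out={r.opt_out} types={' '.join(r.types)}")
    print(summarize(recs))
```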

The system used by Brazil is mirrored by the European Union TLD .eu and the German TLD .de, and possibly many others. What is more confusing is that the American TLD .us supports NSEC and is opt-out, which makes the entire .us DNS database available to anyone with ldns-walk in a few days' time. The USA is a strange place, and it seems that the company that chose NSEC for .us is Neustar, Inc., while the company that chose NSEC3 for .com is Verisign. That makes perfect sense in an American sort of way. Another strange example is .net, which is also owned by Verisign. .net seems to be opt-out, unlike .com. My evidence for this is the same as above for .com.br. There is, however, an easy counterexample in google.net.

This leaves us with an unsatisfactory answer to our question of how authoritative our list is. On the other hand, we did manage to uncover enough domains that if we need to test something on servers (say another WordPress vulnerability), we have a list of domain names to try it on (not actually exploit, but passively test the version number and such).

Setting up a DNSSEC domain

If you want to set up DNSSEC on your domain for testing, or to add yourself to the great NSEC3 list, this should help. I have my own nameserver on altsci.com (using tinydns aka djbdns), which doesn't support DS records, so I can't put my DNSSEC records onto a server. I chose to create a DS for bikeim.com using ldns-keygen.

ldns-keygen -a RSASHA256 -b 4096 bikeim.com

After a while (5 minutes to hours depending on your RNG entropy), this gives you three files: Kbikeim.com.+008+54945.ds, Kbikeim.com.+008+54945.key, and Kbikeim.com.+008+54945.private. The ds file is the record that you would add to a bind-compatible nameserver. The key file is the public DNSKEY record. In the key data we see 516 bytes. Clearly there are 4 bytes of header, 03010001, and 512 bytes of N. Using Python, we can check whether this value is easily factorable. It would be easier if we had p and q from the private file, but let's take a look from the perspective of the attacker.

Kbikeim.com.+008+54945.ds

bikeim.com. IN DS 54945 8 2 ccc45143a5ef6f37a92a7c3875403aeb32d9d9507fd642745970e2320725e5b4

Kbikeim.com.+008+54945.key

bikeim.com. IN DNSKEY 256 3 8 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 ;{id = 54945 (zsk), size = 4096b}

python3
import sys
import binascii
import Crypto.Util.number
import gmpy2
# gnfs1 and fermat1 are the author's own helper modules, not standard packages.
import gnfs1
import fermat1

a = binascii.a2b_base64(
    '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'
)
print(len(a))
# Skip the 4-byte header 03010001 (exponent length 3, e = 65537); the rest is N.
pubkey = a[4:]
n = Crypto.Util.number.bytes_to_long(pubkey)
sqrt_n_o = gmpy2.iroot(n, 2)
if sqrt_n_o[1]:
    # This should never happen.
    print("sqrt(n) is an integer?", sqrt_n_o[0])
    sys.exit(1)
#end if
sqrt_n = int(sqrt_n_o[0])
# Test all prime numbers between 2 and 100M
print("GNFS says:")
print(gnfs1.factor(n))
# Test all prime numbers between sqrt(n) - 100M and sqrt(n)
print(gnfs1.factor(n, sqrt_n - 100000000))
# Test all prime numbers between sqrt(n) and sqrt(n) + 100M
print(gnfs1.factor(n, sqrt_n))
# This value is approximately avg(sqrt(n) - p) + random.randint(0, 10**612)
avg_dp = 5122621145277382969688872128728426311319062916369918553744475614137822128239111751511353800314424459393476073980222150875349214710113862716194143053700184839673329656916889528635540134824278796927552362314001739150979238910191197111793930789004332947626374399240746727048988580610116795558298839179459332579243595730226757884170938325481810783810414537512228088268372374961399100459554498981122225289301577799243710164897122021636246364828374395456301972549651900145263264668266694965564885028867313397309361132566062306265233613744832958703039138364820470503224523842264939229233952565654153686812604490002207694
# Test all prime numbers between sqrt(n) - 100M - avg_dp and sqrt(n) - avg_dp
print(gnfs1.factor(n, sqrt_n - 100000000 - avg_dp))
# Test all prime numbers between sqrt(n) - avg_dp and sqrt(n) - avg_dp + 100M
print(gnfs1.factor(n, sqrt_n - avg_dp))
# Use Fermat's factorization method to attempt to factor n.
# This can take a long time, so stop it after a few hours.
print(fermat1.fermat2(n, False))

Since all of these fail, we can look at factoring with a real GNFS in a realistic amount of time, or at computing GCDs across a large number of collected public keys. The fastgcd software written by Nadia Heninger's group would be a good place to start. [8] To gather public keys like the one above, simply query DNSSEC servers:

dig DNSKEY paypal.com
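As an added example (not the author's code), here is a parser for a DNSKEY record in the presentation format that dig and ldns-keygen print. It splits the RSA public key per RFC 3110, where the exponent length is a one- or three-byte prefix, so the `a[4:]` shortcut above is correct only for the usual three-byte exponent 65537; it also computes the RFC 4034 key tag, which is the `id = 54945` ldns prints and the first field of the DS record, and the DS digest itself. The record in the demo is a constructed toy key, not the real bikeim.com key.

```python
import base64
import hashlib
import struct

def parse_rsa_dnskey(pubkey: bytes) -> tuple:
    """Split the public-key field of an RSA DNSKEY into (e, n), RFC 3110 style.
    Byte 0 is the exponent length; if it is 0, the next two bytes hold the length.
    The 03 01 00 01 header seen above is the common case: a 3-byte e = 65537."""
    if pubkey[0] != 0:
        elen, off = pubkey[0], 1
    else:
        (elen,) = struct.unpack("!H", pubkey[1:3])
        off = 3
    e = int.from_bytes(pubkey[off:off + elen], "big")
    n = int.from_bytes(pubkey[off + elen:], "big")
    return e, n

def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA: the number ldns prints
    as ';{id = ...}' and that the DS record and every RRSIG carry."""
    ac = 0
    for i, b in enumerate(dnskey_rdata(flags, protocol, algorithm, pubkey)):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def name_to_wire(owner: str) -> bytes:
    """Canonical (lowercase) wire form of an owner name, RFC 4034 section 6.2."""
    labels = [l for l in owner.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def ds_digest(owner, flags, protocol, algorithm, pubkey, digest_type=2) -> str:
    """Digest field of a DS record (RFC 4034 section 5.1.4): SHA-256 for type 2,
    SHA-1 for type 1, over canonical owner name || DNSKEY RDATA."""
    h = hashlib.sha256 if digest_type == 2 else hashlib.sha1
    return h(name_to_wire(owner) + dnskey_rdata(flags, protocol, algorithm, pubkey)).hexdigest()

def inspect_dnskey(presentation: str) -> dict:
    """Parse one DNSKEY record as dig or a K*.key file prints it (TTL optional)."""
    toks = presentation.split(";")[0].split()
    if toks[1].isdigit():          # drop the TTL when dig includes one
        del toks[1]
    owner, _cls, _type, flags, proto, alg, *b64 = toks
    flags, proto, alg = int(flags), int(proto), int(alg)
    pubkey = base64.b64decode("".join(b64))
    e, n = parse_rsa_dnskey(pubkey)
    return {"owner": owner, "flags": flags, "algorithm": alg,
            "key_tag": key_tag(flags, proto, alg, pubkey),
            "e": e, "n": n, "bits": n.bit_length(),
            "ds_sha256": ds_digest(owner, flags, proto, alg, pubkey)}

if __name__ == "__main__":
    # Constructed toy record with a 32-bit modulus; NOT the real bikeim.com key above.
    toy = "bikeim.com. IN DNSKEY 256 3 8 AwEAAcD/7gE= ;{id = toy (zsk), size = 32b}"
    info = inspect_dnskey(toy)
    print(f"key tag {info['key_tag']}, e={info['e']}, {info['bits']}-bit n")
    print(f"{info['owner']} IN DS {info['key_tag']} {info['algorithm']} 2 {info['ds_sha256']}")
```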

Until the code is written to test the keys and the protocols we won't know if DNSSEC actually provides any security to those who use it.

On the other hand, we do know how to sign the zone. Here is how to sign a simple zone. Note that this doesn't have MX records or AAAA records, but the process would be the same if it did.

# Get the A record and the NS record from its nameserver, in this case AltSci.com.
dig @216.218.134.11 bikeim.com >bikeim.com.zone
# Add the SOA record from a default server.
dig SOA bikeim.com >>bikeim.com.zone
# Actually sign the zone with your private key.
ldns-signzone bikeim.com.zone Kbikeim.com.+008+54945
# Verify the output.
cat bikeim.com.zone.signed

bikeim.com. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com. 3600 IN RRSIG SOA 8 2 3600 20150222173448 20150125173448 54945 bikeim.com. 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
bikeim.com. 86400 IN A 216.218.134.11
bikeim.com. 86400 IN RRSIG A 8 2 86400 20150222173448 20150125173448 54945 bikeim.com. qF5iig+Eb7HhgIwyOJIabVKq6MwD20Pi6KP+48qRPFAX5GzjEi8BjTHEBIlDaHKQ1zTdQjPE06ikUuCBln9ZxrqZWBF/NCYiCmQc3rQHzquMMX+NrFltW8X21IMXPsjiOHBygfUMeH8vGEXs/MvDyiO39OvIIB+Q5dHPu+0biB/TNJhdHVT4e3WC6A7AT7+X3p+6nLT3Q7FC1/cIKeX6nB7kAivcPUJdmoCw30v8csZnuDBYf3U2Nf91GGZJGRzA304f3GPOJ43bh6HK+K3ODIPHRfx00dXMdH5GR6j0mG1yeoUXKQaL1Ji7ydIr/SW3Zzq7HZJp8Qb3ZdCAmQDceN+mPWRPZPpU6gwvbCeL8+VZFCsdfRx8qmRFJXWTVtXa2dl9Bm6RVYQLNry4U4h8ljBmie19+PHAb0SWFy89llu2lMKetFKJjhtPBHIMZ6AxDUHiV3i4qPThkUaqkP2U37GUlf+3PWyh8oADAhQBMgKSKKFNGOpa6mMi15FeBPBMKOMujzdPW+158xOzTyLYD3XqAkUR+2MlFOe1wGJj+yQg34zLScWVcq91B3Z70F8uskLbxDya2GaNj7TvKa35eP6B/xYncCMwyBPv8X/5vH7qN9pf3MJTsrVA3jFcmxacD+LeMJr6ylhqIrD7zJppTyzGa6U7hmMIvyG97Nj00Ho=
bikeim.com. 259200 IN NS a.ns.bikeim.com.
bikeim.com. 259200 IN NS b.ns.bikeim.com.
bikeim.com. 259200 IN RRSIG NS 8 2 259200 20150222173448 20150125173448 54945 bikeim.com. 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
bikeim.com. 3600 IN DNSKEY 256 3 8 AwEAAeNVhvRP3IT79YuJCUOfGm7PyUNZoLmiiuP/oGqkNlF8/9TVoaHPsix6aemFtCvMofLXZ2aBPovXKB0KyVxZ+F2QJHUuVIKOFL5dBe2EbVXkljJRV6M/rbWiPr4RpVNzhNijUHGulAeIJpaZdvEiCrO11hUIHw6v1m46OVgan7zge8ReOdSWVOS/4buQGXech2EXpCQXNPu+SVoOrIkipt3ZYgrzOEY+Qik0+bBoGcHf5YyTvUDQAHTw0/T97T/UIg4u10YnUK/O0QanBfsL1/7OxYoBaseZiuIv7YckGw9P2bSRkgOZvRT7Tm7nAszwvSjN2SawLZ2xd2xg28iwDysVkBA3oZ1q+aqfYo75imB1SEPguzJsonOBIZ8t26NPw3zRahmUGEucQUA2m7RO0ADDNAYBchrTwcOjRSBivd9btI/mC0QhzfhvmkIO4StBKSZdXTa2QM6JcCxk8ZAM4H/mGMEg5tHmJ0C0+fpUEBiFsrWa6PA4wV07JWAsIMX52rUWEVSwe0hN3WBxNAJ11wlzFCFhoYR0h5n1Cc8EHV6aFQ8zcmTF43lx9PtNPrUkYaVWH42Gwsc+tA/HWXbA0o4XdETJDZdVUyyX8OUv3cMBPONbIAZsvOO9DYjg783LaRI0FvISNxudDMzCUzajKvtgXHO4zI36UM67cnbVr1Qh ;{id = 54945 (zsk), size = 4096b}
bikeim.com. 3600 IN RRSIG DNSKEY 8 2 3600 20150222173448 20150125173448 54945 bikeim.com. 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
bikeim.com. 3601 IN NSEC a.ns.bikeim.com. A NS SOA RRSIG NSEC DNSKEY
bikeim.com. 3601 IN RRSIG NSEC 8 2 3601 20150222173448 20150125173448 54945 bikeim.com. 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
a.ns.bikeim.com. 259200 IN A 216.218.134.11
a.ns.bikeim.com. 259200 IN RRSIG A 8 4 259200 20150222173448 20150125173448 54945 bikeim.com. 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
a.ns.bikeim.com. 3601 IN NSEC b.ns.bikeim.com. A RRSIG NSEC
a.ns.bikeim.com. 3601 IN RRSIG NSEC 8 4 3601 20150222173448 20150125173448 54945 bikeim.com. 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
b.ns.bikeim.com. 259200 IN A 50.132.7.141
b.ns.bikeim.com. 259200 IN RRSIG A 8 4 259200 20150222173448 20150125173448 54945 bikeim.com. 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
b.ns.bikeim.com. 3601 IN NSEC bikeim.com. A RRSIG NSEC
b.ns.bikeim.com. 3601 IN RRSIG NSEC 8 4 3601 20150222173448 20150125173448 54945 bikeim.com. VzZF/Wua5GSlfRcFzBjAhQply9arSjsNBhYWwE1FGMSchKsMA+ajzT8JhRldxcraHz1J+Ytkj9iPubtJ8V9VjbJ3ahhZZpKCEWGCi8+xyYsBPwtZRlBzPwu0eUuul18+OocqtJBCUWzmv6bRGOBhWZCNbW3W6vIDz8fOzFHVOIDireouDTvlePoxKHDi4MPQXKOnrEODqv4A9PZKpubOriJ4mUhsnUjFLynUr8FlwG/kSSf42X50GTIGubQvq63DXWaN2wiA2i6VduMrmqmm2VETh6AbYxo8Esc2XnqVc1NZgzBobOuJx6bSjhbE1oULClFFyUSHUdyhVOKmmlfh1m/K+Up+dxtfKmDrE2Nt2k4QpMnBEx+IwhO4Oi5fQxZFkEle6NDnrPdMFwETeKpfzZvSp3fieTJRlsKOW8apw5O3A8EIJEwdTKVcVdy/Q43xEgtmVWGd4PV7pHcf8bQOkAiGhnzSy+PVwsyAKfITW2M8v8dTadkBMTdrk9+L6lk9lJyeQTsEgAX3PX1d2HNcSgTee0vzQPCKTTnlJIqbr45HUuw8vXYzQXeS0RdtQ7pl/qbGtW/tCcaYysNfG/LiXP2Aoss5hEEcU/8vc5EUz6kERN4mIAi5IAMHZFsjU7O8FxETkVbuvJl+PaUhlpIIVDpfFj0TGUOHSzPvYgw55kY=

Note how ldns-signzone creates NSEC records instead of NSEC3 records by default. You have to specify extra flags to get NSEC3, so let's do that. Since it's so easy to do, let's do one with a strong salt and 10 iterations, and another with no salt and 0 iterations.

# Sign bikeim.com with a 9 byte salt and 10 iterations.
ldns-signzone -n -a 1 -t 10 -s b17e19c0ffee7eafff bikeim.com.zone Kbikeim.com.+008+54945
# Verify the output
cat bikeim.com.zone.signed

bikeim.com. 3600 IN SOA dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com. 3600 IN RRSIG SOA 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. 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
bikeim.com. 86400 IN A 216.218.134.11
bikeim.com. 86400 IN RRSIG A 8 2 86400 20150222180705 20150125180705 54945 bikeim.com. M4h9KRE4VKagpCkdbBIai5fgeO1Z6rxpa1lBlVH0wzjAhRJ636cKz8ti2Qjm1WLgHutUwYKqHgt5TPJMtHnjU1m7IYn11nX8oA9/P17VcIeucBwlV2X8mLTpzKPz+CWFG7iByL9WgX/BbXLTDqbrdwbIob6tQncf8rpSBYxUymhQukL+Bh38/qQBKQKKocfYAI9ktQ5nYFF9M3b6wJ9obqlvMbddqWVIElTrGbWCQuyfRwQObmIpF21o/L5L3ak4JBOVUeUgGUzDeItfWm8mpg4nlxDmXhJpHTqYEmyX00EWaAQZiZeJRdHFDVFnBXxhyca/iWcp/QUoCKvhm4dWZIiLPPOap5Y0N5ls9JO6Cw3lNvHXtr2Gh9TIRZh2LdiTyn+ZXhdJA33OisgnrRVam6KSxbEcgyXQEu83dl3hmz/5Q3PwVXwagOs/RasK8BR1MS9zdo3CgcWldKQJjHZ6n7mcMGpkCoI8CNl1HE8CrMLkZzDXCo6ylMsINzBNCrsCfwCgOqD2w16ARhHRuBHJYRbdazA1v0i7i6LtA18X9fNsCmsgjua9teag2e28swNWMIj3bNVr33g8k8PbEzGiE/WkLARWxzokL1tsIUKfCe/Fvx5rVNJQrXLOQdh/9rd0qyMtADRqpEx1Fq6YDpw7DUwGcIUp1xAsyiCzGfkw9rg=
bikeim.com. 259200 IN NS a.ns.bikeim.com.
bikeim.com. 259200 IN NS b.ns.bikeim.com.
bikeim.com. 259200 IN RRSIG NS 8 2 259200 20150222180705 20150125180705 54945 bikeim.com. 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
bikeim.com. 3600 IN DNSKEY 256 3 8 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 ;{id = 54945 (zsk), size = 4096b}
bikeim.com. 3600 IN RRSIG DNSKEY 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. 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
bikeim.com. 3600 IN NSEC3PARAM 1 0 10 b17e19c0ffee7eafff
bikeim.com. 3600 IN RRSIG NSEC3PARAM 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. 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
25m7umcbbcep021gup624cp6khao90qi.bikeim.com. 3601 IN NSEC3 1 0 10 b17e19c0ffee7eafff 495hmaukgs0mcuu66e68iib1alrpdfr8 A NS SOA RRSIG DNSKEY NSEC3PARAM
25m7umcbbcep021gup624cp6khao90qi.bikeim.com. 3601 IN RRSIG NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. 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
c1s5nhr1.bikeim.com. 86400 IN CNAME bikeim.com.
c1s5nhr1.bikeim.com. 86400 IN RRSIG CNAME 8 3 86400 20150222180705 20150125180705 54945 bikeim.com. 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
javaf499auko4mrgvkhhj16u8htrqujp.bikeim.com. 3601 IN NSEC3 1 0 10 b17e19c0ffee7eafff km6plui7sdj3rliepi2ppahubmm4b3ue CNAME RRSIG
javaf499auko4mrgvkhhj16u8htrqujp.bikeim.com. 3601 IN RRSIG NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. 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
495hmaukgs0mcuu66e68iib1alrpdfr8.bikeim.com. 3601 IN NSEC3 1 0 10 b17e19c0ffee7eafff c83dc2ceikqjrj8m2sr5tc4dk97um11s
495hmaukgs0mcuu66e68iib1alrpdfr8.bikeim.com. 3601 IN RRSIG NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. 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
a.ns.bikeim.com. 259200 IN A 216.218.134.11
a.ns.bikeim.com. 259200 IN RRSIG A 8 4 259200 20150222180705 20150125180705 54945 bikeim.com. 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
km6plui7sdj3rliepi2ppahubmm4b3ue.bikeim.com. 3601 IN NSEC3 1 0 10 b17e19c0ffee7eafff 25m7umcbbcep021gup624cp6khao90qi A RRSIG
km6plui7sdj3rliepi2ppahubmm4b3ue.bikeim.com. 3601 IN RRSIG NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. dHkHtrxu987Fnio9oSsp35FOjS0Kc0LyKV0ohZ2dOO1zTJeBcnikhSzyXlX4qoh4ocRn8FkLKKfcIjYhKKb7UK58jcryOpE12sUZu/Qj9Ev3M3Spat5SyMop7T8okuliYZLWZFtlc3LqKUB8I1RSmifU2WzFIl+gqjzWnDSzwg3j9RKFyTqpjPF2nsGkUgQLj2oFh+X9uQwBiJ6Atz3g89+h/39
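As an added example (not the author's code), this computes the NSEC3 owner names that ldns-signzone emitted above, following RFC 5155 section 5: SHA-1 over the canonical wire-format name concatenated with the salt, repeated iterations+1 times, base32hex-encoded. The salt, iteration count and the names are taken from the zone above; treating ns.bikeim.com as an empty non-terminal is an assumption inferred from the a.ns and b.ns labels. Salt and iterations only raise the per-guess cost of a dictionary attack on the hashes, which is why the cracked NSEC3 hash list mentioned earlier exists at all.

```python
import base64
import hashlib

def name_to_wire(name: str) -> bytes:
    """Canonical wire form of a domain name: lowercase, length-prefixed labels, root byte."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def base32hex(data: bytes) -> str:
    """RFC 4648 base32hex, lowercase and unpadded, as NSEC3 owner labels are written."""
    std = base64.b32encode(data).decode("ascii").rstrip("=")
    table = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          "0123456789abcdefghijklmnopqrstuv")
    return std.translate(table)

def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5: IH(0) = H(name || salt), IH(k) = H(IH(k-1) || salt),
    returning IH(iterations) as a 32-character base32hex label."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

def hashed_owners(zone: str, names: list, salt_hex: str, iterations: int) -> dict:
    """Map NSEC3 owner name -> original name, in the sorted order the chain uses."""
    pairs = sorted((nsec3_hash(n, salt_hex, iterations), n) for n in names)
    return {h + "." + zone: n for h, n in pairs}

if __name__ == "__main__":
    # Parameters from the NSEC3PARAM record above: SHA-1, 10 iterations, 9-byte salt.
    salt, iterations = "b17e19c0ffee7eafff", 10
    zone = "bikeim.com."
    # Names present in the signed zone above; ns.bikeim.com. is assumed to be the
    # empty non-terminal that explains the NSEC3 record with no type bitmap.
    names = ["bikeim.com.", "ns.bikeim.com.", "a.ns.bikeim.com.",
             "b.ns.bikeim.com.", "c1s5nhr1.bikeim.com."]
    for owner, name in hashed_owners(zone, names, salt, iterations).items():
        print(f"{owner:48} {name}")   # compare against the NSEC3 owners above
    print(nsec3_hash("bikeim.com.", "-", 0), "<- same apex, no salt, 0 iterations")
```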