Hello, While watching some parked domains, I recently observed one which has a TXT field containing some crypto value, something like a ssh key/RSA 512 or 1024 output (only the crypto part 'cvxvcvcxvcxv=' ). For now, I have referenced the following usage of TXT - DNS Server information/version - SPF (format like "v=spf1 a mx -all") [1] - DKIM (format like "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3 [...] YA+OwSMWQIDAQAB", but always in _domainkey.<domain>) [2] - not DNSSec as I supposed first (only DNSKEY, RR, RSIG, NSEC, not TXT) Does someone know at what kind of usage this kind of value could correspond ? (even if, nearly everything is possible) Maybe somebody knows of a webpage referencing common usage of DNS fields ? I found http://www.iana.org/assignments/dns-parameters but it points only on RFC not practical usage. Thanks a lot. Best regards, Jul [1] http://en.wikipedia.org/wiki/Sender_Policy_Framework [2] http://www.ietf.org/rfc/rfc4871.txt (7.4) Note: current RFC referencing TXT field is http://www.ietf.org/rfc/rfc1035.txt "TXT RRs are used to hold descriptive text."
On Sun, Mar 28, 2010 at 02:04:39PM +0200, jul wrote:
Hello,
While watching some parked domains, I recently observed one which has a TXT field containing some crypto value, something like a ssh key/RSA 512 or 1024 output (only the crypto part 'cvxvcvcxvcxv=' ).
If the TXT data is a large wodge which changes, and/or there are fluctuating interesting labels within the zone, then it isn't parked but is being used for IP-over-DNS tunneling. Cheers, Joe -- RSUC / GweepNet / Spunk / FnB / Usenix / SAGE
Hi Jul Dkim , SPF ,and Domainkey are sender authentication methods for email system. Which use Public Key Cryptography. The mail server apends signiture to every outgoing message using private key. the recepient mail server to verify needs the public key which placed in the sender DNS server. see dig suin.edu.sd txt --> for SPF dig _domainkey.suin.edu.sd txt --> for DKIM regards, -- Tarig Y. Adam Chief Technology Officer Sudanese Universities' Information Network (SUIN) T: +249925659149 w: www.suin.edu.sd
Date: Sun, 28 Mar 2010 14:04:39 +0200 From: jul_bsd@yahoo.fr To: nanog@nanog.org Subject: DNS TXT field usage ?
Hello,
While watching some parked domains, I recently observed one which has a TXT field containing some crypto value, something like a ssh key/RSA 512 or 1024 output (only the crypto part 'cvxvcvcxvcxv=' ).
For now, I have referenced the following usage of TXT - DNS Server information/version - SPF (format like "v=spf1 a mx -all") [1] - DKIM (format like "k=rsa\; t=y\; p=MIGfMA0GCSqGSIb3 [...] YA+OwSMWQIDAQAB", but always in _domainkey.<domain>) [2] - not DNSSec as I supposed first (only DNSKEY, RR, RSIG, NSEC, not TXT)
Does someone know at what kind of usage this kind of value could correspond ? (even if, nearly everything is possible)
Maybe somebody knows of a webpage referencing common usage of DNS fields ? I found http://www.iana.org/assignments/dns-parameters but it points only on RFC not practical usage.
Thanks a lot. Best regards,
Jul
[1] http://en.wikipedia.org/wiki/Sender_Policy_Framework [2] http://www.ietf.org/rfc/rfc4871.txt (7.4)
Note: current RFC referencing TXT field is http://www.ietf.org/rfc/rfc1035.txt "TXT RRs are used to hold descriptive text."
_________________________________________________________________ Hotmail: Powerful Free email with security by Microsoft. https://signup.live.com/signup.aspx?id=60969
On 3/29/10 12:06 PM, Tarig Yassin wrote:
Hi Jul
Dkim, SPF, and Domainkey are sender authentication methods for email system. Which use Public Key Cryptography.
DKIM and Domainkeys use public key cryptography to authenticate signature sources used for signing at least email From headers and signature headers. However, SPF uses chained IP address lists to establish source authorization, but not authentication. Since outbound MTAs might handle multiple domains, it would be incorrect to assume authorization implies authentication and to expect email domains have been previously verified by the source. For example, Sender-ID might use the same SPF record, but this expects Purported Responsible Addresses (PRA) rather than Mail Froms have been verified. On the other hand, SPF was designed to ignore the PRA, and neither section 2.2 or 2.4 of RFC4408 imposes prior verification demands on Mail From or HELO, which would conflict with normal forwarding. :^( Both DKIM and Domainkey share the same domain label of "<domain-holding-key>._domainkey.<admin-domain>", whereas the first SPF record in a chain would be accessed without any prefix label. While bad actors could use either scheme to obscure encoded DNS tunnel traffic, ascertaining abnormal use would be especially difficult whenever the first SPF records in a chain includes local-part encoding for subsequent SPF record prefixes. :^( -Doug
participants (4)
-
Douglas Otis
-
Joe Provo
-
jul
-
Tarig Yassin