In article <[email protected]> you write:
>That all seems correct. However, I brought the issue to this mailing list,
>instead of to the UltraDNS folks, because I am using tools that expect host
>names instead of domain names (in this case, dig); now I have to write shims
>around them. Other signing-on-the-fly mechanisms might cause similar issues
>for dig or other tools.

But wouldn't that equally fail on a SRV record with a _tcp name or a DKIM key with _domainkey? If you're poking at the DNS I'd think you need to be prepared for anything the DNS can return.

It is not clear to me that this stuff is there to prevent enumeration. The funky names allow zone updates without having to keep the zone in canonical order to regenerate the NSEC chain.
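
The host-name versus domain-name distinction discussed in this exchange, as an added example that is not part of the original message: a parser for presentation-format names (RFC 1035 escapes included) that reports which labels fall outside host-name syntax. The function names and the sample owner names are constructed for illustration.

```python
import re

# One host-name label (RFC 952/1123): letters, digits, interior hyphens.
LDH = re.compile(rb"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")

def parse_name(text):
    """Split a presentation-format name into raw label bytes (RFC 1035 escapes)."""
    if text == ".":
        return []                                  # the root name
    labels, cur, i = [], bytearray(), 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            ddd = text[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isascii() and ddd.isdigit():
                if int(ddd) > 255:
                    raise ValueError("\\DDD escape out of range")
                cur.append(int(ddd))               # \DDD: one byte, decimal
                i += 4
            elif i + 1 < len(text):
                cur += text[i + 1].encode()        # \X: X taken literally
                i += 2
            else:
                raise ValueError("dangling backslash")
        elif ch == ".":
            if not cur:
                raise ValueError("empty label")
            labels.append(bytes(cur))
            cur = bytearray()
            i += 1
        else:
            cur += ch.encode()
            i += 1
    if cur:
        labels.append(bytes(cur))
    if any(len(l) > 63 for l in labels) or sum(len(l) + 1 for l in labels) + 1 > 255:
        raise ValueError("label or name too long")
    return labels

def non_host_labels(text):
    """Return labels that make a valid domain name unusable as a host name."""
    return [l for l in parse_name(text) if not LDH.fullmatch(l)]

# Constructed sample owner names, not taken from any real zone.
SAMPLES = ["www.example.com.", "_sip._tcp.example.com.",
           "sel._domainkey.example.com.", "\\000.example.com.", "a\\.b.example.com."]

if __name__ == "__main__":
    for name in SAMPLES:
        bad = non_host_labels(name)
        print(f"{name:30} {'host name' if not bad else 'domain name only: ' + repr(bad)}")
```

A tool that validates input with the host-name rule alone rejects every sample after the first, although all five are well-formed domain names.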
