
@dotysan
Last active Oct 12, 2016
Probe DNS TLDs for NSEC3 usage.
#!/usr/bin/env python3
# Copyright (C) 2012 Internet Systems Consortium.
#
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
#
# THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SYSTEMS CONSORTIUM
# DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
# IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
# INTERNET SYSTEMS CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
# INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
# FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
# NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
# WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
import socket, struct, sys
from bundy.dns import *
# IPv4 address of f.root-servers.net at the time of writing ("of the day").
# That server is known to answer AXFR queries for the root zone.
# NOTE(review): the transfer is fetched from this literal address over plain
# TCP and nothing in this script DNSSEC-validates the records it returns, so
# the TLD and glue lists built from it are unauthenticated input. Confirm the
# address is still current before trusting a run.
DEFAULT_ROOT_SERVER_ADDRESS = '192.5.5.241'

# Classification codes used by this survey. They are consecutive integers
# because the main block also uses them as indexes into its per-type result
# lists; "tldtype_descriptions" supplies the label printed for each code.
(TLDTYPE_UNKNOWN,
 TLDTYPE_UNSIGNED,
 TLDTYPE_NSEC_SIGNED,
 TLDTYPE_NSEC3_SIGNED,
 TLDTYPE_NSEC3_OPTOUT_SIGNED,
 TLDTYPE_NSEC3_UNKNOWN) = range(6)

tldtype_descriptions = {
    TLDTYPE_UNKNOWN: 'unknown',
    TLDTYPE_UNSIGNED: 'unsigned',
    TLDTYPE_NSEC_SIGNED: 'signed with NSEC',
    TLDTYPE_NSEC3_SIGNED: 'signed with NSEC3, no optout',
    TLDTYPE_NSEC3_OPTOUT_SIGNED: 'signed with NSEC3, optout',
    TLDTYPE_NSEC3_UNKNOWN: 'signed with NSEC3, may/maynot optout',
}

# Maps an NSEC3 iteration count to the list of zones observed using it.
# Kept at module level purely for convenience.
iteration_stats = {}
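# Seconds to wait on any single TCP operation during the zone transfer, so a
# stalled server cannot hang the script forever.
_AXFR_IO_TIMEOUT = 30


def _recv_exact(sock, count):
    """Read exactly *count* bytes from *sock*, or raise EOFError."""
    chunks = []
    remaining = count
    while remaining > 0:
        chunk = sock.recv(remaining)
        if not chunk:
            # The peer closed the stream in the middle of a message.
            raise EOFError('connection closed with %d of %d bytes missing' %
                           (remaining, count))
        chunks.append(chunk)
        remaining -= len(chunk)
    return b''.join(chunks)


def get_tlds(root_server_addr, tlds, v6_glues, v4_glues):
    """Fetch the root zone by AXFR and collect TLD delegations and glue.

    The three dictionaries are filled in place; nothing is returned.

    Args:
        root_server_addr: numeric IP address of a server that allows AXFR of
            the root zone (AI_NUMERICHOST is set, so no name lookup happens).
        tlds: dict mapping a lower-cased owner name to the list of NS target
            names seen for it (the root's own NS records are skipped).
        v6_glues: dict mapping a lower-cased owner name to its AAAA rdata
            texts.
        v4_glues: dict mapping a lower-cased owner name to its A rdata texts.

    Raises:
        EOFError: the server closed the connection before the transfer ended.
        RuntimeError: a response message carried a non-NOERROR rcode.
        socket.error / socket.timeout: connection or I/O failure.

    NOTE(review): the transfer arrives over plain TCP and its records are not
    DNSSEC-validated here, yet every address collected is later sent probe
    queries. Treat the output as unauthenticated data.
    """
    # Build the AXFR query.
    axfr_query = Message(Message.RENDER)
    axfr_query.set_opcode(Opcode.QUERY)
    axfr_query.set_rcode(Rcode.NOERROR)
    axfr_query.add_question(Question(Name('.'), RRClass.IN, RRType.AXFR))
    renderer = MessageRenderer()
    axfr_query.to_wire(renderer)

    gai = socket.getaddrinfo(root_server_addr, 53, socket.AF_UNSPEC,
                             socket.SOCK_STREAM, 0,
                             socket.AI_NUMERICHOST | socket.AI_NUMERICSERV)[0]
    # The context manager closes the socket on every exit path.
    with socket.socket(gai[0], gai[1], gai[2]) as s:
        s.settimeout(_AXFR_IO_TIMEOUT)
        s.connect(gai[4])
        # DNS over TCP prefixes each message with a 2-byte big-endian length.
        # sendall() is used because send() may transmit only part of the data.
        s.sendall(struct.pack('!H', renderer.get_length()) +
                  renderer.get_data())

        # Read response messages until two SOAs have been seen. Remember all
        # non-root NS records and all AAAA and A records in the matching
        # dictionary.
        axfr_response = Message(Message.PARSE)
        soa_count = 0
        while soa_count < 2:
            msg_len = struct.unpack('!H', _recv_exact(s, 2))[0]
            rcvd_data = _recv_exact(s, msg_len)
            axfr_response.clear(Message.PARSE)
            axfr_response.from_wire(rcvd_data, Message.PRESERVE_ORDER)
            # A refused or failed transfer has no SOA. Without this check the
            # loop would keep reading until the peer hangs up.
            if axfr_response.get_rcode() != Rcode.NOERROR:
                raise RuntimeError('AXFR from %s failed: %s' %
                                   (root_server_addr,
                                    axfr_response.get_rcode().to_text()))
            for rr in axfr_response.get_section(Message.SECTION_ANSWER):
                rrtype = rr.get_type()
                if rrtype == RRType.SOA:
                    soa_count += 1
                    continue
                owner_txt = rr.get_name().to_text().lower()
                # Presumably PRESERVE_ORDER yields one RR per RRset, which is
                # why only get_rdata()[0] is read. Confirm against bundy.dns.
                if rrtype == RRType.NS and owner_txt != '.':
                    target = tlds
                elif rrtype == RRType.AAAA:
                    target = v6_glues
                elif rrtype == RRType.A:
                    target = v4_glues
                else:
                    continue
                target.setdefault(owner_txt, []).append(
                    rr.get_rdata()[0].to_text())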
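def do_resolve(name, type, v6addrs, v4addrs, must_be_auth=True):
    """Query the given servers for (name, type) and return the first answer.

    The query is sent over UDP with the DNSSEC DO bit set and an EDNS buffer
    size of 4096. IPv4 addresses are tried before IPv6 ones because they are
    still more likely to be reachable.

    Args:
        name: the query name (a Name object).
        type: the query RR type.
        v6addrs: list of numeric IPv6 addresses of candidate servers.
        v4addrs: list of numeric IPv4 addresses of candidate servers.
        must_be_auth: when True, responses without the AA flag are reported
            on stderr and skipped.

    Returns:
        The first acceptable response (a Message object), or None if every
        server fails. A failure is a timeout, a socket error, a response that
        cannot be parsed, a query-ID mismatch, or (with must_be_auth) a
        non-authoritative response.
    """
    import os  # function-scope so the file's import block stays untouched

    # The original never set a query ID, so every query carried the library
    # default. Use an unpredictable ID and check it on the way back so that a
    # stray or forged datagram is not mistaken for the answer.
    qid = struct.unpack('!H', os.urandom(2))[0]

    # Build the query message, with DNSSEC DO bit on, UDP buf size of 4096.
    query = Message(Message.RENDER)
    query.set_qid(qid)
    query.set_opcode(Opcode.QUERY)
    query.set_rcode(Rcode.NOERROR)
    query.add_question(Question(name, RRClass.IN, type))
    edns = EDNS()
    edns.set_dnssec_awareness(True)
    edns.set_udp_size(4096)
    query.set_edns(edns)

    # Render the message to wire-format data once; it is reused per server.
    query_renderer = MessageRenderer()
    query.to_wire(query_renderer)
    wire_query = query_renderer.get_data()

    response = Message(Message.PARSE)
    for addr in v4addrs + v6addrs:
        try:
            gai = socket.getaddrinfo(addr, 53, socket.AF_UNSPEC,
                                     socket.SOCK_DGRAM, 0,
                                     socket.AI_NUMERICHOST |
                                     socket.AI_NUMERICSERV)[0]
            # "with" closes the socket on every path; the original leaked one
            # descriptor per attempt.
            with socket.socket(gai[0], gai[1], gai[2]) as s:
                s.settimeout(10)  # don't wait too long
                # connect() on a UDP socket makes the kernel drop datagrams
                # that do not come from the queried address and port.
                s.connect(gai[4])
                s.send(wire_query)
                reply = s.recv(4096)
        except (socket.timeout, socket.error):
            # Timed out, unreachable (for example no IPv6 route) or an
            # unusable address: consider it unreachable and try the next.
            continue

        response.clear(Message.PARSE)
        try:
            response.from_wire(reply)
        except Exception as ex:
            # The reply is untrusted network data. The parse-error classes of
            # bundy.dns are not visible in this file, so catch broadly here,
            # report the failure and move on to the next server.
            sys.stderr.write('%s returned an unparsable response for %s: %s\n'
                             % (addr, name.to_text(), ex))
            continue
        if response.get_qid() != qid:
            sys.stderr.write('%s returned a response with an unexpected '
                             'query ID for %s\n' % (addr, name.to_text()))
            continue
        if must_be_auth and \
                not response.get_header_flag(Message.HEADERFLAG_AA):
            sys.stderr.write('%s returned non authoritative data for %s\n' %
                             (addr, name.to_text()))
            continue
        return response
    return None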
def find_rrset(type, msg, section):
    """Return the first RRset of *type* in *section* of *msg*, else None."""
    candidates = (entry for entry in msg.get_section(section)
                  if entry.get_type() == type)
    return next(candidates, None)
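def check_nsec3(tld, v6addrs, v4addrs):
    """Decide whether an NSEC3-signed TLD uses opt-out.

    Names under the TLD are probed until one yields an insecure delegation,
    meaning a non-authoritative response with NS but no DS in the authority
    section. The NSEC3 record in that referral supplies the flags and the
    iteration count.

    Side effect: the zone is appended to the global ``iteration_stats`` under
    its NSEC3 iteration count. That count matters because it sets how much
    hashing the servers and validators must do (RFC 9276 recommends 0).

    Args:
        tld: zone name as text, with a trailing dot.
        v6addrs: numeric IPv6 addresses of the zone's name servers.
        v4addrs: numeric IPv4 addresses of the zone's name servers.

    Returns:
        TLDTYPE_NSEC3_SIGNED if the opt-out flag is clear,
        TLDTYPE_NSEC3_OPTOUT_SIGNED if it is set, or TLDTYPE_NSEC3_UNKNOWN
        when no probe produced a usable insecure delegation.
    """
    # Fix: the last prefix used to be 'aaa' without the trailing dot. For
    # 'com.' that produced 'aaacom.', a sibling TLD name, not a name under
    # the zone being probed.
    # NOTE(review): the sample output's "Broken NSEC3 signed zone" lines may
    # partly come from that out-of-zone probe. Re-run to confirm.
    probe_names = [prefix + tld for prefix in
                   ['google.', 'google.com.', 'google.co.', 'aaa.']]
    for probe_name in probe_names:
        response = do_resolve(Name(probe_name), RRType.SOA, v6addrs, v4addrs,
                              False)
        if response is None:
            continue
        # If it doesn't indicate a delegation, ignore it.
        if response.get_header_flag(Message.HEADERFLAG_AA) or \
                find_rrset(RRType.NS, response,
                           Message.SECTION_AUTHORITY) is None:
            continue
        if find_rrset(RRType.DS, response,
                      Message.SECTION_AUTHORITY) is not None:
            # This is a secure delegation, so it says nothing about opt-out.
            continue
        nsec3 = find_rrset(RRType.NSEC3, response, Message.SECTION_AUTHORITY)
        if nsec3 is None:
            sys.stderr.write('Broken NSEC3 signed zone: %s\n' % tld)
            continue

        # The text form begins "<hash alg> <flags> <iterations> ...". The
        # record is untrusted network data, so a short or non-numeric form
        # is reported and skipped instead of crashing the run.
        nsec3_fields = nsec3.get_rdata()[0].to_text().split()
        try:
            hash_alg, flags, iteration = (int(f) for f in nsec3_fields[:3])
        except ValueError:
            sys.stderr.write('Unparsable NSEC3 record for %s\n' % tld)
            continue
        if hash_alg != 1:
            # Only warn; the zone is still counted, as before.
            sys.stderr.write('%s uses an unknown NSEC3 algorithm: %s\n' %
                             (tld, nsec3_fields[0]))
        iteration_stats.setdefault(iteration, []).append(tld)
        # Bit 0 of the NSEC3 flags field is the opt-out flag.
        if (flags & 1) == 0:
            return TLDTYPE_NSEC3_SIGNED
        return TLDTYPE_NSEC3_OPTOUT_SIGNED
    return TLDTYPE_NSEC3_UNKNOWN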
def check_dnssec(tld, v6addrs, v4addrs):
    """Classify how a TLD is signed, using its known name server addresses.

    The zone apex is queried for NSEC. A non-empty answer means NSEC signing.
    An empty answer with NSEC3 in the authority section means NSEC3 signing.
    Anything else is treated as unsigned.

    Sometimes a child zone (com.<tld> or co.<tld>) is examined instead of the
    TLD itself. The zone that was actually checked is therefore returned
    along with the type.

    Returns:
        A ``(tldtype, zone_name)`` tuple.
    """
    apex_reply = do_resolve(Name(tld), RRType.NSEC, v6addrs, v4addrs)
    if apex_reply is None:
        sys.stderr.write('No information is available for %s\n' % tld)
        return TLDTYPE_UNKNOWN, tld

    if apex_reply.get_rr_count(Message.SECTION_ANSWER) <= 0:
        # Empty answer: NSEC3 in the authority section means the zone is
        # signed with NSEC3; otherwise it is unsigned.
        apex_nsec3 = find_rrset(RRType.NSEC3, apex_reply,
                                Message.SECTION_AUTHORITY)
        if apex_nsec3 is None:
            return TLDTYPE_UNSIGNED, tld
        return check_nsec3(tld, v6addrs, v4addrs), tld

    # The apex has an NSEC record, so the TLD itself is NSEC-signed.
    # Heuristic: com.$tld and co.$tld sometimes exist as separate zones that
    # may be signed with NSEC3, in which case they are the better thing to
    # check. For simplicity the same servers are assumed to be authoritative
    # for such child zones.
    for label in ('com.', 'co.'):
        child_reply = do_resolve(Name(label + tld), RRType.NSEC, v6addrs,
                                 v4addrs)
        if child_reply is None:
            continue
        if child_reply.get_rr_count(Message.SECTION_ANSWER) != 0:
            continue
        if find_rrset(RRType.NSEC3, child_reply,
                      Message.SECTION_AUTHORITY) is None:
            continue
        return check_nsec3(label + tld, v6addrs, v4addrs), label + tld
    return TLDTYPE_NSEC_SIGNED, tld
def probe_tld(tld, nameservers, v6_glues, v4_glues, results):
    """Classify one TLD and file it under its type in *results*.

    Args:
        tld: the TLD name as text.
        nameservers: NS target names of the TLD.
        v6_glues: dict mapping a name to its list of IPv6 address texts.
        v4_glues: dict mapping a name to its list of IPv4 address texts.
        results: list indexed by TLDTYPE_* code; the checked zone name is
            appended to the list for the identified type.

    When none of the name servers has a known address, a message is written
    to stderr and *results* is left untouched.
    """
    # Gather the known IPv6 and IPv4 addresses of the TLD's name servers.
    v6addrs = [addr for ns in nameservers for addr in v6_glues.get(ns, ())]
    v4addrs = [addr for ns in nameservers for addr in v4_glues.get(ns, ())]
    if not v4addrs and not v6addrs:
        sys.stderr.write('No NS addresses are available for %s\n' % tld)
        return
    outcome, zone_checked = check_dnssec(tld, v6addrs, v4addrs)
    results[outcome].append(zone_checked)
if __name__ == '__main__':
    # Collect the TLD list and glue from the root zone, probe each TLD, then
    # print one summary line per signing type and per NSEC3 iteration count.
    tlds, v6_glues, v4_glues = {}, {}, {}
    get_tlds(DEFAULT_ROOT_SERVER_ADDRESS, tlds, v6_glues, v4_glues)
    # NOTE(review): the two "addresses" figures are the sizes of the glue
    # dictionaries, i.e. the number of owner names that have AAAA/A records,
    # not the number of individual addresses.
    sys.stdout.write('found %d TLDs, %d IPv6 addresses, %d IPv4 addresses\n' %
                     (len(tlds), len(v6_glues), len(v4_glues)))

    type_codes = range(0, TLDTYPE_NSEC3_UNKNOWN + 1)
    probe_results = [[] for _ in type_codes]
    for tld, nameservers in sorted(tlds.items()):
        probe_tld(tld, nameservers, v6_glues, v4_glues, probe_results)

    for code in type_codes:
        zones = probe_results[code]
        sys.stdout.write('%s: %d' % (tldtype_descriptions[code], len(zones)))
        sys.stdout.write(' (' + ', '.join(sorted(zones)) + ')')
        sys.stdout.write('\n')

    sys.stdout.write('\nStatistics about NSEC3 iterations:\n')
    for count in sorted(iteration_stats):
        zones = iteration_stats[count]
        sys.stdout.write('%d: %d' % (count, len(zones)))
        sys.stdout.write(' (' + ', '.join(sorted(zones)) + ')')
        sys.stdout.write('\n')
found 1502 TLDs, 3576 IPv6 addresses, 4150 IPv4 addresses
Broken NSEC3 signed zone: aarp.
Broken NSEC3 signed zone: abb.
Broken NSEC3 signed zone: abc.
Broken NSEC3 signed zone: accenture.
Broken NSEC3 signed zone: aeg.
Broken NSEC3 signed zone: afamilycompany.
Broken NSEC3 signed zone: airbus.
Broken NSEC3 signed zone: airtel.
Broken NSEC3 signed zone: americanfamily.
Broken NSEC3 signed zone: amfam.
Broken NSEC3 signed zone: ar.
Broken NSEC3 signed zone: arte.
Broken NSEC3 signed zone: asda.
Broken NSEC3 signed zone: azure.
Broken NSEC3 signed zone: bank.
Broken NSEC3 signed zone: barefoot.
Broken NSEC3 signed zone: bbt.
Broken NSEC3 signed zone: bbva.
Broken NSEC3 signed zone: beauty.
Broken NSEC3 signed zone: bharti.
Broken NSEC3 signed zone: bing.
Broken NSEC3 signed zone: blanco.
Broken NSEC3 signed zone: bloomberg.
Broken NSEC3 signed zone: bms.
Broken NSEC3 signed zone: bofa.
Broken NSEC3 signed zone: bosch.
Broken NSEC3 signed zone: bw.
Broken NSEC3 signed zone: capitalone.
Broken NSEC3 signed zone: cfa.
Broken NSEC3 signed zone: cfd.
Broken NSEC3 signed zone: chanel.
Broken NSEC3 signed zone: cityeats.
Broken NSEC3 signed zone: clubmed.
193.0.9.68 returned non authoritative data for cm.
Broken NSEC3 signed zone: comsec.
Broken NSEC3 signed zone: cookingchannel.
Broken NSEC3 signed zone: crown.
Broken NSEC3 signed zone: crs.
Broken NSEC3 signed zone: csc.
Broken NSEC3 signed zone: diy.
Broken NSEC3 signed zone: duck.
Broken NSEC3 signed zone: ericsson.
193.0.9.73 returned non authoritative data for et.
Broken NSEC3 signed zone: fairwinds.
Broken NSEC3 signed zone: fidelity.
Broken NSEC3 signed zone: foodnetwork.
Broken NSEC3 signed zone: frontdoor.
Broken NSEC3 signed zone: fujixerox.
Broken NSEC3 signed zone: gallo.
Broken NSEC3 signed zone: genting.
Broken NSEC3 signed zone: george.
Broken NSEC3 signed zone: gi.
Broken NSEC3 signed zone: glade.
216.239.32.105 returned non authoritative data for com.google.
216.239.34.105 returned non authoritative data for com.google.
216.239.36.105 returned non authoritative data for com.google.
216.239.38.105 returned non authoritative data for com.google.
216.239.60.105 returned non authoritative data for com.google.
2001:4860:4802:32::69 returned non authoritative data for com.google.
2001:4860:4802:34::69 returned non authoritative data for com.google.
2001:4860:4802:36::69 returned non authoritative data for com.google.
2001:4860:4802:38::69 returned non authoritative data for com.google.
2001:4860:4805::69 returned non authoritative data for com.google.
Broken NSEC3 signed zone: guardian.
Broken NSEC3 signed zone: hgtv.
Broken NSEC3 signed zone: hotmail.
Broken NSEC3 signed zone: ice.
Broken NSEC3 signed zone: il.
Broken NSEC3 signed zone: insurance.
Broken NSEC3 signed zone: jaguar.
Broken NSEC3 signed zone: java.
Broken NSEC3 signed zone: juniper.
Broken NSEC3 signed zone: kerryhotels.
Broken NSEC3 signed zone: kerrylogistics.
Broken NSEC3 signed zone: kerryproperties.
193.0.9.84 returned non authoritative data for com.kg.
Broken NSEC3 signed zone: kuokgroup.
Broken NSEC3 signed zone: ladbrokes.
Broken NSEC3 signed zone: lancome.
Broken NSEC3 signed zone: landrover.
Broken NSEC3 signed zone: lefrak.
Broken NSEC3 signed zone: lego.
Broken NSEC3 signed zone: liaison.
Broken NSEC3 signed zone: lifestyle.
Broken NSEC3 signed zone: linde.
Broken NSEC3 signed zone: lipsy.
Broken NSEC3 signed zone: living.
Broken NSEC3 signed zone: lundbeck.
Broken NSEC3 signed zone: lupin.
Broken NSEC3 signed zone: macys.
Broken NSEC3 signed zone: maif.
Broken NSEC3 signed zone: makeup.
Broken NSEC3 signed zone: med.
Broken NSEC3 signed zone: microsoft.
Broken NSEC3 signed zone: mls.
193.0.9.96 returned non authoritative data for com.mm.
Broken NSEC3 signed zone: msd.
Broken NSEC3 signed zone: nab.
Broken NSEC3 signed zone: nadex.
Broken NSEC3 signed zone: nationwide.
Broken NSEC3 signed zone: next.
Broken NSEC3 signed zone: nextdirect.
Broken NSEC3 signed zone: nikon.
Broken NSEC3 signed zone: nissay.
Broken NSEC3 signed zone: norton.
134.159.2.140 returned non authoritative data for nr.
Broken NSEC3 signed zone: obi.
Broken NSEC3 signed zone: off.
Broken NSEC3 signed zone: omega.
Broken NSEC3 signed zone: onyourside.
Broken NSEC3 signed zone: oracle.
Broken NSEC3 signed zone: orange.
Broken NSEC3 signed zone: pictet.
Broken NSEC3 signed zone: raid.
Broken NSEC3 signed zone: realestate.
Broken NSEC3 signed zone: realtor.
Broken NSEC3 signed zone: rexroth.
Broken NSEC3 signed zone: rightathome.
Broken NSEC3 signed zone: rwe.
Broken NSEC3 signed zone: samsclub.
Broken NSEC3 signed zone: sanofi.
Broken NSEC3 signed zone: sbs.
Broken NSEC3 signed zone: sca.
Broken NSEC3 signed zone: scjohnson.
Broken NSEC3 signed zone: sener.
Broken NSEC3 signed zone: ses.
Broken NSEC3 signed zone: shangrila.
Broken NSEC3 signed zone: shell.
Broken NSEC3 signed zone: skin.
Broken NSEC3 signed zone: sky.
Broken NSEC3 signed zone: smart.
Broken NSEC3 signed zone: spreadbetting.
Broken NSEC3 signed zone: statoil.
Broken NSEC3 signed zone: swatch.
Broken NSEC3 signed zone: symantec.
Broken NSEC3 signed zone: tatamotors.
Broken NSEC3 signed zone: tiaa.
Broken NSEC3 signed zone: tiffany.
Broken NSEC3 signed zone: travelchannel.
Broken NSEC3 signed zone: ubank.
Broken NSEC3 signed zone: ubs.
Broken NSEC3 signed zone: vana.
Broken NSEC3 signed zone: vanguard.
Broken NSEC3 signed zone: verisign.
Broken NSEC3 signed zone: visa.
Broken NSEC3 signed zone: walmart.
Broken NSEC3 signed zone: warman.
Broken NSEC3 signed zone: weber.
Broken NSEC3 signed zone: weir.
Broken NSEC3 signed zone: windows.
Broken NSEC3 signed zone: xbox.
Broken NSEC3 signed zone: xerox.
Broken NSEC3 signed zone: xn--11b4c3d.
Broken NSEC3 signed zone: xn--3pxu8k.
Broken NSEC3 signed zone: xn--42c2d9a.
Broken NSEC3 signed zone: xn--5su34j936bgsg.
Broken NSEC3 signed zone: xn--9dbq2a.
Broken NSEC3 signed zone: xn--c2br7g.
Broken NSEC3 signed zone: xn--fhbei.
Broken NSEC3 signed zone: xn--j1aef.
212.1.66.247 returned non authoritative data for xn--j1amh.
192.93.0.4 returned non authoritative data for xn--mgbc0a9azcg.
Broken NSEC3 signed zone: xn--pssy2u.
216.239.32.105 returned non authoritative data for com.xn--q9jyb4c.
216.239.34.105 returned non authoritative data for com.xn--q9jyb4c.
216.239.36.105 returned non authoritative data for com.xn--q9jyb4c.
216.239.38.105 returned non authoritative data for com.xn--q9jyb4c.
216.239.60.105 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:32::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:34::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:36::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:38::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4805::69 returned non authoritative data for com.xn--q9jyb4c.
Broken NSEC3 signed zone: xn--w4r85el8fhu5dnra.
Broken NSEC3 signed zone: xn--w4rs40l.
Broken NSEC3 signed zone: xperia.
unknown: 0 ()
unsigned: 149 (ae., aero., ai., al., ao., aq., as., ax., ba., bb., bd., bf., bh., bi., bj., bm., bn., bo., bs., bt., bv., cd., cf., cg., ci., ck., cm., cu., cv., cw., cy., dj., dm., do., dz., ec., eg., er., et., fj., fk., ga., gb., ge., gf., gg., gh., gm., gp., gq., gt., gu., gy., hm., ht., im., int., iq., ir., it., je., jm., jo., kh., km., kn., kp., kw., kz., ls., ly., mc., md., mh., mk., ml., mo., mp., mq., mr., ms., mt., mu., mv., mw., mz., ne., ng., ni., np., nr., om., pa., pf., pg., ph., pk., pn., ps., py., qa., rs., rw., sa., sd., sk., sm., so., sr., st., sv., sz., tc., td., tel., tg., tj., tk., to., tr., uz., va., ve., vg., vi., vn., ws., xn--54b7fta0cc., xn--80ao21a., xn--90a3ac., xn--90ae., xn--d1alf., xn--j1amh., xn--lgbbat1ad8j., xn--mgb9awbf., xn--mgba3a4f16a., xn--mgbaam7a8h., xn--mgbayh7gpa., xn--mgbc0a9azcg., xn--mgbpl2fh., xn--mgbtx2b., xn--mix891f., xn--node., xn--qxam., xn--wgbl6a., xn--ygbi2ammx., ye., za., zw.)
signed with NSEC: 307 (aaa., able., accountant., ads., aetna., aig., americanexpress., amex., amica., analytics., android., app., aramco., arpa., athleta., au., audible., audio., author., auto., aws., axa., baby., banamex., bananarepublic., best., bg., bible., bid., biz., blackfriday., boo., book., booking., bot., buzz., cal., call., calvinklein., car., caravan., cars., cartier., cbn., cbre., ceo., channel., chase., chintai., chloe., christmas., chrome., circle., cisco., citadel., citi., click., club., co., coupon., cricket., dad., date., day., dclk., deal., dealer., dell., dev., diet., discover., docs., download., drive., duns., dupont., earth., eat., esq., everbank., faith., farmers., fast., ferrero., fire., flickr., flir., flowers., fly., foo., ford., fox., frontier., ftr., game., gap., gbiz., gift., gle., gmail., gn., goog., google., got., grainger., gucci., guge., guitars., hangout., hbo., health., help., here., hiphop., homegoods., homesense., honeywell., hosting., hot., hoteles., how., hsbc., htc., hyatt., id., ieee., imdb., ing., intel., intuit., ipiranga., itau., iwc., jetzt., jlc., jmp., jnj., jot., joy., jpmorgan., juegos., ke., kg., kinder., kindle., kpmg., kred., ky., lanxess., lb., lifeinsurance., like., lilly., lincoln., link., lk., loan., loft., lol., lr., marshalls., mattel., mcd., mcdonalds., meet., meme., mg., mint., mlb., mm., mobily., moe., moi., mom., montblanc., mov., mutual., na., nba., netflix., neustar., new., nexus., nfl., nike., northwesternmutual., now., nyc., office., oldnavy., open., osaka., page., pamperedchef., panerai., party., passagens., pay., pfizer., pharmacy., photo., piaget., pics., pin., ping., play., pr., pramerica., praxi., prime., prod., prof., property., pru., prudential., qpon., qvc., racing., read., review., rocher., room., rsvp., safe., safety., sas., save., science., se., secure., sexy., silk., skype., sl., smile., song., soy., spot., staples., statefarm., stream., swiftcover., taipei., talk., taobao., target., 
tattoo., tdk., teva., tjmaxx., tjx., tkmaxx., tmall., tn., trade., travel., tube., tunes., tushu., unicom., uno., us., vivo., vuelos., wanggou., watches., weather., weatherchannel., webcam., whoswho., williamhill., win., winners., wow., xn--1ck2e1b., xn--8y0a063a., xn--bck1b9a5dre4c., xn--cck2b3b., xn--eckvdtc9d., xn--fct429k., xn--flw351e., xn--fzc2c9e2c., xn--g2xx48c., xn--gckr3f0f., xn--gk3at1e., xn--jvr189m., xn--kpu716f., xn--l1acc., xn--mgba3a3ejt., xn--mgbb9fbpob., xn--nyqy26a., xn--pbt977c., xn--pgbs0dh., xn--q9jyb4c., xn--qcka1pmc., xn--rhqv96g., xn--rovu88b., xn--xkc2al3hye2a., yahoo., yamaxun., yandex., you., youtube., zappos., zero., zip., zippo.)
signed with NSEC3, no optout: 52 (ad., archi., az., barcelona., barclays., bio., build., by., cam., cat., cloud., cologne., courses., cr., cz., ee., eus., film., frl., gal., gd., gent., gov., is., koeln., luxury., ma., melbourne., men., nrw., nu., one., physio., ruhr., scot., ski., sn., study., style., sucks., sx., sydney., top., tz., vu., xn--3bst00m., xn--45q11c., xn--6qq986b3xl., xn--czr694b., xn--hxt814e., xn--ses554g., zm.)
signed with NSEC3, optout: 426 (abbott., ac., academy., accountants., actor., adult., af., ag., agency., airforce., am., amsterdam., apartments., army., asia., associates., at., attorney., auction., aw., band., bar., bargains., bayern., be., beer., berlin., bet., bike., bingo., black., blog., blue., boutique., broker., brussels., builders., business., bz., ca., cab., cafe., camera., camp., capetown., capital., cards., care., career., careers., casa., cash., casino., catering., cc., center., ch., chat., cheap., church., city., cl., claims., cleaning., clinic., clothing., cn., coach., codes., coffee., college., com., com.br., community., company., computer., condos., consulting., contractors., cooking., cool., corsica., country., coupons., credit., creditcard., cx., cymru., dance., dating., de., deals., degree., delivery., democrat., dental., design., digital., direct., directory., discount., dk., dog., domains., durban., edu., education., email., energy., engineer., engineering., enterprises., equipment., es., estate., eu., events., exchange., expert., exposed., express., fail., fans., farm., fashion., feedback., fi., finance., financial., fish., fit., fitness., florist., fm., fo., football., forex., forsale., foundation., fr., fund., furniture., futbol., fyi., gallery., games., garden., gdn., gifts., gives., gl., glass., gmbh., gold., golf., gr., graphics., gratis., green., gripe., group., gs., guide., guru., hamburg., haus., healthcare., hiv., hk., hn., hockey., holdings., holiday., horse., host., house., hr., hu., ie., immo., immobilien., in., industries., info., ink., institute., insure., international., investments., io., irish., ist., istanbul., jewelry., jobs., joburg., jp., kaufen., ki., kim., kitchen., kiwi., kr., kyoto., la., land., lat., lawyer., lc., lease., legal., lgbt., li., life., lighting., limited., limo., live., loans., london., love., lt., ltd., ltda., lu., lv., maison., management., market., marketing., markets., mba., me., media., memorial., 
miami., mn., mobi., moda., money., mortgage., moscow., mx., my., name., navy., net., network., news., nf., ngo., ninja., nl., no., nz., okinawa., ong., onl., online., ooo., org., ovh., paris., partners., parts., pe., pet., photography., photos., pictures., pink., pizza., pl., place., plus., pm., poker., porn., press., pro., productions., promo., properties., protection., pt., pub., pw., re., recipes., red., rehab., reise., reisen., rent., rentals., repair., report., republican., rest., restaurant., reviews., rich., rip., ro., rocks., rodeo., ru., run., ryukyu., sale., salon., sarl., sb., sc., school., schule., security., services., sex., sg., sh., shiksha., shoes., shop., shopping., show., si., singles., site., soccer., social., solar., solutions., space., srl., stada., storage., store., studio., su., supplies., supply., support., surf., surgery., systems., tatar., tax., taxi., team., tech., technology., tennis., tf., th., theater., theatre., tickets., tienda., tips., tirol., tl., tm., today., tokyo., tools., tours., town., toys., trading., training., tt., tv., tw., ua., ug., uk., university., uy., vacations., vc., vegas., ventures., versicherung., vet., viajes., video., villas., vin., vip., vision., vlaanderen., vodka., vote., voto., voyage., wales., watch., website., wedding., wf., wiki., wine., work., works., world., wtf., xn--1qqw23a., xn--3ds443g., xn--55qx5d., xn--6frz82g., xn--fiq228c5hs., xn--fiqs8s., xn--fiqz9s., xn--io0a7i., xn--kput3i., xn--mk1bu44c., xn--t60b56a., xn--tckwe., xn--vuq861b., xn--xhq521b., xxx., xyz., yoga., yt., zone.)
signed with NSEC3, may/maynot optout: 568 (aarp., abarth., abb., abbvie., abc., abogado., abudhabi., accenture., aco., active., adac., aeg., afamilycompany., afl., agakhan., aigo., airbus., airtel., akdn., alfaromeo., alibaba., alipay., allfinanz., allstate., ally., alsace., alstom., americanfamily., amfam., anquan., anz., apple., aquarelle., ar., art., arte., asda., audi., auspost., autos., avianca., azure., baidu., bank., barclaycard., barefoot., bauhaus., bbc., bbt., bbva., bcg., bcn., beats., beauty., bentley., bestbuy., bharti., bing., blanco., blockbuster., bloomberg., bms., bmw., bnl., bnpparibas., boats., boehringer., bofa., bom., bond., boots., bosch., bostik., bradesco., bridgestone., broadway., brother., budapest., bugatti., buy., bw., bzh., cancerresearch., canon., capitalone., cba., cbs., ceb., cern., cfa., cfd., chanel., chrysler., cipriani., citic., cityeats., clinique., clubmed., comcast., commbank., compare., comsec., construction., contact., cookingchannel., coop., creditunion., crown., crs., cruises., csc., cuisinella., cyou., dabur., datsun., dds., deloitte., delta., dentist., desi., dhl., diamonds., dish., diy., dnp., doctor., dodge., doha., dot., dtv., dubai., duck., dunlop., dvag., dvr., eco., edeka., emerck., epost., epson., ericsson., erni., esurance., eurovision., extraspace., fage., fairwinds., family., fan., fedex., ferrari., fiat., fidelity., fido., final., firestone., firmdale., fishing., flights., foodnetwork., forum., fresenius., frogans., frontdoor., fujitsu., fujixerox., gallo., gallup., gea., genting., george., ggee., gi., giving., glade., global., globo., gmo., gmx., godaddy., goldpoint., goo., goodhands., goodyear., gop., guardian., gw., hdfc., hdfcbank., helsinki., hermes., hgtv., hisamitsu., hitachi., hkt., homedepot., homes., honda., hotmail., hughes., hyundai., ibm., icbc., ice., icu., ifm., iinet., ikano., il., imamat., infiniti., insurance., iselect., ismaili., itv., jaguar., java., jcb., jcp., jeep., jll., jprs., 
juniper., kddi., kerryhotels., kerrylogistics., kerryproperties., kfh., kia., komatsu., kosher., kpn., krd., kuokgroup., lacaixa., ladbrokes., lamborghini., lamer., lancaster., lancia., lancome., landrover., lasalle., latino., latrobe., law., lds., leclerc., lefrak., lego., lexus., liaison., lidl., lifestyle., linde., lipsy., living., lixil., locker., locus., lotte., lotto., lpl., lplfinancial., lundbeck., lupin., luxe., macys., madrid., maif., makeup., man., mango., marriott., maserati., mckinsey., med., menu., meo., metlife., microsoft., mil., mini., mit., mitsubishi., mls., mma., monash., monster., mopar., mormon., motorcycles., movie., movistar., msd., mtn., mtpc., mtr., museum., mutuelle., nab., nadex., nagoya., nationwide., natura., nc., nec., netbank., next., nextdirect., nhk., nico., nikon., nissan., nissay., nokia., norton., nowruz., nowtv., nra., ntt., obi., observer., off., olayan., olayangroup., ollo., omega., onyourside., oracle., orange., organic., orientexpress., origins., otsuka., ott., panasonic., pars., pccw., philips., pictet., pid., pioneer., playstation., plumbing., pnc., pohl., politie., post., progressive., pwc., quebec., quest., radio., raid., realestate., realtor., realty., redstone., redumbrella., reit., ren., rexroth., richardli., ricoh., rightathome., rio., rogers., rwe., saarland., sakura., samsclub., samsung., sandvik., sandvikcoromant., sanofi., sap., sapo., saxo., sbi., sbs., sca., scb., schaeffler., schmidt., scholarships., schwarz., scjohnson., scor., seat., seek., select., sener., ses., seven., sew., sfr., shangrila., sharp., shaw., shell., shia., shouji., showtime., shriram., sina., sj., skin., sky., sling., smart., sncf., softbank., software., sohu., sony., spiegel., spreadbetting., srt., star., starhub., statebank., statoil., stc., stcgroup., stockholm., suzuki., swatch., swiss., sy., symantec., tab., tatamotors., tci., telecity., telefonica., temasek., thd., tiaa., tiffany., tires., toray., toshiba., total., toyota., 
travelchannel., travelers., travelersinsurance., trust., trv., tui., tvs., ubank., ubs., uconnect., uol., ups., vana., vanguard., verisign., vig., viking., virgin., visa., vista., vistaprint., viva., volkswagen., voting., walmart., walter., wang., warman., weber., wed., weibo., weir., wien., windows., wme., wolterskluwer., woodside., wtc., xbox., xerox., xfinity., xihuan., xin., xn--11b4c3d., xn--30rr7y., xn--3e0b707e., xn--3oq18vl8pn36a., xn--3pxu8k., xn--42c2d9a., xn--45brj9c., xn--4gbrim., xn--55qw42g., xn--5su34j936bgsg., xn--5tzm5g., xn--80adxhks., xn--80asehdb., xn--80aswg., xn--90ais., xn--9dbq2a., xn--9et52u., xn--9krt00a., xn--b4w605ferd., xn--c1avg., xn--c2br7g., xn--cg4bki., xn--clchc0ea0b2g2a9gcd., xn--czrs0t., xn--czru2d., xn--d1acj3b., xn--e1a4c., xn--efvy88h., xn--estv75g., xn--fhbei., xn--fiq64b., xn--fjq720a., xn--fpcrj9c3d., xn--fzys8d69uvgm., xn--gecrj9c., xn--h2brj9c., xn--i1b6b1a6a2e., xn--imr513n., xn--j1aef., xn--j6w193g., xn--jlq61u9w7b., xn--kcrx77d1x4a., xn--kprw13d., xn--kpry57d., xn--mgba7c0bbn0a., xn--mgbab2bd., xn--mgbbh1a71e., xn--mgbca7dzdo., xn--mgberp4a5d4ar., xn--mgbt3dhd., xn--mgbx4cd0ab., xn--mxtq1m., xn--ngbc5azd., xn--ngbe9e0a., xn--nqv7f., xn--nqv7fs00ema., xn--o3cw4h., xn--ogbpf8fl., xn--p1acf., xn--p1ai., xn--pssy2u., xn--s9brj9c., xn--unup4y., xn--vermgensberater-ctb., xn--vermgensberatung-pwb., xn--vhquv., xn--w4r85el8fhu5dnra., xn--w4rs40l., xn--wgbh1c., xn--xkc2dl3a5ee0h., xn--y9a3aq., xn--yfro4i67o., xn--zfr164b., xperia., yachts., yodobashi., yokohama., yun., zara., zuerich.)
Statistics about NSEC3 iterations:
0: 23 (blog., broker., career., cc., com., cymru., edu., forex., jobs., markets., name., net., ooo., trading., tv., uk., wales., xn--3ds443g., xn--fiq228c5hs., xn--mk1bu44c., xn--t60b56a., xn--tckwe., xn--vuq861b.)
1: 317 (abbott., academy., accountants., actor., adult., ag., agency., airforce., apartments., army., asia., associates., attorney., auction., band., bar., barclays., bargains., bet., bike., bingo., black., blue., boutique., build., builders., business., bz., cab., cafe., camera., camp., capital., cards., care., careers., cash., casino., catering., center., chat., cheap., church., city., claims., cleaning., clinic., clothing., cloud., coach., codes., coffee., college., community., company., computer., condos., consulting., contractors., cool., corsica., coupons., courses., credit., creditcard., dance., dating., deals., degree., delivery., democrat., dental., design., digital., direct., directory., discount., dog., domains., education., ee., email., energy., engineer., engineering., enterprises., equipment., estate., eu., events., exchange., expert., exposed., express., fail., fans., farm., feedback., film., finance., financial., fish., fitness., florist., fm., football., forsale., foundation., fr., fund., furniture., futbol., fyi., gallery., games., gifts., gives., glass., gmbh., gold., golf., graphics., gratis., green., gripe., group., guide., guru., haus., healthcare., hockey., holdings., holiday., host., house., immo., immobilien., in., industries., info., ink., institute., insure., international., investments., irish., ist., istanbul., jewelry., kaufen., kim., kitchen., land., lawyer., lc., lease., legal., lgbt., life., lighting., limited., limo., live., loans., love., ltd., ltda., luxury., maison., management., market., marketing., mba., me., media., melbourne., memorial., men., mn., mobi., moda., money., mortgage., navy., network., news., ngo., ninja., one., ong., onl., online., org., ovh., paris., partners., parts., pet., photography., photos., physio., pictures., pink., pizza., place., plus., pm., poker., porn., press., pro., productions., promo., properties., protection., pub., pw., re., recipes., red., rehab., reise., reisen., rent., rentals., repair., 
report., republican., rest., restaurant., reviews., rich., rip., rocks., run., sale., salon., sarl., sc., school., schule., security., services., sex., shiksha., shoes., shopping., show., singles., site., sn., soccer., social., solar., solutions., space., srl., stada., storage., store., studio., study., style., sucks., supplies., supply., support., surgery., sydney., systems., tax., taxi., team., tech., technology., tennis., tf., theater., theatre., tickets., tienda., tips., today., tools., tours., town., toys., training., university., vacations., vc., vegas., ventures., vet., viajes., video., villas., vin., vision., vote., voto., voyage., vu., watch., website., wf., wiki., wine., works., world., wtf., xn--6frz82g., xn--kput3i., xxx., xyz., yt., zone.)
2: 3 (ch., cl., li.)
3: 6 (az., hiv., lu., ru., su., tatar.)
5: 48 (ac., amsterdam., archi., at., aw., be., berlin., bio., brussels., ca., cam., capetown., durban., es., fi., gd., hamburg., hu., ie., io., is., joburg., kyoto., lt., nl., no., nu., nz., okinawa., ryukyu., sh., shop., si., ski., tirol., tm., tokyo., top., tz., versicherung., vlaanderen., xn--3bst00m., xn--45q11c., xn--6qq986b3xl., xn--czr694b., xn--hxt814e., xn--ses554g., zm.)
8: 3 (gov., jp., lv.)
10: 59 (ad., af., am., bayern., beer., casa., cn., com.br., cooking., country., cr., cx., cz., fashion., fit., fo., frl., garden., gent., gl., gr., gs., hk., hn., horse., hr., ki., kiwi., kr., london., ma., miami., moscow., my., nf., pe., pt., ro., rodeo., sb., surf., sx., th., tl., tt., tw., ug., uy., vip., vodka., wedding., work., xn--1qqw23a., xn--55qx5d., xn--fiqs8s., xn--fiqz9s., xn--io0a7i., xn--xhq521b., yoga.)
12: 10 (barcelona., cat., cologne., eus., gal., koeln., nrw., pl., ruhr., scot.)
13: 1 (ua.)
15: 1 (de.)
17: 1 (dk.)
20: 2 (gdn., sg.)
100: 3 (by., lat., mx.)
150: 1 (la.)