Skip to content

Instantly share code, notes, and snippets.

Last active Oct 12, 2016
What would you like to do?
Probe DNS TLDs for NSEC3 usage.
#!/usr/bin/env python3
# Copyright (C) 2012 Internet Systems Consortium.
# Permission to use, copy, modify, and distribute this software for any
# purpose with or without fee is hereby granted, provided that the above
# copyright notice and this permission notice appear in all copies.
import socket, struct, sys
from bundy.dns import *
# The IPv4 address of (of the day), which is known to
# respond to AXFR queries for the root zone.
# These are the types of TLDs in terms of this test. The "descriptions"
# table will be used to generate the final output.
tldtype_descriptions = { TLDTYPE_UNKNOWN : 'unknown',
TLDTYPE_UNSIGNED : 'unsigned',
TLDTYPE_NSEC3_SIGNED : 'signed with NSEC3, no optout',
'signed with NSEC3, optout',
'signed with NSEC3, may/maynot optout' }
# Store statistics about NSEC3 iterations here (this is defined as global
# just for convenience)
iteration_stats = {}
# Fetch the root zone data from a root server that allows AXFR, and retrieve
# top level domains and their glue address records.
def get_tlds(root_server_addr, tlds, v6_glues, v4_glues):
# Build AXFR query
axfr_query = Message(Message.RENDER)
axfr_query.add_question(Question(Name('.'), RRClass.IN, RRType.AXFR))
renderer = MessageRenderer()
# Connect to the specified root server and send the query.
# Since this is TCP, we first need to send 2-byte length data.
gai = socket.getaddrinfo(root_server_addr, 53, socket.AF_UNSPEC,
socket.SOCK_STREAM, 0,
s = socket.socket(gai[0], gai[1], gai[2])
s.send(struct.pack('H', socket.htons(renderer.get_length())))
# Get the response until we see 2 SOAs. Look for all non-root NS
# records, and all AAAA and A records, and remember them in the appropriate
# context.
axfr_response = Message(Message.PARSE)
soa_count = 0
while soa_count < 2:
recv_data = s.recv(2, socket.MSG_WAITALL)
msg_len = socket.htons(struct.unpack('H', recv_data)[0])
rcvd_data = s.recv(msg_len, socket.MSG_WAITALL)
axfr_response.from_wire(rcvd_data, Message.PRESERVE_ORDER)
for rr in axfr_response.get_section(Message.SECTION_ANSWER):
if rr.get_type() == RRType.SOA:
soa_count += 1
owner_txt = rr.get_name().to_text().lower()
if rr.get_type() == RRType.NS and owner_txt != '.':
if owner_txt not in tlds:
tlds[owner_txt] = []
elif rr.get_type() == RRType.AAAA:
if owner_txt not in v6_glues:
v6_glues[owner_txt] = []
elif rr.get_type() == RRType.A:
if owner_txt not in v4_glues:
v4_glues[owner_txt] = []
# A helper function that resolves a given pair of domain name and RR type
# from any of the given IPv6 and IPv4 addresses. If must_be_auth is True,
# it only looks for authoritative answers.
# Return the response (a Message object) that is first found or None if
# all attempts fail.
def do_resolve(name, type, v6addrs, v4addrs, must_be_auth=True):
# Build the query message, with DNSSEC DO bit on, UDP buf size of 4096
query = Message(Message.RENDER)
query.add_question(Question(name, RRClass.IN, type))
edns = EDNS()
# Render the message to wire-format data
query_renderer = MessageRenderer()
# Try all given addresses until we get an expected response. Realistically
# the older version of IP addresses are still more reachable today, so we
# try them first.
response = Message(Message.PARSE)
for addr in v4addrs + v6addrs:
gai = socket.getaddrinfo(addr, 53, socket.AF_UNSPEC, socket.SOCK_DGRAM,
s = socket.socket(gai[0], gai[1], gai[2])
s.sendto(query_renderer.get_data(), gai[4])
s.settimeout(10) # don't wait too long
except socket.timeout: # consider it unreachable, try the next one.
if must_be_auth and \
not response.get_header_flag(Message.HEADERFLAG_AA):
sys.stderr.write('%s returned non authoritative data for %s\n' %
(addr, name.to_text()))
return response
return None
# See if a given type of RR(set) exists in the given section of the message.
def find_rrset(type, msg, section):
for rrset in msg.get_section(section):
if rrset.get_type() == type:
return rrset
return None
# Check if a TLD (that is known to be signed with NSEC3) uses opt-out
# NSEC3.
def check_nsec3(tld, v6addrs, v4addrs):
global iteration_stats
probe_names = [prefix + tld for prefix in
['google.', '', '', 'aaa']]
for probe_name in probe_names:
response = do_resolve(Name(probe_name), RRType.SOA, v6addrs, v4addrs,
if response is None:
# if it's not indicate delegation, ignore it.
if response.get_header_flag(Message.HEADERFLAG_AA) or \
find_rrset(RRType.NS, response,
if find_rrset(RRType.DS, response,
Message.SECTION_AUTHORITY) is not None:
# This issecure delegation
nsec3 = find_rrset(RRType.NSEC3, response, Message.SECTION_AUTHORITY)
if nsec3 is None:
sys.stderr.write('Broken NSEC3 signed zone: %s\n' % tld)
nsec3_fields = nsec3.get_rdata()[0].to_text().split()
if int(nsec3_fields[0]) != 1:
sys.stderr.write('%s uses an unknown NSEC3 algorithm: %s\n' %
(tld, nsec3_fields[0]))
iteration = int(nsec3_fields[2])
if iteration not in iteration_stats:
iteration_stats[iteration] = []
if (int(nsec3_fields[1]) & 1) == 0:
# Check the DNSSEC type of the given TLD with the known NS addresses.
# Sometimes it tries some child zones of the given TLD (see below), and
# to signal such cases to the caller, it returns the actually used zone name
# as well as the identified type.
def check_dnssec(tld, v6addrs, v4addrs):
response = do_resolve(Name(tld), RRType.NSEC, v6addrs, v4addrs)
if response is None:
sys.stderr.write('No information is available for %s\n' % tld)
# If the answer section isn't empty, the zone should be signed with NSEC.
if response.get_rr_count(Message.SECTION_ANSWER) > 0:
# Apply heuristic: sometimes com.$tld and co.$tld exist as separate
# zones, which may be signed with NSEC3. In that case we should
# rather check them. For simplicity we assume the same servers have
# the authority for such child zones.
for sub in ['com.', 'co.']:
response = do_resolve(Name(sub + tld), RRType.NSEC, v6addrs,
if response is not None and \
response.get_rr_count(Message.SECTION_ANSWER) == 0 and \
find_rrset(RRType.NSEC3, response,
Message.SECTION_AUTHORITY) is not None:
return check_nsec3(sub + tld, v6addrs, v4addrs), sub + tld
# Otherwise, check if the authority section has NSEC3. If it does, the
# zone is signed with NSEC3; otherwise, it's unsigned.
if find_rrset(RRType.NSEC3, response,
Message.SECTION_AUTHORITY) is not None:
return check_nsec3(tld, v6addrs, v4addrs), tld
def probe_tld(tld, nameservers, v6_glues, v4_glues, results):
# get the known IPv6 and IPv4 address of the TLD's NS
v6addrs = []
v4addrs = []
for ns in nameservers:
if ns in v6_glues:
if ns in v4_glues:
if len(v4addrs) == 0 and len(v6addrs) == 0:
sys.stderr.write('No NS addresses are available for %s\n' % tld)
check_result, checked_tld = check_dnssec(tld, v6addrs, v4addrs)
if __name__ == '__main__':
tlds = {}
v6_glues = {}
v4_glues = {}
get_tlds(DEFAULT_ROOT_SERVER_ADDRESS, tlds, v6_glues, v4_glues)
sys.stdout.write('found %d TLDs, %d IPv6 addresses, %d IPv4 addresses\n' %
(len(tlds), len(v6_glues), len(v4_glues)))
probe_results = [[] for i in range(0, TLDTYPE_NSEC3_UNKNOWN + 1)]
for tld in sorted(tlds):
nameservers= tlds[tld]
probe_tld(tld, nameservers, v6_glues, v4_glues, probe_results)
for i in range(0, TLDTYPE_NSEC3_UNKNOWN + 1):
sys.stdout.write('%s: %d' % (tldtype_descriptions[i],
sys.stdout.write(' (' + ', '.join(sorted(probe_results[i])) + ')')
sys.stdout.write('\nStatistics about NSEC3 iterations:\n')
for it in sorted(iteration_stats.keys()):
sys.stdout.write('%d: %d' % (it, len(iteration_stats[it])))
sys.stdout.write(' (' + ', '.join(sorted(iteration_stats[it])) + ')')
found 1502 TLDs, 3576 IPv6 addresses, 4150 IPv4 addresses
Broken NSEC3 signed zone: aarp.
Broken NSEC3 signed zone: abb.
Broken NSEC3 signed zone: abc.
Broken NSEC3 signed zone: accenture.
Broken NSEC3 signed zone: aeg.
Broken NSEC3 signed zone: afamilycompany.
Broken NSEC3 signed zone: airbus.
Broken NSEC3 signed zone: airtel.
Broken NSEC3 signed zone: americanfamily.
Broken NSEC3 signed zone: amfam.
Broken NSEC3 signed zone: ar.
Broken NSEC3 signed zone: arte.
Broken NSEC3 signed zone: asda.
Broken NSEC3 signed zone: azure.
Broken NSEC3 signed zone: bank.
Broken NSEC3 signed zone: barefoot.
Broken NSEC3 signed zone: bbt.
Broken NSEC3 signed zone: bbva.
Broken NSEC3 signed zone: beauty.
Broken NSEC3 signed zone: bharti.
Broken NSEC3 signed zone: bing.
Broken NSEC3 signed zone: blanco.
Broken NSEC3 signed zone: bloomberg.
Broken NSEC3 signed zone: bms.
Broken NSEC3 signed zone: bofa.
Broken NSEC3 signed zone: bosch.
Broken NSEC3 signed zone: bw.
Broken NSEC3 signed zone: capitalone.
Broken NSEC3 signed zone: cfa.
Broken NSEC3 signed zone: cfd.
Broken NSEC3 signed zone: chanel.
Broken NSEC3 signed zone: cityeats.
Broken NSEC3 signed zone: clubmed. returned non authoritative data for cm.
Broken NSEC3 signed zone: comsec.
Broken NSEC3 signed zone: cookingchannel.
Broken NSEC3 signed zone: crown.
Broken NSEC3 signed zone: crs.
Broken NSEC3 signed zone: csc.
Broken NSEC3 signed zone: diy.
Broken NSEC3 signed zone: duck.
Broken NSEC3 signed zone: ericsson. returned non authoritative data for et.
Broken NSEC3 signed zone: fairwinds.
Broken NSEC3 signed zone: fidelity.
Broken NSEC3 signed zone: foodnetwork.
Broken NSEC3 signed zone: frontdoor.
Broken NSEC3 signed zone: fujixerox.
Broken NSEC3 signed zone: gallo.
Broken NSEC3 signed zone: genting.
Broken NSEC3 signed zone: george.
Broken NSEC3 signed zone: gi.
Broken NSEC3 signed zone: glade. returned non authoritative data for returned non authoritative data for returned non authoritative data for returned non authoritative data for returned non authoritative data for
2001:4860:4802:32::69 returned non authoritative data for
2001:4860:4802:34::69 returned non authoritative data for
2001:4860:4802:36::69 returned non authoritative data for
2001:4860:4802:38::69 returned non authoritative data for
2001:4860:4805::69 returned non authoritative data for
Broken NSEC3 signed zone: guardian.
Broken NSEC3 signed zone: hgtv.
Broken NSEC3 signed zone: hotmail.
Broken NSEC3 signed zone: ice.
Broken NSEC3 signed zone: il.
Broken NSEC3 signed zone: insurance.
Broken NSEC3 signed zone: jaguar.
Broken NSEC3 signed zone: java.
Broken NSEC3 signed zone: juniper.
Broken NSEC3 signed zone: kerryhotels.
Broken NSEC3 signed zone: kerrylogistics.
Broken NSEC3 signed zone: kerryproperties. returned non authoritative data for
Broken NSEC3 signed zone: kuokgroup.
Broken NSEC3 signed zone: ladbrokes.
Broken NSEC3 signed zone: lancome.
Broken NSEC3 signed zone: landrover.
Broken NSEC3 signed zone: lefrak.
Broken NSEC3 signed zone: lego.
Broken NSEC3 signed zone: liaison.
Broken NSEC3 signed zone: lifestyle.
Broken NSEC3 signed zone: linde.
Broken NSEC3 signed zone: lipsy.
Broken NSEC3 signed zone: living.
Broken NSEC3 signed zone: lundbeck.
Broken NSEC3 signed zone: lupin.
Broken NSEC3 signed zone: macys.
Broken NSEC3 signed zone: maif.
Broken NSEC3 signed zone: makeup.
Broken NSEC3 signed zone: med.
Broken NSEC3 signed zone: microsoft.
Broken NSEC3 signed zone: mls. returned non authoritative data for
Broken NSEC3 signed zone: msd.
Broken NSEC3 signed zone: nab.
Broken NSEC3 signed zone: nadex.
Broken NSEC3 signed zone: nationwide.
Broken NSEC3 signed zone: next.
Broken NSEC3 signed zone: nextdirect.
Broken NSEC3 signed zone: nikon.
Broken NSEC3 signed zone: nissay.
Broken NSEC3 signed zone: norton. returned non authoritative data for nr.
Broken NSEC3 signed zone: obi.
Broken NSEC3 signed zone: off.
Broken NSEC3 signed zone: omega.
Broken NSEC3 signed zone: onyourside.
Broken NSEC3 signed zone: oracle.
Broken NSEC3 signed zone: orange.
Broken NSEC3 signed zone: pictet.
Broken NSEC3 signed zone: raid.
Broken NSEC3 signed zone: realestate.
Broken NSEC3 signed zone: realtor.
Broken NSEC3 signed zone: rexroth.
Broken NSEC3 signed zone: rightathome.
Broken NSEC3 signed zone: rwe.
Broken NSEC3 signed zone: samsclub.
Broken NSEC3 signed zone: sanofi.
Broken NSEC3 signed zone: sbs.
Broken NSEC3 signed zone: sca.
Broken NSEC3 signed zone: scjohnson.
Broken NSEC3 signed zone: sener.
Broken NSEC3 signed zone: ses.
Broken NSEC3 signed zone: shangrila.
Broken NSEC3 signed zone: shell.
Broken NSEC3 signed zone: skin.
Broken NSEC3 signed zone: sky.
Broken NSEC3 signed zone: smart.
Broken NSEC3 signed zone: spreadbetting.
Broken NSEC3 signed zone: statoil.
Broken NSEC3 signed zone: swatch.
Broken NSEC3 signed zone: symantec.
Broken NSEC3 signed zone: tatamotors.
Broken NSEC3 signed zone: tiaa.
Broken NSEC3 signed zone: tiffany.
Broken NSEC3 signed zone: travelchannel.
Broken NSEC3 signed zone: ubank.
Broken NSEC3 signed zone: ubs.
Broken NSEC3 signed zone: vana.
Broken NSEC3 signed zone: vanguard.
Broken NSEC3 signed zone: verisign.
Broken NSEC3 signed zone: visa.
Broken NSEC3 signed zone: walmart.
Broken NSEC3 signed zone: warman.
Broken NSEC3 signed zone: weber.
Broken NSEC3 signed zone: weir.
Broken NSEC3 signed zone: windows.
Broken NSEC3 signed zone: xbox.
Broken NSEC3 signed zone: xerox.
Broken NSEC3 signed zone: xn--11b4c3d.
Broken NSEC3 signed zone: xn--3pxu8k.
Broken NSEC3 signed zone: xn--42c2d9a.
Broken NSEC3 signed zone: xn--5su34j936bgsg.
Broken NSEC3 signed zone: xn--9dbq2a.
Broken NSEC3 signed zone: xn--c2br7g.
Broken NSEC3 signed zone: xn--fhbei.
Broken NSEC3 signed zone: xn--j1aef. returned non authoritative data for xn--j1amh. returned non authoritative data for xn--mgbc0a9azcg.
Broken NSEC3 signed zone: xn--pssy2u. returned non authoritative data for com.xn--q9jyb4c. returned non authoritative data for com.xn--q9jyb4c. returned non authoritative data for com.xn--q9jyb4c. returned non authoritative data for com.xn--q9jyb4c. returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:32::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:34::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:36::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4802:38::69 returned non authoritative data for com.xn--q9jyb4c.
2001:4860:4805::69 returned non authoritative data for com.xn--q9jyb4c.
Broken NSEC3 signed zone: xn--w4r85el8fhu5dnra.
Broken NSEC3 signed zone: xn--w4rs40l.
Broken NSEC3 signed zone: xperia.
unknown: 0 ()
unsigned: 149 (ae., aero., ai., al., ao., aq., as., ax., ba., bb., bd., bf., bh., bi., bj., bm., bn., bo., bs., bt., bv., cd., cf., cg., ci., ck., cm., cu., cv., cw., cy., dj., dm., do., dz., ec., eg., er., et., fj., fk., ga., gb., ge., gf., gg., gh., gm., gp., gq., gt., gu., gy., hm., ht., im., int., iq., ir., it., je., jm., jo., kh., km., kn., kp., kw., kz., ls., ly., mc., md., mh., mk., ml., mo., mp., mq., mr., ms., mt., mu., mv., mw., mz., ne., ng., ni., np., nr., om., pa., pf., pg., ph., pk., pn., ps., py., qa., rs., rw., sa., sd., sk., sm., so., sr., st., sv., sz., tc., td., tel., tg., tj., tk., to., tr., uz., va., ve., vg., vi., vn., ws., xn--54b7fta0cc., xn--80ao21a., xn--90a3ac., xn--90ae., xn--d1alf., xn--j1amh., xn--lgbbat1ad8j., xn--mgb9awbf., xn--mgba3a4f16a., xn--mgbaam7a8h., xn--mgbayh7gpa., xn--mgbc0a9azcg., xn--mgbpl2fh., xn--mgbtx2b., xn--mix891f., xn--node., xn--qxam., xn--wgbl6a., xn--ygbi2ammx., ye., za., zw.)
signed with NSEC: 307 (aaa., able., accountant., ads., aetna., aig., americanexpress., amex., amica., analytics., android., app., aramco., arpa., athleta., au., audible., audio., author., auto., aws., axa., baby., banamex., bananarepublic., best., bg., bible., bid., biz., blackfriday., boo., book., booking., bot., buzz., cal., call., calvinklein., car., caravan., cars., cartier., cbn., cbre., ceo., channel., chase., chintai., chloe., christmas., chrome., circle., cisco., citadel., citi., click., club., co., coupon., cricket., dad., date., day., dclk., deal., dealer., dell., dev., diet., discover., docs., download., drive., duns., dupont., earth., eat., esq., everbank., faith., farmers., fast., ferrero., fire., flickr., flir., flowers., fly., foo., ford., fox., frontier., ftr., game., gap., gbiz., gift., gle., gmail., gn., goog., google., got., grainger., gucci., guge., guitars., hangout., hbo., health., help., here., hiphop., homegoods., homesense., honeywell., hosting., hot., hoteles., how., hsbc., htc., hyatt., id., ieee., imdb., ing., intel., intuit., ipiranga., itau., iwc., jetzt., jlc., jmp., jnj., jot., joy., jpmorgan., juegos., ke., kg., kinder., kindle., kpmg., kred., ky., lanxess., lb., lifeinsurance., like., lilly., lincoln., link., lk., loan., loft., lol., lr., marshalls., mattel., mcd., mcdonalds., meet., meme., mg., mint., mlb., mm., mobily., moe., moi., mom., montblanc., mov., mutual., na., nba., netflix., neustar., new., nexus., nfl., nike., northwesternmutual., now., nyc., office., oldnavy., open., osaka., page., pamperedchef., panerai., party., passagens., pay., pfizer., pharmacy., photo., piaget., pics., pin., ping., play., pr., pramerica., praxi., prime., prod., prof., property., pru., prudential., qpon., qvc., racing., read., review., rocher., room., rsvp., safe., safety., sas., save., science., se., secure., sexy., silk., skype., sl., smile., song., soy., spot., staples., statefarm., stream., swiftcover., taipei., talk., taobao., target., tattoo., tdk., teva., tjmaxx., tjx., tkmaxx., tmall., tn., trade., travel., tube., tunes., tushu., unicom., uno., us., vivo., vuelos., wanggou., watches., weather., weatherchannel., webcam., whoswho., williamhill., win., winners., wow., xn--1ck2e1b., xn--8y0a063a., xn--bck1b9a5dre4c., xn--cck2b3b., xn--eckvdtc9d., xn--fct429k., xn--flw351e., xn--fzc2c9e2c., xn--g2xx48c., xn--gckr3f0f., xn--gk3at1e., xn--jvr189m., xn--kpu716f., xn--l1acc., xn--mgba3a3ejt., xn--mgbb9fbpob., xn--nyqy26a., xn--pbt977c., xn--pgbs0dh., xn--q9jyb4c., xn--qcka1pmc., xn--rhqv96g., xn--rovu88b., xn--xkc2al3hye2a., yahoo., yamaxun., yandex., you., youtube., zappos., zero., zip., zippo.)
signed with NSEC3, no optout: 52 (ad., archi., az., barcelona., barclays., bio., build., by., cam., cat., cloud., cologne., courses., cr., cz., ee., eus., film., frl., gal., gd., gent., gov., is., koeln., luxury., ma., melbourne., men., nrw., nu., one., physio., ruhr., scot., ski., sn., study., style., sucks., sx., sydney., top., tz., vu., xn--3bst00m., xn--45q11c., xn--6qq986b3xl., xn--czr694b., xn--hxt814e., xn--ses554g., zm.)
signed with NSEC3, optout: 426 (abbott., ac., academy., accountants., actor., adult., af., ag., agency., airforce., am., amsterdam., apartments., army., asia., associates., at., attorney., auction., aw., band., bar., bargains., bayern., be., beer., berlin., bet., bike., bingo., black., blog., blue., boutique., broker., brussels., builders., business., bz., ca., cab., cafe., camera., camp., capetown., capital., cards., care., career., careers., casa., cash., casino., catering., cc., center., ch., chat., cheap., church., city., cl., claims., cleaning., clinic., clothing., cn., coach., codes., coffee., college., com.,, community., company., computer., condos., consulting., contractors., cooking., cool., corsica., country., coupons., credit., creditcard., cx., cymru., dance., dating., de., deals., degree., delivery., democrat., dental., design., digital., direct., directory., discount., dk., dog., domains., durban., edu., education., email., energy., engineer., engineering., enterprises., equipment., es., estate., eu., events., exchange., expert., exposed., express., fail., fans., farm., fashion., feedback., fi., finance., financial., fish., fit., fitness., florist., fm., fo., football., forex., forsale., foundation., fr., fund., furniture., futbol., fyi., gallery., games., garden., gdn., gifts., gives., gl., glass., gmbh., gold., golf., gr., graphics., gratis., green., gripe., group., gs., guide., guru., hamburg., haus., healthcare., hiv., hk., hn., hockey., holdings., holiday., horse., host., house., hr., hu., ie., immo., immobilien., in., industries., info., ink., institute., insure., international., investments., io., irish., ist., istanbul., jewelry., jobs., joburg., jp., kaufen., ki., kim., kitchen., kiwi., kr., kyoto., la., land., lat., lawyer., lc., lease., legal., lgbt., li., life., lighting., limited., limo., live., loans., london., love., lt., ltd., ltda., lu., lv., maison., management., market., marketing., markets., mba., me., media., memorial., miami., mn., mobi., moda., money., mortgage., moscow., mx., my., name., navy., net., network., news., nf., ngo., ninja., nl., no., nz., okinawa., ong., onl., online., ooo., org., ovh., paris., partners., parts., pe., pet., photography., photos., pictures., pink., pizza., pl., place., plus., pm., poker., porn., press., pro., productions., promo., properties., protection., pt., pub., pw., re., recipes., red., rehab., reise., reisen., rent., rentals., repair., report., republican., rest., restaurant., reviews., rich., rip., ro., rocks., rodeo., ru., run., ryukyu., sale., salon., sarl., sb., sc., school., schule., security., services., sex., sg., sh., shiksha., shoes., shop., shopping., show., si., singles., site., soccer., social., solar., solutions., space., srl., stada., storage., store., studio., su., supplies., supply., support., surf., surgery., systems., tatar., tax., taxi., team., tech., technology., tennis., tf., th., theater., theatre., tickets., tienda., tips., tirol., tl., tm., today., tokyo., tools., tours., town., toys., trading., training., tt., tv., tw., ua., ug., uk., university., uy., vacations., vc., vegas., ventures., versicherung., vet., viajes., video., villas., vin., vip., vision., vlaanderen., vodka., vote., voto., voyage., wales., watch., website., wedding., wf., wiki., wine., work., works., world., wtf., xn--1qqw23a., xn--3ds443g., xn--55qx5d., xn--6frz82g., xn--fiq228c5hs., xn--fiqs8s., xn--fiqz9s., xn--io0a7i., xn--kput3i., xn--mk1bu44c., xn--t60b56a., xn--tckwe., xn--vuq861b., xn--xhq521b., xxx., xyz., yoga., yt., zone.)
signed with NSEC3, may/maynot optout: 568 (aarp., abarth., abb., abbvie., abc., abogado., abudhabi., accenture., aco., active., adac., aeg., afamilycompany., afl., agakhan., aigo., airbus., airtel., akdn., alfaromeo., alibaba., alipay., allfinanz., allstate., ally., alsace., alstom., americanfamily., amfam., anquan., anz., apple., aquarelle., ar., art., arte., asda., audi., auspost., autos., avianca., azure., baidu., bank., barclaycard., barefoot., bauhaus., bbc., bbt., bbva., bcg., bcn., beats., beauty., bentley., bestbuy., bharti., bing., blanco., blockbuster., bloomberg., bms., bmw., bnl., bnpparibas., boats., boehringer., bofa., bom., bond., boots., bosch., bostik., bradesco., bridgestone., broadway., brother., budapest., bugatti., buy., bw., bzh., cancerresearch., canon., capitalone., cba., cbs., ceb., cern., cfa., cfd., chanel., chrysler., cipriani., citic., cityeats., clinique., clubmed., comcast., commbank., compare., comsec., construction., contact., cookingchannel., coop., creditunion., crown., crs., cruises., csc., cuisinella., cyou., dabur., datsun., dds., deloitte., delta., dentist., desi., dhl., diamonds., dish., diy., dnp., doctor., dodge., doha., dot., dtv., dubai., duck., dunlop., dvag., dvr., eco., edeka., emerck., epost., epson., ericsson., erni., esurance., eurovision., extraspace., fage., fairwinds., family., fan., fedex., ferrari., fiat., fidelity., fido., final., firestone., firmdale., fishing., flights., foodnetwork., forum., fresenius., frogans., frontdoor., fujitsu., fujixerox., gallo., gallup., gea., genting., george., ggee., gi., giving., glade., global., globo., gmo., gmx., godaddy., goldpoint., goo., goodhands., goodyear., gop., guardian., gw., hdfc., hdfcbank., helsinki., hermes., hgtv., hisamitsu., hitachi., hkt., homedepot., homes., honda., hotmail., hughes., hyundai., ibm., icbc., ice., icu., ifm., iinet., ikano., il., imamat., infiniti., insurance., iselect., ismaili., itv., jaguar., java., jcb., jcp., jeep., jll., jprs., juniper., kddi., kerryhotels., kerrylogistics., kerryproperties., kfh., kia., komatsu., kosher., kpn., krd., kuokgroup., lacaixa., ladbrokes., lamborghini., lamer., lancaster., lancia., lancome., landrover., lasalle., latino., latrobe., law., lds., leclerc., lefrak., lego., lexus., liaison., lidl., lifestyle., linde., lipsy., living., lixil., locker., locus., lotte., lotto., lpl., lplfinancial., lundbeck., lupin., luxe., macys., madrid., maif., makeup., man., mango., marriott., maserati., mckinsey., med., menu., meo., metlife., microsoft., mil., mini., mit., mitsubishi., mls., mma., monash., monster., mopar., mormon., motorcycles., movie., movistar., msd., mtn., mtpc., mtr., museum., mutuelle., nab., nadex., nagoya., nationwide., natura., nc., nec., netbank., next., nextdirect., nhk., nico., nikon., nissan., nissay., nokia., norton., nowruz., nowtv., nra., ntt., obi., observer., off., olayan., olayangroup., ollo., omega., onyourside., oracle., orange., organic., orientexpress., origins., otsuka., ott., panasonic., pars., pccw., philips., pictet., pid., pioneer., playstation., plumbing., pnc., pohl., politie., post., progressive., pwc., quebec., quest., radio., raid., realestate., realtor., realty., redstone., redumbrella., reit., ren., rexroth., richardli., ricoh., rightathome., rio., rogers., rwe., saarland., sakura., samsclub., samsung., sandvik., sandvikcoromant., sanofi., sap., sapo., saxo., sbi., sbs., sca., scb., schaeffler., schmidt., scholarships., schwarz., scjohnson., scor., seat., seek., select., sener., ses., seven., sew., sfr., shangrila., sharp., shaw., shell., shia., shouji., showtime., shriram., sina., sj., skin., sky., sling., smart., sncf., softbank., software., sohu., sony., spiegel., spreadbetting., srt., star., starhub., statebank., statoil., stc., stcgroup., stockholm., suzuki., swatch., swiss., sy., symantec., tab., tatamotors., tci., telecity., telefonica., temasek., thd., tiaa., tiffany., tires., toray., toshiba., total., toyota., travelchannel., travelers., travelersinsurance., trust., trv., tui., tvs., ubank., ubs., uconnect., uol., ups., vana., vanguard., verisign., vig., viking., virgin., visa., vista., vistaprint., viva., volkswagen., voting., walmart., walter., wang., warman., weber., wed., weibo., weir., wien., windows., wme., wolterskluwer., woodside., wtc., xbox., xerox., xfinity., xihuan., xin., xn--11b4c3d., xn--30rr7y., xn--3e0b707e., xn--3oq18vl8pn36a., xn--3pxu8k., xn--42c2d9a., xn--45brj9c., xn--4gbrim., xn--55qw42g., xn--5su34j936bgsg., xn--5tzm5g., xn--80adxhks., xn--80asehdb., xn--80aswg., xn--90ais., xn--9dbq2a., xn--9et52u., xn--9krt00a., xn--b4w605ferd., xn--c1avg., xn--c2br7g., xn--cg4bki., xn--clchc0ea0b2g2a9gcd., xn--czrs0t., xn--czru2d., xn--d1acj3b., xn--e1a4c., xn--efvy88h., xn--estv75g., xn--fhbei., xn--fiq64b., xn--fjq720a., xn--fpcrj9c3d., xn--fzys8d69uvgm., xn--gecrj9c., xn--h2brj9c., xn--i1b6b1a6a2e., xn--imr513n., xn--j1aef., xn--j6w193g., xn--jlq61u9w7b., xn--kcrx77d1x4a., xn--kprw13d., xn--kpry57d., xn--mgba7c0bbn0a., xn--mgbab2bd., xn--mgbbh1a71e., xn--mgbca7dzdo., xn--mgberp4a5d4ar., xn--mgbt3dhd., xn--mgbx4cd0ab., xn--mxtq1m., xn--ngbc5azd., xn--ngbe9e0a., xn--nqv7f., xn--nqv7fs00ema., xn--o3cw4h., xn--ogbpf8fl., xn--p1acf., xn--p1ai., xn--pssy2u., xn--s9brj9c., xn--unup4y., xn--vermgensberater-ctb., xn--vermgensberatung-pwb., xn--vhquv., xn--w4r85el8fhu5dnra., xn--w4rs40l., xn--wgbh1c., xn--xkc2dl3a5ee0h., xn--y9a3aq., xn--yfro4i67o., xn--zfr164b., xperia., yachts., yodobashi., yokohama., yun., zara., zuerich.)
Statistics about NSEC3 iterations:
0: 23 (blog., broker., career., cc., com., cymru., edu., forex., jobs., markets., name., net., ooo., trading., tv., uk., wales., xn--3ds443g., xn--fiq228c5hs., xn--mk1bu44c., xn--t60b56a., xn--tckwe., xn--vuq861b.)
1: 317 (abbott., academy., accountants., actor., adult., ag., agency., airforce., apartments., army., asia., associates., attorney., auction., band., bar., barclays., bargains., bet., bike., bingo., black., blue., boutique., build., builders., business., bz., cab., cafe., camera., camp., capital., cards., care., careers., cash., casino., catering., center., chat., cheap., church., city., claims., cleaning., clinic., clothing., cloud., coach., codes., coffee., college., community., company., computer., condos., consulting., contractors., cool., corsica., coupons., courses., credit., creditcard., dance., dating., deals., degree., delivery., democrat., dental., design., digital., direct., directory., discount., dog., domains., education., ee., email., energy., engineer., engineering., enterprises., equipment., estate., eu., events., exchange., expert., exposed., express., fail., fans., farm., feedback., film., finance., financial., fish., fitness., florist., fm., football., forsale., foundation., fr., fund., furniture., futbol., fyi., gallery., games., gifts., gives., glass., gmbh., gold., golf., graphics., gratis., green., gripe., group., guide., guru., haus., healthcare., hockey., holdings., holiday., host., house., immo., immobilien., in., industries., info., ink., institute., insure., international., investments., irish., ist., istanbul., jewelry., kaufen., kim., kitchen., land., lawyer., lc., lease., legal., lgbt., life., lighting., limited., limo., live., loans., love., ltd., ltda., luxury., maison., management., market., marketing., mba., me., media., melbourne., memorial., men., mn., mobi., moda., money., mortgage., navy., network., news., ngo., ninja., one., ong., onl., online., org., ovh., paris., partners., parts., pet., photography., photos., physio., pictures., pink., pizza., place., plus., pm., poker., porn., press., pro., productions., promo., properties., protection., pub., pw., re., recipes., red., rehab., reise., reisen., rent., rentals., repair., report., republican., rest., restaurant., reviews., rich., rip., rocks., run., sale., salon., sarl., sc., school., schule., security., services., sex., shiksha., shoes., shopping., show., singles., site., sn., soccer., social., solar., solutions., space., srl., stada., storage., store., studio., study., style., sucks., supplies., supply., support., surgery., sydney., systems., tax., taxi., team., tech., technology., tennis., tf., theater., theatre., tickets., tienda., tips., today., tools., tours., town., toys., training., university., vacations., vc., vegas., ventures., vet., viajes., video., villas., vin., vision., vote., voto., voyage., vu., watch., website., wf., wiki., wine., works., world., wtf., xn--6frz82g., xn--kput3i., xxx., xyz., yt., zone.)
2: 3 (ch., cl., li.)
3: 6 (az., hiv., lu., ru., su., tatar.)
5: 48 (ac., amsterdam., archi., at., aw., be., berlin., bio., brussels., ca., cam., capetown., durban., es., fi., gd., hamburg., hu., ie., io., is., joburg., kyoto., lt., nl., no., nu., nz., okinawa., ryukyu., sh., shop., si., ski., tirol., tm., tokyo., top., tz., versicherung., vlaanderen., xn--3bst00m., xn--45q11c., xn--6qq986b3xl., xn--czr694b., xn--hxt814e., xn--ses554g., zm.)
8: 3 (gov., jp., lv.)
10: 59 (ad., af., am., bayern., beer., casa., cn.,, cooking., country., cr., cx., cz., fashion., fit., fo., frl., garden., gent., gl., gr., gs., hk., hn., horse., hr., ki., kiwi., kr., london., ma., miami., moscow., my., nf., pe., pt., ro., rodeo., sb., surf., sx., th., tl., tt., tw., ug., uy., vip., vodka., wedding., work., xn--1qqw23a., xn--55qx5d., xn--fiqs8s., xn--fiqz9s., xn--io0a7i., xn--xhq521b., yoga.)
12: 10 (barcelona., cat., cologne., eus., gal., koeln., nrw., pl., ruhr., scot.)
13: 1 (ua.)
15: 1 (de.)
17: 1 (dk.)
20: 2 (gdn., sg.)
100: 3 (by., lat., mx.)
150: 1 (la.)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment