Understanding DNSSEC NSEC3 output for valid domain name

Çağlar Arlı

I am trying to understand the NSEC3 record when querying for an existing domain name; for NXDOMAIN I understand how it works. The RFC has examples about wildcard, NODATA and NXDOMAIN. So I fired these queries using dig for google and netflix and noticed that the first NSEC3 record (CK0POJMG874LJREF7EFN8430QVIT8BSM.com.) is the same. Is that for the com parent? So how do these NSEC3 records prove the existence of the domain?

~$ dig  netflix.com +dnssec +trace | grep -F "NSEC3" | grep -Fv "RRSIG NSEC3"
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
JE0TVGCLMH8H8ILM2EV3J191C1NE1732.com. 86400 IN NSEC3 1 1 0 - JE0U3HGFS79EBI40445ELSFU0JTKK4PP NS DS RRSIG
~$ dig  google.com +dnssec +trace | grep -F "NSEC3" | grep -Fv "RRSIG NSEC3"
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG
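
An added example, not part of the original post: it recomputes the RFC 5155 hash of a name with the parameters shown in each record (`1 1 0 -`: SHA-1, opt-out flag set, 0 extra iterations, empty salt) and reports whether the record's owner hash matches that name or the owner/next interval covers it. The function names are this example's own; the record lines are the ones from the dig output above.

```python
import base64
import hashlib

# NSEC3 uses the base32hex alphabet (RFC 4648 section 7), not standard base32.
_TO_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                             b"0123456789ABCDEFGHIJKLMNOPQRSTUV")

# Record lines copied from the dig output in the post.
NETFLIX = [
    "CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM",
    "JE0TVGCLMH8H8ILM2EV3J191C1NE1732.com. 86400 IN NSEC3 1 1 0 - JE0U3HGFS79EBI40445ELSFU0JTKK4PP NS DS RRSIG",
]
GOOGLE = [
    "CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM",
    "S84BKCIBC38P58340AKVNFN5KR9O59QC.com. 86400 IN NSEC3 1 1 0 - S84BR9CIB2A20L3ETR1M2415ENPP99L8 NS DS RRSIG",
]

def nsec3_hash(name, salt=b"", iterations=0):
    """RFC 5155 section 5: SHA-1 of the lowercase wire-format name plus salt, re-hashed `iterations` times."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_TO_B32HEX).decode("ascii")

def parse_nsec3(line):
    """Split one presentation-format NSEC3 line as printed by dig."""
    f = line.split()
    return {"owner": f[0].split(".")[0].upper(), "opt_out": bool(int(f[5]) & 1),
            "iterations": int(f[6]), "salt": b"" if f[7] == "-" else bytes.fromhex(f[7]),
            "next": f[8].upper(), "types": f[9:]}

def classify(name, rec):
    """'matches': owner is H(name); 'covers': H(name) lies strictly between owner and next."""
    h = nsec3_hash(name, rec["salt"], rec["iterations"])
    if h == rec["owner"]:
        return "matches"
    lo, hi = rec["owner"], rec["next"]
    # base32hex sorts like the raw hash; the last record in the chain wraps around.
    covered = lo < h < hi if lo < hi else (h > lo or h < hi)
    return "covers" if covered else "unrelated"

if __name__ == "__main__":
    for qname, lines in (("netflix.com", NETFLIX), ("google.com", GOOGLE)):
        for rec in map(parse_nsec3, lines):
            for name in ("com", qname):
                print(f"{name:12} {classify(name, rec):9} {rec['owner']} opt_out={rec['opt_out']}")
```

A "matches" result for `com` on the record whose type list includes SOA and DNSKEY identifies it as the zone apex, which is why it appears in both traces. A "covers" result with the opt-out flag set is the RFC 5155 form for a referral to a delegation that has no DS record: it shows the delegation is unsigned, and the delegation itself is shown by the NS records in the referral.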