169 comments

Enumerating DNSSEC NSEC and NSEC3 Records

by Javantea
Oct 25, 2014 - Jan 25, 2015

Introduction

By the way we're not any geeks, we hack into NASA
-- Dual Core "All The Things"
Permalink
dnssec-research-0.2.tar.xz [sig] 279MB
torrent [magnet]
nsec3walker-javantea.patch [sig]
ldns-endless-workaround.patch [sig]
passphrase-0.1.tar.xz [sig]
Git repository for passphrase: git clone https://www.altsci.com/repo/passphrase.git

DNSSEC has an interesting design flaw where it was designed around precomputation of all data. The keys are held offline so they cannot be seized in a compromise of the server. This presents a problem because the non-existence of a domain cannot be easily precomputed (Does abcdefg1234567.yourdomain.com exist? No, abcdefg1234567.yourdomain.com doesn't exist. If the response was "No" an attacker could replay that response on a domain that did exist. If the response was not signed, an attacker could generate their own No responses. If the server didn't respond, the resolver would have to wait until a timeout occurred which could take a minute depending on the implementation). To solve this problem, they created NXT records and then after that they created NSEC records. Almost no servers use NXT, but it's easy enough to parse those. NSEC records list the two nearest matches in the database to the requested record. Hackers found that this results in name enumeration and they wrote tools to use that. Dan J. Bernstein describes this attack on his page: DNS database espionage [1]. In response, Dan Kaminsky's DNSSEC proxy Phreebird dynamically generates NSEC3 responses that do not divulge any information. This research shows that no TLDs currently use Phreebird. What can you get out of NSEC and NSEC3 records? Every subdomain of nasa.gov? See below. Every subdomain of .br? Every subdomain of hpc.mil? Every subdomain of paypal.com? It turns out that there are millions of domains that can be enumerated with NSEC3 and NSEC walkers. That is exactly what I have done. ldns-walk allows enumeration of NSEC records and a patch to nsec3walker is available above. A bug in ldns-walk causes an endless while loop for some domains, a workaround has been made available until a fix is found.

All of these methods and attacks are 5 years old. What's the deal? Since 2009, the government of the United States and many other NICs have mandated the use of DNSSEC on many servers or simply signed all domains below their TLD. Adoption of DNSSEC has increased by orders of magnitude. In fact, nsec3walker is unable to collect all of .com in a single attempt, as one might expect. Patches are necessary to get nsec3walker to collect com NSEC3 records because it has no salt (nsec3walker was designed to assume that a salt was required). As more and more hashes are added, it becomes exponentially slower looking for hashes that fall between two hashes. For example, try finding a domain name that hashes between 00000000aaaaaaaaaaaaaaaaaaaaaaaa and 00000000bbbbbbbbbbbbbbbbbbbbbbbb. The odds of you finding a hash between those two are approximately 244:1. That means it will take trillions of hashes to find such a hash. This is the basis for the proof of work that has been very popular in programming since its use in Bitcoin (and before that, HashCash [2]).

The entirety of com was only 396191 domains, which means that only nameservers that have opted-in to DNSSEC are possible to enumerate. However, this shows that systems that opt-in to DNSSEC are uncovered by hash cracking, giving users a clear reason not to use DNSSEC. Furthermore, the results that come from NSEC walking show that if a nameserver chooses to use DNSSEC, NSEC3 costs people who wish to enumerate NSEC3 cpu time. Targeted attacks are much more effective against NSEC3 than generic attacks because an attacker can add a word to the cracking practically for free. For example testing the three domains:
microsofta.com
microsoftb.com
microsoftc.com
against all hashes in com is as easy as hashing the three domains:
a.com
b.com
c.com
This makes it possible to guarantee that none of the hashes are name + letter * 7 because given only 37 valid characters in domain names, there are only 95 billion unique name + letter * 7 combinations. It takes minutes to crack all possible values. Similarly, letter * 7 + name and letter * 4 + name + letter * 3 take the same amount of time. The entire wordlist from AI3 that are valid domain names is only 3678794 words long. This means that we can crack word + word + name, name + word + word, and word + name + word for 13.5 trillion SHA1 hashes (assuming that the domain uses a single iteration like com does). This takes weeks on a CPU but less time on a GPU. I spent a month and a half doing exactly this with the first 8000 words from the AI3 wordlist as well as brute force, with incredible success. I was able to crack 226346 of the 396932 com hashes found (57%). By using brute force, I was guaranteed to find all short domain names which leaves only long domain names for Markov chain cracking and passphrase cracking. As I said before, the AI3 wordlist is very effective against weak passphrases. Therefore we can only expect long or complex domains to remain. While you may reject the notion that over 43% of domain names that use DNSSEC are long and complex enough to make cracking difficult, I recommend trying oclHashcat against these NSEC3 hashes to verify my findings.

The relevancy of this project may seem slight when you first hear about it. Domain enumeration is fun but it is not a very productive use of time. DNSSEC is not a priority in the eyes of millions of users who don't benefit from it because their servers don't employ it. Google doesn't sign their domain (though the Google public DNS server supports DNSSEC), Microsoft doesn't sign their domain, Apple doesn't sign their domain, and Amazon doesn't sign their domain. Who then has picked it up? Governments, ICANN [3], NICs, and a select number of nameservers. Governments and ICANN have a broad vision of security for everyone where the keys are held by a few. This trust model where ICANN can sign any key they wish sounds awfully familiar. It is reminiscent of X.509 where every root CA can create a certificate for any domain they wish. Instead of sharing the trust between N untrusted entities, we only need to trust ICANN, Verisign, and the registrar to trust a signature. Thus the trust model reduces from M-to-N to M-to-3. How convenient for ICANN and Verisign that they hold the keys. Of course a single signature that is found that shouldn't exist will topple the trust in DNSSEC. This is why computer security researchers like Dan Kaminsky found themselves enamored with DNSSEC: it is a solution to the DNS man-in-the-middle problem that only requires trust in three entities.[9] That trust could easily be saved for months on caches, so an attacker would have to wait for months for the cache to renew even if they had a key signed by the root [4]. Dan Kaminsky spent a lot of time writing Phreeshell and Phreeload, two programs that use DNSSEC to give users and servers authentication for free.

This system does not fit in our attack model though. Keys are easily turned over to the government when a warrant is given or even when a warrant isn't given. By all likelihood, the NSA probably has the private keys for the root and most if not all TLDs. Don't think this is a slippery slope argument because the government has already used poisoning of names to serve malware [5] (whether they used DNS or not). The United States government is not a benign entity and it seeks power in any way it can. Indeed the US government is the very entity which we need secure software to defend against. Adding DNSSEC is not a vulnerability to our networks but it is yet another broken protocol with insufficient security added to the landscape taking the place of real solutions. The amount of backing and support that DNSSEC has received is actually deserved by other solutions. Since the start of this project in October 2014, 27 tlds have adopted DNSSEC. That means that DNSSEC adoption is hastening, not slowing. If we want this protocol to not exist in the future we have to ensure that those who use it wish that they did not. We can replace DNS with a protocol that has real security without requiring trust in a few large entities.

The fact that DIME relies upon DNSSEC to provide end-to-end e-mail encryption [6] is a serious flaw in the design of the protocol. Since DNSSEC can be replaced with a similar technology that is able to verify the authenticity of data using a root of trust, this is a fixable problem. However, it will not be fixed until the replacement technology is adopted by users of DIME.

Data

Subdomains found using NSEC walking

Note that this list is only lists a handful of the thousands of domains that support NSEC.
Download *.nasa.gov
Download *.hpc.mil
Download *.paypal.com
Download *.comcast.net
Download *.berkeley.edu
Download *.stanford.edu
Download *.upenn.edu
Download *.bucknell.edu
Download *.ucsc.edu
Download *.iastate.edu
Download *.csumb.edu
Download *.gsu.edu
Download *.pacificu.edu
Download *.umbc.edu
Download *.fhsu.edu
Download *.drake.edu
Download *.gotpantheon.com
Download *.mst.edu
Download *.bradley.edu
Download *.chattanoogastate.edu
Download *.psc.edu
Download *.yandex.com
Download *.desales.edu
Download *.sakh.com
Download *.nau.edu
Download *.nau.edu
Download *.gov.br
Download *.cmp.com
Download *.upf.edu
Download *.vmware.com
Download *.iu.edu
Download *.br
Download *.iupui.edu
Download *.tjhsst.edu
Download *.umc.edu
Download *.weber.edu
Download *.uiowa.edu
Download *.torchboxapps.com
Download *.espace2001.com
Download *.indiana.edu
Download *.cmu.edu
Download *.socrata.com
Download *.fluig.com
Download *.fixeads.com
Download *.star2star.com
Download *.monmouth.edu
Download *.gtc.edu
Download *.us
Download *.au
Download *.id

TLDs that support NSEC3:

Progress is indicated in the left column, X as finished initial cracking, / as finished collecting, ! as an error occurred, and blank as not collected due to time constraints but could be collected and cracked by a reader.
SuccessTLDDownloadNotes
XacResultsHashes
XafResultsHashesAfghanistan only has 7 domains hashed: af, com.af, net.af, edu.af, org.af, gov.af, and posteo.af.
 ag  
XamResultsHashes
XasiaResultsHashes
XatResultsHashesat may have signed their subdomains.
XawResultsHashes
XbeResultsHashesbe may have signed their subdomains.
XbyResultsHashesBelarus has 100 iterations.
XbzResultsHashes
XcaResultsHashes
XcatResultsHashescat may have signed their subdomains.
XccResultsHashes
XchResultsHashesDig doesn't accept the request for nameservers (dig ns ch). I had to fix collect for this domain (dig ns ch.).
!clResultsHashesChile caused a bug in John due its long salt, which means only unhash results exist. Despite this, 82% of 45 names were cracked.
XcnResultsHashes
XcomResultsHashes57% completion in cracking 396932 hashes
XcrResultsHashes82% completion in cracking 7456 hashes
XcxResultsHashes100% completion in cracking 17 hashes
XczResultsHashes48% completion in cracking 1043262 hashes. cz may have signed their subdomains.
XdeResultsHashes17% completion in cracking 13618 hashes. This is likely the same problem as jp.
XdkResultsHashes
XeduResultsHashes
XeeResultsHashes
XesResultsHashes
XeuResultsHasheseu may have signed their subdomains.
XfiResultsHashes
!foResultsHashesFaroe Islands is a small country and collect gets stuck trying to enumerate it.
XfrResultsHashesfr may have signed their subdomains.
 gd  
 gi  
XglResultsHashes98% completion in cracking 167 hashes
XgovResultsHashes
XgrResultsHashes
XgsResultsHashesSouth Georgia and the South Sandwich Islands only has gs, la.gs, and ur.gs.
XhnResultsHashesHonduras only has other top domains under hn: hn, gob.hn, org.hn, com.hn, mil.hn, net.hn, edu.hn, and coop.hn.
XhrResultsHashes
 hu  
 ie  
!in  Dig doesn't accept the request for nameservers (dig ns in). I had to fix collect for this domain (dig ns in.).
XinfoResultsHashes
XioResultsHashes95% completion in cracking 699 hashes
 iq  
XisResultsHashesis may have signed their subdomains.
XjpResultsHashes5% completion in cracking 3639 hashes due to language barrier and possibly other reasons
!kiResultsHashesKirbati does not respond as expected. It returns only ki hashed which means its NSEC3 records are worthless.
XkrResultsHashes
XlaResultsHashesLaos has 150 iterations.
 lc  
XliResultsHashes89% completion in cracking 359 hashes
XltResultsHashes
XluResultsHashes
XlvResultsHashes
 ma  
XmeResultsHashes
XmilResultsHashes93% completion in cracking 235 hashes
 mn  
XmuseumResultsHashes
XmyResultsHashes
XnameHashesHashes
XncResultsHashes
XnetResultsHashes60% completion in cracking 79400 hashes. This was the only domain I attempted alphanumeric brute force up to 8 characters currently at 83% finished using over 15 days of cpu time (should finish in ~3 days).
XnfResultsHashesNorfolk Island only contains two domains: nf and nic.nf.
 nl  
 no  
XnuResultsHashesNiue took over 3 days and still didn't collect them all, this massive tld needs more work, but I cracked as many as I could. nu may have signed their subdomains.
XnzResultsHashesnz may have signed their subdomains.
XorgResultsHashes
XpeResultsHashes
XplResultsHashes
 pm  
XptResultsHashes
XpwResultsHashes
XreResultsHashes
XruResultsHashes
XsbResultsHashesSolomon Islands only hashes other top domains hashed under sb: com.sb, nic.sb, net.sb, org.sb, and gov.sb
XscResultsHashes
XshResultsHashes96% completion in cracking 45 hashes
XsiResultsHashes
XsjResultsHashesSvalbard and Jan Mayen Islands does not respond as expected. It returns only sj hashed likely due to having no domains. This is the same response as Kirbati.
 su  
XtfResultsHashes93% completion in cracking 432 hashes
XthResultsHashes
XtlResultsHashes
XtmResultsHashes
XttResultsHashes
XtvResultsHashes
XtwResultsHashesTaiwan took 23 hours and still didn't collect them all, this massive tld needs more work, but I cracked as many as I could. tw may have signed their subdomains.
XuaResultsHashes
XugResultsHashesUganda does not respond as expected. It returns only ug hashed likely due to having no domains. This is the same response as Kirbati.
XukResultsHashes
 vc  
 vu  
XwfResultsHashes93% completion in cracking 320 hashes
 한국  Korea
 ভারত  India Bengali
X中国ResultsHashesChina simplified
X中國ResultsHashesChina traditional
XभारतResultsHashesIndia Hindi
 భారత్  India Telugu
 ભારત  India Gujarati
 台灣  Taiwan
  بھارت  India Urdu
 ไทย  Thailand
 рф  Russian Federation
 ਭਾਰਤ  India Punjabi
 இந்தியா  India Tamil
 yt  

TLDs that support NSEC:

SuccessTLDDownloadNotes
XarpaResults
 ad 
XauResults
!bgResultsldns-walk failed due to a bug after carrent\000.bg.
!bizResultsldns-walk failed due to a bug after hcdata\000.biz.
XbrResults
PartialcoResultsldns-walk failed due to a bug after audah\000.co.
XidResults
XkgResults
!lkResultsldns-walk failed due to a bug after 6senses\000.lk.
 na 
 pr 
 se 
 tn 
XusResults
XලංකාResultsSinhala
XتونسResultsTunisia Arabic
!இலங்கைResultsSri Lanka Tamil. ldns-walk failed due to a bug after \000.xn--xkc2al3hye2a. Data comes from nsecwalker.py. Apologies for the formatting issues.

Selected level 2 domains that support NSEC3:

SuccessTLDDownloadNotes
Xcom.brResultsHashes11% completion of 1810081 hashes, possibly due to a bug, subdomains, or invalid hashes. com.br may have signed most of their subdomains.
Xorg.brResultsHashes51% completion of 5615 hashes
Xdod.milResultsHashes51% completion of 63 hashes
Xanthrax.milResultsHashes100% completion of 9 hashes
Xfbi.govResultsHashes81% completion of 137 hashes
Xriaa.comResultsHashes27% completion of 11 hashes
Xmil.cnResultsHashes75% completion of 4 hashes

All domains collected that support NSEC:

*.in-addr.arpa
1ru.com
3cx.com
3cx.com
3di.com
acejewelers.com
apros.com.br
astellas.com
baker.edu
bancfirst.com
banktech.com
barneysfarm.com
berkeley.edu
besthotelonline.com
bie.edu
bradley.edu
bucknell.edu
cashbacksavers.com
cashnetusa.com
chattanoogastate.edu
chelloo.com
cipydo.com
cmcsa.com
cmp.com
cmu.edu
cn8.com
cnk.com
coisas.com
coloradomesa.edu
comcast.com
comcast.net
comcastaddeliverylite.com
comcastbundledeals.com
comcastconnect.com
comcastdigital.com
comcastspotlight.com
comcastsupport.com
csumb.edu
curry.com
danahermail.com
darkreading.com
datasheets.com
ddj.com
desales.edu
devtools-paypal.com
directbox.com
djeego.com
drake.edu
drdobbs.com
dutchbodybuilding.com
edn.com
eet.com
eetimes.com
emailpros.com
embedded.com
empirecls.com
enova.com
enovacorp.com
espace2001.com
eulerian.com
example.com
faturavirtual.com
fhsu.edu
fhtc.edu
fixeads.com
fluig.com
gamasutra.com
gdceurope.com
gdconf.com
getpantheon.com
gostorego.com
gotpantheon.com
gov.br
growjob.com
gsu.edu
gtc.edu
hansoft.com
hexageek.com
highlands.edu
highwaycabs.com
hotdealsclub.com
hpc.mil
httrack.com
iastate.edu
igf.com
imgrap.com
imovirtual.com
in-addr.arpa
indiana.edu
indianatech.edu
infoblox.com
informationweek.com
insurancetech.com
internetessentials.com
interop.com
ish.com
iu.edu
iub.edu
iupui.edu
jmeeting.com
kolabsys.com
kuapay.com
letsgopens.com
ltc.edu
magentotrial.com
matousec.com
mfi.com
mohela.com
monmouth.edu
moodlethemes.com
msj.com
mst.edu
mujjo.com
myeddebt.com
mykolab.com
nasa.gov
nau.edu
netcredit.com
networkcomputing.com
networking4all.com
nuvoli.com.br
nwc.com1
online-domain-tools.com
onlineapplyadvance.com
outfit7.com
outils-webmaster.com
pacificu.edu
packetizer.com
palisadesmedia.com
parachat.com
parsons.com
paypal-activate.com
paypal-apac.com
paypal-biz.com
paypal-cash.com
paypal-communication.com
paypal-community.com
paypal-customerfeedback.com
paypal-engineering.com
paypal-europe.com
paypal-forward.com
paypal-gifts.com
paypal-labs.com
paypal-marketing.com
paypal-media.com
paypal-mena.com
paypal-notify.com
paypal-prepaid.com
paypal-promo.com
paypal-research.com
paypal-special.com
paypal-survey.com
paypal-viewpoints.com
paypal-wujinggou.com
paypal.com
paypalobjects.com
powerdns.com
practicallygreen.com
premiumoutlets.com
pro-epic.com
psc.edu
psg.com
qruiser.com
rainvac.com
realredskins.com
recroom.com
redfoundry.com
rhyolite.com
rospravosudie.com
safelite.com
sakh.com
savagebeast.com
scales-chords.com
scl.edu
scriptcam.com
simon.com
snelis.com
socrata.com
standvirtual.com
stanford.edu
star2star.com
supermarktaanbiedingen.com
taxatietarieven.com
tci.com
teamcomcast.com
techonline.com
techweb.com
the700level.com
thepaypalblog.com
thevoiceofholland.com
thinkforexasia.com
thinkhdi.com
tiss.edu
tjhsst.edu
todoeduca.com
torchbox.com
torchboxapps.com
truman.edu
ubm-us.com
ucb.edu
ucdavis.edu
ucsc.edu
uiowa.edu
umbc.edu
umc.edu
uofk.edu
upenn.edu
upf.edu
uvp.com
vehix.com
verisigninc.com
vitral-vidrieras.com
vmware.com
wallstreetandtech.com
weareblis.com
weber.edu
wsi-models.com
x.com
xfinity.com
xfinityauthorizedoffers.com
xfinityhomesecurity.com
xfinitytv.com
xod.com
xse.com
yandex.com

Wikipedia's List of Internet top-level domains is a good resource for information about TLDs that support DNSSEC and which do not. It also contains detailed information about international domain names (IDN).

NASA.gov subdomains found using NSEC walking:

nasa.gov
3D-Printing.nasa.gov
_spf-ip4.nasa.gov
_spf-ip6.nasa.gov
_tcp.nasa.gov
_tls.nasa.gov
a-train.nasa.gov
above.nasa.gov
www.academy.nasa.gov
accesstospace.nasa.gov
www.acqp2.nasa.gov
adcc.nasa.gov
www.aee.nasa.gov
aen.nasa.gov
www.aero.nasa.gov
www.aero-space.nasa.gov
www.aeronautics.nasa.gov
aeronauticstestprogram.nasa.gov
www.aerospace.nasa.gov
afrc.nasa.gov
agencytokens.nasa.gov
airbornescience.nasa.gov
airspace.nasa.gov
airspacesystems.nasa.gov
www.alerts.nasa.gov
amn.nasa.gov
www.ams.nasa.gov
www.aos.nasa.gov
apm.nasa.gov
apmcpr.nasa.gov
apod.nasa.gov
www.appel.nasa.gov
appl.nasa.gov
appliedsciences.nasa.gov
applyonline.nasa.gov
m.apps.nasa.gov
apt.nasa.gov
www.aqua.nasa.gov
www.aquarius.nasa.gov
arc.nasa.gov
archimedes.nasa.gov
areslaunchvehicles.nasa.gov
artifacts.nasa.gov
www.as.nasa.gov
www.asap.nasa.gov
www.asc.nasa.gov
asevents.nasa.gov
askacademy.nasa.gov
askalibrarian.nasa.gov
askmagazine.nasa.gov
askmcc.nasa.gov
asp.nasa.gov
asteroid.nasa.gov
astro.nasa.gov
www.astrobiology.nasa.gov
www.astrogravs.nasa.gov
Astronauts.nasa.gov
astronomy2009.nasa.gov
asus-staging.nasa.gov
at.nasa.gov
www.atcsim.nasa.gov
www.atcviztool.nasa.gov
Athena.nasa.gov
atp.nasa.gov
atrain.nasa.gov
autodiscover.nasa.gov
www.autofeed.nasa.gov
aviationsafety.nasa.gov
awrs.nasa.gov
awrs-dev.nasa.gov
awrs-staging.nasa.gov
awslogin.nasa.gov
www.benefits.nasa.gov
www.benefitshandbook.nasa.gov
www.benefitstatement.nasa.gov
benefitstatement-dev.nasa.gov
benefitstatement-test.nasa.gov
bep.nasa.gov
bep-an-db.nasa.gov
bep-col-db.nasa.gov
bep-port-db.nasa.gov
bep-prod-col.nasa.gov
bep-prod-pub.nasa.gov
bep-prod-src.nasa.gov
bep-pub-db.nasa.gov
bep-stage.nasa.gov
bep-stage-col.nasa.gov
bep-stage-pub.nasa.gov
bep-stage-src.nasa.gov
bep-studio-db.nasa.gov
bep-wf-db.nasa.gov
bet.nasa.gov
bet-staging.nasa.gov
beyondeinstein.nasa.gov
www.bioastroroadmap.nasa.gov
www.biomaterials.nasa.gov
bizready.nasa.gov
bizready-staging.nasa.gov
blogs.nasa.gov
www.bluemarble.nasa.gov
booster.nasa.gov
brainbites.nasa.gov
brainbites-staging.nasa.gov
brainbites1.nasa.gov
blog.bready.nasa.gov
bready-dev.nasa.gov
bready-rra.nasa.gov
bready-sbx.nasa.gov
bready-test.nasa.gov
bsearch.nasa.gov
bsearch1.nasa.gov
budget.nasa.gov
budgetinfo.nasa.gov
buzzroom.nasa.gov
c3.nasa.gov
www.caib.nasa.gov
www.caib1.nasa.gov
calendar.nasa.gov
calendar1.nasa.gov
captcha.nasa.gov
cara.nasa.gov
carbon.nasa.gov
www.cas.nasa.gov
casc.nasa.gov
cce.nasa.gov
ccp.nasa.gov
ccs.nasa.gov
www.cdb.nasa.gov
cddis.nasa.gov
www.cdms.nasa.gov
cdscc.nasa.gov
www.ceh.nasa.gov
ceh1.nasa.gov
www.centennialchallenge.nasa.gov
www.centennialchallenges.nasa.gov
cev.nasa.gov
chandra.nasa.gov
chandra1.nasa.gov
chaucer.nasa.gov
www.chemistry.nasa.gov
www.ciencia.nasa.gov
ciencia1.nasa.gov
m.cima.nasa.gov
www.climate.nasa.gov
climatekids.nasa.gov
climatesimulation.nasa.gov
staging1.cms.nasa.gov
cms-dev.nasa.gov
cms-insidenasa.nasa.gov
cms-prod.nasa.gov
cms-test.nasa.gov
cms-tools.nasa.gov
cms-training.nasa.gov
cms2.nasa.gov
cmsdemo.nasa.gov
cmsdev.nasa.gov
cmstest.nasa.gov
cmstool.nasa.gov
cmswebsvc.nasa.gov
code.nasa.gov
codeb.nasa.gov
columbia.nasa.gov
comet.nasa.gov
comments.nasa.gov
comments-admin.nasa.gov
comments-submit.nasa.gov
comments1.nasa.gov
www.commercial.nasa.gov
commercialcrew.nasa.gov
communicating.nasa.gov
Communications.nasa.gov
science.community.nasa.gov
compass.nasa.gov
computer-security.nasa.gov
conference.nasa.gov
www.congressionaldata.nasa.gov
constellation-x.nasa.gov
constellationx.nasa.gov
cop.nasa.gov
www.core.nasa.gov
core1.nasa.gov
corecatalog.nasa.gov
corecatalog-staging.nasa.gov
cos.nasa.gov
cp4smpcommunity.nasa.gov
www.cpa.nasa.gov
cpgmip.nasa.gov
cphazard.nasa.gov
cphs.nasa.gov
cpoms.nasa.gov
cppraca.nasa.gov
cptrace.nasa.gov
crm1.nasa.gov
crusr.nasa.gov
www.cryotanks.nasa.gov
csbf.nasa.gov
csfmea-cil.nasa.gov
csg005.nasa.gov
cso.nasa.gov
cso-staging.nasa.gov
www.csuprojectalert.nasa.gov
www.ct562.nasa.gov
cube.nasa.gov
cxadp.nasa.gov
cxfmea-cil.nasa.gov
cxgmip.nasa.gov
cxhazard.nasa.gov
cxpraca.nasa.gov
darwin.nasa.gov
www.data.nasa.gov
www.daveml.nasa.gov
www.dawg.nasa.gov
dc8.nasa.gov
desktop-standards.nasa.gov
esb.dev.nasa.gov
mobile.dev.nasa.gov
dev-communications.nasa.gov
dev-im.nasa.gov
dev-insidenasa.nasa.gov
dev-mediaservices.nasa.gov
dev-nen.nasa.gov
dev-npars.nasa.gov
dev-www.nasa.gov
dfrc.nasa.gov
www.dfs.nasa.gov
dftsrv.nasa.gov
dialin.nasa.gov
dir.nasa.gov
dir-rra.nasa.gov
www.directory.nasa.gov
www.discovery.nasa.gov
discoverynewfrontiers.nasa.gov
discoverynewfrontiersnews.nasa.gov
disposal.nasa.gov
dln.nasa.gov
dln-staging.nasa.gov
*.dnet.nasa.gov
www.dockingstandard.nasa.gov
docs-nen.nasa.gov
dsds.nasa.gov
www.dsf.nasa.gov
dsn.nasa.gov
dspl.nasa.gov
www.dtd.nasa.gov
ducksewp.nasa.gov
earth.nasa.gov
earthdata.nasa.gov
earthdata-dev.nasa.gov
earthdata-uat.nasa.gov
www.earthobservatory.nasa.gov
echo.nasa.gov
stmd.eci.nasa.gov
www.eclipse99.nasa.gov
ecs.nasa.gov
ecs-program.nasa.gov
ecsprogram.nasa.gov
edc.nasa.gov
edos.nasa.gov
mgmt.edspace.nasa.gov
new.edspace.nasa.gov
proto.edspace.nasa.gov
www1.edspace.nasa.gov
www.education.nasa.gov
education1.nasa.gov
www.educatormissionspecialist.nasa.gov
efoia.nasa.gov
www.employeebenefits.nasa.gov
employeeorientation.nasa.gov
enasa.nasa.gov
enceladus.nasa.gov
engineeringforcomplexsystems.nasa.gov
ens.nasa.gov
www.ensemble.nasa.gov
www.entre.nasa.gov
www.enzo.nasa.gov
eo3.nasa.gov
eods.nasa.gov
eon.nasa.gov
eos.nasa.gov
eosdis.nasa.gov
eospso.nasa.gov
ep.nasa.gov
eparts.nasa.gov
epbs.nasa.gov
epbs-dvp.nasa.gov
epbs-tst.nasa.gov
epds.nasa.gov
epds-staging.nasa.gov
www.epims.nasa.gov
epms.nasa.gov
epss.nasa.gov
equipment.nasa.gov
esas.nasa.gov
esb.nasa.gov
esc.nasa.gov
www.esd.nasa.gov
esdpubs.nasa.gov
www.eseepo.nasa.gov
esm.nasa.gov
esmd.nasa.gov
esmo.nasa.gov
discapps-ts2.gesdisc.esodis.nasa.gov
www.espo.nasa.gov
www.espoarchive.nasa.gov
www.essp.nasa.gov
www.estips.nasa.gov
www.esto.nasa.gov
etads.nasa.gov
eto.nasa.gov
etsapprover.nasa.gov
europa.nasa.gov
www.evm.nasa.gov
execdev.nasa.gov
execsummit.nasa.gov
execsummit-dev.nasa.gov
execsummit-staging.nasa.gov
execsummit-test.nasa.gov
www.exobiology.nasa.gov
experts.nasa.gov
www.exploration.nasa.gov
explorationscience.nasa.gov
www.explorationsystems.nasa.gov
www.explorerschools.nasa.gov
externalsip.nasa.gov
eyes.nasa.gov
www.f2m.nasa.gov
www.faballiance.nasa.gov
faceinspace-staging.nasa.gov
www.family.nasa.gov
fastntts.nasa.gov
Fellowship.nasa.gov
finger.nasa.gov
fixedwing.nasa.gov
www.flight.nasa.gov
www.flightopportunities.nasa.gov
foia.nasa.gov
foiadev.nasa.gov
forms.nasa.gov
freecycle.nasa.gov
www.freedomtomanage.nasa.gov
fsa.nasa.gov
gaia.nasa.gov
gameon.nasa.gov
www.gapps.nasa.gov
gapps-groups.nasa.gov
gcgo.nasa.gov
gcmd.nasa.gov
gdscc.nasa.gov
genelab.nasa.gov
www.genome.nasa.gov
www.genomics.nasa.gov
www.gidep.nasa.gov
giss.nasa.gov
globalchange.nasa.gov
globe.nasa.gov
go.nasa.gov
googleapps.nasa.gov
gpm.nasa.gov
grail.nasa.gov
www.gravbio.nasa.gov
www.gravityprobeb.nasa.gov
graymarble.nasa.gov
grc.nasa.gov
grcfrkap2.grcfr.nasa.gov
greymarble.nasa.gov
gsearch.nasa.gov
gsearch1.nasa.gov
gsfc.nasa.gov
gss1.nasa.gov
gss2.nasa.gov
gulfofmexicoinitiative.nasa.gov
hacd.nasa.gov
hc.nasa.gov
hc-dev.nasa.gov
hc-test.nasa.gov
hcie.nasa.gov
hcie-dev.nasa.gov
hcie-sbx.nasa.gov
hcie-staging.nasa.gov
hcie-temp.nasa.gov
hcie-test.nasa.gov
hcie-wctest.nasa.gov
hcieweb.nasa.gov
hciewebstaging.nasa.gov
heasarc.nasa.gov
hec.nasa.gov
hedsadvprograms.nasa.gov
hedsadvsystems.nasa.gov
hefd.nasa.gov
heliophysics.nasa.gov
3dns.herndon.nasa.gov
hhp.nasa.gov
www.history.nasa.gov
extest.lmes.hop.nasa.gov
www.lmes.hop.nasa.gov
hpc.nasa.gov
www.hpcc.nasa.gov
hpps.nasa.gov
hq.nasa.gov
hq-flexnet.nasa.gov
hq-msc.nasa.gov
www.hqgiftshop.nasa.gov
hr.nasa.gov
hr-dev.nasa.gov
hr-rra.nasa.gov
hr-sbx.nasa.gov
hr-staging.nasa.gov
hr-test.nasa.gov
hrext-tst.nasa.gov
hrgo.nasa.gov
hris.nasa.gov
hrisconops.nasa.gov
hrisdev.nasa.gov
hrisdev3.nasa.gov
hrisstaging.nasa.gov
hrmes.nasa.gov
hrmobile.nasa.gov
hrmobile-tst.nasa.gov
hrr.nasa.gov
www.hrsm.nasa.gov
hsf.nasa.gov
hsfstage.nasa.gov
hspd12.nasa.gov
hspd121.nasa.gov
hst.nasa.gov
hubble.nasa.gov
humanresearchroadmap.nasa.gov
www.hurricanes.nasa.gov
www.hypered.nasa.gov
hypersonics.nasa.gov
i3p.nasa.gov
i3p-acq.nasa.gov
www.iam.nasa.gov
icam.nasa.gov
www.icb.nasa.gov
ice.nasa.gov
www.ice-tool.nasa.gov
www.icetool.nasa.gov
id.nasa.gov
www.idc.nasa.gov
idea-nasaspacebook.nasa.gov
idmax.nasa.gov
idp.nasa.gov
idsbx.nasa.gov
iemp.nasa.gov
ifmp.nasa.gov
ifsuss.nasa.gov
ildp.nasa.gov
ildp1.nasa.gov
im.nasa.gov
images.nasa.gov
imageseer.nasa.gov
imdc.nasa.gov
imdpc.nasa.gov
indigo.nasa.gov
innovate.nasa.gov
innovation.nasa.gov
insidenasa.nasa.gov
insight.nasa.gov
m.intern.nasa.gov
intern-staging.nasa.gov
intranet.nasa.gov
intranetsearch.nasa.gov
intranetsearch2.nasa.gov
www.invention.nasa.gov
invitation.nasa.gov
inwiki.nasa.gov
io.nasa.gov
www.ip.nasa.gov
ipam.nasa.gov
ipam1.nasa.gov
ipam2.nasa.gov
ipamcli.nasa.gov
ipao.nasa.gov
iplat.nasa.gov
www.ipp.nasa.gov
ipv6.nasa.gov
www.ipy.nasa.gov
irb.nasa.gov
iris.nasa.gov
www.isal.nasa.gov
www.ises.nasa.gov
www.isfr.nasa.gov
www.isosdata.nasa.gov
iss.nasa.gov
issresearchproject.nasa.gov
itlabs.nasa.gov
itportfolio.nasa.gov
itportfoliotest.nasa.gov
itsc.nasa.gov
www.itsecurity.nasa.gov
itsg.nasa.gov
ivv.nasa.gov
iws.nasa.gov
jesnic.nasa.gov
jpl.nasa.gov
www.jplwater.nasa.gov
jsc.nasa.gov
jscdns2.nasa.gov
jsceng.nasa.gov
jscer.nasa.gov
jscpao.nasa.gov
www.juno.nasa.gov
jupiter.nasa.gov
jwst.nasa.gov
kamikaze.nasa.gov
www.kepler.nasa.gov
www.kims.nasa.gov
www.km.nasa.gov
km1.nasa.gov
ks-kdc-sqlc1022.nasa.gov
ksc.nasa.gov
ksctechnology.nasa.gov
labs.nasa.gov
lance.nasa.gov
larc.nasa.gov
lasse.nasa.gov
latinawomen.nasa.gov
launchpad.nasa.gov
cv.launchpad-dev.nasa.gov
launchpad-sbx.nasa.gov
launchpad-test.nasa.gov
lc.nasa.gov
lc-dev.nasa.gov
lc-test.nasa.gov
ldap.nasa.gov
www.ldcm.nasa.gov
www.ldp.nasa.gov
www.leadership.nasa.gov
www.leag.nasa.gov
leap.nasa.gov
legalteam.nasa.gov
www.legislative.nasa.gov
www.lepag.nasa.gov
lerc.nasa.gov
www.lexec.nasa.gov
lifeonearth.nasa.gov
www.lifevents.nasa.gov
lima.nasa.gov
www.lisa.nasa.gov
lists.nasa.gov
live.nasa.gov
liveips.nasa.gov
liveipsup.nasa.gov
llis.nasa.gov
www.lmmp.nasa.gov
lmr.nasa.gov
lssc.nasa.gov
lsweb.nasa.gov
lsweb02.nasa.gov
www.lunarscience.nasa.gov
lyncdiscover.nasa.gov
lyncweb.nasa.gov
maf.nasa.gov
mafmaximo.nasa.gov
mafmaximotest.nasa.gov
mail.nasa.gov
managemyndc.nasa.gov
mangrove.nasa.gov
map.nasa.gov
maps.nasa.gov
maptis.nasa.gov
mars.nasa.gov
marsrover.nasa.gov
marsrovers.nasa.gov
mas.nasa.gov
www.materials.nasa.gov
materialsinspace.nasa.gov
maxdev.nasa.gov
maximo.nasa.gov
mcast.nasa.gov
mccs.nasa.gov
mdi.nasa.gov
mdr.nasa.gov
mdscc.nasa.gov
me2.nasa.gov
mediaservices.nasa.gov
meet.nasa.gov
mems.nasa.gov
meo.nasa.gov
mepag.nasa.gov
mercury.nasa.gov
metahouse.nasa.gov
mhp.nasa.gov
microbiology.nasa.gov
mil-hp.mil.nasa.gov
mindmapr.nasa.gov
Misse.nasa.gov
mission-madness.nasa.gov
missionscience.nasa.gov
missionstem.nasa.gov
mobile.nasa.gov
mobile1.nasa.gov
mobilewebproxy.nasa.gov
modear.nasa.gov
modelingguru.nasa.gov
modelinguru.nasa.gov
moon.nasa.gov
moontours.nasa.gov
www.move.nasa.gov
MSAT.nasa.gov
msfc.nasa.gov
msfcns2.nasa.gov
msfcns4.nasa.gov
msfcns6.nasa.gov
mtlo.nasa.gov
tiles.mts.nasa.gov
saml2.mynasa.nasa.gov
mynasa1.nasa.gov
mysites.nasa.gov
n-arc-kvm1-ipam.nasa.gov
n-gsfc-kvm1-ipam.nasa.gov
n-jsc-kvm1-ipam.nasa.gov
n-msfc-kvm2-ipam.nasa.gov
n0fwi09u.nasa.gov
naas.nasa.gov
naasdev.nasa.gov
naastest.nasa.gov
naastraining.nasa.gov
nacc.nasa.gov
www.nai.nasa.gov
naic.nasa.gov
nais.nasa.gov
nams.nasa.gov
nars.nasa.gov
nas.nasa.gov
nasa-ca-forum.nasa.gov
nasa-ice.nasa.gov
nasa-ice-esb.nasa.gov
nasa-ice-esbint.nasa.gov
nasa-ice-esbstage.nasa.gov
nasa-iceint.nasa.gov
nasa-icestage.nasa.gov
nasa-mis.nasa.gov
nasaartifacts.nasa.gov
nasaca.nasa.gov
www.nasacdb.nasa.gov
nasadc01.nasa.gov
nasadc02.nasa.gov
www.nasaeronauticsspacedatabase.nasa.gov
nasajobs.nasa.gov
nasapeople.nasa.gov
www.nasaprojectalert.nasa.gov
www.nasarecycles.nasa.gov
www.nasascience.nasa.gov
nasasearch.nasa.gov
nasaspacebook.nasa.gov
www.nasastars.nasa.gov
nasatechnology.nasa.gov
nasatv.nasa.gov
nascom.nasa.gov
www.naturalhazards.nasa.gov
ncad.nasa.gov
ncadinternal.nasa.gov
nccs.nasa.gov
www.ncis.nasa.gov
ncts.nasa.gov
nd.nasa.gov
ndc.nasa.gov
ndclab.nasa.gov
ndl.nasa.gov
ndmscollab.nasa.gov
ndmspub.nasa.gov
ndmssrc.nasa.gov
ndmsstgcollab.nasa.gov
ndmsstgpub.nasa.gov
ndmsstgsrc.nasa.gov
ndmswcdevimg.nasa.gov
ndmswcprdb7.nasa.gov
ndmswcprdimg.nasa.gov
ndmswcrtimg.nasa.gov
ndmswcsbximg.nasa.gov
ndmswcstgimg.nasa.gov
ndmswctstimg.nasa.gov
public.forms.neacc.nasa.gov
mobile.neacc.nasa.gov
forms.test.neacc.nasa.gov
near.nasa.gov
near-staging.nasa.gov
neba.nasa.gov
nebula.nasa.gov
ned.nasa.gov
www.nef.nasa.gov
nen.nasa.gov
www.nepp.nasa.gov
neps-dev.nasa.gov
neptune.nasa.gov
www.nesc.nasa.gov
nescacademy.nasa.gov
www.netcssi.nasa.gov
netman2.nasa.gov
netman4.nasa.gov
www.neurolab.nasa.gov
newdelhi.nasa.gov
www.newemployee.nasa.gov
newfrontiers.nasa.gov
www.news.nasa.gov
www.newsletters.nasa.gov
newsletters1.nasa.gov
newtechnology.nasa.gov
nex.nasa.gov
nexpass.nasa.gov
next.nasa.gov
nexus.nasa.gov
nfac.nasa.gov
ngi.nasa.gov
www.ngst.nasa.gov
www.nhhpc.nasa.gov
nic.nasa.gov
nics.nasa.gov
niks.nasa.gov
nipo.nasa.gov
nis.nasa.gov
nisn.nasa.gov
nisn-web.nasa.gov
nix.nasa.gov
nmis.nasa.gov
nmo.nasa.gov
nmo-apl.nasa.gov
nmo-cms.nasa.gov
nmp.nasa.gov
noca1.nasa.gov
noca2.nasa.gov
node1-nasaspacebook.nasa.gov
node2-nasaspacebook.nasa.gov
nods.nasa.gov
nomad.nasa.gov
nomadinternal.nasa.gov
www.nops.nasa.gov
nops-dev.nasa.gov
nops-test.nasa.gov
www.nors.nasa.gov
www.npdm.nasa.gov
www.npg2820.nasa.gov
nprop.nasa.gov
nrd.nasa.gov
nren.nasa.gov
ns.nasa.gov
ns-ext1.nasa.gov
ns1.nasa.gov
ns2.nasa.gov
ns3.nasa.gov
nsbf.nasa.gov
nsc.nasa.gov
nsckn.nasa.gov
nscs.nasa.gov
nscstep.nasa.gov
nsi.nasa.gov
nsipo.nasa.gov
nsirelay.nasa.gov
nsisrv.nasa.gov
nsminfo.nasa.gov
nsms.nasa.gov
nsms-dev.nasa.gov
nsms-test.nasa.gov
nsoc.nasa.gov
nss.nasa.gov
nssc.nasa.gov
nsstc.nasa.gov
ntp.nasa.gov
ntpio.nasa.gov
ntr.nasa.gov
www.ntrs.nasa.gov
ntrsreg.nasa.gov
nttsaw.nasa.gov
vendors.nvdb.nasa.gov
oacc.nasa.gov
www.obpr.nasa.gov
observer.nasa.gov
observer-tools.nasa.gov
observer1.nasa.gov
oce.nasa.gov
oceans.nasa.gov
oceexternal.nasa.gov
ocsp.nasa.gov
ocsp-dev.nasa.gov
ocsp-rra.nasa.gov
ocsp-test.nasa.gov
ocsp-test-rra.nasa.gov
octpartneringtool.nasa.gov
octreviewer.nasa.gov
odin-dev.nasa.gov
odin-test.nasa.gov
oedc.nasa.gov
oedc-staging.nasa.gov
oela.nasa.gov
oepm.nasa.gov
www.ohp.nasa.gov
oig.nasa.gov
oiglab.nasa.gov
oltaris.nasa.gov
www.onemis.nasa.gov
onenasa-jsc.nasa.gov
onenasa-msfc.nasa.gov
onmoon-1.nasa.gov
www.open.nasa.gov
Open-Manufacturing.nasa.gov
OpenManufacturing.nasa.gov
opensource.nasa.gov
opo.nasa.gov
opo2.nasa.gov
optics.nasa.gov
www.osbp.nasa.gov
oscar.nasa.gov
www.osdbu.nasa.gov
www.irma.osp.nasa.gov
www.outgassing.nasa.gov
outside-nde.nasa.gov
outside-se.nasa.gov
outside-software.nasa.gov
outside-structures.nasa.gov
outsidenasa.nasa.gov
parweb.nasa.gov
patches.nasa.gov
www.patentstats.nasa.gov
pbma.nasa.gov
pcat.nasa.gov
pdns1.nasa.gov
pds.nasa.gov
people.nasa.gov
www.pep.nasa.gov
perf.nasa.gov
ph.nasa.gov
pigiceshelf.nasa.gov
piv.nasa.gov
aplabpdc.pki.nasa.gov
www.planetaryprotection.nasa.gov
planetaryscience.nasa.gov
www.plans.nasa.gov
plasmasphere.nasa.gov
pluto.nasa.gov
pmm.nasa.gov
pmt.nasa.gov
pobox.nasa.gov
poif.nasa.gov
www.polaris.nasa.gov
polls.nasa.gov
pomegranate.nasa.gov
portal.nasa.gov
portalforums.nasa.gov
portfolio.nasa.gov
prism.nasa.gov
prism-rra.nasa.gov
prismcn1.nasa.gov
prismia1.nasa.gov
prismlb2.nasa.gov
prismqa1.nasa.gov
prismqa2.nasa.gov
prismye0.nasa.gov
privacy.nasa.gov
privacyimpact.nasa.gov
www.process.nasa.gov
procurement.nasa.gov
prognostics.nasa.gov
www.projectalert.nasa.gov
property.nasa.gov
psi.nasa.gov
pubdir.nasa.gov
publicforms.nasa.gov
publicportal.nasa.gov
pumas.nasa.gov
qa-insidenasa.nasa.gov
qa-nasaspacebook.nasa.gov
www.quality.nasa.gov
quantum.nasa.gov
www.quest.nasa.gov
www.questeam.nasa.gov
quicklaunch.nasa.gov
radio.nasa.gov
rapid.nasa.gov
rasc.nasa.gov
ready.nasa.gov
ready-staging.nasa.gov
redplanet.nasa.gov
Retiree.nasa.gov
www.rmc.nasa.gov
rms.nasa.gov
rms-dev.nasa.gov
rms-test.nasa.gov
rms-train.nasa.gov
rmsdb.nasa.gov
robot.nasa.gov
www.robotics.nasa.gov
robots.nasa.gov
rockettest.nasa.gov
rotarywing.nasa.gov
rps.nasa.gov
rpt.nasa.gov
rsatest.nasa.gov
russia.nasa.gov
saam.nasa.gov
saam-staging.nasa.gov
sage.nasa.gov
sara.nasa.gov
sas.nasa.gov
saterinfo-dev.nasa.gov
satern.nasa.gov
saterninfo.nasa.gov
saterninfo-dev.nasa.gov
saterninfo-test.nasa.gov
saternproject.nasa.gov
saternproject-dev.nasa.gov
saternproject-test.nasa.gov
saternreporting.nasa.gov
saternwebsvc.nasa.gov
saternwebsvc-test.nasa.gov
sats.nasa.gov
saturn.nasa.gov
www.sbir.nasa.gov
id.sbx.nasa.gov
3dns.sc.nasa.gov
scan.nasa.gov
www.science.nasa.gov
science1.nasa.gov
www.sciencecast.nasa.gov
www.sciencecasts.nasa.gov
www.scijinks.nasa.gov
scm.nasa.gov
scm-test.nasa.gov
SCMOK.nasa.gov
inl.sddl.nasa.gov
search.nasa.gov
search1.nasa.gov
www.section508.nasa.gov
sensorweb.nasa.gov
sewp.nasa.gov
www.sfa.nasa.gov
share.nasa.gov
sharepoint.nasa.gov
shfe.nasa.gov
www.shuttle.nasa.gov
shuttle-mir.nasa.gov
shuttle-station1.nasa.gov
shuttlealumni.nasa.gov
sip.nasa.gov
www.sm3b.nasa.gov
www.sm4.nasa.gov
sma.nasa.gov
smap.nasa.gov
www.smart.nasa.gov
www.smartskies.nasa.gov
smp.nasa.gov
snas.nasa.gov
soc.nasa.gov
socialforms.nasa.gov
www.sofia.nasa.gov
software.nasa.gov
www.softwarereuse.nasa.gov
soi.nasa.gov
solar.nasa.gov
solarsystem.nasa.gov
space-geodesy.nasa.gov
spacebook.nasa.gov
www.spacecomm.nasa.gov
www.spacecommunications.nasa.gov
spacecube.nasa.gov
www.spaceflight.nasa.gov
spaceflight1.nasa.gov
www.spacejobs.nasa.gov
spacelifesciences.nasa.gov
spacelink.nasa.gov
spacemed.nasa.gov
www.spaceoperations.nasa.gov
www.spaceplace.nasa.gov
spacerace.nasa.gov
www.spaceresearch.nasa.gov
www.spaceresearchgallery.nasa.gov
www.spacescience.nasa.gov
spacestationlive.nasa.gov
spacestationlive1.nasa.gov
spacetox.nasa.gov
spacewardbound.nasa.gov
spaceyourface.nasa.gov
span.nasa.gov
www.spds.nasa.gov
www.spectrum.nasa.gov
spinoff.nasa.gov
spotthestation.nasa.gov
src.nasa.gov
ssc.nasa.gov
sscmiranda.nasa.gov
ssds.nasa.gov
els2014.sservi.nasa.gov
sso.nasa.gov
sssaas.nasa.gov
www.ssurteam.nasa.gov
st5.nasa.gov
stage-communications.nasa.gov
stage-docsnen.nasa.gov
stage-im.nasa.gov
stage-insidenasa.nasa.gov
stage-inwiki.nasa.gov
stage-ipao.nasa.gov
stage-mediaservices.nasa.gov
stage-nasaspacebook.nasa.gov
stage-nen.nasa.gov
stage-oepm.nasa.gov
stage-outsidenasa.nasa.gov
stage-pia.nasa.gov
stage-planetaryscience.nasa.gov
stage-spacebook.nasa.gov
staging.nasa.gov
staging-science.nasa.gov
standards.nasa.gov
starbrite.nasa.gov
www.starcam.nasa.gov
stars.nasa.gov
stars-dev.nasa.gov
stars-ps.nasa.gov
stars-test.nasa.gov
www.station.nasa.gov
www.step.nasa.gov
sti.nasa.gov
stidaa.nasa.gov
straw.nasa.gov
straw-staging.nasa.gov
suborbital.nasa.gov
www.sunearthday.nasa.gov
www.sunearthday1.nasa.gov
supersonics.nasa.gov
support.nasa.gov
swehb.nasa.gov
swg.nasa.gov
swmetrics.nasa.gov
www.swpal.nasa.gov
tagconnect.nasa.gov
tdrss.nasa.gov
tech.nasa.gov
www.technology.nasa.gov
technologygateway.nasa.gov
technologyplan.nasa.gov
techport.nasa.gov
www.techsurvey.nasa.gov
www.teerm.nasa.gov
www.terra.nasa.gov
test.nasa.gov
www.tfaws.nasa.gov
www.thursdaysclassroom.nasa.gov
time.nasa.gov
titan.nasa.gov
titian.nasa.gov
earth-science.tracker.nasa.gov
lesson-plans.tracker.nasa.gov
pictures.tracker.nasa.gov
training-oepm.nasa.gov
www.transition.nasa.gov
trmm.nasa.gov
tu.nasa.gov
www.tv.nasa.gov
tvschedule.nasa.gov
tvschedule1.nasa.gov
equipment.uat.nasa.gov
m.intern.uat.nasa.gov
iris.uat.nasa.gov
mdr.uat.nasa.gov
nef.uat.nasa.gov
portfolio.uat.nasa.gov
www.ueet.nasa.gov
www.unites.nasa.gov
www.universe.nasa.gov
uranus.nasa.gov
userdocuments.nasa.gov
utility.nasa.gov
vafb.nasa.gov
vendor.nasa.gov
venus.nasa.gov
venustransit.nasa.gov
veritas.nasa.gov
vho.nasa.gov
video.nasa.gov
video-images.nasa.gov
videofiles.nasa.gov
videofiles1.nasa.gov
videoshare.nasa.gov
www.visibleearth.nasa.gov
www.visionforum.nasa.gov
vmo.nasa.gov
voicetelecon.nasa.gov
voicetelecon-test.nasa.gov
vpn.nasa.gov
www.vsde.nasa.gov
vsearch.nasa.gov
vsearch1.nasa.gov
vwo.nasa.gov
wat.nasa.gov
www.webb.nasa.gov
webdir.nasa.gov
www.webentre.nasa.gov
webmail.nasa.gov
www.weboflife.nasa.gov
webregister.nasa.gov
webregistration.nasa.gov
webregistrationfob.nasa.gov
webservices.nasa.gov
www.webtads.nasa.gov
webwork.nasa.gov
wff.nasa.gov
wiki.nasa.gov
www.wims.nasa.gov
wind.nasa.gov
wingsinorbit.nasa.gov
www.wire.nasa.gov
wise.nasa.gov
www.women.nasa.gov
www.workforcetransformation.nasa.gov
workforcetransition.nasa.gov
workmans.nasa.gov
www.workmanship.nasa.gov
wright.nasa.gov
wsc.nasa.gov
wsmr.nasa.gov
wsprodb.nasa.gov
wsprodc.nasa.gov
wsprodd.nasa.gov
wstf.nasa.gov
wstf-ns1.nasa.gov
wstf-ns2.nasa.gov
www.wtts.nasa.gov
wtts-stg.nasa.gov
wwt.nasa.gov
log.www.nasa.gov
www1.nasa.gov
www2.nasa.gov
x500.nasa.gov
www.xml.nasa.gov

Analysis

NASA.gov

The domains intranet.nasa.gov and intranetsearch.nasa.gov are obvious targets for unauthorized access to documents. We'll examine them closer.

dig intranet.nasa.gov

; <<>> DiG 9.10.1 <<>> intranet.nasa.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29075
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;intranet.nasa.gov.             IN      A

;; ANSWER SECTION:
intranet.nasa.gov.      599     IN      CNAME   intranet.nasawestprime.com.
intranet.nasawestprime.com. 299 IN      CNAME   redirects.nasawestprime.com.
redirects.nasawestprime.com. 299 IN     CNAME   dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com.
dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com. 59 IN A 50.16.224.76
dualstack.redirects-backup-330949873.us-east-1.elb.amazonaws.com. 59 IN A 54.225.198.227

;; Query time: 142 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Sun Oct 26 09:38:48 PDT 2014
;; MSG SIZE  rcvd: 217

Connecting redirects to https://outsidenasa.nasa.gov/ which disconnects when you connect to it. This is an example of an internal service found by the NSEC walking technique. It doesn't have an obvious vulnerability, but the fact that it can be found but not accessed means that it's not for public consumption. By using a program like namedrop [7], you could find this address, but you wouldn't be able to find more complex names like spaceresearchgallery.nasa.gov. Another name that could be found by namedrop, but much more slowly, would be sharepoint.nasa.gov. This redirects to http://www.nasa.gov/centers/ames/home/index.html, which probably means that it uses F5 BigIP to redirect unauthorized IPs to their public website. Or it could be that their Sharepoint site was taken down.

A search for intranet.nasa.gov finds an unexpected VPN endpoint: https://intranet.jpl.nasa.gov/dana-na/auth/url_default/welcome.cgi This subdomain wasn't found because jpl.nasa.gov doesn't support DNSSEC, so this attack doesn't work against that subdomain. This doesn't phase the attacker.

The domain userdocuments.nasa.gov is an interesting site definitely for employees.

The domain voicetelecon.nasa.gov is probably a teleconference system, so an nmap scan may turn up SIP, Skype, H.323, or similar services. It turns out that voicetelecon.nasa.gov has an authenticated HTTPS site which seems to be connected to CenturyLink (the company that bought Qwest).

The domain staging.nasa.gov doesn't resolve which probably means that staging is an internal domain. The same is true for stage-*.nasa.gov. stage-communications.nasa.gov and many others resolve. They don't seem to be externally accessible though.

www.nasaeronauticsspacedatabase.nasa.gov

www.nasaeronauticsspacedatabase.nasa.gov turned out to be an interesting internal domain.

http://www.nasaeronauticsspacedatabase.nasa.gov/
redirects to:
https://dmzsrv.larc.nasa.gov/
redirects to:
https://ntrsreg.nasa.gov/
redirects to:
https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z
redirects to:
https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z&service=Level20NoNcad

Note that all of these server's certificates except for launchpad.nasa.gov are signed by NASA, not a trusted root certificate. Users who work for NASA would have this certificate installed on their work computers assuming they trust NASA's root certificate to not be compromised. launchpad.nasa.gov has the header: Www-authenticate: Negotiate which is indicitive of Kerberos. This assumes that the person who is visiting the page has authentication to NASA.gov. This proves beyond any doubt that all these systems are internal systems. larc.nasa.gov is in the ldns-walk results, but dmzsrv.larc.nasa.gov is not. The two are on completely different networks, so this domain name is an important omission from the NSEC results. The subdomains ntrsreg and launchpad are both in the NSEC results.

curl -i -k http://www.nasaeronauticsspacedatabase.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:56:31 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://dmzsrv.larc.nasa.gov/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://dmzsrv.larc.nasa.gov/">here</a>.</p>
</body></html>
curl -i -k https://dmzsrv.larc.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:57:18 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Location: https://ntrsreg.nasa.gov:443/
Content-Length: 213
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://ntrsreg.nasa.gov:443/">here</a>.</p>
</body></html>
curl -i -k https://ntrsreg.nasa.gov/
HTTP/1.1 302 Found
Date: Thu, 19 Feb 2015 00:53:25 GMT
Server: Apache/2.2.15 (Red Hat) mod_jk/1.2.37 mod_ssl/2.2.15 OpenSSL/1.0.1e-fips
Set-Cookie:  Apache_NTRS=;Path=/;Secure
Set-Cookie:  Apache_NTRS=;Path=/;Secure
Location: https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1683939677&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A53%3A25Z
Content-Length: 446
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="https://launchpad.nasa.gov:443/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1683939677&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A53%3A25Z">here</a>.</p>
</body></html>
curl -i -k 'https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z'
HTTP/1.1 401 Unauthorized
Set-Cookie: ACE-insert=R1617759527; path=/
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 19 Feb 2015 00:58:49 GMT
Cache-control: private
Pragma: no-cache
X-dsameversion: Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1(2011-June-8 05:24)
Am_client_type: genericHTML
Www-authenticate: Negotiate
Set-cookie: AMAuthCookie=AQIC5wM2LY4SfcwH5U%2FBfCXlZl8HYPqgP56f2hISXjxnzcA%3D%40AAJTSQACMDIAAlMxAAIwOA%3D%3D%23; Domain=launchpad.nasa.gov; Path=/
Set-cookie: amlbcookie=08; Domain=launchpad.nasa.gov; Path=/
Transfer-encoding: chunked

<!--
/**
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS HEADER.
*
* Copyright (c) 2009 eTouch Federal Systems. All Rights Reserved
*
* The contents of this file are subject to the terms
* of the eTouch Federal Systems License
* (the License). You may not use this file except in
* compliance with the License.
*
* You can obtain a copy of the License from eTouch Federal Systems
* by emailing to license@etouchfederal.com
* See the License for the specific language governing
* permission and limitations under the License.
*
*/
-->




<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML//EN">
<html>
<head>
<title>Please Wait While Redirecting to Login page</title>

<script language="JavaScript"> <!--

function redirectToAuth() {
    var url = window.location.href;
        var serviceName = "Level20NoNcad";
        if (url.indexOf("?") == -1) {
                url = url + "?" + "service=" + serviceName;
        } else  {
                if (url.indexOf("?SAMLRequest=") > -1) {
                        var protocol = window.location.protocol;
                        var host = window.location.host;
                        var contextPath = "/amserver";
                        var loginURL = protocol + "//" + host + contextPath + "/UI/Login?service=" + serviceName + "&goto=";
                        var gotoURL = escape(url);
                        url = loginURL + gotoURL;
                } else if (url.indexOf("?service=") > -1) {
                url = url.replace(/\?service=[^&?#]*/,"?service=" + serviceName);
                } else if (url.indexOf("&service=") > -1) {
                url = url.replace(/\&service=[^&?#]*/, "&service=" + serviceName);
                }else {
                url =url.concat("&service=" + serviceName);
                }
        }
    top.location.replace(url);
}

function getQueryParameters() {
    var loc = window.location.href;
        return loc;
    
}
//-->
</script>
</head>

<body bgcolor="#FFFFFF" onLoad="redirectToAuth();">
</body>
</html>
curl -i -k 'https://launchpad.nasa.gov/amserver/cdcservlet?goto=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2F&RequestID=1378321770&MajorVersion=1&MinorVersion=0&ProviderID=https%3A%2F%2Fntrsreg.nasa.gov%3A443%2Famagent&IssueInstant=2015-02-18T19%3A50%3A33Z&service=Level20NoNcad'
HTTP/1.1 200 OK
Set-Cookie: ACE-insert=R1617758438; path=/
Server: Oracle-iPlanet-Web-Server/7.0
Date: Thu, 19 Feb 2015 01:08:25 GMT
Set-cookie: amlbcookie=06; Domain=launchpad.nasa.gov; Path=/
Content-type: text/html;charset=UTF-8
Set-cookie: JSESSIONID=ABE2731A73016D3B5BBB307816AC628D; Path=/amserver; Secure ; HttpOnly
X-dsameversion: Oracle OpenSSO 8.0 Update 2 Patch3 Build 6.1(2011-June-8 05:24)
Am_client_type: genericHTML
Set-cookie: AMAuthCookie=AQIC5wM2LY4Sfcw3xT7ONFSzXl9OSCrrCLrVF5%2BiIAOciAk%3D%40AAJTSQACMDIAAlMxAAIwNg%3D%3D%23; Domain=launchpad.nasa.gov; Path=/
Pragma: no-cache
Expires: Thu, 01 Jan 1970 00:00:00 GMT
Cache-control: no-store
Transfer-encoding: chunked

...

This page is too long to put into an essay. Here are a few interesting strings:

<!-- App URL is https://ntrsreg.nasa.gov:443/; Server Id is ndkseasso02.ndc.nasa.gov -->
<!-- IE(8) requires the <td> and <img> to be on the same line, or else there will be a small gap (rolls eyes) -->
<div style="float:left;width:38%;color:#FFFFFF"><b>Need Help?</b> Call 1-866-419-6297 or 
<a style="color: #FFFFFF" href="mailto:MSFC-DL-HelpdeskMSFC@mail.nasa.gov?subject=Launchpad Help"><u>email the help desk</u></a><br/>
<a style="color: #FFFFFF" href="https://inwiki.nasa.gov/cm/wiki/?id=639" target="_blank">Want to Integrate? (Internal NASA only)</a></div></td>

This page allows you to login with a smartcard, RSA token, or username and password, or create an account. It contains this warning:

This is a US Government computer. This system is for authorized users only. By accessing and using this computer system, you are consenting to full system monitoring of your process -- including keystrokes. Be forewarned that unauthorized use of, or access to this computer system may subject you to disciplinary action and/or criminal prosecution.

From the FAQ:

1. What is Access Launchpad?
The NASA Access Launchpad, also called "Launchpad," is an online tool that you can use to create and update your NASA user profile or reset a forgotten password in just a few steps.

2. Whom do I contact if I need help or have questions about Launchpad?
Call the NASA Information Support Center at (866) 419-6297.

9. Can I use the Launchpad to update other personal information, like my e-mail address and last name?
Not at this time. Instead, visit NASA's User Self-Service (USS) tool [https://idmax.nasa.gov/idm/user/login.jsp], located within the Identity Management and Account Exchange (IdMAX) system. User Self‐Service allows you to change your display name, e‐mail addresses, or common names in the Agency directory.

14. What do I do if my browser indicates that there is a "certificate error" and I am unable to login to the Launchpad?
On some NASA Web browsers there is a configuration issue that results in this security certificate error. To resolve this issue, follow this two-step process:

Step 1: Visit the NASA PKI Operations Web site [http://pki.nasa.gov/index.php/tech-support/ca-root-certificates/] to download the NOCA and Treasury root certificates.

Click on the Download NOCA and Treasury root Certificates link and follow the prompts to open and install these CA certificates into your browser. If you receive a security warning about the US Treasury Root CA, this is normal: proceed with the certificate installation.

Note the use of http for pki.nasa.gov which is vulnerable to sslstrip. pki.nasa.gov is an internal system and apparently uses PHP.

*.gov Hashes Cracked

An example of a domain that I was able to find with brute force of all 7-character domains against .gov that I was not able to find using unhash is http://pdbcecc.gov/. This site gives a 404 which shows that it's not public (at least yet). Vital information for pdbcecc.gov lies below:


curl -i pdbcecc.gov
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Fri, 23 Jan 2015 01:20:22 GMT
Connection: close
Content-Length: 315

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""http://www.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Not Found</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Not Found</h2>
<hr><p>HTTP Error 404. The requested resource is not found.</p>
</BODY></HTML>

dig ns pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> ns pdbcecc.gov
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1150
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;pdbcecc.gov.                   IN      NS

;; ANSWER SECTION:
pdbcecc.gov.            599     IN      NS      ns1.blackmesh.com.
pdbcecc.gov.            599     IN      NS      ns2.blackmesh.com.

;; Query time: 105 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 22 17:21:04 PST 2015
;; MSG SIZE  rcvd: 89

dig ns1.blackmesh.com.

; <<>> DiG 9.10.1-P1 <<>> ns1.blackmesh.com.
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55362
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;ns1.blackmesh.com.             IN      A

;; ANSWER SECTION:
ns1.blackmesh.com.      299     IN      A       74.121.197.78

;; Query time: 101 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Thu Jan 22 17:22:37 PST 2015
;; MSG SIZE  rcvd: 62

whois 74.121.197.78

#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#


#
# The following results may also be obtained via:
# http://whois.arin.net/rest/nets;q=74.121.197.78?showDetails=true&showARIN=false&ext=netref2
#

NetRange:       74.121.192.0 - 74.121.199.255
CIDR:           74.121.192.0/21
NetName:        BLACKMESH-1
NetHandle:      NET-74-121-192-0-1
Parent:         NET74 (NET-74-0-0-0-0)
NetType:        Direct Allocation
OriginAS:       AS36473
Organization:   BlackMesh Inc. (BLACK-25)
RegDate:        2010-01-25
Updated:        2012-03-02
Ref:            http://whois.arin.net/rest/net/NET-74-121-192-0-1

OrgName:        BlackMesh Inc.
OrgId:          BLACK-25
Address:        2465 J-17 Centreville Road
Address:        #720
City:           Herndon
StateProv:      VA
PostalCode:     20171
Country:        US
RegDate:        2006-03-21
Updated:        2011-09-24
Comment:        BlackMesh Managed Hosting
Ref:            http://whois.arin.net/rest/org/BLACK-25

OrgTechHandle: BNO34-ARIN
OrgTechName:   BlackMesh Network Operations
OrgTechPhone:  +1-888-473-0854 
OrgTechEmail:  noc@blackmesh.com
OrgTechRef:    http://whois.arin.net/rest/poc/BNO34-ARIN

OrgAbuseHandle: BNO34-ARIN
OrgAbuseName:   BlackMesh Network Operations
OrgAbusePhone:  +1-888-473-0854 
OrgAbuseEmail:  noc@blackmesh.com
OrgAbuseRef:    http://whois.arin.net/rest/poc/BNO34-ARIN

RNOCHandle: BNO34-ARIN
RNOCName:   BlackMesh Network Operations
RNOCPhone:  +1-888-473-0854 
RNOCEmail:  noc@blackmesh.com
RNOCRef:    http://whois.arin.net/rest/poc/BNO34-ARIN

RTechHandle: BNO34-ARIN
RTechName:   BlackMesh Network Operations
RTechPhone:  +1-888-473-0854 
RTechEmail:  noc@blackmesh.com
RTechRef:    http://whois.arin.net/rest/poc/BNO34-ARIN

RAbuseHandle: BLACK5-ARIN
RAbuseName:   BlackMesh Abuse
RAbusePhone:  +1-888-473-0854 
RAbuseEmail:  abuse@blackmesh.com
RAbuseRef:    http://whois.arin.net/rest/poc/BLACK5-ARIN


#
# ARIN WHOIS data and services are subject to the Terms of Use
# available at: https://www.arin.net/whois_tou.html
#
# If you see inaccuracies in the results, please report at
# http://www.arin.net/public/whoisinaccuracy/index.xhtml
#

dig +dnssec @74.121.197.78 pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> +dnssec @74.121.197.78 pdbcecc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14228
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;pdbcecc.gov.                   IN      A

;; ANSWER SECTION:
pdbcecc.gov.            600     IN      A       74.121.201.181

;; AUTHORITY SECTION:
pdbcecc.gov.            600     IN      NS      ns1.blackmesh.com.
pdbcecc.gov.            600     IN      NS      ns2.blackmesh.com.

;; ADDITIONAL SECTION:
ns1.blackmesh.com.      300     IN      A       74.121.197.78
ns2.blackmesh.com.      300     IN      A       74.121.192.67

;; Query time: 91 msec
;; SERVER: 74.121.197.78#53(74.121.197.78)
;; WHEN: Thu Jan 22 17:24:04 PST 2015
;; MSG SIZE  rcvd: 137

dig +dnssec @69.36.157.30 pdbcecc.gov

; <<>> DiG 9.10.1-P1 <<>> +dnssec @69.36.157.30 pdbcecc.gov
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15874
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1472
;; QUESTION SECTION:
;pdbcecc.gov.                   IN      A

;; AUTHORITY SECTION:
pdbcecc.gov.            86400   IN      NS      ns1.blackmesh.com.
pdbcecc.gov.            86400   IN      NS      ns2.blackmesh.com.
j5kqrti1gdqgv88konuq2qsuhshv60io.gov. 86400 IN NSEC3 1 0 8 4C44934802D3 J5N9AJJ79PQ4UVMESSBVONNK5QR5189S NS
j5kqrti1gdqgv88konuq2qsuhshv60io.gov. 86400 IN RRSIG NSEC3 8 2 86400 20150129221014 20150122221014 4352 gov. CvwShLn22m6o086Id9ythpPECag30WGD7IzUtWQ/Qo2fhKzurbpw3dFo J8dg/RyD6gZ/Rn7v4w/AlcpyE6Q6MiE7VMhbUtBUh9s8aHW6V9HPY3Xz fwicyxcDxfhpxzZKKoogJEGh5WATxAfe1n5fuAt///LXnQDXVJ47wc35 t1c=

;; Query time: 79 msec
;; SERVER: 69.36.157.30#53(69.36.157.30)
;; WHEN: Thu Jan 22 17:26:10 PST 2015
;; MSG SIZE  rcvd: 332

traceroute 74.121.201.181
traceroute to 74.121.201.181 (74.121.201.181), 30 hops max, 60 byte packets
 1  v10.core1.fmt2.he.net (64.62.180.89)  3.538 ms  3.532 ms  3.527 ms
 2  10ge1-1.core1.sjc2.he.net (72.52.92.74)  19.319 ms  19.318 ms  19.316 ms
 3  mpr1.sjc7.us (206.223.116.86)  0.848 ms  3.747 ms  0.836 ms
 4  ae9.cr1.sjc2.us.zip.zayo.com (64.125.31.201)  1.074 ms  1.065 ms  1.304 ms
 5  ae8.cr2.sjc2.us.zip.zayo.com (64.125.20.254)  1.577 ms  1.299 ms  1.298 ms
 6  ae1.cr2.lax112.us.zip.zayo.com (64.125.31.234)  9.344 ms  9.769 ms  10.261 ms
 7  ae3.cr2.iah1.us.zip.zayo.com (64.125.21.85)  44.680 ms  44.177 ms  43.938 ms
 8  ae14.cr2.dca2.us.zip.zayo.com (64.125.21.53)  68.638 ms  68.638 ms  68.984 ms
 9  ae1.er2.iad10.us.zip.zayo.com (64.125.20.122)  72.950 ms  75.889 ms  76.215 ms
10  64.125.198.77.t00053.above.net (64.125.198.77)  71.637 ms  69.384 ms  69.365 ms
11  aggr2-g10-va.net.hostventures.com (208.85.174.252)  69.902 ms  69.345 ms  69.609 ms
12  * * *
13  * * *
14  * * *

As you can see, there isn't any authenticated A record for pdbcecc.gov, which means that it's not valid. In fact, we see an NSEC3 record returned from the gov servers. The hash for pdbcecc.gov is j5kqrti1gdqgv88konuq2qsuhshv60io and the hash they give us j5n9ajj79pq4uvmessbvonnk5qr5189s look similar in the first two characters, but then change. So what this NSEC3 record is telling us is that they don't have a signed NS for pdbcecc.gov. That means that NSEC3 records we get from the .gov nameservers include all domains for .gov. Unlike .com which is opt-in, .gov NSEC3 records seems to be opt-out. Therefore the list of hashes I have collected are a definitive list of domains that had not opted-out from .gov NSEC3. Since I was able to brute force 7 characters of alpha-numeric domains, I can definitively say that my list of cracked domains are the full list of .gov domains that are less than 8 characters. If someone wants to run 8 or more characters on the hashes, we can build a list of almost every .gov domain. My guess is that there are longer domain names that can be found with the passphrase cracker which I only used up to a certain point on domains other than com. Two values found by passphrase3 are: richlandms.gov and richlandsnc.gov. This seems to point to names of cities and their respective state may be a pattern worth checking. However, seattlewa.gov doesn't make sense because there's only one Seattle. It turns out that bellevuewa.gov does exist, which makes perfect sense. I was able to crack that hash manually. As you can see, it would make sense to use a wordlist of all state abbreviations and all words in the AI3 wordlist (since all city names are in the AI3 wordlist). I was able to do this using passphrase7 and Wikipedia's List of U.S. state abbreviations. It turned up a very large number of hits as expected.

Brazil

Brazil has an interesting setup. The top level ccTLD .br uses NSEC, so that's how I discovered all those domains. I believe that the list is authoritative and equivalent to an AXFR (I have no counter-examples to prove otherwise so far). The most popular subdomain com.br uses NSEC3 with a long salt and 10 iterations, almost unheard of in DNSSEC other than a few .mil subdomains, org.br, by (Belarus) which unexplicably uses 100 iterations, probably to stop people like me (despite their efforts, I was able to crack 584 out of 1017 hashes), and la (Laos) which uses 150 iterations (despite their efforts I was able to 398 out of 746 hashes). The government tld gov.br uses NSEC. Note that all of these reside on the same DNS servers: [a-f].dns.br. What's more interesting is that there are more DNSSEC enabled com.br domains than there are DNSSEC enabled com domains. Why is this? In the way that gov.br signs all its domains with one key, com.br can sign all its domains with one key. This doesn't give anyone any less trust because the person with the private key can override any value in the database. com.br is in a special place where they can choose to put good known values for every domain in com.br and sign them thus giving everyone a correct representation of the entirety of com.br just like gov.br has done with NSEC. The reason we don't get a full representation of the entirety of com is because com chooses not to sign any of domains under it. Let's look at the data from a few signatures under com.br.

dig +dnssec @200.219.154.10 apros.com.br.

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.219.154.10 apros.com.br.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 27275
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 5
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;apros.com.br.                  IN      A

;; AUTHORITY SECTION:
apros.com.br.           86400   IN      NS      c.sec.dns.br.
apros.com.br.           86400   IN      NS      b.sec.dns.br.
apros.com.br.           3600    IN      DS      64627 5 1 A56441015582BAEB5013AF87B203C2C86B461E3D
apros.com.br.           3600    IN      RRSIG   DS 7 3 3600 20141223100000 20141216100000 33018 com.br. mVYd7IidGO5i1KceUMaBn1xy7mKpHfJcZtHh6i4R/tbso9nRvxiiWoce hGmBxuFXYGlelHWH76SDAOnyzk2dAn768fy9r0X3bQOln1Kvv8fb4XUR COvjv4SS/6RZhf8KVU4fHFrABtg+O5nQG6bE66/Td7MdT9RNOE3LsiKm hUY=

;; ADDITIONAL SECTION:
b.sec.dns.br.           172800  IN      A       200.192.232.11
c.sec.dns.br.           172800  IN      A       200.189.40.11
b.sec.dns.br.           172800  IN      RRSIG   A 5 4 172800 20150123084353 20141114084353 943 dns.br. P5sdQem+wzVyD+0wycTVcP8FFp4H/XIOZa2yR8kr0uxQKRYPQJyhp6bW cbyFwFVnKCOapTsiWOtYztghFPn2oaF1s6K1rL1mWNIeyHLFXANQzRnj Zri3WGh61ZzvKz5KipxCXfnH+ZRLxsJVTcI0FCphUh9KfWLKhzd3czsm EF0sldY1retqDb9w5s3kC0Ao
c.sec.dns.br.           172800  IN      RRSIG   A 5 4 172800 20150123084353 20141114084353 943 dns.br. 41k1GaDsRFm2j9FbsVJwFSvoj7w73+8nGkq4UGV1EViAl2h5BfMtEXum CW4034v0WDzIp/FQl1OZ60EAaSnNIx/OnCb01AYX9olTOBAjEOKv6KFa 3muR/8Y9BOsDn9IIkSkRiZysYfDkWo3J8G6P58wjMe1MgNopUlaycXPL mXBOszg6YYj3/ZY/I5uO47dZ

;; Query time: 68 msec
;; SERVER: 200.219.154.10#53(200.219.154.10)
;; WHEN: Wed Dec 17 15:22:42 PST 2014
;; MSG SIZE  rcvd: 679
dig +dnssec @200.219.154.10 nuvoli.com.br.

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.219.154.10 nuvoli.com.br.
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17235
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 7
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nuvoli.com.br.                 IN      A

;; AUTHORITY SECTION:
nuvoli.com.br.          86400   IN      NS      a.sec.dns.br.
nuvoli.com.br.          86400   IN      NS      b.sec.dns.br.
nuvoli.com.br.          3600    IN      DS      41021 5 1 735B1DB6F7EDEA0A5FC9E35D35F6B4ECA7F6E520
nuvoli.com.br.          3600    IN      RRSIG   DS 7 3 3600 20141223100000 20141216100000 33018 com.br. bg9YXXkjsRFDWdr9duEVB+QNtzy7OH1vMPLtv6nT5hLg5JRSlhYT0wPI MjqqkYqXxwS3vBaZ9uoRxSnAJT1i63g0fYctcAPocfGgxmEN1kVsNTRr 1iA3VkaKeqvmbvOz3PRY+doVOXlCeVFWNONiDQlvmFrKim3/ohnWYRBQ 9wk=

;; ADDITIONAL SECTION:
a.sec.dns.br.           172800  IN      A       200.160.0.11
a.sec.dns.br.           172800  IN      AAAA    2001:12ff::11
b.sec.dns.br.           172800  IN      A       200.192.232.11
a.sec.dns.br.           172800  IN      RRSIG   A 5 4 172800 20150123084353 20141114084353 943 dns.br. roMyXYw+pNs/Yv9FwDnAJNxKecAGjPDoUD/x1EXvDPsfBENPH8GIYifL kLGfdjtSWn0/hnpGl0GJbSzSeYVSqp+56CM07TRnNQNjnEan+UXPEgoy ztUPUibyelsbCXX9fuqD8yQNCHeZU/Cf0X1XVdUf9/k6MEKmTl1cfHgz DFcW6GekmhT4BIt2vjn5BX9x
a.sec.dns.br.           172800  IN      RRSIG   AAAA 5 4 172800 20150123084353 20141114084353 943 dns.br. Ku8c3YR8L/VVf0cePAlUGTb6ASKYrUpGMF0ajLE9THc6JDezJ2BR8Jz4 vxH1zOe911ssH3UxEL2+CDjCTjBwUa/A9BDdp0JMDCLciOactV8JME+F 7R1+Pr7lfTlbd8yf1NR5QjSNXu4w54EW95EbBaFWeV3vAWgYQJVNgW+x 6hP1qozZanbuQIBE8rn+T/8T
b.sec.dns.br.           172800  IN      RRSIG   A 5 4 172800 20150123084353 20141114084353 943 dns.br. P5sdQem+wzVyD+0wycTVcP8FFp4H/XIOZa2yR8kr0uxQKRYPQJyhp6bW cbyFwFVnKCOapTsiWOtYztghFPn2oaF1s6K1rL1mWNIeyHLFXANQzRnj Zri3WGh61ZzvKz5KipxCXfnH+ZRLxsJVTcI0FCphUh9KfWLKhzd3czsm EF0sldY1retqDb9w5s3kC0Ao

;; Query time: 68 msec
;; SERVER: 200.219.154.10#53(200.219.154.10)
;; WHEN: Wed Dec 17 15:23:28 PST 2014
;; MSG SIZE  rcvd: 890

You don't need to be able to do RSA or SHA1 to find out what's going on in this record. Simply look at the signer's name, which is 'dns.br' for all records. Then look at the DS records for each, they are different, which means each domain was signed by a different key. Then look at the nameservers: a.sec.dns.br and b.sec.dns.br, they are the same. Now we need to query each of the nameservers.

dig +dnssec @200.189.40.11 apros.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.189.40.11 apros.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8553
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;apros.com.br.                  IN      A

;; AUTHORITY SECTION:
apros.com.br.           900     IN      SOA     b.sec.dns.br. hostmaster.registro.br. 2015008000 345600 900 604800 900
apros.com.br.           900     IN      RRSIG   SOA 5 3 86400 20150217004706 20150108004706 64627 apros.com.br. S/ja/KYwj1UElZwHMTFF038BI5KQkmdMUS50nlYyxSGllPJdI0u3jU02 LaScCmBO6gwOfKE53C2El8OKUePenta2lL+NwEEpUV59m32R5dIMHYTU ayJzv1pQDRecM5qRd5q1QtIudt/CcCWUcz5OiqqrgTN7PMcYSDIuDEKH f2k=
apros.com.br.           900     IN      NSEC    email.apros.com.br. NS SOA MX RRSIG NSEC DNSKEY
apros.com.br.           900     IN      RRSIG   NSEC 5 3 900 20150217004706 20150108004706 64627 apros.com.br. jieFIGYg7SO2CULv8gkf/D9VcNtKe3d7uwaBCV3LAuIgiiwt2E2lJmVT 0IP4Ci6xUYySssYHeNpq0K3j8QHXLmU0tgxZvthN5yHPr9OqUSUioKz9 uOyFEOCjAzOGZuGeib4NCP0D9ilpM6pYNwwNJol14ANtqwMkAUQsCLLS BxY=

;; Query time: 202 msec
;; SERVER: 200.189.40.11#53(200.189.40.11)
;; WHEN: Sun Jan 25 01:27:07 PST 2015
;; MSG SIZE  rcvd: 492
dig +dnssec @200.160.0.11 nuvoli.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.160.0.11 nuvoli.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4387
;; flags: qr aa rd; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;nuvoli.com.br.                 IN      A

;; AUTHORITY SECTION:
nuvoli.com.br.          900     IN      SOA     a.sec.dns.br. hostmaster.registro.br. 2015007000 345600 900 604800 900
nuvoli.com.br.          900     IN      RRSIG   SOA 5 3 86400 20150216190722 20150107190722 41021 nuvoli.com.br. SYwi7I9Qmvr97J/5tzYN2lMwDJ8EhjjG9F+DfRNzeHtA1SUy3IubNGow YUmLBBOIg+7hwFHFcnp5IAdFLYq+w4HcpQWAYwj7AOGd2lW2ZtLj5EcH 5xHF13UD2Dh3IpEa0YNjGpE2pLJO7xD62EzJWMzYBE3ikcr3TJROi5Rk dO4=
nuvoli.com.br.          900     IN      NSEC    agenda.nuvoli.com.br. NS SOA MX TXT RRSIG NSEC DNSKEY
nuvoli.com.br.          900     IN      RRSIG   NSEC 5 3 900 20150216190722 20150107190722 41021 nuvoli.com.br. cqOap8X6JXpae52CcAu/i94c9SLYX2sW4jo04PvFuDGRPgmwP86eW1Ey iayHOEe7gp5KfGnzcKBcm3dwp7EaVY5tugHb6UMndFLsw5i+Xw5JKNPU adxMaem/VtacyECtNMP2tW18Hhs4x85vItibZzqEBZNSCdJ8J6cEYpNj hzo=

;; Query time: 202 msec
;; SERVER: 200.160.0.11#53(200.160.0.11)
;; WHEN: Sun Jan 25 01:30:44 PST 2015
;; MSG SIZE  rcvd: 497

These results are totally unexpected. What you're seeing here is a.sec.dns.br using NSEC records (the totally insecure ones) to respond to a request for both subdomains of .com.br which uses NSEC3. Allow me to illustrate with a table.

DomainNSECNSEC3
.brNSEC 
.com.br NSEC3
nuvoli.com.brNSEC 

To prove the concept, here are the subdomains of apros.com.br and nuvoli.com.br:

ldns-walk @200.189.40.11 apros.com.br
apros.com.br.   apros.com.br. NS SOA MX RRSIG NSEC DNSKEY 
www.email.apros.com.br. CNAME RRSIG NSEC 
www.apros.com.br. A RRSIG NSEC 
xxx.apros.com.br. A RRSIG NSEC 

ldns-walk @200.160.0.11 nuvoli.com.br
nuvoli.com.br.  nuvoli.com.br. NS SOA MX TXT RRSIG NSEC DNSKEY 
agenda.nuvoli.com.br. CNAME RRSIG NSEC 
docs.nuvoli.com.br. CNAME RRSIG NSEC 
mail.nuvoli.com.br. CNAME RRSIG NSEC 
pop.nuvoli.com.br. CNAME RRSIG NSEC 
site.nuvoli.com.br. CNAME RRSIG NSEC 
videos.nuvoli.com.br. CNAME RRSIG NSEC 
www.nuvoli.com.br. CNAME RRSIG NSEC 

Plenty of examples exist of sites that have not opted-in to DNSSEC are in the cracked NSEC3 hash list, so there doesn't seem to be a rhyme or reason to which sites have NSEC3 records and which do not. It appears that many but not all domains have DS records which doesn't make sense considering the tech savvy of the domain owners (no offense but it is apparent). An explanation of how DNSSEC key generation works in Brazil would be helpful.

Let's look at com.

dig +dnssec @192.43.172.30 paypal.com

; <<>> DiG 9.10.1-P1 <<>> +dnssec @192.43.172.30 paypal.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4005
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 5, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;paypal.com.                    IN      A

;; AUTHORITY SECTION:
paypal.com.             172800  IN      NS      ns1.isc-sns.net.
paypal.com.             172800  IN      NS      ns2.isc-sns.com.
paypal.com.             172800  IN      NS      ns3.isc-sns.info.
paypal.com.             86400   IN      DS      21037 5 2 0DF17B28554954D819E0CEEAB98FCFCD56572A4CF4F551F0A9BE6D04 DB2F65C3
paypal.com.             86400   IN      RRSIG   DS 8 2 86400 20141223051543 20141216040543 48758 com. S3PBUN3MGHFhwl8z4QpUQLkcoPmj+UdRbMaCV/uzYqSs0vXj7PDfhEcx SM39OCsV+Vb0PyynoxSdF8R3Ef5RQR6T50b7EA/rqrwHobRX3MqqAaK3 HP5Ooc7m1Vzn262dQMyDswmwKOC70AbbZG/B7/wrA4/yBBcsVv/7nkSJ tE8=

;; ADDITIONAL SECTION:
ns1.isc-sns.net.        172800  IN      AAAA    2001:470:1a::1
ns1.isc-sns.net.        172800  IN      A       72.52.71.1
ns2.isc-sns.com.        172800  IN      A       38.103.2.1

;; Query time: 148 msec
;; SERVER: 192.43.172.30#53(192.43.172.30)
;; WHEN: Wed Dec 17 15:30:36 PST 2014
;; MSG SIZE  rcvd: 395

Instead of giving an A record like we requested, it gives us NS records and a DS record. The DS record is a hash of the public key's important parts so that we can validate answers from the correct nameservers. The RRSIG is that signature. Therefore, we can see quite clearly that paypal is signed by com and that no NSEC3 or NSEC record should be signed by com saying that paypal.com doesn't have a DS record. If you search for most com names, you will find that an NSEC3 is the response. That is because they have not given a DS record to their DNS nameserver.

Too many counterexamples exist for this theory of opt-out to be true. One is uol.com.br. Most domains in the massive list of 353059 hashes are unpopular domains despite being short and easy to remember. But there are too many popular .com.br domain names that are missing from this list.

dig +dnssec @200.160.0.10 uol.com.br

; <<>> DiG 9.10.1-P1 <<>> +dnssec @200.160.0.10 uol.com.br
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 24620
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 7, ADDITIONAL: 4
;; WARNING: recursion requested but not available

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 4096
;; QUESTION SECTION:
;uol.com.br.                    IN      A

;; AUTHORITY SECTION:
uol.com.br.             86400   IN      NS      eliot.uol.com.br.
uol.com.br.             86400   IN      NS      borges.uol.com.br.
uol.com.br.             86400   IN      NS      charles.uol.com.br.
5lj9r0juabvl3fe63ct5htuvvo36m541.com.br. 900 IN NSEC3 1 1 10 4CD2F2C437FF9B524572 5LJAMJNGRUHAV21OCLKU21CKT0AK0HU0 NS SOA RRSIG DNSKEY NSEC3PARAM
5lj9r0juabvl3fe63ct5htuvvo36m541.com.br. 900 IN RRSIG NSEC3 7 3 900 20150130100000 20150123100000 42678 com.br. wHByHzFhMzeHruEDApx30RYJZ+oFal2u+pBBNSF7LmsG4P4FsAXMIqrP 8mPkvCjODuN4bDhsifipGPRBX9wcxIxT1u+JsXsRRpkzSHWsaFr+R4Hd 2TZzPnlFvsg2A7eOZP2FmCODpbfR0tjPhORUrgPuAlHmIDLsb5o/FJZs tJg=
knvms0s1vbe556jfbf1vu3gbomgc7vtl.com.br. 900 IN NSEC3 1 1 10 4CD2F2C437FF9B524572 KNVQAUF72RDCQP1NH79TPHN33SH39N06 NS DS RRSIG
knvms0s1vbe556jfbf1vu3gbomgc7vtl.com.br. 900 IN RRSIG NSEC3 7 3 900 20150130100000 20150123100000 42678 com.br. SIZ9NXptxLQsmZc0PjMVyTGVwFo3aU/J9cQ8p0chapikmrm++8B9P6Pt 8iYaQwHp1dvIaxH1wQrvvtX+Jmw1+t8V9K0fXSWgNriOBsyTndedjpbx jnXnS7k453JQlCnxR7s4sCfjOKqdsrVyUFJciOiEMeGDfjuf/WOxAkFC oKY=

;; ADDITIONAL SECTION:
eliot.uol.com.br.       86400   IN      A       200.221.11.98
borges.uol.com.br.      86400   IN      A       200.147.255.105
charles.uol.com.br.     86400   IN      A       200.147.38.8

;; Query time: 206 msec
;; SERVER: 200.160.0.10#53(200.160.0.10)
;; WHEN: Sun Jan 25 00:45:13 PST 2015
;; MSG SIZE  rcvd: 661

The system used by Brazil is mirrored by the European Union tld .eu and the German tld .de and possibly many others. What is more confusing is that the American tld .us supports NSEC and is opt-out, which makes the entire .us DNS database available to everyone with ldns-walk in a few days time. USA is a strange place and it seems that the company that chose NSEC for .us is Neustar, Inc. and the company that chose NSEC3 for .com is Verisign. That makes perfect sense in an America sort of way. Another strange example is .net which is also owned by Verisign. .net seems to be opt-out unlike .com. My evidence for this is the same as above for .com.br. There is however an easy counterexample in google.net.

This leaves us with an unsatisfactory answer to our question of how authoritative our list is. On the other hand, we did manage to unconver enough domains that if we need to test something on servers (say another Wordpress vulnerability), we have a list of domain names to try it on (not actually exploit, but test the version number and such passively).

Setting up a DNSSEC domain

If you want to setup DNSSEC on your domain to do testing or to add yourself to the great NSEC3 list, this should help. I have my own nameserver on altsci.com (using tinydns aka djbdns) which doesn't support DS records, so I can't put my DNSSEC records onto a server. I chose to create a DS for bikeim.com using ldns-keygen.

ldns-keygen -a RSASHA256 -b 4096 bikeim.com

After a while (5 minutes to hours depending on your RNG entropy), this gives you three files, Kbikeim.com.+008+54945.ds, Kbikeim.com.+008+54945.key, and Kbikeim.com.+008+54945.private. The ds file is the record that you would add to a bind-compatible nameserver. The key file is the public DNSKEY record. In the key data we see 516 bytes. Clearly there are 4 bytes of header 03010001 and 512 bytes of N. Using Python, we can check if this value is easily factorable. It would be easier if we had p and q from the private file, but let's take a look from the perspective of the attacker.

Kbikeim.com.+008+54945.ds
bikeim.com.     IN      DS      54945 8 2 ccc45143a5ef6f37a92a7c3875403aeb32d9d9507fd642745970e2320725e5b4
Kbikeim.com.+008+54945.key
bikeim.com.     IN      DNSKEY  256 3 8 AwEAAeNVhvRP3IT79YuJCUOfGm7PyUNZoLmiiuP/oGqkNlF8/9TVoaHPsix6aemFtCvMofLXZ2aBPovXKB0KyVxZ+F2QJHUuVIKOFL5dBe2EbVXkljJRV6M/rbWiPr4RpVNzhNijUHGulAeIJpaZdvEiCrO11hUIHw6v1m46OVgan7zge8ReOdSWVOS/4buQGXech2EXpCQXNPu+SVoOrIkipt3ZYgrzOEY+Qik0+bBoGcHf5YyTvUDQAHTw0/T97T/UIg4u10YnUK/O0QanBfsL1/7OxYoBaseZiuIv7YckGw9P2bSRkgOZvRT7Tm7nAszwvSjN2SawLZ2xd2xg28iwDysVkBA3oZ1q+aqfYo75imB1SEPguzJsonOBIZ8t26NPw3zRahmUGEucQUA2m7RO0ADDNAYBchrTwcOjRSBivd9btI/mC0QhzfhvmkIO4StBKSZdXTa2QM6JcCxk8ZAM4H/mGMEg5tHmJ0C0+fpUEBiFsrWa6PA4wV07JWAsIMX52rUWEVSwe0hN3WBxNAJ11wlzFCFhoYR0h5n1Cc8EHV6aFQ8zcmTF43lx9PtNPrUkYaVWH42Gwsc+tA/HWXbA0o4XdETJDZdVUyyX8OUv3cMBPONbIAZsvOO9DYjg783LaRI0FvISNxudDMzCUzajKvtgXHO4zI36UM67cnbVr1Qh ;{id = 54945 (zsk), size = 4096b}

python3
import binascii
import Crypto.Util.number
import gnfs1
import fermat1
import gmpy2

a = binascii.a2b_base64('AwEAAeNVhvRP3IT79YuJCUOfGm7PyUNZoLmiiuP/oGqkNlF8/9TVoaHPsix6aemFtCvMofLXZ2aBPovXKB0KyVxZ+F2QJHUuVIKOFL5dBe2EbVXkljJRV6M/rbWiPr4RpVNzhNijUHGulAeIJpaZdvEiCrO11hUIHw6v1m46OVgan7zge8ReOdSWVOS/4buQGXech2EXpCQXNPu+SVoOrIkipt3ZYgrzOEY+Qik0+bBoGcHf5YyTvUDQAHTw0/T97T/UIg4u10YnUK/O0QanBfsL1/7OxYoBaseZiuIv7YckGw9P2bSRkgOZvRT7Tm7nAszwvSjN2SawLZ2xd2xg28iwDysVkBA3oZ1q+aqfYo75imB1SEPguzJsonOBIZ8t26NPw3zRahmUGEucQUA2m7RO0ADDNAYBchrTwcOjRSBivd9btI/mC0QhzfhvmkIO4StBKSZdXTa2QM6JcCxk8ZAM4H/mGMEg5tHmJ0C0+fpUEBiFsrWa6PA4wV07JWAsIMX52rUWEVSwe0hN3WBxNAJ11wlzFCFhoYR0h5n1Cc8EHV6aFQ8zcmTF43lx9PtNPrUkYaVWH42Gwsc+tA/HWXbA0o4XdETJDZdVUyyX8OUv3cMBPONbIAZsvOO9DYjg783LaRI0FvISNxudDMzCUzajKvtgXHO4zI36UM67cnbVr1Qh')
print(len(a))
pubkey = a[4:]
n = Crypto.Util.number.bytes_to_long(pubkey)
sqrt_n_o = gmpy2.iroot(n, 2)
if sqrt_n_o[1] == True:
	# This should never happen.
	print("sqrt(n) is an integer?", sqrt_n_o[0])
	sys.exit(1)
#end if
sqrt_n = int(sqrt_n_o[0])
# Test all prime numbers between 2 and 100M
print("GNFS says:")
print(gnfs1.factor(n))
# Test all prime numbers between sqrt(n) - 100M and sqrt(n)
print(gnfs1.factor(n, sqrt_n-100000000))
# Test all prime numbers between sqrt(n) and sqrt(n) + 100M
print(gnfs1.factor(n, sqrt_n))

# This value is approximately avg(sqrt(n) - p) + random.randint(0, 10**612)
avg_dp = 5122621145277382969688872128728426311319062916369918553744475614137822128239111751511353800314424459393476073980222150875349214710113862716194143053700184839673329656916889528635540134824278796927552362314001739150979238910191197111793930789004332947626374399240746727048988580610116795558298839179459332579243595730226757884170938325481810783810414537512228088268372374961399100459554498981122225289301577799243710164897122021636246364828374395456301972549651900145263264668266694965564885028867313397309361132566062306265233613744832958703039138364820470503224523842264939229233952565654153686812604490002207694
# Test all prime numbers between sqrt(n) - 100M - avg_dp and sqrt(n) - avg_dp
print(gnfs1.factor(n, sqrt_n-100000000-avg_dp))
# Test all prime numbers between sqrt(n) - avg_dp and sqrt(n) - avg_dp + 100M
print(gnfs1.factor(n, sqrt_n-avg_dp))

# Use Fermat's factorization method to attempt to factor n.
# This can take a long time, so stop it after a few hours.
print(fermat1.fermat2(n, False))

Since all of these fail, we can look at factoring using a real GNFS on a realistic amount of time or GCD using a large number of collected public keys. The fastgcd software written by Nadia Heninger's group would be a good place to start. [8] To gather public keys like above, simply query DNSSEC servers: dig DNSKEY paypal.com

Until the code is written to test the keys and the protocols we won't know if DNSSEC actually provides any security to those who use it.

On the other hand, we do know how to sign the zone. Here is how to sign a simple zone. Note that this doesn't have MX records or AAAA records, but the process would be the same if it did.

# Get the A record and the NS record from its nameserver, in this case AltSci.com.
dig @216.218.134.11 bikeim.com >bikeim.com.zone
# Add the SOA record from a default server.
dig SOA bikeim.com >>bikeim.com.zone

# Actually sign the zone with your private key.
ldns-signzone bikeim.com.zone Kbikeim.com.+008+54945

# Verify the output.
cat bikeim.com.zone.signed
bikeim.com.	3600	IN	SOA	dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com.	3600	IN	RRSIG	SOA 8 2 3600 20150222173448 20150125173448 54945 bikeim.com. GFySqrmik3sE+UexBsXcB3jOJVi2Ia34Px0o5vh4rheCRjoYfYOTN0NjGeurSxHQTvHYyr6N2vtTkXtAnCv0X7Nl6O+iDlC9CwXtWoXzb/LygUYQjYQcEKypipvp6DowgH0/gCTYr2JCza69WDF6wz98k2WOOEq0HVgicu1v2t9SMBUkf0he6XyNLsw3juNA2kS48ZpZ1CZ+wSN6k/m8vvQ+mIxgTo4XeYZm9zQvrz/hXujEKzVBcjHRv+eQDtEAx5riptSpiIJFPUaHdyXEUc2P9mnq0/RxVo1JxchZpNNSk9vMZ0TcDQ2PGacbVtV1SlnhZ53iT2jrIqQSb7e4bJTVd6uJLRkkTFSOlylYQhIGHVbh14LWpdl/ntva8sC4UKK+LEBGHe6S0mhLB5XJB2RZJ/m8mJqqHFa2kE9jvWoxXvLeDfQoajZhcwuQD510X4TJBiFzC+tj1lXpVRE1PchGUPjSC/+O3yqfYIEFukfv17VhaA/BCGHenjdj8yDyxP+Bdh/5WuIQOuw7eWw3orCCk2nA/OS82MmB694TLYK/T4pIOGn1Ve4dAghCUmgaZWnamlTMjX5VgObQ8q31DxBOoC1mH7sUIMDWH6bjs/rmaPn6o04LdhtJhLKR4fWTz1mQP0qUGFK+QSM8k8G79GTrdha8cumNM2D7c1Pqi9g=
bikeim.com.	86400	IN	A	216.218.134.11
bikeim.com.	86400	IN	RRSIG	A 8 2 86400 20150222173448 20150125173448 54945 bikeim.com. qF5iig+Eb7HhgIwyOJIabVKq6MwD20Pi6KP+48qRPFAX5GzjEi8BjTHEBIlDaHKQ1zTdQjPE06ikUuCBln9ZxrqZWBF/NCYiCmQc3rQHzquMMX+NrFltW8X21IMXPsjiOHBygfUMeH8vGEXs/MvDyiO39OvIIB+Q5dHPu+0biB/TNJhdHVT4e3WC6A7AT7+X3p+6nLT3Q7FC1/cIKeX6nB7kAivcPUJdmoCw30v8csZnuDBYf3U2Nf91GGZJGRzA304f3GPOJ43bh6HK+K3ODIPHRfx00dXMdH5GR6j0mG1yeoUXKQaL1Ji7ydIr/SW3Zzq7HZJp8Qb3ZdCAmQDceN+mPWRPZPpU6gwvbCeL8+VZFCsdfRx8qmRFJXWTVtXa2dl9Bm6RVYQLNry4U4h8ljBmie19+PHAb0SWFy89llu2lMKetFKJjhtPBHIMZ6AxDUHiV3i4qPThkUaqkP2U37GUlf+3PWyh8oADAhQBMgKSKKFNGOpa6mMi15FeBPBMKOMujzdPW+158xOzTyLYD3XqAkUR+2MlFOe1wGJj+yQg34zLScWVcq91B3Z70F8uskLbxDya2GaNj7TvKa35eP6B/xYncCMwyBPv8X/5vH7qN9pf3MJTsrVA3jFcmxacD+LeMJr6ylhqIrD7zJppTyzGa6U7hmMIvyG97Nj00Ho=
bikeim.com.	259200	IN	NS	a.ns.bikeim.com.
bikeim.com.	259200	IN	NS	b.ns.bikeim.com.
bikeim.com.	259200	IN	RRSIG	NS 8 2 259200 20150222173448 20150125173448 54945 bikeim.com. H3DzLBtjhY61scgXmrHDqhZ5g3PwkjgJoTRtA3fsRa0f5CM3b7oF7q5GSSgNpZmlxsibn+G4w7xNE+yC5Ukcj6aNfTY59ABDjtRbX3DXe8sIKOdOZOLBp0GON0oUmmDt78nUmyHWvMhuoy5ylEbW0QP+4fgzIzaWpluK2CIhAShM7bdBgkz4QoRIy6g02UL+4qfDC8eRu01aXaK19JDFISicrd8OHbD4KeAvrhNRoCS1U73vWTu7sTwk7eCg13ajQJDUOfmwSISeL46lfu+A6v4lGPcpe1X6vOU3jdvu13oEO+AYokjiyP/wFW62FS3gsHQeyDscyncyQkNpZcntAFYCWvp2d4HGhHaB4kupLGE1lsoi6bM2fy0LCZOWzWVKBm3D9JMJA7vR72Q1V/ndmQnj2L/ziiaraoVLZ866lan/AdlwoSKrgOwLPLropvlnMWuem+z9cKOpyxD2mFDpveoeW14PtX070YO2f7+xpgBsJPZcFDHLHYm6r/2sAC569Wkh20sdxDaxq3V6FRF74uSuROlvECA1GWNlydoVyxtREvjliOEJPEBHqbzBGqRGhAteTpcnR47l35FHeDN3gc8iA0P3/WglLiAtu3vONKthX3IybZeQQxmcapQLK9Zu+3Y5OvL0QDKaxqeGcNf/tD/STzvYJB4/I26ewOvSBLY=
bikeim.com.	3600	IN	DNSKEY	256 3 8 AwEAAeNVhvRP3IT79YuJCUOfGm7PyUNZoLmiiuP/oGqkNlF8/9TVoaHPsix6aemFtCvMofLXZ2aBPovXKB0KyVxZ+F2QJHUuVIKOFL5dBe2EbVXkljJRV6M/rbWiPr4RpVNzhNijUHGulAeIJpaZdvEiCrO11hUIHw6v1m46OVgan7zge8ReOdSWVOS/4buQGXech2EXpCQXNPu+SVoOrIkipt3ZYgrzOEY+Qik0+bBoGcHf5YyTvUDQAHTw0/T97T/UIg4u10YnUK/O0QanBfsL1/7OxYoBaseZiuIv7YckGw9P2bSRkgOZvRT7Tm7nAszwvSjN2SawLZ2xd2xg28iwDysVkBA3oZ1q+aqfYo75imB1SEPguzJsonOBIZ8t26NPw3zRahmUGEucQUA2m7RO0ADDNAYBchrTwcOjRSBivd9btI/mC0QhzfhvmkIO4StBKSZdXTa2QM6JcCxk8ZAM4H/mGMEg5tHmJ0C0+fpUEBiFsrWa6PA4wV07JWAsIMX52rUWEVSwe0hN3WBxNAJ11wlzFCFhoYR0h5n1Cc8EHV6aFQ8zcmTF43lx9PtNPrUkYaVWH42Gwsc+tA/HWXbA0o4XdETJDZdVUyyX8OUv3cMBPONbIAZsvOO9DYjg783LaRI0FvISNxudDMzCUzajKvtgXHO4zI36UM67cnbVr1Qh ;{id = 54945 (zsk), size = 4096b}
bikeim.com.	3600	IN	RRSIG	DNSKEY 8 2 3600 20150222173448 20150125173448 54945 bikeim.com. b7KO83zWg8DeXEaU/axcsvQvT04wACPisH0keqgYajUPvYUV0mOqOoBCBQpt8wD+3TVCkI8nReRY04PvagIY9wKkGdVAXAv063uX24MK2+nVzXvR96TK8m5HG1fHQRnPc6aBdKKj+TIxWK5zJjwWJx+LGwzYvb6hFYyuty/8ji0EIBtDrHIPtSAFEJQsHCbSwm+OTvn2anz3MALvG3SAcGyy/Dxr/OCUMikGSuBgGiGQgPl7np8EIH8G9fVl/gRcyOMwfhgjKfYWWx6B2hShzVrJH/buClrUcxg+D4aGtGPM1JvoGKLv0flURIV58iSzoZZpuXa0EhhyQp/5D6h5QM/Hk7ULvR70zzNj//X9YRKdMM9ijwF11r1w8yCyDiFrs7LKSY/OFeHR1/XIsM40xPlJe5WyvJtOU9OCYsTLMtuNmFHSZrjq2mmXvPRHA72ctKunpGzpDukhUVjYMWJRLnIB7jZPYMkSyIwKrDcVBa13VIDJCzqNFtftlBq8ZAZdwiyKNPeuhPIg1TE+5u+DOErRXjSxOdww8yJaiFU8AZPBWH6QdD1vC5Q6aeFuGjrYpRfxX9Ty9LsnBFEv0Vv10pNBLLr3yRwcZM2qIW1U580GpHamzs2q0zXLbOLplYnzm0n+uQeBPSYfa9ykBECdPoWmpiK0i6U4dmNetfa36J8=
bikeim.com.	3601	IN	NSEC	a.ns.bikeim.com. A NS SOA RRSIG NSEC DNSKEY 
bikeim.com.	3601	IN	RRSIG	NSEC 8 2 3601 20150222173448 20150125173448 54945 bikeim.com. s1mG8xnwcYhoYaemwLWpUz/Cnsc0DZ1dgQauuhe2MQMq3WO+BJMZzLHVbZZWMrEQy9kwe/L722XJ1QASPJfQJIdGtAFElBZObtfJB219xLe8HbaDsZ1jnbND23E3eYemWnvyFyJ2UFWenOO0FpuCq2Jnu1Crqu3mmfIXtqiwI/ZcMKSYBh5GITHRK04wRRYv2D5hK4tl6Um/RRIBpL/+3OeYLn1dQQXsoHiF7ewYI1hIRxVDdg37m9QHA4Bc0AqZVMrxDU+a/9XYdDlPeHn9jGjb3dGgvgeWCgfQ6aR2yO4r/AbxtZrzg06GddsuCBZltuTmXe2kGiIVEgmW7SPVDxeCfwuHo3l4DaTl3N99WepzKbZnSinfuwb3LvY/FwMa6d/wRol7MbbrsgvaKKlvGb/Xmqvi1S3WvbhM8cTnMhhraYj5TkWhF/r9UB0wlooMh66MV2HQAJSdTIsHUxEn22unZ5RT7nv7Ss9DKBst5nRS8qQjsFfBbCOr6LFK9zP6GVMXRlQVN+8fgYfoUl79CGEfZ2CoAhutiXYR3gG4s5OHew8eACQR2MgUQQzwt8lF70E4WVsa0HXj9ElIs6pVdcwb35aiuEZdTySTbQIgeCY/9u452vjF/j+fMvCvwBhoVEFSwjoOWSQwrUuZs8+tBuXeNbTAXXYggv/YMOGciW4=
a.ns.bikeim.com.	259200	IN	A	216.218.134.11
a.ns.bikeim.com.	259200	IN	RRSIG	A 8 4 259200 20150222173448 20150125173448 54945 bikeim.com. qNnJUhx+LjvS+EbcnX0hUhuY/RUQuFsxwezcRYYpCPgmtBGC7Xq3MW9ARSjeAxHYPgnWJ0CQpzytgb6qTyt1+VtgILlF00u3LzTHa3r+l1JhF8fLuwfZaiL2xs4mVeXZEpw6u04yCa6kUWwgdGzjkxgj8JTqKXPIvHFU+5ByzEaDa7ZP5CHI74hhOHjrAVeDQEOPHott8JsYQU9oP54NvGrfYBYKOl610riwwIL35YwmjEAC4fM6kbZv9V1Gai8kbcmKVC0neDKc8JvgBy0t9eAxqZS9t+XOiH437JJzCE5UNELcnlKQh2ZBLcrUtW7AoEgwm3eCavWxMhBfNn8M8UnWhVldC0Y/1k7BBzczSz5Jo3mz3pSOFHEunseBOb1a1+nDVmY64Zvt9sU96wFYK3N/QkRT5TzvE/pDBzD+dWIBylNBKjiCnzhPQBkfaYVyb8IAjMuOJseC8TndvtnHN2ExsuSZSSC86cm2rca00+zXRcs3UNP4KASrNgUYVK8PgKoMstssonM7bh+ZIJbDMpFk8RyTXOjLZKoCCgbBQCgeez6BsaS2vEB3EVq6N3aeruqeHepMuzMqUNEwQxgw1w5uC8bOD4tfrE3WLGM3ZX9aOQWS+Zt71jXY+tJ60EKQ7asSG8ybCNGfbSu476lw6xkdjAQOK4bYm2S13cjgQP4=
a.ns.bikeim.com.	3601	IN	NSEC	b.ns.bikeim.com. A RRSIG NSEC 
a.ns.bikeim.com.	3601	IN	RRSIG	NSEC 8 4 3601 20150222173448 20150125173448 54945 bikeim.com. Sd+QashxB8P2IIdMviQcoUnrwkN5FxZLLfbh8xochGIHjuE+BKILZ5VVi9p+bRW0cAWkkY1bxkcN0GHG9V2M/oJ5ganvZWxoD6jI7YegLuSsz58Nwz0H+x405du0cyx+H3IsvKZkJ+4CPzTUmdgJoWKFjdgF1KVE/KWDvwagmQVrRTap5p4B/MSSQtFdCd1+3sBt+8FWzN3opozZCyGqwSz4TDQ6eVjrAjCVAnw+0RNphn8yceverdRkSq6cxncZds0bQzUB6Gkd6aP+/QZRHfGsZ7XFHtsYY/6vz7Ddmd7GhwZ+EaidiGPiC0OzoEbl/hMCfI+7I5Wn/4MHHRIK2wkzrLxpZaHA/FH0sH+BfGsyfUksk/H4Ys3u8TX0B99VfWmvNI7cObr7TQJToPGCtn49uyoTjfDJQJOH10jSY0FfeINz5ZTtBv+iW0y7A46Y4cYhpJKQLFanio//cKWx7ZhVJpEjgXLmmzvW1CNH9bxdngvaaEhJs+LLCCJkbemUWWyh8O8WCE//ZfI4/bzwtY52bWyZKG6jvJnrhhRIl6ZQYEPEaITfZz6uNU7x9AdcLI8JHkpyc2b7uXwEKmsgadGPyebA4FW2UTW72no8nnAtPHdAE1LYQOCAXjvb9r5Feq9GRvMpk/uW/VBLvNiC9QxWsVAYXjZ3FwpgFP/rZzQ=
b.ns.bikeim.com.	259200	IN	A	50.132.7.141
b.ns.bikeim.com.	259200	IN	RRSIG	A 8 4 259200 20150222173448 20150125173448 54945 bikeim.com. yy6Y+Zcj4bM1EtEPeQcR0fPRSWLA0E2l0Nmjs0Ztwyn+Y4L1y0OoBKQP2+PlZtuwKbjO+Umjd3bC1N8haRuFPIpt7n5JriASKZxWBTA0NP0b+1Gs5Kj1T61xDLFLi64JGA8AuwN/EliO7DyPywufnHcafF2a7Ve3O9xL+2AWCt4pL8/Y1JW3ALAGO/vQ/Hg8Bj5IQhkFpBhXN1Aujsj/g+vkxn56C6bWpJr9+Mwo1AaGpr1ebVpQdbmaI0NIqAhVhvgxkVyNKudlor/ZF0jaIk2AGLNl8+ptmV/yJ29cFdnCX2LnIw7WH4y/hXPs2sEL2GV2R1wcCeDzZo9GIGtki62r2XPil+vbByLlzB04q+sJrNR3VaWTGu2BoHFQpTqmfdocUUFSTFAOzdu5qKbvMp2i4VJWZuPiPCkP2TSanTX58cO7XkqaKdq2Mg+DjgD8T0Z3kNFOaK8ryHTNcc+GLEMNcjuq6WFT7r/8uZaHm9mfH5ma91Z3pTYwxtB4OFWJVC2eSRYvDmbn9hOZjcSwXdZaVxPyhScCvyPKwromB0/os37Z6YHIjyg+fqhLbq2ntmmBhzT31OedCmxtcRzIGkO+JdCzQxx6ljuGwsTgUCoCG3P3vHdphZ491Dar/3duPkizKPuWJqUsaTvRjpoJLyRhAted0D91iHvau0xdVno=
b.ns.bikeim.com.	3601	IN	NSEC	bikeim.com. A RRSIG NSEC 
b.ns.bikeim.com.	3601	IN	RRSIG	NSEC 8 4 3601 20150222173448 20150125173448 54945 bikeim.com. VzZF/Wua5GSlfRcFzBjAhQply9arSjsNBhYWwE1FGMSchKsMA+ajzT8JhRldxcraHz1J+Ytkj9iPubtJ8V9VjbJ3ahhZZpKCEWGCi8+xyYsBPwtZRlBzPwu0eUuul18+OocqtJBCUWzmv6bRGOBhWZCNbW3W6vIDz8fOzFHVOIDireouDTvlePoxKHDi4MPQXKOnrEODqv4A9PZKpubOriJ4mUhsnUjFLynUr8FlwG/kSSf42X50GTIGubQvq63DXWaN2wiA2i6VduMrmqmm2VETh6AbYxo8Esc2XnqVc1NZgzBobOuJx6bSjhbE1oULClFFyUSHUdyhVOKmmlfh1m/K+Up+dxtfKmDrE2Nt2k4QpMnBEx+IwhO4Oi5fQxZFkEle6NDnrPdMFwETeKpfzZvSp3fieTJRlsKOW8apw5O3A8EIJEwdTKVcVdy/Q43xEgtmVWGd4PV7pHcf8bQOkAiGhnzSy+PVwsyAKfITW2M8v8dTadkBMTdrk9+L6lk9lJyeQTsEgAX3PX1d2HNcSgTee0vzQPCKTTnlJIqbr45HUuw8vXYzQXeS0RdtQ7pl/qbGtW/tCcaYysNfG/LiXP2Aoss5hEEcU/8vc5EUz6kERN4mIAi5IAMHZFsjU7O8FxETkVbuvJl+PaUhlpIIVDpfFj0TGUOHSzPvYgw55kY=

Note how ldns create NSEC records instead of NSEC3 records. You have to specify extra flags for that, so let's do that. Since it's so easy to do, let's do one with a strong salt and 10 iterations and another with no salt and 0 iterations.

# Sign bikeim.com with a 9 byte salt and 10 iterations.
ldns-signzone -n -a 1 -t 10 -s b17e19c0ffee7eafff bikeim.com.zone Kbikeim.com.+008+54945

# Verify the output
cat bikeim.com.zone.signed
bikeim.com.	3600	IN	SOA	dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com.	3600	IN	RRSIG	SOA 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. NFQxpvKb8u0v349IdxOLpup6jtO4NJB6bF/CDgUgC6he3K8ws6978VkjtXa5UcKGPe7FscsujsdAm4RGLB82m9uhNV1dpyhpl3NW/ScupnW1BpdeAnUtO2P2CVgySsy6TcyNK8atXHLvkbPBTJnWcTWq8fvaTPHeNufNRwjb1GmiiOWfq1MFTwzZqyqKjsYNZh7/lQ4hlZ3hIcNkF74poMfddU6OZyAx0UitYS3ffvnqELwYdVz0Ws3zuTES0RqrAYDJ4RilvO5zPhx7m5ckibNSICYquEVZeHc4mjpSVMUxs6bD4CP+98nrUogH64K3Ay5ZNhkdl/JW7KfzXm2a+OGjY6VOm1hMX0vSmossnw7mL8PEu+EPsLuRcppPuJi1MXRV8HVyfeicYzthJCxq8VpZIWsA/p06GXWq7qArbcGA4SsUqcRVzVk1AWzIse7oGRB0NfczfDcsE+L+B/7nw2/gfKHqYbWWwMGKJlNGFLn3Pt60PpuC9sjV1q8FEqNMtEtCNKX6lFsV7yqKbtJtnk6sKJqbHwG4kVvIflZPdd0wpX8Oy1ZVnbGdEzkvbvdCqdTfnUuy0EBgSTwCrvvrkG1gj6kwNaSt35JWPq4+u+yKiaRL8ldHqrzyJIT3S6Yvym1YBYDoiyVYsJYEzx6nHfzGK1KE2ZozG+/wb881Bho=
bikeim.com.	86400	IN	A	216.218.134.11
bikeim.com.	86400	IN	RRSIG	A 8 2 86400 20150222180705 20150125180705 54945 bikeim.com. M4h9KRE4VKagpCkdbBIai5fgeO1Z6rxpa1lBlVH0wzjAhRJ636cKz8ti2Qjm1WLgHutUwYKqHgt5TPJMtHnjU1m7IYn11nX8oA9/P17VcIeucBwlV2X8mLTpzKPz+CWFG7iByL9WgX/BbXLTDqbrdwbIob6tQncf8rpSBYxUymhQukL+Bh38/qQBKQKKocfYAI9ktQ5nYFF9M3b6wJ9obqlvMbddqWVIElTrGbWCQuyfRwQObmIpF21o/L5L3ak4JBOVUeUgGUzDeItfWm8mpg4nlxDmXhJpHTqYEmyX00EWaAQZiZeJRdHFDVFnBXxhyca/iWcp/QUoCKvhm4dWZIiLPPOap5Y0N5ls9JO6Cw3lNvHXtr2Gh9TIRZh2LdiTyn+ZXhdJA33OisgnrRVam6KSxbEcgyXQEu83dl3hmz/5Q3PwVXwagOs/RasK8BR1MS9zdo3CgcWldKQJjHZ6n7mcMGpkCoI8CNl1HE8CrMLkZzDXCo6ylMsINzBNCrsCfwCgOqD2w16ARhHRuBHJYRbdazA1v0i7i6LtA18X9fNsCmsgjua9teag2e28swNWMIj3bNVr33g8k8PbEzGiE/WkLARWxzokL1tsIUKfCe/Fvx5rVNJQrXLOQdh/9rd0qyMtADRqpEx1Fq6YDpw7DUwGcIUp1xAsyiCzGfkw9rg=
bikeim.com.	259200	IN	NS	a.ns.bikeim.com.
bikeim.com.	259200	IN	NS	b.ns.bikeim.com.
bikeim.com.	259200	IN	RRSIG	NS 8 2 259200 20150222180705 20150125180705 54945 bikeim.com. xrVSwvms2nGjuAWs3DrN7dLrn5o2JvYhRS2D3PkzaSA0Hap3+BdQMbfxUHqnQVYHm2XC1b2mgugHzMhU4UEtwPfnwF5YmnHda1crPo4or16HmiD4o4e31I7kPTPutFXdEGVCxRQkaEnECSgMhM3Qxhj54FqR5rLgQJQ8uGxJDuAyl43epmjxEoPXrosZ/bvJWdgyADJHBQRImYrGbnu+TzZpQrFMETAC1fSEECVFT9cEwPLL9gsgBE09b9fok5CpiPpsM7djDkxmm7k/sOydBrJ/ORMPsA+0EEfOYVAm4es3vCVWM1OUkVzSM5AdlsVcPUjR94Wt8J/ggdK+WK//HYU5k7HNpCvu2U3m/C1kGku0TLdCJkftvhHSsawTu33/plmPz6IJMIKLTNnxjuXUih7KLf+P0UMPgNL9ZOSLX29GF+CjE4JYQXNfhTUYqdBTDNFpcuyiNcUA6gy2PMWBToIRvD8h82v0gjuJ8lhsjncbj6twmkIhAPkjqjm/ygDNf5SxUln5eU9BjnobkmYL1sU/+MPddpattRoK3c4MVpqmWSwRqYyWC5aKKOubpbZdLFd1LrO6fECLhkX52S/plwhH/ZI4aUpLwX4FEtA/g0lN5HxafLwrfdCqlQpSiLap1eJbU2NpX7enTfkyt3pft0kxzXUekLUDNoV8YagL8Ck=
bikeim.com.	3600	IN	DNSKEY	256 3 8 AwEAAeNVhvRP3IT79YuJCUOfGm7PyUNZoLmiiuP/oGqkNlF8/9TVoaHPsix6aemFtCvMofLXZ2aBPovXKB0KyVxZ+F2QJHUuVIKOFL5dBe2EbVXkljJRV6M/rbWiPr4RpVNzhNijUHGulAeIJpaZdvEiCrO11hUIHw6v1m46OVgan7zge8ReOdSWVOS/4buQGXech2EXpCQXNPu+SVoOrIkipt3ZYgrzOEY+Qik0+bBoGcHf5YyTvUDQAHTw0/T97T/UIg4u10YnUK/O0QanBfsL1/7OxYoBaseZiuIv7YckGw9P2bSRkgOZvRT7Tm7nAszwvSjN2SawLZ2xd2xg28iwDysVkBA3oZ1q+aqfYo75imB1SEPguzJsonOBIZ8t26NPw3zRahmUGEucQUA2m7RO0ADDNAYBchrTwcOjRSBivd9btI/mC0QhzfhvmkIO4StBKSZdXTa2QM6JcCxk8ZAM4H/mGMEg5tHmJ0C0+fpUEBiFsrWa6PA4wV07JWAsIMX52rUWEVSwe0hN3WBxNAJ11wlzFCFhoYR0h5n1Cc8EHV6aFQ8zcmTF43lx9PtNPrUkYaVWH42Gwsc+tA/HWXbA0o4XdETJDZdVUyyX8OUv3cMBPONbIAZsvOO9DYjg783LaRI0FvISNxudDMzCUzajKvtgXHO4zI36UM67cnbVr1Qh ;{id = 54945 (zsk), size = 4096b}
bikeim.com.	3600	IN	RRSIG	DNSKEY 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. nIKgI8pZMmf/dQfi0kAqF3VAvEi7EMClWZT0hvAGGSMkiS3FydcLd3YEICX8EdDewsVR+Uvd76ToLQeMMJEdR7JhXpd/Iemt0DK9RZhaTvXlio6+S/xok60HAg52V0l5PL2K5IQk+fpOxAtZvNY8cAykFKnf6qCCskrKl3VL684sW+VtaCt7/osupmkJ8M/yu5SKJUIcv4pGQv0oW84Xnr6ir59TeJNjFUr1Q7KgkzjN0QkIgXSJMKJ/0+rHemOlGx40n8df9YsQQRBiT0slju/Z/j8jviLhV1fsHKLirYy4/YZi7tUB+M4KkUSrFA8DE42CNN0H8lltqV7Q373hUjOGQoovEDKcbPvON/7pZ1NsEw5fIao8t0svCbdltdjsx/59PHGZQ25pGcKuXKHqdz+lrP9g+J8ipG5OwWfomUtOl2DQQ7YZEWmU3vAU3+EKXh3Zb29+KpXouWzlkih8OxE91PR9T1jMY3JDZUiQfeloBkwR6EwSqGXJCw0JR/XLEDgRrhWLAdH3w7xNIZrBqrWewoT8wChFX4CGk/OoEVg1IjHtec5SXkRfmLQNInODi0r0GXDHooDZwkrj7EUX07epqtdn6sScRNqJm7RQEkJficWUw9mcHqBV+3oRB4r3ErcQfJUUyQw6c3ZdpOe9WPoAKhUyHdKWs1NddD49izQ=
bikeim.com.	3600	IN	NSEC3PARAM	1 0 10 b17e19c0ffee7eafff 
bikeim.com.	3600	IN	RRSIG	NSEC3PARAM 8 2 3600 20150222180705 20150125180705 54945 bikeim.com. tZvUNvHoZwENgLnqv5Hpoleh6qjMonmg6sEz5+L12OnZppxDXyNEL724+TAsuR0K1YYg+PzVn6NnjZLrgCs+B0/f2G9bFb3BwTgfawTJPoYtppEOJlUBnnhjyTb9T1Wb08pnIkkNMZMFd6DhG/g0CiCFUdYPEk4/jMPvbmiGdAuDvejG7OZETjcXHLDBM7tbjbHFDatZ296DXo1sM1v+o07aj4T4qJcL529LWv9DnggCw4hKkh5LAZ9gkxIeUtau2R3jOP5sOUjR8zHivzXnzz9AUB3jC7nI2/x0nV8GK7VwGq3CsEoKWPZOHDgekXAe1RFAprtYwGB7UC6bIm/O2NnWRMzmCIEYBZsQP07pFKB2k6J3lKb7/72lvmPtl2o4bFHjJBW+FkCiwHTVIi19F++ELvy85jx8S0eJ5mQcvGUfVxl1QVDyxiOZhoIMM4u2S8PUotMCIpEmZvlJl/OnPib9xrDfeRJnEamMQvKjA/C43XTdbHruX70O1PO7gxJfPvoQCbmLzRPeUQRhLuSzsJ3WH4ZES9JNd3oF6IMrwuP0kGMRx/qKcTmg9ToBx3bRQfIM7q5GQFM/DGR7CE+GkG/z6FYdK1kO1xuT55DboUFhLHy9HEJjnk0HHGrrvR4I/RMEp106e7wb5MtzS+EC8BQbTqoTsm+MtkuefCtIMeU=
25m7umcbbcep021gup624cp6khao90qi.bikeim.com.	3601	IN	NSEC3	1 0 10 b17e19c0ffee7eafff  495hmaukgs0mcuu66e68iib1alrpdfr8 A NS SOA RRSIG DNSKEY NSEC3PARAM 
25m7umcbbcep021gup624cp6khao90qi.bikeim.com.	3601	IN	RRSIG	NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. V9tCtO4Qhgz4q22pXrQEc0gMNwfGwAfpMWOk45+4XHiYiSIpBYjQ23z2TpIpak5HyLg8Ol3vmMzcJEXg2a4qczcCr7aPjwAHvN2aWKTToM+YCY8UpSKP4M6az2r6/htDLHO58xQNmQ0IWwBrMRiCAEEe9iTQxz7Hv83RUogNNmHVWcULo6YWET9fgQdv8qEgGZ0cm0cC6QSpQtS9fzgApzGNbV667JYNfQvRhQb38K81AA0PLWiNZwMKSaCnmSEFK0AEhDMyLyGSDE5E9+2NrgKCZuTeh71nk8tKDISVJxJ1g7fnTitH1qA450eO5xhYLHrG7Ud6aP5bJLkmnqR4mF2r71LfEAWlhhkaDkkvz1Av4BA68M5JYtH/P00YOaSdf7+EuJWyOZT1ZhuLCfh/ox1iWQouw4K76ayQFGJfafEHDvxOsuaUBoDFaNf8kWl0p8uYl4xUJ9v2ZYaV/YEjc3DXXPTvGjb4r7VWeRTNnRLr9TpAcgsRbgGhzfpLgO193rl/JN2tE2hekLWKKkt3V90G19Wj0nYsxVkOh5561UEjgj4cwa2GTTOeuLnadDaCfcb7C+02xnJOFqGV/pZB0UVCVMfiKfPPuOdg8GXEMi2Y1xn6jszFUrUjl3V1i4QsvucFFcOsJxC+SsPgH4kUTRWJuhUBy6RgfM/GhG/3h20=
c1s5nhr1.bikeim.com.	86400	IN	CNAME	bikeim.com.
c1s5nhr1.bikeim.com.	86400	IN	RRSIG	CNAME 8 3 86400 20150222180705 20150125180705 54945 bikeim.com. fIxbj0MzvFXMwSITRzZBStN0nxnyk749y2AeUAOZh+aXkxB53QSpAITrXPzjDMgXy6RB2S6Cnisvf+MfC4Y7KwXufZ/eGyijNsANzwMRUeRg/J/CkPCec7z0BI04pFiczIdFcLYSFsza/zrdNUC/sPZD2P0A/I5C7AgEDfGoTm+HQgQz7ejbsiFe0Jbyp/Wm8B/xF2XaSUq57A7IMOCM9UcBdBeMgCxGyvaXZa/N9HduB9CFNs3bHp1fRAd43nxQwiERgExwmSN1NEEy5aTNaHcImbc4LD5/lqWqsXq32ToaXsTxULd/nrqI1hfmE5Rjyr+2se5ktOYhB4VIMlyv8geaZmKMQVny+DBE2YgMnwgdJgvQxo2o5biC6YWvMhr3AtGG8eSNw6+LccRQvRuohT8wrtdeMBasLTpgXqtYNhe2M/hnasrMjy242CV3zOwbSyUg4cmEuk2r6Wy1l08tSQWCpCmgB9R45Xh4uIvXTukPL58RodV4aVkigLzr1gK6Ui+YSaSD5PMvAAzYvmZYMg5SCiQpnee6VfRLxZyQJv3W8baC4p9Q7UYoSUU/xGouOTigU8u/c0uCjkyaxZXO2yGvfCNZdN8np0h3AcwDfTI3pYTpVg37pnyMiqPKcnn+cp2rRgWW5wO+3yika0L8k0S+QuSI0JIgAV3gvZCUIpc=
javaf499auko4mrgvkhhj16u8htrqujp.bikeim.com.	3601	IN	NSEC3	1 0 10 b17e19c0ffee7eafff  km6plui7sdj3rliepi2ppahubmm4b3ue CNAME RRSIG 
javaf499auko4mrgvkhhj16u8htrqujp.bikeim.com.	3601	IN	RRSIG	NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. LgiQe+B50Fn8W+JDsGzCddQjG8+kzddzrMRcURqgvHvo/e+W6JA785iu+eh87M3KI9+h08VHTbd7RtJqpq5hozEZmP5rNdyZKRN1+P9OmGH+k0wsPHGQ7GsNZifF9phrfKRLXo0gqKnAmV/HWtXUob567YmEE4z2WgU8xsQlQKZfHvptp+y0G0sqxXh3CBHevlzhS5ZFb/6zfgMgsPt+TFemCHsjFBCc9KP6VkXSvQbwRPgjZKcs8NSIStgh7+DiK2SpjvXMS367xDTXlzspx1VcZriaoLK9Tpj4+jHX2gBSN9q3GqVUOa6D4lRgOzBvuBmBAEFT2xbIY8ShSDz6pkSGjGliIUuR6PyBzhKAyF5UTfPo1hCwZwlGZ/NuRwz0NObnn5h9MS8HD+408qI2hM/2p/Cu3U6i9n/oJ/cJQOIhATPtr1SneBiMXWmI2cHv75eSgcUfV8wmKC2XL8zE0DFy3uwHe1dhpuUjwQaZ7Be9hgP+IQXVUjM3nnWJ70OzgmD4EsZYcuEPHrpLYNnfyNUvwbEWj8XMLUPMXZgCNDT8OqfdhQfIuSn6YMtzhW94kaIri/pRGq3RgoOUsMXKa5F/Ox9OlortxXSBCUt0Ql2g5YDZ484Fm0zgjrEeQcagUGF6g7bWRYCEkvibqL74C8nWp4aMad+2WcNU+fNXCFA=
495hmaukgs0mcuu66e68iib1alrpdfr8.bikeim.com.	3601	IN	NSEC3	1 0 10 b17e19c0ffee7eafff  c83dc2ceikqjrj8m2sr5tc4dk97um11s
495hmaukgs0mcuu66e68iib1alrpdfr8.bikeim.com.	3601	IN	RRSIG	NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. tnEDCosDIHxWdgevVId6MG//5LUX8Z4DGc4nqSqaOSLyiSwBnekRnFFYqGbb+kW7j2GzHQ24esyWEAhGSH0wslbnxD++sGdwuUpUrP1vlo+Iejqn07LgXuL4A9IwkNoIzVYBIZwWpLidi23xYTIgNxHF4UEzUrorMIam6s0rLvj08IJBfpSPue7VP6GaNGJE+lxT29wrpUxQVgOu3vda65j26b0M6VcVoofb7OZjrseNjJCA2IntOWiuiDqJrJwh1N0ghKxBW3A9zMLyU9tO0qlRjXu/jatirls3SJvG+1OP5AWSXrS94YqOJ7MhjqV9w32+UxfUftsAta76JLDiE51++sFVEH2qs0aTF6hWeS6sb8WEpyo6O/ItPl5oZ/EgjjnGrcayGOB0MOJReUTF4C/MFhFtMfQqTOcz5WlJMeDA80+5pI+IhYZuz0/D3wy99nd7Ic9U6IMyxcZP1tdDXFfyTZaLh1gxUXhWmCLhmV5duAYr+O1gustXJB7eyHDmlfxhSQaelFO6xjJJ3BasctSRsezHg2VqhMtPOogCl+EK61x5U/YlHYJm9yaVPVpiv9QQk/wkDrC/aln9vf57E4T4tsUE85R16O2ZtNwjKW1hW/16liQ6y7C7E+7PvscgiF4HxKpAW7X1aoNBqAxeV5GhOuZN1Ih2j0OqSAzr4WU=
a.ns.bikeim.com.	259200	IN	A	216.218.134.11
a.ns.bikeim.com.	259200	IN	RRSIG	A 8 4 259200 20150222180705 20150125180705 54945 bikeim.com. EeFMneX2L77pUnYz0HOwir/q77V5Fxa5pYLR75EUoT6/3GJlGw+slIrDHRLFjaJVLwf4KnBRmCPrzgipoeCh99xpawwtYwbI5rXpkgccJLmxYKUoE+k97hnpe8c4GHVgmkVzqc/A7U40LsVC5H3paxpirZqxT9reKWlYLP98bTN0BgKnBsN7gv5N8FTl3t0z6rAEMk5HimcKOxpaarvc+L8DdxEq6olcomAca1JDvrbsyZ4NlOP0YC+JulCYreVFWoeObeVv9BQMIvbiNehGM9jDoIVEdjJZJTMNFUpjP//rV626vKS8WwDyRmz+aYWAS/vylEwq3AkdMXy7RBHnJPmN9JPfaov78B6vlhP/gfaOnOVuVbHxjEA2PuXOtYMgqb2dWCpi3abIHusQHd4KRNIMlQYwPa0BQ8z/HL0w4pFqLfAurFQeNp58NR6fPfJvaLzLGGmnsTZSuMXsmS8CFTzY/8Rvj2oRP+BUcNOTJ6MdnOscmYk30K0maaikKll1Mix8Y+QRCwshPqLolX+I0fY+v66btY8jhuA07Rai5+vinOdCxgGoFYFN22cpgHSYt64CgBQRdPStyiB5W7udBjQpo7P5ZRJScUinxaUuU//0dT9dee5Ya6WIMc7K9Vtm3Qaa2OttI9kwdfbfRLIIF09pjA3wzIaNjAEmso+axrA=
km6plui7sdj3rliepi2ppahubmm4b3ue.bikeim.com.	3601	IN	NSEC3	1 0 10 b17e19c0ffee7eafff  25m7umcbbcep021gup624cp6khao90qi A RRSIG 
km6plui7sdj3rliepi2ppahubmm4b3ue.bikeim.com.	3601	IN	RRSIG	NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. dHkHtrxu987Fnio9oSsp35FOjS0Kc0LyKV0ohZ2dOO1zTJeBcnikhSzyXlX4qoh4ocRn8FkLKKfcIjYhKKb7UK58jcryOpE12sUZu/Qj9Ev3M3Spat5SyMop7T8okuliYZLWZFtlc3LqKUB8I1RSmifU2WzFIl+gqjzWnDSzwg3j9RKFyTqpjPF2nsGkUgQLj2oFh+X9uQwBiJ6Atz3g89+h/39Qi1mmmhPDdU5c4dwPjWggG37F9oZUVuQZhiDr3iYQZliKlAepBDZDL7JG2fre2a6agfU2edt3lvTZXOBz+Qzk7YM3LnT4o0fmCYWfTOI5JsGln+v96drYkwUgSXRlecnP78iDt26TbuUSYTzXecJg5vJ8XVbPpyW1rWxBJTC8yg9mAKYhltxEHoKwBCKMg0R/CT76xe7DKLkmAjITgzNM+vKps8vfEjOoYNq647k58l5p2fJdi4wGWXWRqhCv98mkLvHBUBaDAmdjrEP7Nk2QRCKN0SZzVXCKEQOjIGFu4wQ8C1bgiUltfytketUrA1kA0HV7/1PcKzhABT4BiHf0RRBa2h+8hhTiX7EtTPVrILVFIDPHZQepxYzlBQv1CQQ1x0ydoCbgyLboEfw0qGjLD4hSGVJtww8voClMhJNVgacHtYtuxgHpmVp7G0T/E9OGfKCXUBAo/2fx8p8=
b.ns.bikeim.com.	259200	IN	A	50.132.7.141
b.ns.bikeim.com.	259200	IN	RRSIG	A 8 4 259200 20150222180705 20150125180705 54945 bikeim.com. bWOez6a3Hqi+GB27nmFN9oWsLF7VnKS4Aht6RxzwkJm/+GkTf4GbxWOSwZR0Qpj/0tOSEy9UygCKtkhpPlibHav03tS21ad/SDQibxnuoX46jnlM7esO71MLWrWtTwVFCYbr3Z0I68rw5dWJsDPqKcOoGu9KX0PxX5jAI3YnpeLRDO2sgVQa0eWC642hxOvnSiUNdJAPV286IvjEmbIAYW1vTyPTwokThiEowZKbn610Cefjh7tIBeVsyd7XBLqHZd21lRppBVcYYKFBY0qSPRcuOSSrCfBLdWGSN3eivtwQvsh23ua5t9Jlc2KkFIdhnKxHZydGZgv9M8O9W1+oL7CcnX+p9P2IdQ3/sqcQ20KZEvvWuSOwtzFseq/xMlsxsPEvyjIkbr3qmw4UHD1aaVkNEYcqgwyCnjFm5hsvu2d1Kzv9+zAmbpBCXgRNg8RxoLBz6o14wRUrTyxP0buK3I2IFDVcOUmRMaNRT4XwIuUNN1PxYv+fZsVtYRHSM/40NXeMVI/m4a5uiVC83QE28LiTB+DYVnaUWeeTI9V4hjdHyhJ35GhpWhZiWd+zKWZgd1Lvkn6w09tIMzbfdyOvL/aljvRnh2/rZNmxugwJ175n8N34LDag8Xu84FbsNHYNyn8lvmalGc0Q4XFsTDiIzIhaBmbWNJVQZ5SHzgJbXRk=
c83dc2ceikqjrj8m2sr5tc4dk97um11s.bikeim.com.	3601	IN	NSEC3	1 0 10 b17e19c0ffee7eafff  j9uhf4t9u2ph12q9a3kfrjn6inflamd5 A RRSIG 
c83dc2ceikqjrj8m2sr5tc4dk97um11s.bikeim.com.	3601	IN	RRSIG	NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. Opv7kW+kZiiBvE0keiB9bflsUWFYY1Ik+sUDzfno2P8voAvUUcCnSwKYfdLRkmfcm+pJORq+SyG+sh/1luonO3n9Yype3zhAir3iB3sni5cBDrI8E1jKtpZxrkcEZ1m0X5ZzDvO9Yn8I3FeQah8NnfexTGpXD3kjKzJ3CNJUIF7VTadf6xw8ayh/ccs3VSiES4Y3wR9lz5bWdir/UvDh7S0xaA26eeDBxMm5CrtoccXhuoL/8S0Qs+wXmTyTNL2HxPunT91DBFvWcOtWyz+Akqczp+GkgjOG97Y6i/zA+gb0iNS+9dGwQtPOx1MbNqHwC2hEzC12I2u6UrCWKI1DMNf0mq73jZQ5enNL106ybcKFxBNri7/Bp0aKVk16UKDYEdOqP47pnVffoQTARF0LwrSaa2A8OWHVRNhM/pe8UeJhh4OspJ+U1Djh0ytrkcnmiqQjXF8L/wN2ApRWsWRbNg8M1927CemnZcusDw6wbskbuAeEPbPcaTioBaIEEPxMzA8x6pIMlsv3024uK1VBK6wT2NAMOuXCQpFCDtkPgVO4+CJDK9XpPhD6yTZA4NdjTM3hzzn2L0odbOC54w0hsncpDkq1trJLAZJpB6KnKZciTEJ8RKtMab20h7z1N0utBGc6G961894j47pkO4J5YbVKejeAboDbpQ1l0VVUbuU=
xnko6q0l.bikeim.com.	86400	IN	CNAME	bikeim.com.
xnko6q0l.bikeim.com.	86400	IN	RRSIG	CNAME 8 3 86400 20150222180705 20150125180705 54945 bikeim.com. ExHcrruxDZRYr/It6czWivk8xl9d/Je02rPWeJTCLQwToidTixMA+q6u9NsKW7Tj8xp0Q1mRXdXxzQtxX9/zha/sYhLmwwMfhm8HgIBtb949oF0jZdGjjWMgFEc/2YrvoUUGb+DGm2//26iycuyJEzIgHUacLAB1xHEnkrrAFt2HewtlG3n/N8ly+1Dc+fpuuprAJddVpyNO+YWB9sLfvZUdLIVN2fZRNYmsLwdsIrpqPZD3Ir9BFns3TlULu1Xdk7gdHq7/Q0kMPADwy8pNHxAOdRTLbC2bKw/86+DsKwGNbfIEqvuof3u743niQDiXpcsshC8F5ZRJwD/cAtEArBeNFyQTghH4LLcWhz0fmNtkci9qDAM3Ljbmz2k0o/PIplVYlesv12OTsX4mGVkemN4ssUvAWQ00dwqBWX8yfo0J0ZgNw2dJjF4rqJk97JlBXtrCM2EdOM3g2X4P6/4bJa2X+8I3oJeeLHV42Am+KsNZbcifQI6jap2rrKmPYpjeO0jRIwV5VzmwFMEvICCYkvUhvXMaipZiX/AAl2E4pH8TxE/c6zZK/28hPChHdu3aphe4seGPAE3jPtsWgNIwqT39pTUZcssUoT0+xMNazIfLvry0bo0VrGHbQSX1Mir2mcLige5jovvc6j45I/UgchOUHHt3xUglfhF9Z+EqMQE=
j9uhf4t9u2ph12q9a3kfrjn6inflamd5.bikeim.com.	3601	IN	NSEC3	1 0 10 b17e19c0ffee7eafff  javaf499auko4mrgvkhhj16u8htrqujp CNAME RRSIG 
j9uhf4t9u2ph12q9a3kfrjn6inflamd5.bikeim.com.	3601	IN	RRSIG	NSEC3 8 3 3601 20150222180705 20150125180705 54945 bikeim.com. gFS71eAno5QCNmLCPftHD870SetbNHg+0QogGMFdanrD4xhSwV7X7ZM5Gp4Fz2lj+PYiIodpttmeITRG0uzv+MY2z3i42cMnaMmi88QyDQUsrTkafkmdlermDhBrg9XwOMobWfzGEbKZLR+F0htGEWKEEUXPKiuZSsadNrceENAHW+To1GZ0lAdarH7P6GPSqz0OiGKuikLoWBsEohZO1hokVM9hvc++uG3wAlDt9Fp9rNHo2Dh4r2Thp2U1llqfcFXEK0h66qfp38sAXVsKB/qwsOTUvoK8gY6bw2k+31cAZiWHWyZNlrq8kEsvE2tmY3c4d0YOmrB1aG6HWw3Mz1dGQr1NACydOQJrZGRT/7sWUiMsWOsoGtizxMMwNpjlbI7nUABgvWwrgzAOTIiaRlSUZbAWnCYZpAwNsyc+B5TPPZZQvozD+UZnwzhE0/2DMvSbjr0aTPaAMSzoUN/MoH2UoFxfkPvbvwv5n7XY3YBRiaL0w6lvDpmmRi8dpb0X7deEeS28EHhLvl0VuhfTk8ngrjp9PqRjjMj+CJ3YWiZCHXyHXspG0d5Hddo+caObbgiqIuveCaSeqGz4RdatLQVbW/DyyuYfJvflVPa+UylLflMWCOHsZwYNbso2Pz1qKH5VoQlNnR9MtZdbdfxm1vs/bof+OVVMcgiiE63MNjc=

# Sign bikeim.com with a no salt and no iterations.
ldns-signzone -n -a 1 -t 0 -s '' bikeim.com.zone Kbikeim.com.+008+54945

# Verify the output
cat bikeim.com.zone.signed
bikeim.com.     3600    IN      SOA     dns1.registrar-servers.com. hostmaster.registrar-servers.com. 2014090300 3600 1801 604800 3601
bikeim.com.     3600    IN      RRSIG   SOA 8 2 3600 20150222180854 20150125180854 54945 bikeim.com. itDHqs1WnPewIgTUxP9yqfoYd5rvcGXiBo212rOq6ivTeYK/v9c+mTIYQSKtFO3KBQyuBkR0bxZijDErgSnnloYacoQwd7tANs48rHGZ4crK33d8XSoy/+qCKLaulYUjPdoSbsRJDa9DV2vlnYpU4btrRZbSr6iCurs4BJNLQnEVjhSw41HyBUIL7zHnrnorD9Sn3u9XF7D1obf+wBkeA0ENaT6eG1TY1C5whcyISnxHDn4gX0rjNoV5KQ+Ea3Tnl+yIzV9rxOJ6lwyU5godlBwENkwUlKxKrfBSre0zoi05j+8AJI1wD3mAgWuQdl5sRqZt02mlP5hP9AZex4URLXECpaWvC4iWU0hbK/LU5WryKWTSjNFjmLh9mVIenimI1tFxdupEanfgBS+KVhGJNXI9+oDUiQb5PwUsCIO8lD/QPygGhszyDk6p2N3c5E/fBO14lsDE/Pl9SrG91e+PTy2W+4c2xguVZAkzsu5Mu/QsUjaTRX0zlRAdImfFoPFVnndUIj3Hq616tq/rbeCJvRh/hjOZGgGDxjAXykyoU3SRdhX/ZYpfHj4h1TKA/WKnOEBko4S6kbFjwwDe7u6DL/dhWVYIRIphGIfS8UCTWb8RmCwuQtzDRYJ8F+cmUd/KIFjeQvqoUJRPXuwv04grH9iSmUhmArB+KPGcYPOxUbI=
bikeim.com.     86400   IN      A       216.218.134.11
bikeim.com.     86400   IN      RRSIG   A 8 2 86400 20150222180854 20150125180854 54945 bikeim.com. KqzW38UkAvhUj1U1PVdqckaFIHta1a3BLcmX8LD4mxAVsoRn4OSMbn0Z4TAPc7UfXrNol75w4kz9DS4DsFcQ6jQm7KOPqfDJKSer8/5ZW3S1lIVOLzqXYcVQGynci7ddwsZtkLLpdwXcCRMogpIbvNyO5uXVabxmccoIycMe7NiNDwqh12yFl2+V2AdMHbjq+b8wrWf+bbC+88bGIYA/hA5Yxm4Gox1/NrDgiDjv5TlgI6MOv6E5+HPn4iauqRa/3QUi9KZJPoF49DMAGqRBirk7VHcdNLgDYdE/cnHyUboofq/J/1qCkBKvylfRaPJ7I7Tx8D2uwjY192FkQnomGV8lMPYypxEgvfGDdrVn0nfQh1aZ4AmvXPXPhIEtKtbym4j7X9wdKBcE0TzKop2mPihVNuE40o7jfXfeFlkUAOYAjV4hD8p7TYkBrzjcMFrATQP+rz8QGmmzk8wH65maRGr53Cxwp1EIk7U0FVQSlYGR56h/uJ35xC4WvyrAdllo/qxRWarfvUnORbhzCYyjLrAqsb2X8CFhmtmxneA1JGdEMr+lTuEz3RxoKF7VKvHoA8PP+TaID75qR64OW4mt42At1h9K7njf4kGm5x9GDwLCHwayKFrlcveQZ+O9owdSNoGJlSdIC5/4O4dP/epGj3qUqy+cnPshvs5jq5OlDcw=
bikeim.com.     259200  IN      NS      a.ns.bikeim.com.
bikeim.com.     259200  IN      NS      b.ns.bikeim.com.
bikeim.com.     259200  IN      RRSIG   NS 8 2 259200 20150222180854 20150125180854 54945 bikeim.com. OWmSVyiawMpcJWakpOlpGRPH0Dv2luRpscLG3J37rSEn4WNUncN5nJgy8PMbX6eWc0cG5mSRXBcKlwszJxBKNyeq1dOPHEaZV6836CtnI2wTw5LS8Ail5F+fPkuGgypDmxE+xhrTrOD0KNZ5kfWW+NGLURar0hVo0CBcXZFgqxvNd0g+xchyjLDh+E+0UyQXp9QmozoRBg6QbioqZRB1XgsKQp4T/Dksw2zb2tbAUYjab6nhNDpuets84tmqLvghJAs5s99BFqeb+DKRZvdBWRY6EAvri4iQO1mcVbE6JxzjDd2Bia38O8m22WeTMx2LR80IZWCHEI2Yve4/YRM4k3mTENgiPOfqa5P4raK0bfaLPvuidKfq/9O093hoDGaSQpAsNaIz/KqutzdQSr5FfEJyhItJXELhrAyv38pk9iCKA5/NXYi/rycwlLSXNJ/obMNn+sMiUsW5qwEUIeT9udTyjC0kjfP6AmkxWxAo5zqwe8ORyk+25h79bwHyD6VRzssPWTL3/TEdSCCU5B0Zc/RsAB+J6c2JufCUcmgrF5uMhwHjpfiWUnhcggu21hIYDrqTfNzXkeVV3Pfo5ACu2asnLpYi/sKoOiFs0ID231kLZ9uYK+y9+Zhw0BTfQMecMoRPD/P6h+ctBDDj+y2Dvt8v6b17acAYZb1iy2B5j3c=
bikeim.com.     3600    IN      DNSKEY  256 3 8 AwEAAeNVhvRP3IT79YuJCUOfGm7PyUNZoLmiiuP/oGqkNlF8/9TVoaHPsix6aemFtCvMofLXZ2aBPovXKB0KyVxZ+F2QJHUuVIKOFL5dBe2EbVXkljJRV6M/rbWiPr4RpVNzhNijUHGulAeIJpaZdvEiCrO11hUIHw6v1m46OVgan7zge8ReOdSWVOS/4buQGXech2EXpCQXNPu+SVoOrIkipt3ZYgrzOEY+Qik0+bBoGcHf5YyTvUDQAHTw0/T97T/UIg4u10YnUK/O0QanBfsL1/7OxYoBaseZiuIv7YckGw9P2bSRkgOZvRT7Tm7nAszwvSjN2SawLZ2xd2xg28iwDysVkBA3oZ1q+aqfYo75imB1SEPguzJsonOBIZ8t26NPw3zRahmUGEucQUA2m7RO0ADDNAYBchrTwcOjRSBivd9btI/mC0QhzfhvmkIO4StBKSZdXTa2QM6JcCxk8ZAM4H/mGMEg5tHmJ0C0+fpUEBiFsrWa6PA4wV07JWAsIMX52rUWEVSwe0hN3WBxNAJ11wlzFCFhoYR0h5n1Cc8EHV6aFQ8zcmTF43lx9PtNPrUkYaVWH42Gwsc+tA/HWXbA0o4XdETJDZdVUyyX8OUv3cMBPONbIAZsvOO9DYjg783LaRI0FvISNxudDMzCUzajKvtgXHO4zI36UM67cnbVr1Qh ;{id = 54945 (zsk), size = 4096b}
bikeim.com.     3600    IN      RRSIG   DNSKEY 8 2 3600 20150222180854 20150125180854 54945 bikeim.com. j96agUDZwaWnifj+NxnhXoE3Gt2xkRWsefZvvbWzeJZU4si9RhtBt6KUDHwYrLedMCOfXhXd6OGllRy6kBFoZfGbYyCoZI98o4lEc+fpDq/dDbpzMF288Al71BRrqFtaTchkWxZMpGEiRbk+PKcrw3y8v5PF9x5XWbnXmH+vAMzvkFo7Fz4VxatUlogo7kAdqcRqkseJdg3nG01BYI/5XJYw9ix9CsRFWleQDnKMzTm5zzJdzga8AXyBViOE5Pg+OzfnrYKZvLMP3tUSce3AR+97w00fdi/6FOpTadhMCoS+8sUOwkROAimfk3fL5ZFpbiH5F42kLviiDvBpYaEAafBWn0AXSYpfka5LKoV2/ISSef3gAlJwnve4nEsJ0U4iU/i3x4h0fF12HKQTU/SH359DdjQxYfxItsvP0Vw7nKGU4buR2mkBaInEXdXf6OLVLI95IFVWmFyNuttd4pLVJ9dB0lQiNxl9rflfIT0KCOVwGQ+x3z5n7yTYr0kH5Vx1rmwQNUOYlcAvJef5H5cUBagW5lue3fY/BcdP+jwLfP1jaajeLgToURgDKkq0/htOqhw6sHup8Bvrcs5Oo6+4jnQv+ed/vexzjCuK806DDIGHy1KuesnAMk9qYLlpqaS7KME8OuoZuOByPpyUFkeXJf16M5bJ2TT8SFmpm3qOaLs=
bikeim.com.     3600    IN      NSEC3PARAM      1 0 0 - 
bikeim.com.     3600    IN      RRSIG   NSEC3PARAM 8 2 3600 20150222180854 20150125180854 54945 bikeim.com. DQ/TYF81t/xmUA2BubeOP4aheFiiKi59rKkzm53Kpr3lKkxgldoP/DrzEwNbNqMW89v0aNJPu3HE60Lc+kLZCLEQRBu1JM8nlbI0il+VDYHEmsOT1dY+9b99DEjjYwbIPDch1uZxZgaqaA7mDuuGGrX03Gpe4mpgVRyroae1jGQN6Jfc/um0L5cPdB30L3U/rYeHA+cTbsTlob6dlNIvE5UTdGkl9SX2zfIbetbpCY/g/ga4eS10g0mEiO/mi4DfKD/fRKXfN+xmN/Tmsjs4uf9LVnF4mPimCEra/JQd3jGUoGmIPlgArZIvv7SPaMDXBzhvB0OYZB7coUF+SytvYdAwdsU31Q7tLvrC083AYD8gT1yhRGZfZ2S9nCdPE/UhV6OCYrFVruJJ6VgMJJmr1365xMK9vAotLCrPI07Gj8hMMdx6D6Qlk8J5xTFNKtq3vFwjBeEtFg57LgN65tR6MH9IBUh9mJv/yXebrfgKx+hdLmM2JEuK8c3f/MI9QA8860mY/nsMqykapJ301o+I70jNTb6y5I010sS+QxUh8Eoiw0QZgBpolJ5ubmUHR4bjFpSICmY48oMyZoYQ+F+vZ9g8ear9wQ8MjDeSjotNAJW/mcuwH3K56nmWqK695ki0Njh82m4m7Z3+GibQ4w13gbHfxdcOcfZdaVkkeRENn8E=
dljtttutt6c755amh5fajnufb9l4gtmn.bikeim.com.    3601    IN      NSEC3   1 0 0 -  javac662pltpq3a0rchu1gfk1tkshv7g A NS SOA RRSIG DNSKEY NSEC3PARAM 
dljtttutt6c755amh5fajnufb9l4gtmn.bikeim.com.    3601    IN      RRSIG   NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. Mbgu8oHg07B7CfL0Hp4apn1qLAPYXCmXQ7VrzXVjPue0YSa11eOcgwYETspmEyeCSPmJH5z66GJYcsp2IDGAlfTk7ojPGmi0irWJXkvzFIk73I9EAdDlvtkicLhIqaepiZ8OsyCUPs1Karg6pG1z6RHMGRoxkn7RowBOSEpoI9I19JkQLd9a8onCEr4VxHkP9/x8sNR2tnqQU1t/SHGa5t1c2Th1e+cLtZ++wm8COU8WGyfe6ffGIRSEIncGqcvbVX+k3NTV4UBqBNIKlIep0g+C3Pu9UFFSGvndDB4qOGlF9ivB/g4GTrg/H/FoIo9K624GYxbYJfXc3JuMZM2WYZOTlq+fUYAg22BZllumwEyIvY7vJbIzvrza5p38+XP5HSDkxC4VJ4NSe0u54Lb7NrAweC+alrhItY1yFKXf/5fpZDgB+lYfmShB8sVe51PF+oJzpvnhFiUeh7hw1gGyOll1eJ0oyO/CuV6EEELoXd/XWvYO2jSi/x6vNkao8kRllo8zxXkuOslmLjLwCYyDW0wd60jHqRDFio+T+921HV0pEaWWRkW6Nh8cI2I8fjrAEeOX4QtAbUPuML3Oq5uTcpUYdhE0+eVlJykPq56Gn/JJAZOvd2CQLe40V82EB/3qD5NR1rW14LW6MQGD8kU0mwAZa1qh1fsmPC+cFlK5jEU=
c1s5nhr1.bikeim.com.    86400   IN      CNAME   bikeim.com.
c1s5nhr1.bikeim.com.    86400   IN      RRSIG   CNAME 8 3 86400 20150222180854 20150125180854 54945 bikeim.com. k/1v8Bqurunj6TEUZO87+fPdCxDnhaN2pQJDyFFSWfiqu9CVesHcNMMcZGi21r5Mms2ENApwFcLwVGlQYHAwBI4cqsAGjEPSJw+NIDeikweueXlnJXFgbtko94uRlH28Gdbr4jCBqS0o77U7H3fb9scAGPvyVnzUnts1o2P9zTzRgWRC7OOoBRI31nv5zgI+LXMC6geqTXJ34DxY3JXf1RScCzww0MM1QMxQDQH3Re2LQ0cNqZAGJ/RYOZS59/udhxj7/Y8emaeWWsMOoBjum/CVnWAwntdHnQBzU1emIdIATAl579kKFJBz3CZ/k6D0pU07AwzZ/sSsiSV/bFaY64PWH/uRxGoVZ3UfdNXFV4vc5KORTFC4scr8K1CJOEoJmbLBd2rmsdB97Ja5SeAKN4nsPhQQNYCoRYfOo2Wix1GsGykckPM/cgYcerS1/t78zuJDU/2BddDxKANYXS5wO3UnLuU3ykkb727+8oNpzjE5jx2T9slrzYht9rMji+ZpAImHnXUOUDfsuBEt6YduoEKHi037iUs9uKGGUwg7m4OA4EG/TqifdOx6SQQKNJ9g8TlQrEvd2FTzcsmIac2g3mVYBOqZxNQ0FKU4vgIgE+368ylazU5Z+KqaR+IlhbRS/oWMFC9rd+fw/oMd9H5ggbqB0pxWy1UZjTc9HTTlmY0=
7fv7r7h5pft3vmc25vrj67ujhu9mo0kb.bikeim.com.    3601    IN      NSEC3   1 0 0 -  cbnoih4n9np5sdtstdksr5kkihr5cngj CNAME RRSIG 
7fv7r7h5pft3vmc25vrj67ujhu9mo0kb.bikeim.com.    3601    IN      RRSIG   NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. KO5zf5om525aEfeXD4izaPhgUb9t8aW1pR7G1GWPNu57DfA/cVFEvOTH9pN3Qux1R1fNFuMjTLciz26LVATjY9zMP5kfrmYxS2XqmeiMRWLtboMfwhSkWV4F/ZNJsNAhboE+TUMLwXJoXQlp5e7HblJW2GG8urMvZf55M4YBuGCQc7qIFJBZlerkwNNY17RSbMeVMNPhK7BVkDwnXqYWGygv7KGmrQSRellyH6hhJ2xrO3IZk0byGOgNs6Jydg6y/1Sgd1KVjcp1Hs5NGSMwfzsO0UtWewQdxKdVsv1f+xAXsippa58J6g4M3lB48ca/A1kAdkN0JTLEO7il+Fhd2zQX3TYA3tofiGOJXo3uyqz/wI0RciFBoQ1xr6Ia5sSdJzJi923mj4xGBPNRtKCVcYaJ2OrVlPRuAy21sqlT7IZgexPBxOAsIQqKo/8vf7u4vkU+Uz/zj2Gerc+he5VF+qF5Lr3ylRIHKuNxX4TUZhM/yCRAeX95AFsukNB89rOMK9d49K8JGZMs+hXrhRai9eqe/LwgZNLsLlWXfF6XF9kmfmQsChu8sO4ykKHN/eRdIo0bBJoEeZYgnDvNo/14wIzbyD8DGzT1fDbkrRZ79B19zzOfJ/N5wRKjmOD/BY/U9ByBrQ11BnH1AVKVjMrrGPoBXnAB6pB10Eq5/OYU2F0=
ou6p4t72g0nh79k09vj48a3pfrqt549s.bikeim.com.    3601    IN      NSEC3   1 0 0 -  78b7lhj4niip8shv86vjca8qacb1c89t
ou6p4t72g0nh79k09vj48a3pfrqt549s.bikeim.com.    3601    IN      RRSIG   NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. FHYsFKEO9l6sgZwKlbYSdKTUB3Q3SRsvOy2VhfWR+ZJ9SXhMuIBB7l0DcXC+5t9VBIQR0VCVTGvvzDMBI4x9Xlb3O/ny2oAJHCCDqyKvMKA5dtF6XA/iJ+QY6QgZYnYWonaHF9dkKHGR9T7tddqyQaU4DziQGCBGBmapIloIAqM5fGPbGOvS2DD216HVLt8fUuII6zoaQACebvgxE4118o7bXX524q8vjSdBzRpxNq7rzFMwv0TNzgNaC6aPvoKKJBU/6bJ7te1iOtIIKtSa5CqKZ+8k9o+D0wdF0sAJpBd6m3FUjb3LlozUEsWAhLNu8TyL2JvVsnpicqcyb3F4lk+bdG9EByoN074ve+KXHBRdf7qXKT3jtPJX3+yOhSd/D4UaXOvFFXFRwU2riIZ8PForPIxprobRxIYTjY5IADV2HwE6FJToMPuGQiQOgSB9YClVbyuK7tf4RNQMF53PbSB9q9RbkQXtJqlBFS8W5cCIhqxDkhrvGq8SmtXF5qs5bwj7q+pGb7AjmzTSVWtz+JzT5rZzHNEDbxUJKjcwZeO9qFor5yTq97xNwvHakpMlXSiOVzSndXhF8kaPfxNuayMuprZyFlM0y6kXIs97I+8cUansTgay2pI52U9NA42M05sD1paQjnWRFyW7umN4p1V2aW0mRlWLbQhSZ4x0sZY=
a.ns.bikeim.com.        259200  IN      A       216.218.134.11
a.ns.bikeim.com.        259200  IN      RRSIG   A 8 4 259200 20150222180854 20150125180854 54945 bikeim.com. tpN24eE3yTSPVq1kaegFeT1TQx15rrh+tFQ0Tu+C5zOeHFw/M1UwZ7ZS61Zge0riWgrEVhwoSf7lJ1brOT5+sWd4sWaGoWQaa2PN6hg029BcdCn++s7eSjoDDdh6en1eBHeQjkPB0pksNTDe+3uK3y5U30MVlJcFtQgIcdmkoN+BBUaf+RKDFf6AnuO0sBsBexinV4dBd2dw9SBNF+WAzJnyQiwj5gtHFwhKN6zjKqHK2uQKWTjGVq7WdqvXWvgFWbBGlntMBDaX1PTmeeOHsHxF7v+fNkazEP+/n6kpLpI4zFzJPsw6QR7ASsyybQ3iIvgI4YyobKruiQp3W9MxpldikCwqFoquyrS7df87d9W7HybKTAnZwkTdlLZeIjZLx2Yooi5RCkkiQovTRtpEwQtPUTjVcK5zD+TpqNZqWSi5huFRSCva05gZ0pU6zvke4FtxJnX+06zKqwWAEtqkZI3doMF3iIdqvGmfe2QflJEeUE1m7qrmg8ok6yxMLI87VDC++0+9I+CBf6doDf1ckixYIYyEpdqOQNA2mUW7ew7byPyNT8/o4zn6SN/IBjPMB6agOEXUokXh7669cOd+7q4psYClyHv/OreFp2SRld+b3fgsVeblEJqGWJXRsO3VsQPT5jrgBcHmUoBL158X8ap9EJZb9qhXeub5uh7AXF8=
78b7lhj4niip8shv86vjca8qacb1c89t.bikeim.com.    3601    IN      NSEC3   1 0 0 -  7fv7r7h5pft3vmc25vrj67ujhu9mo0kb A RRSIG 
78b7lhj4niip8shv86vjca8qacb1c89t.bikeim.com.    3601    IN      RRSIG   NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. LxkTqWL6um2NCs1aufvsBk4qBWZgvY4sHlTTyHmY3bz0vf5ztgp7KD2Hfo+03DU+uEGThyQRKiU03aWsiXUyW3Zc8Ed3LN8rrfF8ZPKQNe61/npr9W/D3ni7/T9p1nUeD+ZB4Yz2OH6hlHuxRh8OTZSyI/lu2+UqKM5A+EIIj1Cyqg7NMQ/IcY7pTBILYc/Bsx6GHcQqHXXq59LiOAenrAD2uGFQ/C6QIX2Bfh86JNWr0Z4YsR6wGqK8K54n20t5KehQXWVbcyAw/r2Mfn1b9dWJIvhNfV1VL9MkyuNF9ckl2+eKUuYbWJ0pRxmd0A+vvAnHXQv7ElI3g43MJ7B3Z4MC6sc3s0/NZXXcLBDLP02RLpZ1e6++udllBhmSOAO3ExHLaJLa1k+lBE48ylyHz86yH0OzveE7W0KhRi1V2KXsDgALSIC52O87BLPVi46yqHgvHacXbSDC4NfXqieForbaWcb1amNSiK15a+/i/meESiLQ1Nn6LtutZuHC+xC4Ke9HWPO+UgM+BV/P2qa2mZlRX7QOascARKWeimMu/5SBE/e+MMtWwmy9LXNP+2KWs5NdOMlvaZxyOPy+YBkbnUN7pdPFKks/L088wDi7729UiPgApr+kf5yA9nnTnZ04VwhtHJdjjesIkLUoVP1FDdtA3rJ1qdVvK1E6tOWnJKk=
b.ns.bikeim.com.        259200  IN      A       50.132.7.141
b.ns.bikeim.com.        259200  IN      RRSIG   A 8 4 259200 20150222180854 20150125180854 54945 bikeim.com. Fab14ERK4A5Sx6iBLj08MJivNemuVdpeiEOASxeFZAzV5lFrzfIV3cO4kJUFkzcwRtM/8AubwGOd9HOFt8wsc32oe5tBOpR8uWpycm4sdIH31AoXzMVHPwUEUiN/ENk6hUsQ6Nn914CW3nem5rjdtueXSy5pNSsTlP5Q4CSKiUKcsnnbZzD91bCHIl0LMqpodWt75qSuH3jGjmclyxluzOnj4tHkWK1acTIyZKbY1LsHkKOsjVmioWBZWQta+AptHYAIrp3Y6gq7p09VxElVmEZ4j5K+W7pxxJ6yyhe3DhrDwm3q57dRCg+aHg0ph3ao2bJQ5+6VxF+/gnfxifIwl0PEWImqo+xfVECWzuHDrD3HO64dQRLoeMMUWnupJ/7F2gz2Wc4sb0Yi8dci7LKTPFzQfJ8292g64sfCtTM6ZKcKfjVQtxqbvNzO8U6fYbfEYht4bchxEMu0g84D2Gi9gC5Cn8fgd3J72GVL/f6aZ/M4tWm+kG9tGiBzOxUObscx6QTMI7qX6zfdQmbPttCUJ5rkmdLWh0CRT+Wb6W6IiAbZl435f+oZmPrwniqy0mRGcjhgodO6BLHRSnbShA75HCr9nBne9aHdYQFybvPR88cnXKDTSIRg4iJGaBA37vdGy0gctz/RQDQec4Bc5YxlphWesGhBv0cWI7W7g8IG1og=
cbnoih4n9np5sdtstdksr5kkihr5cngj.bikeim.com.    3601    IN      NSEC3   1 0 0 -  dljtttutt6c755amh5fajnufb9l4gtmn A RRSIG 
cbnoih4n9np5sdtstdksr5kkihr5cngj.bikeim.com.    3601    IN      RRSIG   NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. grAGPhm61YTaqYrNmnbYoMQjqKcpgtPEOwstD9pdl2KxgVNnIyhLzn3PFMz/wTLgsni08T9ma5r3yFRccFC5nH2R6ZU16r2uA6GDaDrosw5XmJiJP1Vo+mX/yrZJ/WclHznlbXIcosXV1YEoImlOuYXj5kXi+rSZjzOPIuz/Vw2NQ1eB00xWyf/s9B9wmujJnReYyEp3DhSovYlk52ZdYWgU2C3FKp2+LE9GfeDR3gaN/j/mQ9cI4CxpX+Tdf0OjjE99ZC1SCadpQxGoGLGFQwWi17xUgGcagcHEqoxlDABEi/NgdKEtFqCMvQ78CIyLNED4X3/jbdp2GfUx5fGburv3unzyQbX5iCWeflvNQ4J4ytISWydWWdUJugKnWD6rQZnDP8rfFrCXyXkh++mcQ3A5nrGftrI02aguUKEESDhVD2DWCpsFmczShefvpUmMu5TXAR1IhnDMlucwAdqFSha9nQUEgq0k1Rf0/7UuH5pPDEUeHPCpNcZllTQ3lPv6PFHjgcp/YN1QuXWFlV+X7ci+Yz+0FzcW8eerwQSwwmlRVp9txH17WEjb/jtxU62PwpZWUMZvspM0xN7LPaBKEs6ZdXgqmSURK9yAy9temT/Uy9L7b/rwFQbIDdF4G6ag8Kq47HczIDeUJnx7oIaXZhOcth2ChBYYR2FnrcaJ8Ps=
xnko6q0l.bikeim.com.    86400   IN      CNAME   bikeim.com.
xnko6q0l.bikeim.com.    86400   IN      RRSIG   CNAME 8 3 86400 20150222180854 20150125180854 54945 bikeim.com. NYMZyvlp0W4mLUdt1WiPBGmxAFnCxJsbBohw400ZELs1ifcbCSfEQBb0NNFUfGFgVtq4AEU4/wLhJmTnj4DPbNHOBIFTx7HgZMPnaAf7qdTYVvlq3KuVvUX0DBMtfmyGlNBRPrYPiYeXBpOeSVlFEY/GFlRwYZjtxs4uaC6gyOUZOGquErwAXMq1RIXmUix1C4MzvCqfUO3PJT4hdcbvdWYm4AyWT5KmRqlwwRLtGnVZuMAAfOqtC62O8j6h7liye7p1FW1gEtfvUUBlXF40chnju+AguNGnRgMkyLFi/kfm7sLgw2D0zE86XJgv5M/YMy2kcrNKjic2//dkC0jZtLGNgpB4vCI4x89N3hvlXXqqg/4LSsVCG5kBVpFoFDFY73803ev9BF6CN8tS4JdjUskMxKYhZzSHHk4tY/K7cT/RQ9KkFCoj/ZjCGXFYQFPVhMZEDR3a+ukf6ZYHakg4T09FWPklf0n7b/xijn11/o2+62GE1JvhnGHiM65/fB1924TU9uh7i+4OLwhTEfBCUw3t/SApFteefMk98k8qw7ZGKkN9GzF6hBjVlmAhHrpNdNQgNwOk58XkJDBaXsk3AmCrGvHrsqkqyHJlms6cPGvU8MJbxtv/uJgsxrehZfF3WtIXQpg99gkQe8GPEDomOqz0tPzs7H5w4OzjMgOxXro=
javac662pltpq3a0rchu1gfk1tkshv7g.bikeim.com.    3601    IN      NSEC3   1 0 0 -  ou6p4t72g0nh79k09vj48a3pfrqt549s CNAME RRSIG 
javac662pltpq3a0rchu1gfk1tkshv7g.bikeim.com.    3601    IN      RRSIG   NSEC3 8 3 3601 20150222180854 20150125180854 54945 bikeim.com. Rp68xLMZuhkO6nNaYv+7zCq5tiu2oLEftKGnSJuEYK7ddtRT+nmeBRXYrFjIvfykcWy2p/z4bRHp3Gg6Utgfk0B6ah5Nlu/dVLvHi1eNWDhuWOKElCaJ3tURFKFLPXGjgrNT917YKQUbPdd1AjSuSIejVk5qm5lFjhTnH6DKn9q9yCnBLl+Dv1DvJjcMNTOQUhtRQ9pYtzCduA//8Z0FoOA7cB0O3yizpNSjU8iI7MRL49ZjbkJwtPBojYCdZbokh0RNRvVzv+y7BkAotuCq7vt73rtiyBarsMuE/8KqL54MUbzk5JdQ/xoPpvv5llcHoA3F8wt4RpPVrbxE0aP8CSWN+O87xpnh4ePzI1K5y9qLMu/URtcSoG0TTdGTxjRWm/DiuOt+RiBHR2qNd+vw2TdNy0wPxC/HoI2Ffib6+tk6ADNMZASJbkfIIdb7JuiXkfmXTGXj/IMPj5jGX5PzM1rNzexx9LabjjVCdw1huUoCrCp5VrVOrKqIIw3BHr0ia6qlWGLJ8V8pJKNHGBbgZfckg1xKELmzVccfrGyga3O/9xdrzlp60wLb5slXRWBdb2+tMbcnomUmbwr4Hvvgg2jepUNbtH9GPlC8Qafj7kMH0NtvhHggg5gSJAey2pxWQlWzMJ6M9lIqJ/A1GaYh3AU9od/C28zlCAa97vv/QnU=

Now we're ready to deploy this data onto our DNS server. The only modifications to the DNS server that need to be made are the parsers for RRSIG, DS, and DNSKEY, and responses for DNSSEC requests. That means there's no extra cryptography involved on the DNS server. Nice, huh? The only drawback is that if anyone queries my server, it will divulge all subdomains. To make this fun, I have added two subdomains to my zone which CNAME to bikeim.com. As you can see the subdomains are seemingly random. However, when hashed, the NSEC3 record starts with java. For one, the NSEC3 record with the long salt and 10 iterations hashes to javaf499auko4mrgvkhhj16u8htrqujp. For the other, the NSEC3 record with no salt and 0 iterations hashes to javac662pltpq3a0rchu1gfk1tkshv7g. This isn't by coincidence. I used the following script to generate each:

./randomhashes bikeim.com 10 'b17e19c0ffee7eafff' |grep -e '^[^ ]*bike' -e altsci -e java

./randomhashes bikeim.com 0 '' |grep -e '^[^ ]*bike' -e altsci -e java

The program randomhashes comes with nsec3walker-20101223. It is what is used by unhash to crack NSEC3 records. If you do a query for bikeim.com at this time you won't see the DS, NSEC3, or RRSIG records. That's because my nameserver doesn't support DNSSEC and the only other free nameserver I have access to also doesn't support DNSSEC. Should I spin up a VM to run ISC BIND or Unbound? I won't at this point, but perhaps in the future to demonstrate the process of making a server unintentionally support a form of AXFR through NSEC3 or NSEC. For now, we have hundreds of thousands of other people's servers to test on.

Cracking Hashes

Hashes were originally cracked using nsec3walker's unhash script but after time, I decided that it was too inefficient. I wrote an plugin for John the Ripper and later optimized it for SSE2 (using the MySQL plugin and the Salted SHA1 plugin from John the Ripper) so that an efficient effort could be made to crack as many hashes as possible. Since brute force is much less effective than passphrase cracking on domain names, I wrote a set of passphrase cracking programs (originally in Python, and then ported them to C) to make this possible. Using passphrase cracking, I was able to crack 964903 hashes that were 8 or more characters, which would only be possible using wordlists otherwise. This is a majority of hashes cracked. This is evidence that passphrase cracking should be improved for better NSEC3 hash cracking. Brute force cracking is simply less efficient than passphrase cracking in this case.

One very interesting method found during this project was markov chaining of two popular words together. Unlike John the Ripper's Markov mode, this only chooses words or parts of words which means that cracking speed and efficiency is greatly improved. If you wish to look at the code for this, it is in crack_popular2.sh and crack_*_popular.sh in the script directory. To test crack_popular2.sh, I ran it on .uk. crack_popular2.sh cracked 24481 hashes in 7 minutes. In comparison to the most efficient methods I have, 68667 hashes were cracked in the previous 90 minutes using wordlists, passphrase, and brute force of alpha-numeric up to 6 characters. To save you the math, that's a factor of 4.6 faster on hashes that were not cracked by the previous methods. Of course this is not a fair assessment because brute force up to 6 characters is very inefficient.

An interesting note about cracking, the tlds asia, bz, in, info, me, org, and sc all use the same salt: d399eaab. One might think that a rainbow table could be created, but the problem is that each NSEC3 record hashes the tld along with the rest of the domain, so a rainbow table that used .asia could not be used for .bz. There's no good reason to attempt to create a rainbow table across domains, so the tld acts like its own salt. Therefore there's no harm in sharing the salt between different domains. Sharing the salt for a single domain however allows an attacker to create a rainbow table for an entire domain. For example, a rainbow table could be made for .com that with 99.9% success rate with all possible combinations of alphanumeric and dash up to 8 letters and be stored in only 21 GB. When a new hash is found, an average time to crack it would be minutes rather than hours or days for a brute force attempt. This is especially effective against high iteration hashes like la, by, dk, and cat. Rainbow tables are vulnerable to a rehash of the domain. If a domain decided to change their salt and rehash all their names, the rainbow tables become worthless. Thus a managed risk must be taken when creating rainbow tables for NSEC3 records.

Conclusion

I missed the DNSSEC vulnerability craze back in 2009 despite it being right up my alley (UDP, protocol design flaws, amplification attacks, and cryptography). It turns out that 5 years later, the vulnerabilities have become even more ripe for attack. The reason? Bad design doesn't go away when you shine a light on them. Bad design goes away when it makes the user's lives more miserable than they are willing to tolerate. I think you know what to do. Now that I've released the patch and given you a link to ldns, you can learn about DNSSEC yourself. I have also released the output of the domain names found so far so that you don't need to reproduce my work. There is plenty more work to do in enumerating domain names. The results of this crack makes an excellent wordlist to test against hashes that you currently have and hashes that you obtain. It is time to make DNSSEC users' lives a little less private than they currently are.

Interesting results include comcast.net (they use NSEC for their enormous network), Brazilian domains (see above), Czech domains, .nu domains, universities with thousands of records (stanford.edu, berkeley.edu, mst.edu, psc.edu, nau.edu), cmp.com (a public company with 1200 gateways that trades shares at 448.20 GBp), and of course hpc.mil.

As passphrase crackers improve in efficiency, more and more domain hashes can be cracked. Improvements to nsec3walker's collection algorithm may be possible to ensure that collection doesn't require more CPU power as the number of domains increases to the millions and possibly billions of domains owned by a TLD. It should be noted that energy costs money and that running a computer with 8 cores at 100 watts is costly. Therefore the collection and cracking of domains is not completely free to the attacker. Luckily all the research here was done one a computer that had the dual purpose as a heater (during Seattle's winter) and the electricity cost nothing considering the heat it generated would have otherwise need to be generated with a furnace.

If the work were done in the summer, the work done on my desktop would have cost approximately $26 and the work done on my laptop would have cost approx $2 (running markov 250 on all hashes). While this is trivial for anyone who spends that much on on a RTL-SDR, it is unwise to waste electricity that could be saved and spent in the future.

It has not eluded me that the wordlists found by cracking NSEC3 hashes and walking NSEC records will be worthwhile to future hacking efforts. I have made these wordlists available in the tarball as well as seperately here: NSEC3 and NSEC wordlist. The wordlist is a concatenation of words found using NSEC3 and NSEC walking and cracking containing over 3 million words. If you are able to crack more hashes or walk more NSEC records, please send a link to the results so that the wordlist can be updated. Note that some words in the wordlist are widely considered profane and unfit for human consumption. These were not added by a human on this side but were found in the process of NSEC walking and cracking.

Future work will include:

  • Rainbow tables
    so that precomputation and cheap storage can benefit crackers when new systems come online
  • OpenCL SHA1 cracking in John the Ripper
    So that we don't have to use the closed source oclHashCat
  • Improved user interface
    So that we can include users who just want to make DNSSEC a bit less private
  • Fixing bugs in ldns-walk so that it can finish .co and .bg
  • Fixing collect so that it works on massive domains including parallel cracking and possibly optimized cracking
  • Fixing bugs in collect so some domains don't cause it to never exit looking for a hash that cannot be found.
  • Improved markov chains
    crack_popular2.sh and crack_*_popular.sh in the scripts directory are the start of a markov chain cracking library but could be improved significantly by using better mathematical models for which words will result in the most possible cracked hashes first.
Until improvements are made, you can use the supplied tools, hashes, John the Ripper, and oclHashcat. If you want to use nsec3walker be sure to patch it before using it though since nsec3walker-20101223 has a lot of bugs that make it not work with newer NSEC3 records (such as com and edu).

If you wish to submit results or patches to this project, send an encrypted e-mail to Javantea.

Works Cited

[1] Bernstein, Daniel J. DNS Database Espionage. http://dnscurve.org/espionage2.html
[2] Back, Adam. Hashcash. http://www.hashcash.org/
[3] IANA. DNSSEC Information. https://www.iana.org/dnssec
[4] Internic. Root Zone Directory List. http://www.internic.net/domain/
[5] Carter, Mike. "FBI created fake Seattle Times Web page to nab bomb-threat suspect". http://seattletimes.com/html/localnews/2024888170_fbinewspaper1xml.html
[6] Dark Mail Technical Alliance. Dark Mail Internet Environment Architecture and Specifications. https://darkmail.info/downloads/dark-internet-mail-environment-december-2014.pdf
[7] Louis, Jack. Namedrop. https://github.com/Neg9/namedrop
[8] Heninger, Nadia, et al. FastGCD. https://factorable.net/
[9] Kaminsky, Dan. Phreebird. http://dankaminsky.com/phreebird/

Permalink

Comments: 169

Leave a reply »

 
  • An Onion

    I just moved one of my old projects, nsec3map, to GitHub when I discovered your article and realized that we did very similar research. Some years ago, we enumerated the .ch zone and got about 1.3 million records, out of which we cracked about 1.1 million using just COTS CPUs at the time (we used wordlists generated from Wikipedia articles, among others). I recommend you check out our tool at github.com/anonion0/nsec3map.
    It can also walk through NSEC zones (using A or NSEC queries, trying to avoid nasty loops) and can guess the total size of large NSEC3 chain based on just a few hundred records. It is somewhat parallelized, although I don't know how its performance compares to nsec3walker.
    Cheers

     
     
  • best mountain homes for sale in TN

    Thhis post is worth everyone's attention. How can I find out more?

     
     
  • Glenna

    My partner and I stumbled over here coming from a different website and thought I might
    check things out. I like what I see so now i am
    following you. Look forward to looking into your web page repeatedly.

     
     
  • mountain homes in Dunlap Tennessee for sale

    Howdy this is kinda of off topic but I was wanting to know iif blogs use WYSIWYG editors or
    iif you have to manually code with HTML. I'm starting a blog soon but have no coding knowledge so
    I wanted to get advice from someone with experience.
    Any help would be enormously appreciated!

     
     
  • Javantea

    Dear mountain homes in Dunlap Tennessee for sale,

    WYSIWYG editors are fairly common among the most widely used blogs. Like this comment section, the more custom blogs won't have WYSIWYG editors. Remember that most of the work is writing. If you can write without a lot of spelling mistakes (use the browser's built-in spellchecker), you're in decent shape. Posting an off-topic comment to my blog is almost as difficult as writing your own blog. Then you'd just need to improve your skill a tiny bit and then you too can have the privilege of moderating spam and unwanted comments.

    If you don't have a blog, why did you put a link to one in the optional website input box for the comment form?

    Regards,
    Javantea

     
     
  • Bursting Strength Testing Machine

    Does your blog have a contact page? I'm haing trouble
    locating it but, I'd like to send you an email. I've got some suggestions for your blog you mighht be interested in hearing.

    Either way, great blog and I look forward to seeing it expand over time.

     
     
  • Javantea

    Dear Bursting Strength Testing Machine,

    Yes it does, https://www.altsci.com/gpg.html

    Regards,
    Javantea

     
     
  • Joel

    Hi! Would you mind if I share your blog with my myspace group?
    There's a lot of people that I think would really enjoy your content.
    Please let me know. Thank you

     
     
  • Javantea

    Dear Joel,

    Tell anyone you like about my blog. It's Creative Commons Attribution, so feel free to copy it and make my copyright visible. Please share it with your friendster and hi5 groups as well.

    Regards,
    Javantea

     
     
  • Affiliate Rebirth Review

    It's truly very difficult in this active life to listen news on TV, so I
    jus use world wide web ffor that reason, and take the newest
    information.

     
     
  • click here

    I'm extremely inspired along with your writing talents and
    also with the layout on your weblog. Is this a
    paid subject or did you customize it your self? Anyway stay
    up the excellent high quality writing, it's uncommon to peer a nice blog like this one today..

     
     
  • Rosaline

    I am in fact delighted to read this blog posts which contains
    tons of helpful facts, thanks for providing such data.

     
     
  • Ulysses

    Niice post. I learn something new and chaallenging on blogs I stumbleupon everyday.
    It will always be exciting to read content from other writers and practice a little something
    from their web sites.

     
     
  • Help Writing assignments

    I really love your website.. Excellent colors &
    theme. Did you create this site yourself?
    Please reply back as I'm hoping to create my own personal website
    and want to learn where you got this from or exactly what
    the theme is called. Many thanks!

     
     
  • Javantea

    Dear Help Writing assignments,

    Thank you for the compliment. I only picked the theme among a plethora of good choices. The theme's name is simple organization website template and the theme's author is Arcsin. You can click the link at the bottom of the website where it says "Website template by Arcsin".

    Regards,
    Javantea

     
     
  • Javantea

    Dear click here,

    I aim to please. I wrote this blog myself and did the research with only those projects I cite to guide my efforts. I will endeavor to keep the quality of my published papers increasing as time moves forward.

    Regards,
    Javantea

     
     
  • MCA Strategy Club

    I think the admin of this web site is truly working hard ffor his website, as here every
    data is quality baxed material.

     
     
  • MCA Team Training

    I like the valuable information you provide for your articles.
    I will bookmark your bloog and test again right here regularly.

    I am somewhat sure I will be informed lots of new stuff right here!
    Besst of luck for the following!

     
     
  • captcha solver service

    Hey! I know this is kinda off topic however , I'd figured
    I'd ask. Would you be interested in exchanging links or maybe guest writing a blog post or
    vice-versa? My site goes over a lot of the same subjects as yours and I think we could greatly benefit from each other.
    If you are interested feel free to shoot me an email. I look forward to hearing from you!

    Fantastic blog by the way!

     
     
  • Help Me Do My Assignment In Australia

    Oh my goodness! Amazing article dude! Many thanks, However I am encountering issues with your
    RSS. I don't know why I cannot join it. Is there anyone
    else having the same RSS issues? Anyone who knows the solution can you kindly respond?
    Thanx!!

     
     
  • captcha solvers

    What's up colleagues, its great post concerning teachingand entirely defined, keep it up all
    the time.

     
     
  • Type Beat with Hook

    You actually mae it appear resally easy together with your presentation but I in finding this
    matter to be actually onee thing that I believe I
    would by no means understand. It sort of feels too
    complex and very extensive for me. I am taking a look forward on your subsequent post,
    I will try to get the dangle oof it!

     
     
  • Dance

    Greate article. Keep writing such kind of information oon your
    site. Im really impressed by it.
    Hello there, You've done a fantastic job. I'll certainly digg it and for my part recommend tto my
    friends. I'm confident they'll be benefited from this website.

     
     
  • Jacksonville, Florida

    I've read several good stuff here. Certainly value bookmarking for revisiting.
    I surprise how so much attempt you set to make one of these great informative site.

     
     
  • pussy

    Heya i am for the first time here. I found this board
    and I find It truly useful & it helped me out a lot. I hope to
    give something back and aid others like you helped me.

     
     
  • cheats pokemon go

    Ӏt'ѕ actually a niϲe and helpful piece of informatiоn. I'mhappy tһat you simply shared
    tnis useful ifo with սs. Please keeⲣ uѕ informed ⅼike this.

    Τhank you ffor shаring.

     
     
  • how to induce a sneeze

    I feel this is among the so much vital info for me.
    And i'm happy reading your article. However wanna statement on few
    common issues, The website taste is perfect, the articles is truly great :
    D. Excellent process, cheers

     
     
  • serrurier à paris

    Vous avez un questionnaire de fuite d’eau sur le secteur de Paris 01 et l ile de france ?

    Planete service est une entreprise de chauffagistes qualifiés qui intervient chez vous 24h/24 et 7j/7.

    Villes du 94 dans lesquelles nos electricien se déplacent :
    serrurier Vitry-sur-Seine

    Villes du 95 dans lesquelles nos chauffagiste se déplacent :

    serrurier Cergy

    Villes du 92 dans lesquelles nos vitrier se déplacent :
    plombier Levallois Perret

    Villes du 93 dans lesquelles nos chauffagiste se déplacent :

    volet metalique Aubervilliers

    Villes du 78 dans lesquelles nos electricien se déplacent :

    plombier Mantes-la-Jolie

     
     
  • Javantea

    Dear captcha solver service,

    No. Trading links worked when you could trust people to actually put links somewhere on their website. That isn't true of people who post off-topic on a person's blog.

    Regards,
    Javantea

     
     
  • extreme testosterone

    What's Taking place i am new to this, I stumbled upon this I've discovered It positively useful and it has aided
    me out loads. I am hoping to contribute & help other users likoe its helped me.
    Good job.

     
     
  • Quincy

    If some one eeds to be updated with most recent technologies therefore he must be
    go to see this web site and bbe up to date daily.

     
     
  • recharge alipay wallet

    It's great that you arre getting ideas from this post as well as from our dialogue made
    at this place.

     
     
  • recaptcha breaker

    Everything is very open with a really clear clarification of the challenges.
    It was definitely informative. Your website is very useful.
    Thanks for sharing!

     
     
  • paketo diakopon gia florentia

    I needed to thank you for this good read!! I certainly
    loved every little bit oof it. I have ggot you book-marked to check
    out new stuff you post…

     
     
  • σεξι 50αρεσ

    Veery good article! We are linking to this great content
    on our website. Keep up the good writing.

     
     
  • p203481

    I know this if off topic but I'm looking into starting my own weblog and was curious what all is
    required to get set up? I'm assuming having a blog like yours
    would cost a pretty penny? I'm not very web savvy so I'm not 100% certain. Any tips or advice would be greatly appreciated.

    Many thanks

     
     
  • 2017 acura tlx packages

    Great post.

     
     
  • jewelry software

    It's very trouble-free to find out any topic on web as compared to books, as I found thiis piece of
    writing at this site.

     
     
  • Eddy

    Hello colleagues, its wonderful paragraph regarding educationand fully
    explained, keep it up all the time.

     
     
  • how to increase breast size

    Oh my goodness! Amazing article dude! Thank you so much, However I am
    encountering troubles with your RSS. I don't know the reason why I am unable to subscribe to it.
    Is there anybody having similar RSS problems? Anyone that knows the answer will you kindly respond?
    Thanks!!

     
     
  • details

    WOW just what I was searching for. Came here by searching for cavities

     
     
  • Minneapolis Janitorial Service

    Yes! Finally something about puke.

     
     
  • Luca

    Thanks for any other excellent post. The place else maay anyone get that kin oof information in such a perfect approach off writing?
    I have a presentation next week, and I am on the search for such information.

     
     
  • Rocket League

    Do you have a spam problem on this site; I also am a blogger, and I was wondering your situation; many of us
    have created some nice procedures and we are looking to exchange strategies
    with others, why not shoot me an e-mail if interested.

     
     
  • Heidi

    Aw, this was an ibcredibly nice post. Taking a few minutes
    andd actual effort to generate a superb article… but what can I say… I hesitate a lot
    and don't seem to get nearoy anything done.

     
     
  • Trevor

    Thanks for finally writing about >Enumerating DNSSEC NSEC and NSEC3 Records - AltSci Concepts <Loved it!

     
     
  • Quentin

    After I originally left a comment I seem tto have clicked on the -Notify me when new comments are added-
    checkbox and from now on each time a comment is added I get 4
    emails with the exact same comment. There has to be
    a means yyou can remove me from that service? Many thanks!

     
     
  • Julienne

    Good day! Do you use Twitter? I'd like to follokw you if that would be okay.
    I'm definitely enjoying your blog and look forward to new posts.

     
     
  • Peppa Pig School Bus

    Heya i'm for the first time here. I found this board and I find It truly
    useful & it helped me out a lot. I hope to give something back and help others like you aided me.

     
     
  • kozie

    I used to be recommended this blog by way of my cousin. I'm no longer sure
    whether this publish iss written via him as nobody else understand such distinctive approximately my trouble.
    You are incredible! Thanks!

     
     
  • Edi Mehndi

    I simply could not go away your website prior to suggesting that I really enjoyed the usual information an individual provide for your guests?
    Is gonna be back incessantly to check up on new posts

     
     
  • Tiskarna

    Veery rapidly this web site will be famouss amid all blog viewers, due to it's good posts

     
     
  • Berry

    Pretty nice post. I just stumbled uon your blog and wished to say that I have truly enjoyed
    browsing your blog posts. After all I'll be subscribing to your rss feed and I hope
    you wrote again soon!

     
     
  • mount albert thai massage

    Hey very nice blog!

     
     
  • how to improve my credit score

    If some one needs to be updated with latest technologies then he must be go to see this website and
    be up to date everyday.

     
     
  • how to increase breast size

    I think everything said made a bunch of sense. However,
    what about this? what if you composed a catchier post title?
    I mean, I don't wish to tell you how to run your blog, but suppose you added a title to possibly get folk's attention? I
    mean Enumerating DNSSEC NSEC and NSEC3 Records - AltSci Concepts is kinda plain. You might glance at Yahoo's front page and note how they create news headlines to get viewers to click.
    You might add a related video or a picture or two to grab readers interested about what
    you've written. Just my opinion, it would make your blog a little livelier.

     
     
  • Mini SUV

    I am curious to find out what blog platform you're utilizing?
    I'm experiencing some small security problems with my latest website and I would like to find something more secure.
    Do you have any suggestions?

     
     
  • best security guards in Long Beach, Torrance

    Thanks for any other wonderful post. The place else could anyone get
    that type of info in such a perfect means of writing? I have
    a presentation next week, and I am on the look for
    such info.

     
     
  • does cla work for weight loss

    Please let me know if you're looking for a article author for your weblog.
    You have some really good posts and I feel I would be a good asset.
    If you ever want to take some of tthe load off, I'd love to write some
    articles for your blog in exchange for a link back to
    mine. Please shoot me an email if interested. Cheers!

     
     
  • free websites to watch tv shows

    Its ⅼike yoᥙ rеad my mind! Үou seеm tօo know sօ mᥙch аbout thiѕ, like you wrote the book in іt or sometһing.
    I tthink that yօu cߋuld ddo withh ѕome pics tto drive the message һome a little bіt, bսt
    instеad of tһat, thіѕ iѕ great blog. A fantastic
    гead. І wіll definiteⅼy be back.

     
     
  • cars

    I am extremely impressed with your writing skills as well as with the layout on your weblog.

    Is this a paid theme or did you customize it yourself?

    Either way keep up the nice quality writing, it is
    rare to see a nice blog like this one today.

     
     
  • speed dating events in miami

    Wow, fantastic blog layout! How long hafe you been blogging for?
    you make blogging look easy. The overall look of your
    sote is magnificent, leet alone the content!

     
     
  • Charissa

    I was recommended this website by my cousin. I am not sure whether this post is
    written by him as no one else know such detailed about my difficulty.
    You are amazing! Thanks!

     
     
  • coffee

    Excellent way of describing, and pleasant piece of writing to obtain information concerning my presentation topic, which i am going to deliver in university.

     
     
  • dating back en espanol

    My spouse and I absolutely love your blog and find most
    of your post's to be what precisely I'm looking for.
    Would you offer guest writers to write content for you?
    I wouldn't mind composing a post or elaborating on many of the
    subjects you write with regards to here. Again, awesome blog!

     
     
  • Javantea

    Dear dating back en espanol,

    I would be absolutely thrilled to post your writing on my website so long as it was up to my standards and original -- I don't repost stuff that can be found elsewhere. Send it to me, you know how to contact me.

    Regards,
    Javantea

     
     
  • إعلانات تجارية

    Whats up are using Wordpress for your blog platform? I'm new to the blog world but I'm trying to get started and create my
    own. Do you require any html coding knowledge to make your own blog?
    Any help would be greatly appreciated!

     
     
  • 3540

    I like it whenever people come together and share opinions.
    Great blog, stick with it!

     
     
  • canadian international school singapore

    Nice post. I used to be checking constantly this weblog and I'm impressed!
    Very helpful information specifically the remaining part :) I maintain such info a lot.
    I used to be looking for this certain info for a long time.
    Thanks and best of luck.

     
     
  • 2018 toyota supra

    Having read this I believed it was rather informative.
    I appreciate you spending some time and energy to put this content
    together. I once again find myself personally spending way too much
    time both reading and leaving comments. But so what, it was still worthwhile!

     
     
  • snapchat password

    Keep on working, great job!

     
     
  • Florence

    Howdy just wanted to give yoou a quick heads up. The text in your content seem to be
    running off the screen in Firefox. I'm not sure if this is a format issue or something to
    do wiith browser compatibility but I figured I'd post tto let
    you know. The style and design look great though!
    Hope you get thee problem solved soon. Thanks

     
     
  • Lane

    I loved as much as you'll receive carried out right here.
    The sketch is tasteful, your authored subject matter stylish.

    nonetheless, you command get bought an edginess over
    that you wish be delivering the following.
    unwell unquestionably come further formerly again ass ezactly the same nearly a lot
    often inside case you shield this hike.

     
     
  • coon

    I think that is one of the so much important information for me.
    And i am glad reading your article. However should commentary on some normal issues, The
    site taste is wonderful, the articles is in point of fact nice
    : D. Just right activity, cheers

     
     
  • grawer

    Hello There. I found your blog using msn. This is a really well
    written article. I'll be sure to bookmark it and return to read more of your useful info.
    Thanks for the post. I'll definitely comeback.

     
     
  • csr 2 cheats

    Kеeep thios going pⅼease, great job!

     
     
  • cheap jordan sneakers

    AJ28 constant to the heat, own uncontrolled climaxes display over-priced gas; a whole new
    tinge just about every single score, leeper emperor many more reliable...

     
     
  • Berry

    Hmm is anyone else encountering problems with the images oon this blog loading?
    I'm trying to find out if its a problem on my end or if
    it's the blog. Any responses wkuld be greatly appreciated.

     
     
  • my details

    These are actually great ideas in on the topic of blogging.

    You have touched some good points here. Any way keep up
    wrinting.

     
     
  • Acura TSX

    Pretty element of content. I just stumbled upon your web site and
    in accession capital to say that I acquire in fact loved account your blog posts.
    Any way I'll be subscribing for your augment or even I
    achievement you get right of entry to constantly quickly.

     
     
  • tara vidente denuncias

    astro tv videncia tara vidente denuncias vidente brasileno
    dice que peru ganara la copa america mhoni vidente para
    el amor el vidente nicolas cage mega vidente de verdad 5 euros carmen diaz vidente bilbao vidente amor astrologa vidente rosario montoya vidente sevilla gratis que significa vidente en la biblia karmen pastora vidente vidente en valencia la
    voluntad videncia on line gratis vidente de maria rosa mistica medium vidente gratis vidente marta pena bidente y vidente definicion vidente tarotista iris vidente reinaldo dos santos 2015 mhoni vidente facebook buen vidente barcelona videncia
    gratis milanuncios videncia gratis por whatsapp argentina videncias argentinas anabella vidente gijon videncia real videncia tarot gratis on line vidente famoso venezolano
    vidente gratis telefono fijo videnci como puedo saber si
    soy medium o vidente vida de lucia vidente de fatima vidente muy buena en sevilla cartas tarot videncia videncia natural existe vidente natural 1 pregunta gratis
    luz maria vidente mariana vidente wikipedia
    enciclopedia libre vidente natural on line gratis tarot videncia gratis argentina vidente telefonica
    porque hay gente vidente mhoni vidente real madrid vs barcelona videncia
    gratis por wasap tarot y videncia super economico videncia gratis
    por whatsapp argentina vidente ana de luz primera consulta videncia gratis
    tarot del amor mhoni vidente

     
     
  • gas

    It's a shame you don't have a donate button! I'd most certainly donate to this outstanding blog!
    I suppose for now i'll settle for bookmarking and
    adding your RSS feed to my Google account. I look forward to brand new updates
    and will share this site with my Facebook group. Talk soon!

     
     
  • avs video editor

    Thanks for sharing your thoughts about hacking.
    Regards

     
     
  • visit link

    Ahaa, its pleasant conversation regarding this paragraph at this place
    at this website, I have read all that, so at this time me also commenting at this place.

     
     
  • coffee beans

    Heya i'm foor the primary time here. I came across this board and I find It truly useful & it helped
    me out a lot. I am hoping to offer something back and
    aid others like you helped me.

     
     
  • Offers promotions

    Right here is the right webpage for anybody who really wants to understand this
    topic. You understand so much its almost hard to argue with you (not that I personally will need to…HaHa).
    You definitely put a brand new spin on a topic which has
    been written about for many years. Great stuff, just excellent!

     
     
  • tarot gratuit 1 2 3

    tarot belline iza tarot gratuit 1 2 3 tarot marseillais wikipedia objectif tarot
    signification lame tarot soleil tarot gratuit en ligne immediat tarots cartomancie
    gratuits association justice jugement tarot tirage
    tarot indien tarot le mat et l'empereur marie claire astro tarots apprendre le tarot
    en ligne advanced tarot russell grant le tarot
    gratuit du jour mon avenir tarot objectif tarot windows 10 tirage tarot quotidien diana poignee tarot 3 tarot gratuit oui non immediat tarot kabbalistique hermite arcane tarot tarot amour gratuit iza
    voyance tirage tarot gratuit jeff voyance tarot bohemien tarot egyptien thot
    tarot august 2015 cancer tarot forum carte tarot gratuit du jour objectif tarot jeu en ligne aurelia tarot tarot marie claire amour gratuit
    tirage tarot egyptien femme actuelle tirage
    croix tarot gratuit tarot grimaud marseille orange tarot du soleil joue au tarot tarot
    lenorman tirage tarot amour pour la semaine association soleil jugement tarot interpretation tarot marseille grand tarot
    belline gratuit jouer tarot gratuit tarot gratuit avril 2016 tirage tarots gratuits avenir le grand tarot belline 1966
    avenir facile tarot tirage gratuit reponse matthieu tarot biographie tarot journal tirage
    tarot amour homme tarot 2017

     
     
  • Dumpster Rental 95358

    In brief, taking the steps to go inexperienced can save the setting,
    increase your fame with shoppers, and prevent cash.

     
     
  • ukay ukay haul

    I'm curious to find out what blog system you have been working with?

    I'm experiencing some minor security problems with my
    latest blog and I would like too fid something more risk-free.
    Do you have any solutions?

     
     
  • Quick Heal Total Security 2017

    Hi there, I enjoy reading through your post.
    I wanted to write a little comment to support you.

     
     
  • BNW 5 Series

    Thanks for every other great post. The place else could anybody get that kind of information in such an ideal approach of writing?
    I've a presentation subsequent week, and I'm on the search for such info.

     
     
  • 授乳中 葉酸

    最近母乳の出がわるく、粉ミルクに変更しようと思っているのですが、生後4カ月のベビーが粉ミルクを飲んでくれなくて参っています。
    粉ミルクの温度が低すぎるのか高すぎるのか?
    一昔前は、煮沸した水道水を利用してbabyの粉ミルクを作ることが当たり前でした。
    昨今では、原発問題や水道水から病原性原虫が検出されたニュースなど、水道水のセキュリティにも裏付けが持てなくなりました。
    うちではベビーが生まれる前からウォーターサーバーを使っていましたが、ベビーの粉ミルクを作るために利用するウォーターサーバーはかなりメリットが大きいと感じます。
    粉ミルク作りを安全にして、ママとパパの負担を下げるためにオススメです。

     
     
  • заказать баннер для сайта

    Hey I know this is off topic but I was wondering if
    you knew of any widgets I could add to my blog that automatically tweet my newest twitter updates.
    I've been looking for a plug-in like this for quite some time and was hoping maybe you would
    have some experience with something like this. Please let me know if you run into anything.
    I truly enjoy reading your blog and I look forward to your
    new updates.

     
     
  • home Deco

    I have been surfing online more than three hours today, yet I never found any interesting article like yours.
    It iis preetty worth enough for me. In my opinion, if all webmasters andd bloggers
    made good content as you did, the internet will be a lot more
    useful than ever before.

     
     
  • Basil Supplement

    This blog was... how do I say it? Relevant!! Finally
    I've found something that helped me. Thanks!

     
     
  • blogger marketing

    You can use Google Base for any type of e-commerce website, like
    CafePress, Amazon, eCrater, Zazzle, or your own personal website!

     
     
  • dumpster rental savannah tn

    You can not simply plant bushes within the gardens annually the week of the environment and to worship at that moment as if representing massive impact on individuals and the setting.

     
     
  • grawerowanie

    Thank you for another magnificent post. The place else may
    just anyone get that kind of info in such a perfect means of writing?

    I have a presentation subsequent week, and I'm on the look for such information.

     
     
  • inner gloves for boxing

    Great site you have here.. It's hard to find good quality writing like yours nowadays.
    I honestly appreciate individuals like you! Take care!!

     
     
  • PaulaX

    I see your blog needs some fresh posts. Writing manually takes
    a lot of time, but there is tool for this time consuming
    task, search for; Wrastain's tools for content

     
     
  • good photography

    Quality posts is the key to invite the people to pay a quick visit the web page, that's what this website is providing.

     
     
  • my details

    When I originally commented I clicked the "Notify me when new comments are added" checkbox and now each time a comment is added I get four emails with the same comment.
    Is there any way you can remove people from that service?
    Many thanks!

     
     
  • tanning bed

    Appreciating the time and effort you put into your blog and
    in depth information you provide. It's great to come across a blog every once in a while that isn't the same unwanted
    rehashed material. Great read! I've bookmarked your site and I'm including
    your RSS feeds to my Google account.

     
     
  • post1297968764

    I really like what you guys tend to be up too. This kind of clever work and reporting!

    Keep up the superb works guys I've added you guys to blogroll.

     
     
  • singapore sports school

    What's up, always i used to check website posts here in the early hours in the daylight,
    since i enjoy tto learn more and more.

     
     
  • designer nails

    After checking out a number of the blog articles on your web page, I
    seriously appreciate your way of writing a blog. I book marked it to my
    bookmark website list and will be checking back soon. Please visit my website too
    and let me know your opinion.

     
     
  • Wake me up

    Paragraph writing is also a excitement, if yoou be
    familiar with after that you can write if nott it is complex to
    write.

     
     
  • Julian

    hey there and thank you for your information – I have certainly picked up something new from right here.

    I did however expertise some technical points using this site, since I experienced
    to reload the web site a lot of times previous to I could get it
    to load properly. I had been wondering if your web hosting
    is OK? Not that I'm complaining, but slow loading instances times will
    very frequently affect your placement in google and can damage your
    high-quality score if advertising and marketing with Adwords.
    Anyway I am adding this RSS to my email and could look out for a lot more of your respective fascinating content.

    Ensure that you update this again soon.

     
     
  • idola188 red zone sgp

    Very good blog! Do you have any suggestions for aspiring writers?
    I'm planning to start my own site soon but I'm a little lost on everything.
    Would you propose starting with a free platform like Wordpress or go for a paid option? There are
    so many choices out there that I'm totally overwhelmed ..

    Any suggestions? Cheers!

     
     
  • taeyang white night

    Hey very interesting blog!

     
     
  • hp laser toner

    wonderful put up, very informative. I'm wondering
    why the opposite specialists of this sector don't notice this.
    You must continue your writing. I'm confident, you have a great readers' base
    already!

     
     
  • Ronda

    Would you like to play with Hungry Shark World?

     
     
  • Dwayne

    Wow, awesome weblog layout! Hoow long have you ever been running a blog for?
    you made blogging look easy. The overall look of your web site is excellent, as neatly as the content material!

     
     
  • dumpster Rentals 26288

    Categories include: Energy-Saving Tips, Guides to Conserving Resources (Recycling, Reducing Garbage), Guides to Protecting Your Families' Health (Water Filters / Filtration, Household
    Pests), Travel and Recreation (Buying a Hybrid Car), and more.

     
     
  • восстановление зрения

    Informative article, totally what I wanted to find.

     
     
  • seo article generator

    Having read this I thought it was rather informative.
    I appreciate you taking the time and effort to put this content together.
    I once again find myself spending a lot of
    time both reading and leaving comments. But so what, it was still worthwhile!

     
     
  • Good discount

    This article will assist the internet visitors for creating new blog
    or even a blog from start to end.

     
     
  • musica

    Have you ever considered about including a little bit more than just your
    articles? I mean, what you say is fundamental andd
    everything. Nevertheless imagine if you added some great images or
    videos to give your posts more, "pop"! Your content is excelent but with images and
    videos, this blog could certainly be one oof the
    best in its field. Fantastic blog!

     
     
  • titwank

    I'm very pleased to discover this great site. I want to to thank
    you for your time for this fantastic read!! I definitely liked every bit
    of it and I have you book-marked to check out new information on your website.

     
     
  • help with credit card debt

    Excellent post however , I was wanting to know if you could write
    a litte more on this subject? I'd be very thankful
    if you could elaborate a little bit further.
    Many thanks!

     
     
  • Windows 7 Activator

    You ought to take part in a contest for one of the highest quality blogs on the internet.
    I most certainly will highly recommend this website!

     
     
  • ielts

    Hello this is somewhat of off topic but I was wanting to kmow if blogs use WYSIWYG editors or if you have to manually code with
    HTML. I'm starting a blog soon but have no coding skills so I wanted to get guidance from someone with experience.
    Any help would be enormously appreciated!

     
     
  • ielts listening

    certainly lke your web site but you have to test the spelling on quite a few of your posts.

    Many of them are rife with spelling issues and I find it very bothersome to inform the reality
    then again I'll definitely come again again.

     
     
  • zone relatively

    Hi! I simply wish to offer you a huge thumbs up for your excellent
    info you've got right here on this post. I'll be returning to your website for more soon.

     
     
  • Mr and mrs Leads Colorado Springs

    This paragraph is actually a fastidious one itt helps new internet users, who are wishing for
    blogging.

     
     
  • slot machines

    Thank you for the auspicious writeup. It if truth be
    told used to be a leisure account it. Look complicated to more delivered agreeable from
    you! By the way, how could we communicate?

     
     
  • Ali

    I am genuinely pleased to glance at this website posts which includes tons of useful data, thanks for providing these kinds of information.

     
     
  • Ford Bronco Interior

    What's up colleagues, its great piece of writing on the topic of educationand
    completely explained, keep it up all the time.

     
     
  • Hip-Hop DJs

    It's actually a cool and helpful piece of info. I'm happy
    that you just shared this useful information with us.
    Please stay us informed like this. Thanks for sharing.

     
     
  • thiết bị điện An Nguyên

    Hi! I just wanted to ask if you ever have any problems with hackers?
    My last blog (wordpress) was hacked and I ended up losing several weeks of hard work due to no data backup.
    Do you have any methods to prevent hackers?

     
     
  • заказать ядро сайта

    Excellent post. I was checking continuously this weblog and I'm inspired!
    Extremely helpful info particularly the final phase :) I
    handle such information a lot. I was looking for this certain information for a long time.
    Thank you and best of luck.

     
     
  • 产品

    We create events with impact.

     
     
  • check

    First of all I want to say awesome blog! I had a quick question in which I'd like to ask if you don't mind.

    I was interested to find out how you center yourself and clear your mind prior to writing.
    I've had trouble clearing my mind in getting my thoughts out.
    I truly do enjoy writing however it just seems like the first 10 to 15 minutes tend to be lost just trying to figure out
    how to begin. Any suggestions or tips? Kudos!

     
     
  • identyfikatory lubin

    It's a shame you don't have a donate button! I'd most certainly donate to this fantastic blog!
    I suppose for now i'll settle for bookmarking and adding your RSS
    feed to my Google account. I look forward to brand new
    updates and will share this website with
    my Facebook group. Talk soon!

     
     
  • pomoc informatyczna

    This paragraph provides clear idea for the new people of blogging, that actually how to do blogging
    and site-building.

     
     
  • NoraX

    I see your website needs some fresh content. Writing manually takes a lot of time, but there is tool for this time consuming task, search for; Wrastain's tools for
    content

     
     
  • dumpsterator

    Having previously defined how the modern landfill is constructed to contain and isolate its contents from the atmosphere into
    perpetuity most people never think about the contents of a landfill.

     
     
  • cout installation chauffage electrique Lyon

    I feel that is among the so much vital information for me.

    And i'm happy reading your article. However want to statement on some common things, The website style
    is ideal, the articles is really excellent : D. Just right job,
    cheers

     
     
  • Coupons

    It's the best time to make a few plans for the long run and it's time to be happy.
    I've learn this publish and if I may just I desire to recommend
    you some interesting issues or suggestions. Perhaps you can write next
    articles regarding this article. I want to read more things approximately it!

     
     
  • RosieTwews

    Hello friends!
    I am an official representative of private company which deals with all kinds of written work (essay, coursework, dissertation, presentation, report, etc) in short time.
    We are ready to offer a free accomplishment of written work hoping for further cooperation and honest feedback about our service.
    This offer has limited quantities!!!
    Details on our website: >>> top-essay.work

     
     
  • link

    My brother suggested I might like this website. He was totally right.
    This post actually made my day. You can not imagine simply how
    much time I had spent for this info! Thanks!

     
     
  • Australian Law Society

    Hi there! This blog post couldn't be written much better! Reading through this article reminds me
    of my previous roommate! He continually kept preaching about this.
    I'll forward this post to him. Fairly certain he's going to
    have a great read. Thanks for sharing!

     
     
  • tabliczki znamionowe lubin

    Great article.

     
     
  • Debt Consolidation australia

    I know this if off topic but I'm looking into starting my own blog and was curious what all is
    needed to get setup? I'm assuming having a blog like yours
    would cost a pretty penny? I'm not very web smart
    so I'm not 100% certain. Any suggestions or advice would be
    greatly appreciated. Kudos

     
     
  • marketing

    Please let me know if you're looking for a writer for
    your site. You have some really great articles and I feel I
    would be a good asset. If you ever want to take some of
    the load off, I'd really like to write some articles for your blog in exchange for a
    link back to mine. Please shoot me an email if interested.

    Kudos!

     
     
  • wypożyczalnia samochodów luksusowych

    For most up-to-date news you have to pay a quick visit world-wide-web and on world-wide-web I
    found this web page as a most excellent web page for mpst up-to-date updates.

     
     
  • cablage va et vient 3 interrupteurs Lyon 7

    I do not know if it's just me or if perhaps everybody else experiencing issues with your website.

    It appears as if some of the written text on your posts are
    running off the screen. Can somebody else please comment and let me know if this is happening to them as well?

    This might be a issue with my internet browser because
    I've had this happen before. Kudos

     
     
  • grawerowanie skory lubin

    Wonderful blog! I found it while surfing around on Yahoo News.
    Do you have any suggestions on how to get listed in Yahoo News?
    I've been trying for a while but I never seem to get
    there! Thanks

     
     
  • webdesign antwerp

    Greetings! Very helpful advice within this post! It is the
    little changes that will make the biggest changes.
    Thanks a lot for sharing!

     
     
  • pr agency

    Hello, I think your blog might be having browser compatibility issues.
    When I look at your website in Chrome, it looks fine but when opening
    in Internet Explorer, it has some overlapping. I just wanted to
    give you a quick heads up! Other then that, excellent blog!

     
     
  • best thing for stretch marks

    Just want to say your article is as amazing. The clarity in your
    post is just excellent and i can assume you are an expert on this subject.
    Well with your permission allow me to grab your feed to keep up to date with forthcoming post.
    Thanks a million and please continue the gratifying
    work.

     
     
  • best blogger site 2015

    Everyone loves what you guys tend to be up too.
    This kind of clever work and reporting! Keep up the fantastic works guys I've incorporated you guys to
    blogroll.

     
     
  • link

    My partner and I stumbled over here from a different website and thought
    I should check things out. I like what I see so now i'm following you.
    Look forward to exploring your web page for a second time.

     
     
  • serwis komputerowy

    Its such as you learn my thoughts! You seem to grasp a lot approximately this, such as you
    wrote the e book in it or something. I believe that you just could do with some p.c.
    to drive the message house a bit, but other than that, that is great blog.
    A great read. I'll definitely be back.

     
     
  • cablage electrique maison Lyon 5

    Today, I went to the beach front with my children. I found
    a sea shell and gave it to my 4 year old daughter and said "You can hear the ocean if you put this to your ear." She
    placed the shell to her ear and screamed.

    There was a hermit crab inside and it pinched her
    ear. She never wants to go back! LoL I know this is totally off topic but I had to tell someone!

     
     
  • oil tank hopatcong, nj

    Wow, this post is pleasant, my younger sister is analyzing these things,
    thus I am going to convey her.

     
     
  • Jack armstrongs paintings

    Oh my goodness! Incredible article dude!
    Many thanks, However I am going through problems with your RSS.

    I don't understand the reason why I cannot join it. Is
    there anybody else having identical RSS issues? Anyone who knows the answer will you kindly
    respond? Thanx!!

     
     
  • website laten maken

    Pretty! This has been an extremely wonderful article. Thank you for providing
    this info.

     
     
  • water park

    Hello, the whole thing is going sound here and ofcourse every one is sharing data, that's in fact good, keep up writing.

     
     
  • ASK ME ANYTHING

    Magnificent goods from you, man. I've understand your stuff
    previous to and you are just too fantastic. I actually like what you have acquired here, really like
    what you are stating and the way in which you say it. You make it entertaining
    and you still take care of to keep it smart. I can't wait to read much
    more from you. This is actually a wonderful site.

     
     
  • υγιεινη διατροφη διαιτα

    Hello, yeah this piece of writing is in fact pleasant and I ave learned lot of things from it concerning
    blogging. thanks.

     
     
  • private beachfront villa fiji

    Thiis information is priceless. How can I find out
    more?

     
     
  • 3μηνη ασφαλιση online Insurance Market

    Article writing is also a excitement, if you be familiar with
    afterward you can write or else it is complex to write.

     
     
  • Phoebe

    Wow, incredible blog layout! How long have you been blogging for?
    you make blogging look easy. The overall look of your site is fantastic, let alone the content!

     
     
  • Android

    Link exchange is nothing else but it iis just placing the other person's blog link on your page at proper place
    and other person will also do similar in support of
    you.

     
     
  • pink punching bag

    Excellent post. I was checking continuously this blog and I am impressed!
    Very useful information specially the last part :) I care
    for such information a lot. I was seeking this particular information for a very
    long time. Thank you and best of luck.

     
     
  • etsy

    A fascinating discussion is definitely worth comment.
    There's no doubt that that you ought to publish more on this issue, it might
    not be a taboo subject but generally folks don't discuss
    such subjects. To the next! Best wishes!!

     
     
  • Marketing digital Madureira

    Wow that was strange. I just wrote an very long comment but after I clicked submit my comment didn't show up.

    Grrrr... well I'm not writing all that over again. Anyhow, just wanted to say great blog!

     
     
  • Maricruz

    I'll right away snatch yor rss feed as I can not to find your emsil subscription link
    or e-newsletter service. Do you have any? Kindly allkow mee recognise so that I maay just
    subscribe. Thanks.

     
     
  • Leave a Reply
    Your gravatar
    Your Name