Question re prevention of enumeration with DNSSEC (NSEC3, etc.)

John McCormac jmcc at
Thu May 12 12:52:59 UTC 2022

On 12/05/2022 11:16, Masataka Ohta wrote:
> John McCormac wrote:
>>> There are various ways, such as crawling the web, to enumerate
>>> domain names.
>> That is not an efficient method.
> Not a problem for large companies or botnet. So, only
> small legal players suffer from hiding zone information.

Agree on the effects on smaller legal players.

A domain name does not always have to have a website. This means that 
some domain names may have no presence on the Web unless they are 
mentioned on a site or in e-mail. With the increased automation of 
webhosting control panels, undeveloped domain names may be automatically 
parked on the webhoster's or registrar's holding page.

> You misunderstand my statement. Domain names not offering
> HTTP service can also be collected by web crawling.

Perhaps if there are lists of new registrations published or the domain 
names are reregistrations that had been previously deleted. Some might 
be detected if they have reverse DNS set up for the domain name. DNS 
traffic could be another source. Other than those cases, I am not sure 
about web crawling detecting domain names without HTTP service.

> Google can also use gmail to collect domain names used by
> sent or received e-mails.

Or even Google Analytics but that may have legal issues over privacy.

>> But there is a problem with that because of all the FUD about websites 
>> linking to "bad" websites that had been pushed in the media a few 
>> years ago.
> Is your concern privacy of "bad" websites?

No. The problem is that search engines and other crawlers that detect new 
websites by crawling links from others are at a disadvantage because 
websites are less likely to link to others due to search engine 
optimisation. The decline of web directories has also had an effect. It 
becomes increasingly difficult for newer players without the resources 
of Google or Microsoft to compete at detecting new websites, typically 
ccTLD, when they have no inbound links from other websites.

>> Another factor that is often missed is the renewal rate of domain names.
> That's not a problem related to enumeration of domain names.

It is when millions of (gTLD and ccTLD) domain names per month are 
deleted. Even after a run of enumerating domain names in a zone, some of 
those domain names will have been deleted before the process is 
completed. Enumerating domain names is very much a continual process 
rather than a one-off process. The set of domain names in a zone is 
rarely a static one. An enumerated zone is a snapshot of that zone at a 
particular time. It becomes increasingly unreliable.

>> A lot of personal data such as e-mail addresses, phone numbers and 
>> even postal addresses have been removed from gTLD records because of 
>> the fear of GDPR.
> As I have been saying, the problem, *if* *any*, is whois. So?

There are multiple issues. The redaction of WHOIS data has made dealing 
with fraudulent/malware/phishing sites more difficult. It can also cause 
problems for registrants who have registered their domain name through a 
reseller that has disappeared.

Spammers using WHOIS data from new registrations to target registrants 
has declined somewhat since 2018. The redaction of data from the WHOIS 
is not a one-size-fits-all solution. This is why ICANN is moving towards 
RDAP and a more controlled access to registrant data.

>> The zones change. New domain names are registered and domain names are 
>> deleted. For many TLDs, the old WHOIS model of registrant name, e-mail 
>> and phone number no longer exists. And there are also WHOIS privacy 
>> services which have obscured ownership.
> As I wrote:
> : Moreover, because making ownership information of lands and
> : domain names publicly available promotes public welfare
> : and domain name owners approve publication of such
> : information in advance, there shouldn't be any concern
> : of privacy breach forbidden by local law of DE.
> that is not a healthy movement.

There has been some discussion about using a Natural Person or Legal 
Person field in gTLD WHOIS records with the Legal Person (effectively a 
business or company) having more information published. There are 
multiple jurisdictions and some have different protections for data. 
Some registrars and registries allow registrants to publish ownership 
details but others do not. With gTLDs, there is a central organisation 
(ICANN). With ccTLDs, each ccTLD registry is almost unique (a few 
registries also run IDN versions of ccTLDs in addition to their main 
ccTLD) and subject to the local laws of its country. GDPR has caused a 
lot of problems inside and outside of the EU.

John McCormac  *  e-mail: jmcc at
MC2            *  web:
22 Viewmount   *  Domain Registrations Statistics
Waterford      *  Domnomics - the business of domain names
Ireland        *
IE             *  Skype:


More information about the NANOG mailing list