Re: [dane] Please help to remediate broken DNSSEC hosting

"Marco Davids (SIDN)" <marco.davids@sidn.nl> Thu, 20 November 2014 08:29 UTC

Return-Path: <Marco.Davids@sidn.nl>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 4C71C1A00CD for <dane@ietfa.amsl.com>; Thu, 20 Nov 2014 00:29:09 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.5
X-Spam-Level:
X-Spam-Status: No, score=-0.5 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HELO_EQ_NL=0.55, HOST_EQ_NL=1.545, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 1S8f8Y7UZ5mD for <dane@ietfa.amsl.com>; Thu, 20 Nov 2014 00:29:07 -0800 (PST)
Received: from arn2-kamx.sidn.nl (kamx.sidn.nl [IPv6:2a00:d78:0:147:94:198:152:69]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 113621A00C5 for <dane@ietf.org>; Thu, 20 Nov 2014 00:29:06 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; d=sidn.nl; s=sidn_nl; c=relaxed/relaxed; h=message-id:date:from:user-agent:mime-version:to:subject:references:in-reply-to:content-type:x-originating-ip; bh=G+ht2kmxJRWYOnOyFofrStU8jWOs1ZUWgM5FOflnVa4=; b=UUKMZXIvZMElo3zMbBfZVEjN0zYRWFSvRryUkDrB5GLxoL+lAhbREKDUARPslWZGCFuvypcCgws7AHyYxP2l6yMZWxTuSto5YMpu3qmMG+3TwSBXx4t1o4LHI3bGRhF9ULw4q9+2RM4Tnpk9z35xha8pBl1KUw52VGhYnTougnY=
Received: from kahubcasn01.SIDN.local ([192.168.2.73]) by arn2-kamx.sidn.nl with ESMTP id sAK8T3Vo003460-sAK8T3Vq003460 (version=TLSv1.0 cipher=AES256-SHA bits=256 verify=CAFAIL) for <dane@ietf.org>; Thu, 20 Nov 2014 09:29:03 +0100
Received: from rndhost215.sidn.nl (94.198.152.215) by kahubcasn01.SIDN.local (192.168.2.77) with Microsoft SMTP Server (TLS) id 14.3.174.1; Thu, 20 Nov 2014 09:29:02 +0100
Message-ID: <546DA64E.4010900@sidn.nl>
Date: Thu, 20 Nov 2014 09:29:02 +0100
From: "Marco Davids (SIDN)" <marco.davids@sidn.nl>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:35.0) Gecko/20100101 Thunderbird/35.0a2
MIME-Version: 1.0
To: dane@ietf.org
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141120062942.GL13179@mournblade.imrryr.org> <20141120073445.GM13179@mournblade.imrryr.org>
In-Reply-To: <20141120073445.GM13179@mournblade.imrryr.org>
Content-Type: multipart/signed; protocol="application/pkcs7-signature"; micalg="sha1"; boundary="------------ms070209010003030405030602"
X-Originating-IP: [94.198.152.215]
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/CPbtJPc0oW3VzArkERe9RQlBihI
Subject: Re: [dane] Please help to remediate broken DNSSEC hosting
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 08:29:09 -0000

Hi,

At SIDN (registry for .nl) we are aware of these problems and we are in
touch with the registrars involved.

In particular TransIP is a bit of a challenge, because they run their
own DNS software and feel no rush to fix this issue. But rest assured
that we will keep on trying to have them improve things.

--
Marco



On 20/11/14 08:34, Viktor Dukhovni wrote:
> On Thu, Nov 20, 2014 at 06:29:42AM +0000, Viktor Dukhovni wrote:
> 
>> A number of large DNS hosting providers have enabled DNSSEC support,
>> but are using nameserver software that is not compatible with the
>> specification with respect to authenticated denial of existence.
> 
> Note, by far the bulk of the problem is with transip. From their
> website:
> 
>     https://www.transip.co.uk/domain-name/transdns/
> 
>     DNSSEC
> 
>     TransDNS is the foundation of our DNSSEC implementation, a DNS
>     protocol security extension. Signing more than 500.000 domain
>     names with DNSSEC was a challenge we gladly accepted. Because
>     of TransDNS we were one of the first domain providers in The
>     Netherlands that signed all our domain names. We are now the
>     largest DNSSEC provider in the world. We could not have done
>     this with third-party solutions. That is the reason why we
>     develop everything in-house.
> 
> Perhaps they have more problems that show up in interop tests
> because they indeed signed so many more domains than anyone else.
> In any case, they would be a good place to start remediation.
> 
> If anyone has contacts there and can reach out that would be great.
>
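The interoperability problem Viktor refers to is authenticated denial of existence: when a signed zone has no data for a query, the server must return NSEC (or NSEC3) records that a validator can check against the RFC 4034/4035 rules, and an answer that is missing the wildcard proof or returns an NSEC that does not actually cover the name is rejected. The following is an added example (not code from this thread, from SIDN, or from any of the providers named) implementing the NSEC-only version of that check over a constructed example.com. zone, so an operator can see what a validator requires of a negative answer. Record names, the zone contents and the NSEC helper functions are all assumptions made for this illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class NSEC:
    """One NSEC record: owner name, 'next domain name' field and type bitmap."""
    owner: str
    next_name: str
    types: frozenset


def canonical_labels(name):
    """Labels of a DNS name, lowercased and ordered root-first, because RFC 4034
    section 6.1 compares names right-to-left, one label at a time."""
    name = name.rstrip(".").lower()
    return [] if not name else [l.encode("ascii") for l in reversed(name.split("."))]


def labels_to_name(labels):
    """Inverse of canonical_labels: rebuild an absolute name (root is '.')."""
    return ".".join(l.decode("ascii") for l in reversed(labels)) + "."


def canonical_cmp(a, b):
    """-1, 0 or 1 in RFC 4034 canonical ordering; a name sorts before its descendants."""
    la, lb = canonical_labels(a), canonical_labels(b)
    for x, y in zip(la, lb):
        if x != y:
            return -1 if x < y else 1
    return (len(la) > len(lb)) - (len(la) < len(lb))


def nsec_covers(rr, qname):
    """True if qname lies strictly between owner and next. The last NSEC of a zone
    points back to the apex, so that interval wraps around."""
    if canonical_cmp(rr.owner, qname) == 0 or canonical_cmp(rr.next_name, qname) == 0:
        return False  # the name exists; this is never an NXDOMAIN proof
    if canonical_cmp(rr.owner, rr.next_name) < 0:
        return canonical_cmp(rr.owner, qname) < 0 and canonical_cmp(qname, rr.next_name) < 0
    return canonical_cmp(rr.owner, qname) < 0 or canonical_cmp(qname, rr.next_name) < 0


def is_ancestor_or_equal(anc, name):
    la, ln = canonical_labels(anc), canonical_labels(name)
    return ln[:len(la)] == la


def closest_encloser(qname, rr):
    """Longest ancestor of qname that provably exists, derived from the covering NSEC."""
    ql = canonical_labels(qname)
    for i in range(len(ql), -1, -1):
        cand = labels_to_name(ql[:i])
        if is_ancestor_or_equal(cand, rr.owner) or is_ancestor_or_equal(cand, rr.next_name):
            return cand
    return "."


def proves_nxdomain(nsecs, qname):
    """RFC 4035 section 5.4: NXDOMAIN needs an NSEC covering qname AND an NSEC
    covering the wildcard at qname's closest encloser."""
    for rr in nsecs:
        if not nsec_covers(rr, qname):
            continue
        ce = closest_encloser(qname, rr)
        if canonical_cmp(ce, qname) == 0:
            return False  # qname is an empty non-terminal: it exists, so this is NODATA
        wildcard = "*." + ce
        if any(nsec_covers(w, wildcard) for w in nsecs):
            return True
    return False


def proves_nodata(nsecs, qname, qtype):
    """NODATA: an NSEC owned by qname whose type bitmap lacks qtype."""
    for rr in nsecs:
        if canonical_cmp(rr.owner, qname) == 0:
            return qtype.upper() not in rr.types
    return False


# Constructed NSEC chain for a hypothetical example.com. zone (not real data).
ZONE = [
    NSEC("example.com.", "alpha.example.com.", frozenset({"SOA", "NS", "DNSKEY", "NSEC", "RRSIG"})),
    NSEC("alpha.example.com.", "mail.example.com.", frozenset({"A", "NSEC", "RRSIG"})),
    NSEC("mail.example.com.", "www.example.com.", frozenset({"A", "MX", "NSEC", "RRSIG"})),
    NSEC("www.example.com.", "example.com.", frozenset({"A", "AAAA", "NSEC", "RRSIG"})),
]

if __name__ == "__main__":
    print("full proof:", proves_nxdomain(ZONE, "nope.example.com."))
    # A server that returns only the NSEC covering the name, no wildcard proof:
    print("missing wildcard proof:", proves_nxdomain([ZONE[2]], "nope.example.com."))
    print("NODATA for mail AAAA:", proves_nodata(ZONE, "mail.example.com.", "AAAA"))
```

Two things worth noting about the check: the wildcard proof is the step most often dropped by non-compliant servers, and a validating resolver that does not receive it returns SERVFAIL for the whole name rather than a clean NXDOMAIN, which is why these failures surface as outages of signed domains rather than as a warning. NSEC3 zones apply the same logic to hashed owner names, with the additional closest-encloser and next-closer proofs.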