Re: [dane] Please help to remediate broken DNSSEC hosting

"Marco Davids (SIDN)" <> Thu, 20 November 2014 08:29 UTC



At SIDN (registry for .nl) we are aware of these problems and we are in
touch with the registrars involved.

In particular, TransIP is a bit of a challenge, because they run their
own DNS software and feel no rush to fix this issue. But rest assured
that we will keep on trying to have them improve things.


On 20/11/14 08:34, Viktor Dukhovni wrote:
> On Thu, Nov 20, 2014 at 06:29:42AM +0000, Viktor Dukhovni wrote:
>> A number of large DNS hosting providers have enabled DNSSEC support,
>> but are using nameserver software that is not compatible with the
>> specification with respect to authenticated denial of existence.
> Note, by far the bulk of the problem is with TransIP. From their
> website:
>     DNSSEC
>     TransDNS is the foundation of our DNSSEC implementation, a DNS
>     protocol security extension. Signing more than 500.000 domain
>     names with DNSSEC was a challenge we gladly accepted. Because
>     of TransDNS we were one of the first domain providers in The
>     Netherlands that signed all our domain names. We are now the
>     largest DNSSEC provider in the world. We could not have done
>     this with third-party solutions. That is the reason why we
>     develop everything in-house.
> Perhaps they have more problems that show up in interop tests
> because they indeed signed so many more domains than anyone else.
> In any case, they would be a good place to start remediation.
> If anyone has contacts there and can reach out that would be great.