Re: [dane] [Uta] NEWSFLASH: DANE TLSA records published for web.de!
"Peter van Dijk" <peter.van.dijk@powerdns.com> Fri, 29 April 2016 20:23 UTC
From: Peter van Dijk <peter.van.dijk@powerdns.com>
To: dane@ietf.org
Date: Fri, 29 Apr 2016 22:22:59 +0200
Message-ID: <E1A3EA56-039A-4C30-9035-28AEAF4820AE@powerdns.com>
In-Reply-To: <572204B1.5030401@switch.ch>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/NbxsUtrC0fNgi43H9d0SQXkjloQ>
I’ve spoken to web.de/1und1 and they are aware of the weirdness they put in there. I trust they will rectify it soon.

Kind regards,
-- 
Peter van Dijk
PowerDNS.COM BV - https://www.powerdns.com/

On 28 Apr 2016, at 14:40, Daniel Stirnimann wrote:

> Seems to be a typo and their signer (PowerDNS) correctly ignored it and
> used the correct value of 1.
>
> Daniel
>
> On 28.04.16 12:11, Daniel Stirnimann wrote:
>> The NSEC3 record contains the hash algorithm type 1
>>
>> 4c82sp2ag0m9hm9lfkb6d141t4qclui8.gmx.ch. 556 IN NSEC3 1 0 350 - 5AEHEF49CLPKJ5CHHRCND7VKKM7MKMJ4 CNAME RRSIG
>>
>> So, it's only the NSEC3PARAM Hash Algorithm which confuses me.
>>
>> Daniel
>>
>> On 28.04.16 11:45, Daniel Stirnimann wrote:
>>> Hello
>>>
>>> I noticed that web.de uses an NSEC3 Hash Algorithm Type 8.
>>>
>>> But 8 is not assigned:
>>> http://www.iana.org/assignments/dnssec-nsec3-parameters/dnssec-nsec3-parameters.xhtml#dnssec-nsec3-parameters-3
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> web.de NSEC3PARAM +noall +answer
>>> ;; global options: +cmd
>>> web.de. 600 IN NSEC3PARAM 8 0 333 -
>>>
>>> ; <<>> DiG 9.8.3-P1 <<>> gmx.ch NSEC3PARAM +noall +answer
>>> ;; global options: +cmd
>>> gmx.ch. 600 IN NSEC3PARAM 8 0 350 -
>>>
>>> On a related note, I'm also confused why the browser plugin from
>>> https://www.dnssec-validator.cz/ does not recognize that gmx.ch is
>>> DNSSEC signed. It works for web.de though!
>>>
>>> Any idea?
>>>
>>> Daniel
>>>
>>> On 25.04.16 05:48, Viktor Dukhovni wrote:
>>>> On Fri, Apr 22, 2016 at 04:28:51PM +0000, Gumprich, Mario wrote:
>>>>
>>>>> We from Unitymedia have enabled DANE outbound a couple of months
>>>>> ago.
>>>>
>>>> Thanks for the update.
>>>>
>>>>> Today’s list of DANE inbound enabled domains / MX-IPs extracted
>>>>> from logs.
>>>>> mail.lux01.de[194.117.254.21]
>>>>> ...
>>>>> uhura.unitymedia.de[80.69.97.11]
>>>>>
>>>>> Pretty cool, the list grows from month to month.
>>>>
>>>> Do you ever run into any of the domains whose TLSA records are
>>>> incorrect, or whose DNS servers fail authenticated denial of
>>>> existence? In other words, is there any mail you bounce because
>>>> of DANE that you might otherwise have delivered?
>>>>
>>>> Today's stats are:
>>>>
>>>> ~280000 DNSSEC domains that could have an MX host with TLSA RRs.
>>>>   15097 domains with valid TLSA RRs
>>>>     245 of those have 1+ MX hosts sans TLSA RRs (partial deployment)
>>>>     227 domains with DNSSEC problems when doing TLSA lookups
>>>>      56 domains with TLSA records that don't match the cert
>>>>
>>>> Given that the problem domains are rather few, perhaps you've never
>>>> run into them?
>>>>
>>>> Of the ~15k, 56 domains have at some point in the last ~2
>>>> years appeared in the Google email transparency report dataset.
>>>> Of these 30 are in the most recent report:
>>>>
>>>> gmx.at
>>>> conjur.com.br
>>>> registro.br
>>>> gmx.ch
>>>> gmx.com
>>>> mail.com
>>>> bayern.de
>>>> bund.de
>>>> gmx.de
>>>> jpberlin.de
>>>> lrz.de
>>>> posteo.de
>>>> ruhr-uni-bochum.de
>>>> tum.de
>>>> unitymedia.de
>>>> web.de
>>>> octopuce.fr
>>>> comcast.net
>>>> dd24.net
>>>> gmx.net
>>>> t-2.net
>>>> xs4all.net
>>>> xs4all.nl
>>>> debian.org
>>>> freebsd.org
>>>> gentoo.org
>>>> ietf.org
>>>> openssl.org
>>>> samba.org
>>>> torproject.org
>>>>
>>>> I'm still waiting for icann.org to show up on the list, and ideally
>>>> a few prominent ".edu" domains that have gone to all the trouble
>>>> of deploying DNSSEC, but have not yet published SMTP TLSA records.
>>>> The ones from Gmail's transparency report would be:
>>>>
>>>> berkeley.edu
>>>> fhsu.edu
>>>> iastate.edu
>>>> indiana.edu
>>>> iu.edu
>>>> iupui.edu
>>>> nau.edu
>>>> stanford.edu
>>>> temple.edu
>>>> ucdavis.edu
>>>> ucr.edu
>>>> uiowa.edu
>>>> umbc.edu
>>>> yale.edu
>>>>
>>>> None of these have made the leap as yet. It is possible, though
>>>> not very likely, that some departments have; I only scan domains
>>>> directly delegated from public suffixes.
>>>>
>>>> A substantial outlier with problem TLSA records is ".br". The
>>>> registry/sole-registrar provides a web interface for adding TLSA
>>>> records, but no API for keeping them up to date. As a result, a
>>>> large fraction of ".br" domains with TLSA RRs have invalid records,
>>>> or related issues. Many don't promptly/ever act on email notices
>>>> (at least in English). It may be wise to not enable DANE for ".br"
>>>> domains.
>>>>
>>>> .BR TLSA records don't match reality:
>>>>
>>>> allispdv.com.br
>>>> bebidaliberada.com.br
>>>> giantit.com.br
>>>> idsys.com.br
>>>> lojabrum.com.br
>>>> netlig.com.br
>>>> prodnsbr.com.br
>>>> simplesestudio.com.br
>>>> solucoesglobais.com.br
>>>> ticketmt.com.br
>>>> twsolutions.net.br
>>>>
>>>> .BR DNSSEC lookup problems:
>>>>
>>>> bb.b.br
>>>> dpf.gov.br
>>>> pf.gov.br
>>>> justicaeleitoral.jus.br
>>>> tre-al.jus.br
>>>> tre-ce.jus.br
>>>> tre-ma.jus.br
>>>> tre-mg.jus.br
>>>> tre-ms.jus.br
>>>> tre-mt.jus.br
>>>> tre-pa.jus.br
>>>> tre-pb.jus.br
>>>> tre-pe.jus.br
>>>> tre-pi.jus.br
>>>> tre-pr.jus.br
>>>> tre-rn.jus.br
>>>> tre-rr.jus.br
>>>> tre-sp.jus.br
>>>> m3ganet.net.br
>>>>
>>>
>>> _______________________________________________
>>> dane mailing list
>>> dane@ietf.org
>>> https://www.ietf.org/mailman/listinfo/dane
>>>
>>
>
> --
> SWITCH
> Daniel Stirnimann, SWITCH-CERT
> Werdstrasse 2, P.O. Box, 8021 Zurich, Switzerland
> phone +41 44 268 15 15, direct +41 44 268 16 24
> daniel.stirnimann@switch.ch, http://www.switch.ch
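The NSEC3PARAM/NSEC3 disagreement Daniel found by eye can be checked mechanically. The script below is an added example, not code from the thread or from PowerDNS: it parses NSEC3PARAM and NSEC3 records in `dig` presentation format (the three records quoted above are embedded as sample input), flags a hash algorithm that is absent from the IANA NSEC3 hash algorithm registry (where only 1 = SHA-1 is assigned), and reports when a zone's NSEC3PARAM parameters disagree with the NSEC3 chain actually served. The `Nsec3Params`, `parse_rr` and `check` names are this example's own.

```python
from dataclasses import dataclass

# IANA NSEC3 hash algorithm registry: 0 reserved, 1 = SHA-1, all else unassigned.
NSEC3_HASH_ALGS = {1: "SHA-1"}

# The three records quoted in the thread, embedded as constructed sample input.
SAMPLE_RRS = [
    "web.de. 600 IN NSEC3PARAM 8 0 333 -",
    "gmx.ch. 600 IN NSEC3PARAM 8 0 350 -",
    "4c82sp2ag0m9hm9lfkb6d141t4qclui8.gmx.ch. 556 IN NSEC3 1 0 350 - "
    "5AEHEF49CLPKJ5CHHRCND7VKKM7MKMJ4 CNAME RRSIG",
]

@dataclass
class Nsec3Params:
    owner: str
    rrtype: str       # "NSEC3PARAM" or "NSEC3"
    hash_alg: int
    flags: int
    iterations: int
    salt: str         # "-" means an empty salt

def parse_rr(line: str) -> Nsec3Params:
    """Parse one presentation-format NSEC3 or NSEC3PARAM line as printed by dig."""
    fields = line.split()
    for i, tok in enumerate(fields):
        if tok in ("NSEC3", "NSEC3PARAM"):
            rdata = fields[i + 1:]   # hash-alg flags iterations salt [...]
            if len(rdata) < 4:
                raise ValueError(f"truncated RDATA: {line!r}")
            return Nsec3Params(fields[0], tok, int(rdata[0]),
                               int(rdata[1]), int(rdata[2]), rdata[3])
    raise ValueError(f"not an NSEC3/NSEC3PARAM record: {line!r}")

def check(param: Nsec3Params, nsec3: Nsec3Params) -> list[str]:
    """Problems found for a zone's NSEC3PARAM and one NSEC3 RR from that zone."""
    problems = []
    for rr in (param, nsec3):
        if rr.hash_alg not in NSEC3_HASH_ALGS:
            problems.append(f"{rr.owner} {rr.rrtype}: hash algorithm {rr.hash_alg} is not assigned by IANA")
    if param.flags != 0:  # RFC 5155 s4.1.2: NSEC3PARAM flags MUST be zero
        problems.append(f"{param.owner} NSEC3PARAM: flags {param.flags} != 0")
    a = (param.hash_alg, param.iterations, param.salt)
    b = (nsec3.hash_alg, nsec3.iterations, nsec3.salt)
    if a != b:  # the served chain does not use the parameters the zone advertises
        problems.append(f"{param.owner}: NSEC3PARAM {a} disagrees with NSEC3 {b}")
    return problems

if __name__ == "__main__":  # gmx.ch: NSEC3PARAM says 8, the NSEC3 chain says 1
    print("\n".join(check(parse_rr(SAMPLE_RRS[1]), parse_rr(SAMPLE_RRS[2]))))
```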