Re: [dane] Please help to remediate broken DNSSEC hosting
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 20 November 2014 22:15 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 679031A87AB for <dane@ietfa.amsl.com>; Thu, 20 Nov 2014 14:15:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.7
X-Spam-Level:
X-Spam-Status: No, score=-0.7 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, J_CHICKENPOX_72=0.6, J_CHICKENPOX_82=0.6] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 2VFFIMT9wcc8 for <dane@ietfa.amsl.com>; Thu, 20 Nov 2014 14:15:38 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3CCDF1A87E0 for <dane@ietf.org>; Thu, 20 Nov 2014 14:15:38 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 6A946284B10; Thu, 20 Nov 2014 22:15:36 +0000 (UTC)
Date: Thu, 20 Nov 2014 22:15:36 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141120221536.GF13179@mournblade.imrryr.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141120062942.GL13179@mournblade.imrryr.org> <20141120073445.GM13179@mournblade.imrryr.org> <546DA64E.4010900@sidn.nl> <20141120151716.GQ13179@mournblade.imrryr.org> <20141120203130.6DC1323CE598@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <20141120203130.6DC1323CE598@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/SInyglzvUYIAOY4RmgP36NrQuhU
Subject: Re: [dane] Please help to remediate broken DNSSEC hosting
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dane@ietf.org
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 22:15:40 -0000
On Fri, Nov 21, 2014 at 07:31:30AM +1100, Mark Andrews wrote: > We have a documented complaints proceedure. We should follow it. > > RFC 1033 COMPLAINTS > > These are the suggested steps you should take if you are having > problems that you believe are caused by someone else's name server: > > > 1. Complain privately to the responsible person for the domain. You > can find their mailing address in the SOA record for the domain. > > 2. Complain publicly to the responsible person for the domain. > > 3. Ask the NIC for the administrative person responsible for the > domain. Complain. You can also find domain contacts on the NIC in > the file NETINFO:DOMAIN-CONTACTS.TXT > > 4. Complain to the parent domain authorities. > > 5. Ask the parent authorities to excommunicate the domain. > > With a DNSSEC problem we may want to add a 4.5 step, ask the parent > to remove the DS record. Thanks for the info. I guess we're not nearly up to steps 4.5 or 5 yet. And I did contacted off-list by transip, who I hope will follow-up on-list. I am however asking for help with cycles for this process. I can no longer keep up with the communication requirements. If anyone can help work the issue through the various domain contacts, registrars, and registries that'd be great! Below are the SOA RRs of the signed domains where MX host TLSA lookups SERVFAIL due to various nameserver bugs or zone signing problems. --- Likely systemic applying to many hosted domains --- aanbodpagina.nl. SOA ns0.transip.net. hostmaster.transip.nl. codingunit.com. SOA ns0.transip.net. hostmaster.transip.nl. connections-it.com. SOA ns0.transip.net. hostmaster.transip.nl. dresscode.nl. SOA ns0.transip.net. hostmaster.transip.nl. entix.nl. SOA ns0.transip.net. hostmaster.transip.nl. erdee.nl. SOA ns0.transip.net. hostmaster.transip.nl. fonq.nl. SOA ns0.transip.net. hostmaster.transip.nl. gamesync.nl. SOA ns0.transip.net. hostmaster.transip.nl. infonu.nl. SOA ns0.transip.net. hostmaster.transip.nl. kinderspiele.de. SOA ns0.transip.net. hostmaster.transip.nl. mediumchat.nl. SOA ns0.transip.net. hostmaster.transip.nl. notprovided.eu. SOA ns0.transip.net. hostmaster.transip.nl. ooshopping.nl. SOA ns0.transip.net. hostmaster.transip.nl. performance.nl. SOA ns0.transip.net. hostmaster.transip.nl. redskillz.nl. SOA ns0.transip.net. hostmaster.transip.nl. reviewspot.nl. SOA ns0.transip.net. hostmaster.transip.nl. seoshop.nl. SOA ns0.transip.net. hostmaster.transip.nl. splendense.nl. SOA ns0.transip.net. hostmaster.transip.nl. studio-donder.nl. SOA ns0.transip.net. hostmaster.transip.nl. trendstats.nl. SOA ns0.transip.net. hostmaster.transip.nl. trentt.com. SOA ns0.transip.net. hostmaster.transip.nl. webshopapp.com. SOA ns0.transip.net. hostmaster.transip.nl. webwinkelsoftware.nl. SOA ns0.transip.net. hostmaster.transip.nl. wrts.nl. SOA ns0.transip.net. hostmaster.transip.nl. zipzoo.nl. SOA ns0.transip.net. hostmaster.transip.nl. banoshop.eu. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. bergsalaenigma.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. brandsupply.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. expert.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. foodness.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. ikkijkonline.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. leestrainer.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. studeersnel.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. utopiagekte.nl. SOA ns1.hostnet.nl. hostmaster.hostnet.nl. androidworld.nl. SOA ns0.transip.nl. hostmaster.transip.nl. gigacomputer.cz. SOA ns.forpsi.net. admin.forpsi.net. jursoft.cz. SOA ns.forpsi.net. admin.forpsi.net. --- Possibly sporadic applying to just the domains shown --- flashpatterns.nl. SOA ns1.hosting2go.nl. postmaster.flashpatterns.nl. informatieplatform.nl. SOA ns1.hosting2go.nl. postmaster.informatieplatform.nl. developmentaid.org. SOA ns0.transdns.eu. hostmaster.transip.eu. fuhrt.de. SOA ns1.remotedienst.de. natalie.fuhrt.de. fbi.gov. SOA ns1.fbi.gov. dns-admin.fbi.gov. nic.mil. SOA dns2.nipr.mil. disa\.columbus\.ns\.mbx\.hostmaster-dod-nic.mail.mil. disa.mil. SOA ns1.csd.disa.mil. disa\.meade\.esd\.list\.es312-ccc-hostmaster.mail.mil. stj.jus.br. SOA ns1.stj.jus.br. netmaster.stj.jus.br. dominion.ch. SOA ns.dominion.ch. hostmaster.dominion.ch. mec-import.de. SOA ns5.kp-dns.de. hostmaster.mec-import.de. -- Viktor.
- [dane] Fwd: New Version Notification for draft-yo… Dan York
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- Re: [dane] Fwd: New Version Notification for draf… Michael Ströder
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- Re: [dane] Fwd: New Version Notification for draf… Dan York
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- Re: [dane] Fwd: New Version Notification for draf… Shumon Huque
- Re: [dane] Fwd: New Version Notification for draf… Dan York
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- Re: [dane] Fwd: New Version Notification for draf… James Cloos
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- Re: [dane] Fwd: New Version Notification for draf… Paul Wouters
- Re: [dane] Fwd: New Version Notification for draf… Viktor Dukhovni
- [dane] Please help to remediate broken DNSSEC hos… Viktor Dukhovni
- Re: [dane] Please help to remediate broken DNSSEC… Viktor Dukhovni
- Re: [dane] Please help to remediate broken DNSSEC… Marco Davids (SIDN)
- Re: [dane] Please help to remediate broken DNSSEC… Viktor Dukhovni
- Re: [dane] Please help to remediate broken DNSSEC… Mark Andrews
- Re: [dane] Please help to remediate broken DNSSEC… Viktor Dukhovni