Re: [dane] Please help to remediate broken DNSSEC hosting

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 20 November 2014 22:15 UTC

Date: Thu, 20 Nov 2014 22:15:36 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141120221536.GF13179@mournblade.imrryr.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141120062942.GL13179@mournblade.imrryr.org> <20141120073445.GM13179@mournblade.imrryr.org> <546DA64E.4010900@sidn.nl> <20141120151716.GQ13179@mournblade.imrryr.org> <20141120203130.6DC1323CE598@rock.dv.isc.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20141120203130.6DC1323CE598@rock.dv.isc.org>
User-Agent: Mutt/1.5.23 (2014-03-12)
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/SInyglzvUYIAOY4RmgP36NrQuhU

On Fri, Nov 21, 2014 at 07:31:30AM +1100, Mark Andrews wrote:

> We have a documented complaints procedure.  We should follow it.
>  
> RFC 1033 COMPLAINTS
> 
>    These are the suggested steps you should take if you are having
>    problems that you believe are caused by someone else's name server:
> 
> 
>    1.  Complain privately to the responsible person for the domain.  You
>    can find their mailing address in the SOA record for the domain.
> 
>    2.  Complain publicly to the responsible person for the domain.
> 
>    3.  Ask the NIC for the administrative person responsible for the
>    domain.  Complain.  You can also find domain contacts on the NIC in
>    the file NETINFO:DOMAIN-CONTACTS.TXT
> 
>    4.  Complain to the parent domain authorities.
> 
>    5.  Ask the parent authorities to excommunicate the domain.
> 
> With a DNSSEC problem we may want to add a 4.5 step, ask the parent
> to remove the DS record.

Thanks for the info.  I guess we're not nearly up to steps 4.5 or
5 yet.  And I was contacted off-list by transip, who I hope will
follow-up on-list.  I am however asking for help with cycles for
this process.  I can no longer keep up with the communication
requirements.

If anyone can help work the issue through the various domain
contacts, registrars, and registries that'd be great!  Below are
the SOA RRs of the signed domains where MX host TLSA lookups SERVFAIL
due to various nameserver bugs or zone signing problems.

    --- Likely systemic applying to many hosted domains ---
    aanbodpagina.nl.        SOA     ns0.transip.net. hostmaster.transip.nl.
    codingunit.com.         SOA     ns0.transip.net. hostmaster.transip.nl.
    connections-it.com.     SOA     ns0.transip.net. hostmaster.transip.nl.
    dresscode.nl.           SOA     ns0.transip.net. hostmaster.transip.nl.
    entix.nl.               SOA     ns0.transip.net. hostmaster.transip.nl.
    erdee.nl.               SOA     ns0.transip.net. hostmaster.transip.nl.
    fonq.nl.                SOA     ns0.transip.net. hostmaster.transip.nl.
    gamesync.nl.            SOA     ns0.transip.net. hostmaster.transip.nl.
    infonu.nl.              SOA     ns0.transip.net. hostmaster.transip.nl.
    kinderspiele.de.        SOA     ns0.transip.net. hostmaster.transip.nl.
    mediumchat.nl.          SOA     ns0.transip.net. hostmaster.transip.nl.
    notprovided.eu.         SOA     ns0.transip.net. hostmaster.transip.nl.
    ooshopping.nl.          SOA     ns0.transip.net. hostmaster.transip.nl.
    performance.nl.         SOA     ns0.transip.net. hostmaster.transip.nl.
    redskillz.nl.           SOA     ns0.transip.net. hostmaster.transip.nl.
    reviewspot.nl.          SOA     ns0.transip.net. hostmaster.transip.nl.
    seoshop.nl.             SOA     ns0.transip.net. hostmaster.transip.nl.
    splendense.nl.          SOA     ns0.transip.net. hostmaster.transip.nl.
    studio-donder.nl.       SOA     ns0.transip.net. hostmaster.transip.nl.
    trendstats.nl.          SOA     ns0.transip.net. hostmaster.transip.nl.
    trentt.com.             SOA     ns0.transip.net. hostmaster.transip.nl.
    webshopapp.com.         SOA     ns0.transip.net. hostmaster.transip.nl.
    webwinkelsoftware.nl.   SOA     ns0.transip.net. hostmaster.transip.nl.
    wrts.nl.                SOA     ns0.transip.net. hostmaster.transip.nl.
    zipzoo.nl.              SOA     ns0.transip.net. hostmaster.transip.nl.
    banoshop.eu.            SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    bergsalaenigma.nl.      SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    brandsupply.nl.         SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    expert.nl.              SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    foodness.nl.            SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    ikkijkonline.nl.        SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    leestrainer.nl.         SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    studeersnel.nl.         SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    utopiagekte.nl.         SOA     ns1.hostnet.nl. hostmaster.hostnet.nl.
    androidworld.nl.        SOA     ns0.transip.nl. hostmaster.transip.nl.
    gigacomputer.cz.        SOA     ns.forpsi.net. admin.forpsi.net.
    jursoft.cz.             SOA     ns.forpsi.net. admin.forpsi.net.

    --- Possibly sporadic applying to just the domains shown ---
    flashpatterns.nl.       SOA     ns1.hosting2go.nl. postmaster.flashpatterns.nl.
    informatieplatform.nl.  SOA     ns1.hosting2go.nl. postmaster.informatieplatform.nl.
    developmentaid.org.     SOA     ns0.transdns.eu. hostmaster.transip.eu.
    fuhrt.de.               SOA     ns1.remotedienst.de. natalie.fuhrt.de.
    fbi.gov.                SOA     ns1.fbi.gov. dns-admin.fbi.gov.
    nic.mil.                SOA     dns2.nipr.mil. disa\.columbus\.ns\.mbx\.hostmaster-dod-nic.mail.mil.
    disa.mil.               SOA     ns1.csd.disa.mil. disa\.meade\.esd\.list\.es312-ccc-hostmaster.mail.mil.
    stj.jus.br.             SOA     ns1.stj.jus.br. netmaster.stj.jus.br.
    dominion.ch.            SOA     ns.dominion.ch. hostmaster.dominion.ch.
    mec-import.de.          SOA     ns5.kp-dns.de. hostmaster.mec-import.de.

-- 
	Viktor.
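An added example, not part of Viktor's message and not code from any DNS project: a standard-library Python 3 script that reproduces the check behind the list above (query the TLSA record at `_25._tcp.<mx host>` with the EDNS0 DO bit and classify the reply, with SERVFAIL being the symptom reported) and turns an SOA RNAME into the mailbox that step 1 of the quoted RFC 1033 procedure refers to, including the backslash-escaped local parts seen in the .mil entries. The resolver address 127.0.0.1 and the host mail.example.com are placeholders assumed for illustration. Re-running a failing query with the CD (checking disabled) bit is a general diagnostic, not something the message claims: if the CD query succeeds while the validating query SERVFAILs, the zone's signatures do not validate; if both fail, the authoritative server is not answering DO queries correctly.

```python
#!/usr/bin/env python3
"""Added example (not from the message or any project): probe an MX host's
DANE TLSA record with a raw DNS query and classify the result, and decode
SOA RNAMEs into contact mailboxes.  Standard library only."""
import random
import socket
import struct

TYPE_MX, TYPE_TLSA, TYPE_OPT = 15, 52, 41
FLAG_QR, FLAG_RD, FLAG_AD, FLAG_CD = 0x8000, 0x0100, 0x0020, 0x0010
EDNS_DO = 0x8000  # DNSSEC OK bit, upper half of the OPT RR TTL field
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED"}


def tlsa_owner(mx_host, port=25):
    """TLSA owner name for an SMTP server: _<port>._tcp.<mx host> (RFC 6698, RFC 7672)."""
    return "_%d._tcp.%s." % (port, mx_host.rstrip("."))


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in the root label."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid, checking_disabled=False):
    """Recursive query (RD) with one OPT record carrying the DO bit; CD optional."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (OPT)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root owner, type 41, UDP payload 4096, ext-rcode 0, version 0, DO, no rdata
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 4096, 0, 0, EDNS_DO, 0)
    return header + question + opt


def classify_response(resp, txid):
    """Decode the response header and say what it means for a DANE client."""
    if len(resp) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid or not flags & FLAG_QR:
        raise ValueError("not a response to our query")
    rcode = RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F))
    ad = bool(flags & FLAG_AD)
    if rcode == "SERVFAIL":
        verdict = "SERVFAIL: validation failure or nameserver bug; TLSA unusable"
    elif rcode == "NOERROR" and an and ad:
        verdict = "secure TLSA answer (%d RR)" % an
    elif rcode in ("NOERROR", "NXDOMAIN") and ad:
        verdict = "secure denial: no TLSA, DANE not in use"
    elif rcode in ("NOERROR", "NXDOMAIN"):
        verdict = "insecure answer (AD clear): zone unsigned or resolver not validating"
    else:
        verdict = "unexpected rcode %s" % rcode
    return {"rcode": rcode, "ad": ad, "answers": an, "verdict": verdict}


def probe(name, qtype, resolver="127.0.0.1", checking_disabled=False, timeout=3.0):
    """Send the query over UDP to a validating resolver (address is an assumption)."""
    txid = random.randrange(0, 0x10000)
    query = build_query(name, qtype, txid, checking_disabled)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (resolver, 53))
        resp, _ = s.recvfrom(4096)
    return classify_response(resp, txid)


def rname_to_mailbox(rname):
    """SOA RNAME -> mailbox: first label is the local part; '\\.' stays a literal dot."""
    local, rest, i = "", "", 0
    while i < len(rname):
        c = rname[i]
        if c == "\\" and i + 1 < len(rname):
            local += rname[i + 1]
            i += 2
            continue
        if c == ".":
            rest = rname[i + 1:]
            break
        local += c
        i += 1
    return "%s@%s" % (local, rest.rstrip("."))


if __name__ == "__main__":
    import sys
    mx = sys.argv[1] if len(sys.argv) > 1 else "mail.example.com"  # placeholder MX host
    owner = tlsa_owner(mx)
    print(owner, probe(owner, TYPE_TLSA)["verdict"])
    print(owner, "with CD:", probe(owner, TYPE_TLSA, checking_disabled=True)["verdict"])
```

Run it against a validating resolver with the MX host as the argument; a SERVFAIL on the first line together with a clean answer on the CD line points at the zone's signatures, while SERVFAIL on both points at the authoritative servers.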