Re: [dane] Please help to remediate broken DNSSEC hosting

Viktor Dukhovni <> Thu, 20 November 2014 15:18 UTC

On Thu, Nov 20, 2014 at 09:29:02AM +0100, Marco Davids (SIDN) wrote:

> In particular TransIP is a bit of a challenge, because they run their
> own DNS-software and feel no rush to fix this issue. But rest assured
> that we will keep on trying to have them improve things.

At this point the "feel no rush" attitude will cause loss of email
between SMTP with DANE early adopters to TransIP sites that employ
wildcard records.  They really need to get off their rear-ends and
fix the problem.

Otherwise, I may need to develop a new unbound feature that considers
a zone insecure if all its NS records lie in a given blacklisted

I don't suppose it is possible to pressure TransIP with a threat
of removal of the problem DS records from the '.nl' registry by
say 6 months from now if the problem is not addressed?