[dane] Problem with hostnet.nl/hostnetbv.{com, nl} nameservers and DANE TLSA
Viktor Dukhovni <ietf-dane@dukhovni.org> Sun, 23 November 2014 20:35 UTC
To: hostmaster@hostnet.nl
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/o_tlvZ-sd5eAzJ2PdQDheUm9HVI
Cc: "Deccio, Casey" <cdeccio@verisign.com>, dane@ietf.org
Many hostnet.nl domains emit incorrect denial of existence NSEC3 records for DANE TLSA queries. This will cause email delivery problems to your customers' domains if not resolved by fixing the nameserver software. My (surely incomplete) list of affected domains is below.

The newly updated (thanks Casey!) dnsviz.net site now gives a very clear picture of the problem (just "mouse over" the NSEC3 record box). The NODATA response is not accompanied by any NSEC3 records that match the hash of the Qname, rather the NSEC3 records prove NXDOMAIN, but the RCODE is incorrectly NOERROR:

http://dnsviz.net/d/_25._tcp.banoshop.eu/dnssec/?rr=52&ds=all&a=all&doe=on&ta=.

Queries for the TLSA records of all the MX hosts below similarly fail validation. What and when might be done to fully address this issue?

--
Viktor.
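
The check described in the message, as an added example that is not part of the original post: Python code that computes the RFC 5155 NSEC3 hash of the query name and tells an NSEC3 that matches it (NODATA) from one that only covers it (NXDOMAIN). The zone example.nl, the salt, the iteration count and the function names are constructed for illustration, and the NSEC3 records are assumed to be already signature-validated.

```python
import base64
import hashlib

# Standard base32 alphabet -> base32hex (RFC 4648), which keeps hashes in sort order.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: iterated, salted SHA-1 over the lowercase wire-format name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def covers(owner, nxt, h):
    """True if h lies strictly between owner and next; the last record wraps around."""
    if owner < nxt:
        return owner < h < nxt
    return h > owner or h < nxt

def classify(qname, qtype, rcode, nsec3s, salt_hex, iterations):
    """nsec3s: (owner_hash, next_hash, type_set) tuples from the authority section."""
    h = nsec3_hash(qname, salt_hex, iterations)
    for owner, _nxt, types in nsec3s:
        if owner == h:  # NSEC3 matches the qname: the name exists
            ok = rcode == "NOERROR" and qtype not in types
            return "valid NODATA" if ok else "bogus: matching NSEC3 contradicts response"
    if any(covers(o, n, h) for o, n, _ in nsec3s):  # qname proven absent
        if rcode == "NXDOMAIN":
            return "NXDOMAIN (closest-encloser proof not checked here)"
        return "bogus: NSEC3 proves NXDOMAIN but RCODE is NOERROR"
    return "bogus: no NSEC3 matches or covers qname"

def demo():
    # Constructed sample: hypothetical zone example.nl, salt "ab", 1 extra iteration.
    qname, salt, iters = "_25._tcp.mail.example.nl.", "ab", 1
    h = nsec3_hash(qname, salt, iters)
    broken = [("0" * 32, "v" * 32, {"A", "RRSIG"})]   # covers h, does not match it
    fixed = [(h, "v" * 32, {"RRSIG"})]                # matches h, no TLSA in bitmap
    return (classify(qname, "TLSA", "NOERROR", broken, salt, iters),
            classify(qname, "TLSA", "NOERROR", fixed, salt, iters))

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The first verdict corresponds to the failure reported in the message; a validating sender treats such a response as bogus instead of "no TLSA records".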