Re: [dane] Please help to remediate broken DNSSEC hosting
Mark Andrews <marka@isc.org> Thu, 20 November 2014 20:31 UTC
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141120062942.GL13179@mournblade.imrryr.org> <20141120073445.GM13179@mournblade.imrryr.org> <546DA64E.4010900@sidn.nl> <20141120151716.GQ13179@mournblade.imrryr.org>
In-reply-to: Your message of "Thu, 20 Nov 2014 15:17:16 -0000." <20141120151716.GQ13179@mournblade.imrryr.org>
Date: Fri, 21 Nov 2014 07:31:30 +1100
Message-Id: <20141120203130.6DC1323CE598@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/uEm9y0E-4S4mGmkvN0HUM8OtjyY
Subject: Re: [dane] Please help to remediate broken DNSSEC hosting

In message <20141120151716.GQ13179@mournblade.imrryr.org>, Viktor Dukhovni writes:
> On Thu, Nov 20, 2014 at 09:29:02AM +0100, Marco Davids (SIDN) wrote:
>
> > In particular TransIP is a bit of a challenge, because they run their
> > own DNS-software and feel no rush to fix this issue. But rest assured
> > that we will keep on trying to have them improve things.
>
> At this point the "feel no rush" attitude will cause loss of email
> between SMTP with DANE early adopters to transip sites that employ
> wildcard records. They really need to get off their rear-ends and
> fix the problem.
>
> Otherwise, I may need to develop a new unbound feature that considers
> a zone insecure if all its NS records lie in a given blacklisted
> domain.
>
> I don't suppose it is possible to pressure transip with a threat
> of removal of the problem DS records from the '.nl' registry by
> say 6 months from now if the problem is not addressed?

We have a documented complaints procedure. We should follow it.

RFC 1033

COMPLAINTS

   These are the suggested steps you should take if you are having
   problems that you believe are caused by someone else's name server:

   1. Complain privately to the responsible person for the domain.
      You can find their mailing address in the SOA record for the
      domain.

   2. Complain publicly to the responsible person for the domain.

   3. Ask the NIC for the administrative person responsible for the
      domain. Complain. You can also find domain contacts on the NIC
      in the file NETINFO:DOMAIN-CONTACTS.TXT

   4. Complain to the parent domain authorities.

   5. Ask the parent authorities to excommunicate the domain.

With a DNSSEC problem we may want to add a 4.5 step, ask the parent
to remove the DS record.

Mark

> --
> Viktor.
>
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742
INTERNET: marka@isc.org