Re: [dane] Please help to remediate broken DNSSEC hosting

Mark Andrews <marka@isc.org> Thu, 20 November 2014 20:31 UTC

Return-Path: <marka@isc.org>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id BACDE1A6EFE for <dane@ietfa.amsl.com>; Thu, 20 Nov 2014 12:31:39 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.495
X-Spam-Level:
X-Spam-Status: No, score=-7.495 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, RP_MATCHES_RCVD=-0.594, SPF_PASS=-0.001] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 6LPEsJKyTHyD for <dane@ietfa.amsl.com>; Thu, 20 Nov 2014 12:31:36 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [199.6.1.65]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9CEFE1A1AEF for <dane@ietf.org>; Thu, 20 Nov 2014 12:31:36 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) by mx.ams1.isc.org (Postfix) with ESMTP id 1D7D31FCAB6 for <dane@ietf.org>; Thu, 20 Nov 2014 20:31:33 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id AF3B2160066 for <dane@ietf.org>; Thu, 20 Nov 2014 20:34:58 +0000 (UTC)
Received: from rock.dv.isc.org (c211-30-183-50.carlnfd1.nsw.optusnet.com.au [211.30.183.50]) by zmx1.isc.org (Postfix) with ESMTPSA id 7F76016005A for <dane@ietf.org>; Thu, 20 Nov 2014 20:34:58 +0000 (UTC)
Received: from rock.dv.isc.org (localhost [IPv6:::1]) by rock.dv.isc.org (Postfix) with ESMTP id 6DC1323CE598 for <dane@ietf.org>; Fri, 21 Nov 2014 07:31:30 +1100 (EST)
To: dane@ietf.org
From: Mark Andrews <marka@isc.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141120062942.GL13179@mournblade.imrryr.org> <20141120073445.GM13179@mournblade.imrryr.org> <546DA64E.4010900@sidn.nl> <20141120151716.GQ13179@mournblade.imrryr.org>
In-reply-to: Your message of "Thu, 20 Nov 2014 15:17:16 -0000." <20141120151716.GQ13179@mournblade.imrryr.org>
Date: Fri, 21 Nov 2014 07:31:30 +1100
Message-Id: <20141120203130.6DC1323CE598@rock.dv.isc.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/uEm9y0E-4S4mGmkvN0HUM8OtjyY
Subject: Re: [dane] Please help to remediate broken DNSSEC hosting
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 20 Nov 2014 20:31:39 -0000

In message <20141120151716.GQ13179@mournblade.imrryr.org>, Viktor Dukhovni writes:
> On Thu, Nov 20, 2014 at 09:29:02AM +0100, Marco Davids (SIDN) wrote:
> 
> > In particular TransIP is a bit of a challenge, because they run their
> > own DNS-software and feel no rush to fix this issue. But rest assured
> > that we will keep on trying to have them improve things.
> 
> At this point the "feel no rush" attitude will cause loss of email
> between SMTP with DANE early adopters to transip sites that employ
> wildcard records.  They really need to get off their rear-ends and
> fix the problem.
> 
> Otherwise, I may need to develop a new unbound feature that considers
> a zone insecure if all its NS records lie in a given blacklisted
> domain.
> 
> I don't suppose it is possible to pressure transip with a threat
> of removal of the problem DS records from the '.nl' registry by
> say 6 months from now if the problem is not addressed?

We have a documented complaints procedure.  We should follow it.
 
RFC 1033 COMPLAINTS

   These are the suggested steps you should take if you are having
   problems that you believe are caused by someone else's name server:


   1.  Complain privately to the responsible person for the domain.  You
   can find their mailing address in the SOA record for the domain.

   2.  Complain publicly to the responsible person for the domain.

   3.  Ask the NIC for the administrative person responsible for the
   domain.  Complain.  You can also find domain contacts on the NIC in
   the file NETINFO:DOMAIN-CONTACTS.TXT

   4.  Complain to the parent domain authorities.

   5.  Ask the parent authorities to excommunicate the domain.

With a DNSSEC problem we may want to add a 4.5 step, ask the parent
to remove the DS record.

Mark

> -- 
> 	Viktor.
> 
> _______________________________________________
> dane mailing list
> dane@ietf.org
> https://www.ietf.org/mailman/listinfo/dane
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org
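Step 1 of the quoted RFC 1033 procedure says the contact address is in the SOA record. The RNAME field encodes that mailbox as a domain name (RFC 1035 section 3.3.13): the '@' is replaced by the first dot, and a literal dot inside the local part is escaped as '\.', so "hostmaster.example.nl." means hostmaster@example.nl but "john\.doe.example.com." means john.doe@example.com. The decoder below is an added example, not code from Mark's message, from ISC or from the RFC; the SOA RDATA it parses is constructed sample data, not records from any zone discussed on the list.

```python
"""Recover the RFC 1033 step-1 contact mailbox from an SOA RNAME.

RFC 1035 section 3.3.13 encodes the responsible person's mailbox as a
domain name: the local part's '@' becomes the first dot, and any literal
dot inside the local part is escaped as '\\.'.  Reversing that is the
first thing to do before complaining, and the escape rule is the part
that naive "replace the first dot" code gets wrong.
"""

import re

# Constructed sample SOA RDATA in presentation format (MNAME RNAME SERIAL
# REFRESH RETRY EXPIRE MINIMUM).  These are illustrative, not real zones.
SAMPLE_SOA = {
    "example.nl.": "ns1.example.nl. hostmaster.example.nl. 2014112001 3600 900 1209600 300",
    "example.com.": "ns.example.com. john\\.doe.example.com. 1 2 3 4 5",
    "example.org.": "ns.example.org. hostmaster.example.org 1 2 3 4 5",
}

_DECIMAL_ESCAPE = re.compile(r"\\(\d{3})")


def rname_to_mailbox(rname: str) -> str:
    """Convert an RFC 1035 RNAME to an SMTP mailbox string.

    Walks the characters once: a backslash escapes the next character
    ('\\.' is a literal dot, '\\DDD' is a decimal byte value); the first
    unescaped dot separates the local part from the domain.  A trailing
    root dot is dropped from the domain.  The bare root name "." is the
    RFC's "no mailbox" value and yields an empty string.
    """
    if rname == ".":
        return ""
    local = []
    i, n = 0, len(rname)
    while i < n:
        ch = rname[i]
        if ch == "\\" and i + 1 < n:
            m = _DECIMAL_ESCAPE.match(rname, i)
            if m:
                local.append(chr(int(m.group(1))))
                i += 4
            else:
                local.append(rname[i + 1])  # escaped single character
                i += 2
            continue
        if ch == ".":
            domain = rname[i + 1:].rstrip(".")
            return "%s@%s" % ("".join(local), domain)
        local.append(ch)
        i += 1
    raise ValueError("RNAME %r has no unescaped dot; not a valid mailbox" % rname)


def soa_contact(rdata: str) -> str:
    """Pull the RNAME (second field) out of SOA RDATA and decode it."""
    fields = rdata.split()
    if len(fields) < 7:
        raise ValueError("SOA RDATA needs MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM")
    return rname_to_mailbox(fields[1])


def step1_targets(soa_by_zone: dict) -> dict:
    """Map each zone to the private-complaint address for RFC 1033 step 1."""
    return {zone: soa_contact(rdata) for zone, rdata in soa_by_zone.items()}


if __name__ == "__main__":
    for zone, mailbox in step1_targets(SAMPLE_SOA).items():
        print("%-15s complain privately to %s" % (zone, mailbox))
```

In practice the RDATA comes from `dig +short SOA <zone>`; feed that line to `soa_contact`. The decimal-escape branch is there because presentation-format RNAMEs can carry `\DDD` sequences for bytes that are not printable, which a plain split on dots would also mangle.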