Re: [dane] Please help to remediate broken DNSSEC hosting

Viktor Dukhovni <> Thu, 20 November 2014 07:34 UTC

List-Id: DNS-based Authentication of Named Entities <>

On Thu, Nov 20, 2014 at 06:29:42AM +0000, Viktor Dukhovni wrote:

> A number of large DNS hosting providers have enabled DNSSEC support,
> but are using nameserver software that is not compatible with the
> specification with respect to authenticated denial of existence.

Note, by far the bulk of the problem is with transip. From their


    TransDNS is the foundation of our DNSSEC implementation, a DNS
    protocol security extension. Signing more than 500.000 domain
    names with DNSSEC was a challenge we gladly accepted. Because
    of TransDNS we were one of the first domain providers in The
    Netherlands that signed all our domain names. We are now the
    largest DNSSEC provider in the world. We could not have done
    this with third-party solutions. That is the reason why we
    develop everything in-house.

Perhaps they have more problems that show up in interop tests
because they indeed signed so many more domains than anyone else.
In any case, they would be a good place to start remediation.

If anyone has contacts there and can reach out, that would be great.