Re: [dane] Please help to remediate broken DNSSEC hosting

Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 20 November 2014 07:34 UTC

Date: Thu, 20 Nov 2014 07:34:45 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Message-ID: <20141120073445.GM13179@mournblade.imrryr.org>
References: <20141027225310.29285.24437.idtracker@ietfa.amsl.com> <F0C0FC32-FAA7-4D07-A230-59A538754BCD@isoc.org> <20141120062942.GL13179@mournblade.imrryr.org>
Archived-At: http://mailarchive.ietf.org/arch/msg/dane/zpg8zh6NQjOLBxqk-uhsksaE6Sw

On Thu, Nov 20, 2014 at 06:29:42AM +0000, Viktor Dukhovni wrote:

> A number of large DNS hosting providers have enabled DNSSEC support,
> but are using nameserver software that is not compatible with the
> specification with respect to authenticated denial of existence.

Note, by far the bulk of the problem is with transip. From their
website:

    https://www.transip.co.uk/domain-name/transdns/

    DNSSEC

    TransDNS is the foundation of our DNSSEC implementation, a DNS
    protocol security extension. Signing more than 500.000 domain
    names with DNSSEC was a challenge we gladly accepted. Because
    of TransDNS we were one of the first domain providers in The
    Netherlands that signed all our domain names. We are now the
    largest DNSSEC provider in the world. We could not have done
    this with third-party solutions. That is the reason why we
    develop everything in-house.

Perhaps they have more problems that show up in interop tests
because they indeed signed so many more domains than anyone else.
In any case, they would be a good place to start remediation.

If anyone has contacts there and can reach out that would be great.

-- 
	Viktor.
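The quoted paragraph names authenticated denial of existence as the interoperability problem. As an added example, not code from this thread or from any provider mentioned in it, here is the core NSEC coverage test a validator applies, using the RFC 4034 canonical name ordering; names are assumed to be ASCII, the zone data is constructed, and NSEC3, wildcards and type-bitmap checks are left out.

```python
"""Added example: the NSEC coverage check behind authenticated denial of existence.

Constructed data, not from the thread. Names are assumed ASCII; NSEC3,
wildcards and type-bitmap checks are out of scope.
"""


def canonical_key(name: str) -> tuple:
    """Sort key for RFC 4034 canonical ordering (ASCII labels only):
    labels are compared right to left, case-insensitively, and a name
    sorts before all of its own subdomains."""
    stripped = name.rstrip(".").lower()
    labels = stripped.split(".") if stripped else []
    return tuple(reversed(labels))


def in_zone(name: str, apex: str) -> bool:
    """True if name is the apex or lies below it."""
    n, a = canonical_key(name), canonical_key(apex)
    return n[:len(a)] == a


def nsec_covers(owner: str, nxt: str, qname: str, apex: str) -> bool:
    """True if the NSEC record owner -> nxt proves that qname does not exist.

    Either owner < qname < nxt in canonical order, or nxt is the apex
    (the chain's last record) and owner < qname. A qname outside the zone
    is never covered, and a qname equal to owner exists rather than being
    denied, so both return False.
    """
    if not in_zone(qname, apex):
        return False
    o, n, q, a = (canonical_key(x) for x in (owner, nxt, qname, apex))
    if q == o:
        return False
    if n == a:  # wrap-around record: covers every name after owner
        return o < q
    return o < q < n


def proves_nxdomain(nsec_records, qname, apex):
    """Return the (owner, next) pair that covers qname, or None if no
    record in the chain proves the name absent."""
    for owner, nxt in nsec_records:
        if nsec_covers(owner, nxt, qname, apex):
            return (owner, nxt)
    return None


# Constructed three-record NSEC chain for the zone "example.com."
CHAIN = [
    ("example.com.", "a.example.com."),
    ("a.example.com.", "m.example.com."),
    ("m.example.com.", "example.com."),
]
```

A proof that the chain cannot produce, such as for a name outside the zone or for a name that is itself an NSEC owner, is exactly what a validator rejects; a signer that emits records failing this test yields SERVFAIL at validating resolvers.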