Re: [DNSOP] Asking TLD's to perform checks.
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 11 November 2015 05:15 UTC
Date: Wed, 11 Nov 2015 05:15:03 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop@ietf.org
Message-ID: <20151111051503.GU18315@mournblade.imrryr.org>
References: <20151105235402.39FFC3BF2F29@rock.dv.isc.org> <20151110152511.6f1a1c20@pallas.home.time-travellers.org> <20151110204330.C47C63C7D699@rock.dv.isc.org>
In-Reply-To: <20151110204330.C47C63C7D699@rock.dv.isc.org>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/4iKNGtT_vZRfFJglF7Ltjg2LRgI>
Subject: Re: [DNSOP] Asking TLD's to perform checks.

On Wed, Nov 11, 2015 at 07:43:30AM +1100, Mark Andrews wrote:

> Perhaps we should be getting Jari, Suzanne and Andrew to push this
> at IGF meetings.

Not knowing what IGF meetings are, I can't comment on this specific point.

> So we don't say what's right because you fear that not everybody
> will perform the actions. We don't need to get every TLD to check
> to have a real impact. We just need several to check and inform,
> preferably big ones. Lots of zones are hosted by big players and
> getting them fixed has a big impact on the overall health of the
> DNS. e.g. UltraDNS and related companies fixing their service
> resulted in an 18% fix for the root and TLD servers, a 5% fix for
> the Alexa top 1000, a 2% fix for Gov servers in the Alexa top 1M
> and about the same for the AU servers in the Alexa top 1M. The
> bottom 1000 is too noisy to see if there was a change there. See
> the Sep 28 2015 steps in <https://ednscomp.isc.org/compliance/ts/allok.html>.

I strongly support publication of a BCP that explains a best practice
in this space. Even my meager efforts at remediating problems in
this space, without access to comprehensive domains lists or good
contact information for some of the parties have been effective at
reducing barriers to DANE adoption for SMTP by an order of magnitude,
but we can and should do better, and registries/registrars are far
better positioned to take the appropriate action.

I've been forwarding links to Mark's draft to various guilty parties,
as it provides a solid explanation of why their nameservers are
wrong and how they should behave. It would be even more useful as
an RFC.

The reason that the TLSA records for fbi.gov are not broken is
because they no longer drop TLSA queries, the folly of which is
explained in the draft. Have not yet had much luck with the disa.mil
who operate the nameservers for mail.mil. This would be much easier
if, for example, the .gov and .mil conducted periodic tests of their
delegated domains.

> This is actually IETF business. We can set community consensus of
> what is a reasonable requirement. If nothing else ICANN will come
> back to us looking for checks to be enforced. Additionally the
> CCtlds are not bound by ICANN but by RFCs.

Indeed.

-- 
Viktor.