Re: [DNSOP] Heads up: DANE TLSA lookup issues with some nameservers.

Mark Andrews <marka@isc.org> Wed, 25 November 2015 23:49 UTC

To: "DeJong, Steve" <Steve.DeJong@neustar.biz>
From: Mark Andrews <marka@isc.org>
References: <20150812052025.GM9139@mournblade.imrryr.org> <D27B5A19.B72B1%steve.dejong@neustar.biz>
In-reply-to: Your message of "Wed, 25 Nov 2015 20:37:31 -0000." <D27B5A19.B72B1%steve.dejong@neustar.biz>
Date: Thu, 26 Nov 2015 10:48:54 +1100
Message-Id: <20151125234854.01ADD3D93111@rock.dv.isc.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/AQWguqdJ4NpK42cqbp0gtjJmBQY>
Cc: "dnsop@ietf.org" <dnsop@ietf.org>

Testing for things like a successful resolution to _25._tcp.example.com.
IN TLSA is something registries / registrars should be doing.  If
you deploy servers that are incapable of answering the query then
that becomes potential grounds for removal of the delegation.

Whether you have or don't have a TLSA record is an entirely separate
matter.

It is "can the server answer the question or not" that the parents
need to be concerned with.  www.example.com/AAAA, www.example.com/A,
example.com/MX, example.com/A and example.com/AAAA should all be
answerable and if there is a negative response that the SOA record
if present is consistent with the delegation.  A SOA for COM is not
a valid SOA record with some exceptions.


In message <D27B5A19.B72B1%steve.dejong@neustar.biz>, "DeJong, Steve" writes:
> Greetings -
> As of Nov. 22 Neustar UltraDNS has completed the rollout of the latest
> resolver which addresses the NSEC3 authenticated denial of existence
> issues.
> 
> Thanks to Viktor for assisting in the testing and verification of the fix.
> 
> -Steve
> 
> 
> On 8/11/15, 10:20 PM, "DNSOP on behalf of Viktor Dukhovni"
> <dnsop-bounces@ietf.org on behalf of ietf-dane@dukhovni.org> wrote:
> 
> >    * Outdated versions of PowerDNS don't handle denial of
> >      existence correctly when the query domain's immediate parent
> >      also does not exist.  In particular queries of the form:
> >
> >	_25._tcp.example.com. IN TLSA ?
> >
> >      fail to elicit proof that "_tcp" does not exist (which is
> >      typically the case).  The response is then "bogus", and mail
> >      is delayed.
> >
> >      This currently afflicts various Neustar.biz nameservers, in
> >      some cases appearing as nameservers for various customers.
> >
> >
> 
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org