Re: [DNSOP] Asking TLD's to perform checks.

Viktor Dukhovni <> Wed, 11 November 2015 18:05 UTC

On Wed, Nov 11, 2015 at 12:22:05PM +0000, Lawrence Conroy wrote:

>  ISTM that the IETF isn't in a position to force its suggestions through
>  the 'industry'.

Who said anything about "forcing"?  I thought this was intended to
be a BCP.  As for whether the checks are done by registries or
registrars: ideally both!

    * Registrars check their customer domains and notify the customer.

    * Registries check all domains to apply soft pressure on
      registrars with whose domains are notably more broken than

For example, I've worked directly with some .nl registrars, and
indirectly with SIDN to resolve the highest visibility problems
wrt. DANE TLSA and .nl domains.  Small pockets of problems remain,
and SIDN are doing proactive monitoring.

So in the last year or so, we've seen DNS server upgrades that
resolved issues at,,, and  Still waiting on, but IIRC
they're working on it.  The incidence of broken DNSSEC TLSA lookup
in .nl is down by two orders of magnitude over the last year.

In the .se case, fixed their firewall that was
dropping TLSA queries, and IIRC I was in touch with someone at
the .se registry to help encourage them to do that.

My efforts don't scale, and I believe a sensibly worded BCP would
be quite useful.  It would explain what's important to remediate
and why.  I may motivate some proactive TLD operators and their
registrars to do the right thing voluntarily.