Re: [DNSOP] Asking TLD's to perform checks.
Viktor Dukhovni <ietf-dane@dukhovni.org> Wed, 11 November 2015 18:05 UTC
Return-Path: <ietf-dane@dukhovni.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CC7B71B31B5 for <dnsop@ietfa.amsl.com>; Wed, 11 Nov 2015 10:05:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.6
X-Spam-Level:
X-Spam-Status: No, score=-2.6 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_LOW=-0.7] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id d31E08TOL04J for <dnsop@ietfa.amsl.com>; Wed, 11 Nov 2015 10:05:43 -0800 (PST)
Received: from mournblade.imrryr.org (mournblade.imrryr.org [38.117.134.19]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4BC871B31C8 for <dnsop@ietf.org>; Wed, 11 Nov 2015 10:05:27 -0800 (PST)
Received: by mournblade.imrryr.org (Postfix, from userid 1034) id 07E342843A5; Wed, 11 Nov 2015 18:05:26 +0000 (UTC)
Date: Wed, 11 Nov 2015 18:05:26 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dnsop WG <dnsop@ietf.org>
Message-ID: <20151111180525.GF24882@mournblade.imrryr.org>
References: <20151105235402.39FFC3BF2F29@rock.dv.isc.org> <20151110152511.6f1a1c20@pallas.home.time-travellers.org> <20151110204330.C47C63C7D699@rock.dv.isc.org> <7B4B7DEA-C705-437E-8BC1-64D96D55014E@vpnc.org> <0F2DD78A-69C4-49DA-936F-C32D0FC97CC2@rfc1035.com> <5373DDAB-1ED2-489B-AB62-BA7CF6D3DB48@frobbit.se> <31988EDD-B2F3-4244-A75B-CAA2937A5B01@insensate.co.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <31988EDD-B2F3-4244-A75B-CAA2937A5B01@insensate.co.uk>
User-Agent: Mutt/1.5.24 (2015-08-30)
Archived-At: <http://mailarchive.ietf.org/arch/msg/dnsop/b_yY72Vr2eJPFs5kWg7i8Mptd_w>
Subject: Re: [DNSOP] Asking TLD's to perform checks.
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: dnsop@ietf.org
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2015 18:05:45 -0000
On Wed, Nov 11, 2015 at 12:22:05PM +0000, Lawrence Conroy wrote:
> ISTM that the IETF isn't in a position to force its suggestions through
> the 'industry'.
Who said anything about "forcing", I thought this was intended to
be a BCP. As for whether the checks are done by registries or
registrars: ideally both!
* Registrars check their customer domains and notify the customer.
* Registries checks all domains to apply soft pressure on
registrars with whose domains are notably more broken than
average.
For example, I've worked directly with some .nl registrars, and
indirectly with SIDN to resolve the highest visibility problems
wrt. DANE TLSA and .nl domains. Small pockets of problems remain,
and SIDN are doing proactive monitoring.
So in the last year or so, we've seen DNS server upgrades that
resolved issues at transip.nl, hostnet.nl, hosting2go.nl,
metaregistrar.nl and sonexo.nl. Still waiting on axc.nl, but IIRC
they're working on it. The incidence of broken DNSSEC TLSA lookup
in .nl is down by two orders of magnitude over the last year.
In the .se case, citynetwork.se fixed their firewall that was
dropping TLSA queries, and IIRC I was in touch with someone at at
the .se registry to help encourage them to do that.
My efforts don't scale, and I believe a sensibly worded BCP would
be quite useful. It would explain what's important to remediate
and why. I may motivate some proactive TLD operators and their
registrars to do the right thing voluntarily.
--
Viktor.
- Re: [DNSOP] Asking TLD's to perform checks. Jim Reid
- Re: [DNSOP] Asking TLD's to perform checks. Paul Hoffman
- [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. marius
- Re: [DNSOP] Asking TLD's to perform checks. Antoin Verschuren
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Antoin Verschuren
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Ralf Weber
- Re: [DNSOP] Asking TLD's to perform checks. Daniel Stirnimann
- Re: [DNSOP] Asking TLD's to perform checks. Shane Kerr
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] [ccnso-techwg] Re: Asking TLD's to pe… Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] Asking TLD's to perform checks. Paul Vixie
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Havard Eidnes
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Tony Finch
- Re: [DNSOP] Asking TLD's to perform checks. Stephane Bortzmeyer
- Re: [DNSOP] Asking TLD's to perform checks. Havard Eidnes
- Re: [DNSOP] Asking TLD's to perform checks. Stephane Bortzmeyer
- Re: [DNSOP] Asking TLD's to perform checks. Mark Andrews
- Re: [DNSOP] Asking TLD's to perform checks. Patrik Fältström
- Re: [DNSOP] Asking TLD's to perform checks. Lawrence Conroy
- Re: [DNSOP] Asking TLD's to perform checks. Viktor Dukhovni
- Re: [DNSOP] Asking TLDs to perform checks. Joe Abley
- Re: [DNSOP] Asking TLD's to perform checks. Frederico A C Neves
- Re: [DNSOP] Asking TLD's to perform checks. Tim Wicinski
- Re: [DNSOP] Asking TLD's to perform checks. Dr Eberhard W Lisse
- Re: [DNSOP] Asking TLD's to perform checks. Jelte Jansen