On Tue, Jan 20, 2015 at 05:39:22PM +0000, Viktor Dukhovni wrote:
I am pleased to report that transip.nl/ns0.nl have fixed all the remaining problem domains on my list. If any remain to be fixed that I did not manage to find, they should be fixed shortly.
I am now pleased to report that forpsi.cz have fixed all but two of their domains (corner case not addressed by main fix). With any luck hostnet.nl will follow relatively soon.
The top 9 problem DNS hosting providers are now:
    481 hostnet.nl
    121 citynetwork.se
     17 interstroom.nl
     10 grdns.cz
     10 binero.se
      6 metaregistrar.nl
      6 swedenmail.com
      5 openprovider.eu
      4 thosting.cz
These account for 660 out of 749 total domains with TLSA record lookup issues. The last 89 domains are part of the long tail that'll have to be fixed by their respective owners (many may well be parked or in any case not used for email).
We finally have more DANE-enabled domains (1007 at last count) than broken domains (749). I expect that soon the broken domain count will be practically insignificant.
At hostnet.nl, the nameserver mishandles denial of existence. I have not heard directly from them, but the .NL registry is, I believe, working with them on remediation.
At citynetwork.se, a firewall drops IPv4 UDP TLSA queries, while allowing the same queries via IPv4 TCP or IPv6 UDP and TCP. There's an open ticket for the citynetwork.se issue, but progress has been very slow. If anyone on this list is a customer of citynetwork, please encourage them to address ticket #AJP-503-19284.
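
Added example, not part of the original message: a minimal per-transport TLSA lookup check that flags the pattern described for citynetwork.se, where the IPv4 UDP query gets no reply while the same query over TCP or IPv6 is answered. The host name `mail.example.net`, the transport labels and all function names are assumptions made for illustration; `probe` needs network access, the rest runs offline.

```python
import socket
import struct

TLSA = 52  # RR type number for TLSA records

def build_tlsa_query(mx_host, port=25, qid=0x1234):
    """Wire-format query for _<port>._tcp.<mx_host> IN TLSA (RD clear)."""
    qname = b""
    for label in f"_{port}._tcp.{mx_host}".rstrip(".").split("."):
        raw = label.encode("ascii")
        qname += bytes([len(raw)]) + raw
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", TLSA, 1)

def probe(server, query, family=socket.AF_INET, tcp=False, timeout=3.0):
    """Send the query over one transport; return reply bytes, or None if none arrives."""
    kind = socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM
    try:
        with socket.socket(family, kind) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            if not tcp:
                s.send(query)
                return s.recv(4096)
            # DNS over TCP prefixes each message with a 2-byte length
            s.sendall(struct.pack("!H", len(query)) + query)
            stream = s.makefile("rb")
            size = struct.unpack("!H", stream.read(2))[0]
            return stream.read(size)
    except (OSError, struct.error):
        return None

def classify(reply):
    """Reduce one reply to the outcome a DANE-validating MTA cares about."""
    if reply is None or len(reply) < 12:
        return "no reply"
    flags, _qd, ancount = struct.unpack("!HHH", reply[2:8])
    rcode = flags & 0x000F
    if rcode == 0:
        return "TLSA answer" if ancount else "NODATA"
    return "NXDOMAIN" if rcode == 3 else f"error rcode {rcode}"

def udp_filtered(results):
    """True when IPv4 UDP gets no reply while some other transport does."""
    outcomes = {name: classify(reply) for name, reply in results.items()}
    others = [o for n, o in outcomes.items() if n != "ipv4-udp"]
    return outcomes.get("ipv4-udp") == "no reply" and any(o != "no reply" for o in others)

if __name__ == "__main__":
    q = build_tlsa_query("mail.example.net")   # constructed host name
    nodata = q[:2] + b"\x84\x00" + q[4:]       # constructed reply: QR+AA, rcode 0, no answers
    print(udp_filtered({"ipv4-udp": None, "ipv4-tcp": nodata, "ipv6-udp": nodata}))
```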