Hi Guys
On 17 Dec 2021, at 09.34, Viktor Dukhovni ietf-dane@dukhovni.org wrote:
On 17 Dec 2021, at 3:28 am, Jan-Pieter Cornet johnpc@xs4all.net wrote:
I regret to inform you that XS4ALL stopped using DANE, both inbound for xs4all.nl and outbound.
The reason is that the XS4ALL systems are being dismantled, and the customers are moving to KPN, who do not use nor publish DANE records.
:-(
Oh well, perhaps one of these days we can convince KPN to pick up the mantle...
KPN are using Halons as far as I recall, so it should be possible. Time for a little Viktor nudging?
If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I saw a bounce from one.com indicating that possibly one of their systems still expects DANE records for xs4all.nl.
This is odd, because the whole point of DANE is that one generally does not need to pin local DANE policy; it is enforced when the TLSA records are published for the MX hosts, and not otherwise.
We do not have any such local strict dane list - I suspect it might be a case of DNS TTLs, when the TLSA records were removed, but I asked Jan-Pieter for a log snippet off-list in order to investigate.
I can't rule out local policy enforcing DANE, but this should only happen by prior coordination with and consent of the receiving systems. Otherwise, ... expect breakage.
Survey says, ... you're no longer doing DANE:
https://stats.dnssec-tools.org/explore/?xs4all.nl
-- Viktor.
Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com
http://one.com/
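The DNS TTL effect suspected in the message above, as an added example that is not part of the original thread: a toy caching resolver shows a sender still treating an MX host as DANE-enabled until the cached TLSA RRset expires, even though the records were withdrawn earlier. The host name, TTL values, placeholder digest and all function and class names are assumptions constructed for illustration, and every DNS answer is assumed to be DNSSEC-validated.

```python
from dataclasses import dataclass

NEGATIVE_TTL = 300  # assumed negative-caching time for "no TLSA records" answers

@dataclass
class CacheEntry:
    records: tuple   # TLSA RRset as returned; empty tuple means "none published"
    expires_at: int  # absolute time (seconds) after which the entry is re-queried

class CachingResolver:
    """Toy validating resolver; every answer is assumed DNSSEC-secure."""
    def __init__(self, zone):
        self.zone = zone   # authoritative data: qname -> (records, ttl)
        self.cache = {}

    def lookup_tlsa(self, qname, now):
        entry = self.cache.get(qname)
        if entry is None or now >= entry.expires_at:
            records, ttl = self.zone.get(qname, ((), NEGATIVE_TTL))
            entry = self.cache[qname] = CacheEntry(records, now + ttl)
        return entry.records

def delivery_policy(resolver, mx_host, now):
    """DANE is enforced per MX host only while a TLSA RRset is visible."""
    records = resolver.lookup_tlsa(f"_25._tcp.{mx_host}", now)
    return "dane-required" if records else "opportunistic-tls"

def simulate():
    mx = "mx.example.nl"                      # constructed host name
    qname = f"_25._tcp.{mx}"
    # constructed TLSA record (usage 3, selector 1, matching type 1), TTL 3600 s
    zone = {qname: ((("3 1 1", "<placeholder-digest>"),), 3600)}
    resolver = CachingResolver(zone)
    timeline = [(0, delivery_policy(resolver, mx, 0))]
    del zone[qname]                           # operator withdraws DANE just after t=0
    for t in (1800, 3599, 3600, 4000):
        timeline.append((t, delivery_policy(resolver, mx, t)))
    return timeline

if __name__ == "__main__":
    for t, policy in simulate():
        print(f"t={t:>4}s  {policy}")
```

Until the cached RRset expires the sender still requires a TLSA match, so delivery fails if the receiving side's certificate or TLS setup has changed in the meantime.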