Hi Guys

On 17 Dec 2021, at 09.34, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:


On 17 Dec 2021, at 3:28 am, Jan-Pieter Cornet <johnpc@xs4all.net> wrote:

I regret to inform you that XS4ALL stopped using DANE, both inbound for xs4all.nl and outbound.

The reason is that the XS4ALL systems are being dismantled, and the customers are moving to KPN, who do not use nor publish DANE records.


:-(

Oh well, perhaps one of these days we can convince KPN to pick up the mantle...

KPN are using Halons as far as I recall, so it should be possible. Time for a little Viktor nudging?


If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I saw a bounce from one.com indicating that possibly one of their systems still expects DANE records for xs4all.nl.

This is odd, because the whole point of DANE is that one generally does not
need to pin local DANE policy, it is enforced when the TLSA records
are published for the MX hosts, and not otherwise.


We do not have any such local strict dane list - I suspect it might be a case of DNS TTLs, when the TLSA records were removed,
but I asked Jan-Pieter for a log snippet off-list in order to investigate.

I can't rule out local policy enforcing DANE, but this should only
happen by prior coordination with and consent of the receiving
systems.  Otherwise, ... expect breakage.

Survey says, ... you're no longer doing DANE:

https://stats.dnssec-tools.org/explore/?xs4all.nl

--
Viktor.



Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com