On Wed, Feb 04, 2015 at 09:12:03PM +0000, Viktor Dukhovni wrote:
As of today openprovider.eu seems to be resolved, leaving a top 10 list with:
    121 citynetwork.se
     10 grdns.cz
     10 binero.se
      7 metaregistrar.nl
      6 swedenmail.com
      5 dnscluster.nl
      2 pretecno.it
      2 papaki.gr
      2 kniestdns.nl
      2 forpsi.net
I am finally thrilled to announce that citynetwork.se are also done. A firewall was filtering out DNS queries with RRtypes it does not know about. Don't let your firewalls do this:
http://tools.ietf.org/html/draft-andrews-dns-no-response-issue-06#section-2....
The known broken domain count is now 87, and the top 9 list (47 domains total) is now:
     10 registry@binero.se
     10 admin@grdns.cz
      7 beheer@metaregistrar.nl
      6 alex@swedenmail.com
      5 hostmaster@dnscluster.nl
      3 hostmaster@papaki.gr
      2 hostmaster@pretecno.it
      2 hostmaster@kniestdns.nl
      2 admin@forpsi.net
It is now reasonably "safe" to enable outbound DANE verification. While a few folks are still struggling to keep their DNSSEC zones signed correctly, and some others occasionally neglect to update TLSA records before installing new certificates, the problem volume is now rather low by comparison with the 1050+ domains that work.
    https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.1
    https://tools.ietf.org/html/draft-ietf-dane-ops-07#section-8.4
    https://tools.ietf.org/html/rfc6781
We'll try to add more features to https://dane.sys4.de/ to help domain owners not get into trouble, to stay out of trouble, and get out of trouble quickly if/when they make mistakes. Stay tuned.
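
Added example, not part of the original message: a standard-library Python check for the firewall problem described above, where a nameserver answers A queries but silently drops TLSA or other unfamiliar RRtypes. The function names, the choice of type 1000 as an unassigned RRtype, and any server address passed in are assumptions of this example.

```python
import socket
import struct

# 52 = TLSA (RFC 6698); 1000 is this example's choice of an unassigned RRtype.
TYPE_A, TYPE_TLSA, TYPE_UNKNOWN = 1, 52, 1000

def build_query(qname, qtype, qid=0x1234):
    """Encode a minimal DNS query (no EDNS, RD clear), class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0000, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii")
                      for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)

def udp_send(server, packet, timeout=3.0):
    """Send one UDP query to server:53; return reply bytes, or None on timeout/socket error."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (server, 53))
            return s.recvfrom(4096)[0]
        except OSError:
            return None

def probe(server, qname, qtype, send=udp_send):
    """Return ('rcode', n) if a matching response arrived, else ('timeout', None)."""
    query = build_query(qname, qtype)
    reply = send(server, query)
    if reply is None or len(reply) < 12:
        return ("timeout", None)
    rid, flags = struct.unpack("!HH", reply[:4])
    if rid != struct.unpack("!H", query[:2])[0] or not flags & 0x8000:
        return ("timeout", None)  # wrong ID or QR bit clear: not our response
    return ("rcode", flags & 0x000F)

def classify(server, zone, mx_host, send=udp_send):
    """Compare an A probe with TLSA and unknown-type probes against one nameserver."""
    a = probe(server, zone, TYPE_A, send)
    tlsa = probe(server, "_25._tcp." + mx_host, TYPE_TLSA, send)
    unknown = probe(server, zone, TYPE_UNKNOWN, send)
    if a[0] == "timeout":
        return "unreachable"  # nothing answers, so RRtype filtering cannot be inferred
    if tlsa[0] == "timeout" or unknown[0] == "timeout":
        return "drops-unfamiliar-rrtypes"  # the failure mode described in the message
    return "ok"  # any rcode (NOERROR, NXDOMAIN, ...) counts as a response
```

Run `classify()` against each authoritative server address of the zone; a single UDP timeout can be packet loss, so repeat a probe before concluding that a type is filtered.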