On Wed, Mar 18, 2015 at 09:15:46AM +0000, Viktor Dukhovni wrote:
> Today grdns.cz fixed their 10 domains. The known broken domain count is now 74, and the top 8 list (30 domains total) is now:
> 10 registry@binero.se ...
The binero.se domains are now practically fixed. I say "practically", because one of the nameserver clusters (that they manage directly) is now working fine, which is enough for mail to go through even if it takes a few extra queries to get a valid response into the cache.
The clusters operated by an outside provider are still running obsolete DNSSEC software. Binero and I will be reaching out to the provider to encourage them to address the issue in a timely manner. With luck, that should remediate any additional customers of that provider.
Today also saw the remediation of 26 sub-domains (which shared 3 MX hosts) of "jus.br".
So while, as a result of testing more domains, the count of problem domains had crept up to ~100 recently, it is now back down to 84, and I've reached out to the provider for 25 of those and hope to make some progress.
The issues are mostly the usual ones:
* Incorrect handling of "denial of existence" in older versions of PowerDNS.
* Blocking of queries with "unexpected" RRtypes for "security" reasons. This sadly includes "TLSA" queries in some nameservers.
[ Avoid the "security" features of InfoBlox and Arbor Networks DNS servers that do this. ]
* Similar blocking in firewalls that filter DNS queries.
* Use of secondary nameservers that only support NSEC records to slave domains that use NSEC3.
You can check for properly working DNSSEC via:
http://dnsviz.net/d/_25._tcp.<mxhostname>/dnssec/
There should be zero "bogus" replies and no "errors" or "warnings".
For comparison my list of working DANE enabled domains now has ~1800 entries. Keep adding more, but don't forget:
https://dane.sys4.de/common_mistakes
and especially:
https://dane.sys4.de/common_mistakes#3
In other news, the draft-ietf-dane-ops document is scheduled for the IESG telechat today, and should soon reach the RFC editor queue.
This will unblock the publication of the SMTP draft, which was waiting for this normative reference to get approved. Thus I expect that the SMTP, SRV and "ops" drafts will soon all be proper standards-track RFCs. Perhaps that'll help with mainstream adoption.
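The failure modes listed above (TLSA queries dropped by "security" filters, SERVFAIL from a validating resolver when denial of existence is broken, TLSA data that comes back without the AD bit) can be distinguished with a single EDNS0/DO query for `_25._tcp.<mxhostname>` TLSA. The following stdlib-only checker is an added example, not code from the original post or from any of the projects it mentions: it builds the query by hand, parses the reply, and maps it to a verdict. It assumes a validating resolver on 127.0.0.1 (change `resolver` if yours differs), the hostname `mx.example.com` is a placeholder, and the `make_response` helper produces constructed wire-format replies purely so the classifier can be exercised offline.

```python
import socket
import struct
import sys

TYPE_TLSA = 52
TYPE_RRSIG = 46
CLASS_IN = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Wire-encode a dotted name (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=TYPE_TLSA, txid=0x1234):
    """RD query with an EDNS0 OPT record carrying the DO bit, so a validating
    resolver returns RRSIGs and sets AD when the answer validates."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)  # DO=1
    return header + question + opt


def skip_name(data, off):
    """Advance past a (possibly compressed) name and return the new offset."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends name
            return off + 2
        off += 1 + length


def parse_response(data):
    """Return rcode, AD/TC flags and the TLSA/RRSIG counts in the answer section."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(data, off) + 4  # qtype + qclass
    tlsa = rrsig = 0
    for _ in range(an):
        off = skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10 + rdlen
        if rtype == TYPE_TLSA:
            tlsa += 1
        elif rtype == TYPE_RRSIG:
            rrsig += 1
    return {"rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "ad": bool(flags & 0x0020), "tc": bool(flags & 0x0200),
            "tlsa": tlsa, "rrsig": rrsig}


def classify(result):
    """Map a parsed reply (None = no reply at all) to one of the post's failure modes."""
    if result is None:
        return "blocked: no reply, TLSA query probably filtered by nameserver or firewall"
    if result["rcode"] == "SERVFAIL":
        return "bogus: SERVFAIL from validating resolver (e.g. broken denial of existence)"
    if result["rcode"] == "REFUSED":
        return "broken: REFUSED for TLSA qtype"
    if result["tlsa"] == 0:
        return "no TLSA records (not DANE-enabled, or denial of existence; confirm with dnsviz)"
    if not result["ad"]:
        return "insecure: TLSA present but not DNSSEC-validated (AD not set)"
    return "ok: %d validated TLSA record(s)" % result["tlsa"]


def check_tlsa(mxhost, resolver="127.0.0.1", timeout=5.0):
    """Send the query over UDP; a timeout is reported as None (blocked)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query("_25._tcp." + mxhost), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return None
    finally:
        sock.close()
    return parse_response(data)


def make_response(rcode=0, ad=True, tlsa_rdata=()):
    """Constructed sample reply for offline demonstration only (not captured traffic)."""
    flags = 0x8180 | (0x0020 if ad else 0) | rcode
    qname = encode_name("_25._tcp.mx.example.com")  # placeholder name
    answers = b""
    for rdata in tlsa_rdata:
        answers += qname + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, len(tlsa_rdata), 0, 0)
    return header + qname + struct.pack("!HH", TYPE_TLSA, CLASS_IN) + answers


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "mx.example.com"
    print(host, "->", classify(check_tlsa(host)))
```

Run it as `python3 tlsa_check.py <mxhostname>` against a resolver you know validates; an "ok" verdict here is only as trustworthy as that resolver, so a "bogus" or "blocked" result is the actionable signal, and the dnsviz URL above remains the place to see which nameserver in the delegation chain is at fault.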