On Mon, Jan 19, 2015 at 04:41:42PM +0000, Viktor Dukhovni wrote:
> There are just six more that I know of for a total of 10, in contrast to 962 domains with conformant certificate usages.
Just to update the statistics, that's 971 conformant domains as of this morning. In addition 6 domains with TLSA records that don't match reality. Mail to these domains MUST fail:
    webseitendesigner.com
    webseitenserver.com
    xworks.net
    joworld.net
    hasno.info
    castleturing.net
Finally, there are DNSSEC hosting providers whose nameservers don't implement denial of existence correctly. Their NODATA or NXDOMAIN responses for "_25._tcp.<mxhost> IN TLSA ?" are "bogus". When they also don't have a working backup MX, mail to such domains is expected to fail.
This applies to 1507 domains in my survey (which found ~28000 DNSSEC enabled domains some of whose MX hosts also lie in signed zones).
Only 7 of the problem domains are large enough to appear as sending or receiving email domains in Google's email transparency report:
    belgievacature.be
    walmart.com.br
    disa.mil
    nederlandvacature.nl
    prorun-mail.nl
    patriotguard.org
    sourceware.org
Out of the 1496 domains, 1420 are managed by the top 10 (by count of non-working domains) providers:
    871 forpsi.com/forpsi.net
    467 hostnet.nl
     27 transip.nl/ns0.nl
     16 interstroom.nl
     10 grdns.cz
      8 binero.se
      7 metaregistrar.nl
      5 openprovider.eu
      5 active24.cz
      4 thosting.cz
The remaining 27 "transip" domains will likely be fixed in a matter of days. Transip are making good progress, and have already fixed ~1000 previously problematic domains. The .nl and .cz registries are aware of the hostnet.nl and forpsi.cz issues, and I believe that these are slated to be fixed near term.
That would leave just 1496 - 1338 = 158 small domains with nameserver issues, many of which are likely parked or only used for HTTP, and are unlikely to be seen by anyone not specifically looking for problem domains.
Fixing this "long tail" of the distribution will take more time, but most DANE senders are unlikely to run into any issues.
If you do run into a domain to which you're sending email, but delivery consistently fails because TLSA record lookups SERVFAIL or time out, check the problem domain at https://dane.sys4.de, and the specific TLSA RRset at dnsviz.net. These should confirm whether the problem is on your end or not. For example, see the litany of woes for "sourceware.org":
http://dnsviz.net/d/_25._tcp.sourceware.org/dnssec/
or the more mundane (looks like an out of date PowerDNS, an upgrade to 3.3.1 or later should fix it) denial of existence problem at the MX host for "belgievacature.be":
http://dnsviz.net/d/_25._tcp.mail.nrdbv.nl/dnssec/
If the problem is confirmed, please notify the administrative contact of the other domain (send a notice from Gmail or similar, or temporarily disable DANE for that domain, ...). Let them know their DNSSEC implementation has problems. They may need to upgrade PowerDNS, replace or patch djbdns, or fix firewall configurations that drop TLSA queries.
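As an added diagnostic (not part of Viktor's message): a small Python helper that issues the same "_25._tcp.<mxhost> IN TLSA" query through dig and classifies the answer into the outcomes that matter for a DANE-aware sender, so "bogus" (SERVFAIL or timeout) can be told apart from a signed NODATA or a plain unsigned zone before you go chasing the other side's administrators. Assumptions: BIND's dig is installed and the resolver you point it at validates DNSSEC; the sample dig outputs embedded below are constructed, not captured from any of the domains named above.

```python
# Added example (not from the original message): classify a "_25._tcp.<mxhost> IN TLSA"
# lookup the way a DANE-aware MTA sees it. Assumes BIND's dig and a *validating*
# resolver; the AD flag means nothing from a non-validating one.
import re
import subprocess

def classify_dig_output(text: str) -> str:
    """'bogus'         SERVFAIL/timeout: cannot be validated, delivery is deferred
    'secure-tlsa'   signed TLSA RRset: DANE applies, the certificate must match
    'secure-nodata' signed denial of existence: MX host has no TLSA records
    'insecure-*'    unsigned zone: DANE does not apply"""
    status = re.search(r"status: ([A-Z]+)", text)
    if status is None or status.group(1) not in ("NOERROR", "NXDOMAIN"):
        return "bogus"  # SERVFAIL, or no reply at all (timeout)
    flags = re.search(r"^;; flags: ([^;]*);", text, re.M)
    validated = flags is not None and "ad" in flags.group(1).split()
    # TLSA record in the answer section; RRSIG lines read "IN RRSIG" and don't match
    has_tlsa = re.search(r"^\S+\s+\d+\s+IN\s+TLSA\s", text, re.M) is not None
    return ("secure-" if validated else "insecure-") + ("tlsa" if has_tlsa else "nodata")

def lookup_tlsa(mxhost: str, resolver: str = "") -> str:
    """Query the MX host's SMTP TLSA name with dig and classify it (needs network)."""
    cmd = ["dig", "+dnssec", "+adflag", "+time=5", "+tries=2"]
    if resolver:
        cmd.append("@" + resolver)
    cmd += ["-t", "TLSA", "_25._tcp." + mxhost]
    try:
        out = subprocess.run(cmd, capture_output=True, text=True, timeout=30).stdout
    except (OSError, subprocess.TimeoutExpired):
        out = ""  # no usable answer: classified as 'bogus'
    return classify_dig_output(out)

# Constructed sample dig outputs (not captured from any real domain).
SAMPLE_SECURE_TLSA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
_25._tcp.mx.example.invalid. 3600 IN TLSA 3 1 1 0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF
_25._tcp.mx.example.invalid. 3600 IN RRSIG TLSA 8 5 3600 20150301000000 20150201000000 12345 example.invalid. dGVzdA==
"""
SAMPLE_SECURE_NODATA = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 4, ADDITIONAL: 1
"""
SAMPLE_BOGUS = """\
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
```

Run `lookup_tlsa("mail.example.invalid", "127.0.0.1")` against your own validating resolver; a "bogus" verdict that dnsviz confirms is the other side's denial-of-existence or firewall problem described above.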