On Thu, Oct 26, 2017 at 06:31:42AM +0000, Viktor Dukhovni wrote:
> After eliminating parked domains that do not accept email of any kind, the number of "real" email domains with bad DNSSEC support stands at 175. (The accenture.com domains from the previous report were all parked). The top 10 name server operators with problem domains are:
>
>      63 jsr-it.nl
>      17 firstfind.nl
>       7 active24.cz
>       5 tse.jus.br
>       4 glbns.com
>       3 cas-com.net
>       2 tiscomhosting.nl
>       2 sylconia.net
>       2 psyclonecontacts.net
>       2 ns01.nl
All previously seen problem domains served by jsr-it.nl nameservers no longer exhibit any issues with TLSA record lookup. Thus the problem domain count is now down to 125, with the top 10 now:
     22 firstfind.nl
      7 active24.cz
      5 tse.jus.br
      4 glbns.com
      3 metaregistrar.nl
      3 cas-com.net
      2 webhostingserver.nl
      2 tiscomhosting.nl
      2 sylconia.net
      2 psyclonecontacts.net
When firstfind.nl fix their nameserver bugs (their nameservers return NODATA, along with NSEC3 records that actually prove NXDOMAIN):
http://dnsviz.net/d/_25._tcp.econo.nl/dnssec/
we'll have exhausted all the major concentrations of DNS problems, with the remaining issues being largely confined to individual domains, and not systemic at DNS hosting providers.
I should note that the 7 problem domains at active24.cz are not systemic issues with their DNS software. Rather, some hosted domains have bad wildcard CNAME records (presumably misconfigured by the customer). For example:
    _25._tcp.greif-cz.cz. CNAME www.greif-cz.cz.greif-cz.cz.
    www.greif-cz.cz.greif-cz.cz. CNAME www.greif-cz.cz.greif-cz.cz.
Clearly a missing trailing "." on the CNAME RHS, which creates a CNAME loop, and so TLSA lookups ServFail. I don't know whether fixing this is something that active24 can be expected to do. It may well be that each customer is fully in control of whatever data, good or bad, appears in their zone file, and it is not up to the hoster to attempt to fix it...
    _25._tcp.mflight.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.gurmanunicov.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.bdsoft.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.kotatko-kamenivo-kura.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.talka.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.electrochmelar.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.greif-cz.cz. IN TLSA ? ; ServFail AD=0
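The wildcard-CNAME loop above is easy to catch before a zone is published. The following is an added example (not code from the message or from any of the DNS operators named): a small zone linter and resolver model, with a constructed zone for greif-cz.cz that reproduces the missing-trailing-dot bug, plus the corrected zone for comparison. It applies zone-file semantics (a name without a trailing "." is relative to $ORIGIN), synthesises wildcard answers the way RFC 4592 describes, and walks the CNAME chain so the loop is reported instead of appearing only as a ServFail at the resolver. The lint heuristic (a CNAME target whose trailing labels repeat) is an assumption of this example, not a DNS rule, and can flag legitimate names.

```python
"""Zone lint for the 'relative CNAME target' mistake (constructed example)."""

# Constructed zone: the wildcard CNAME target lacks a trailing dot, so the
# origin gets appended and every name under the zone points at a looping name.
ZONE_BROKEN = """\
$ORIGIN greif-cz.cz.
@        IN MX    10 mail
mail     IN A     192.0.2.25
www      IN A     192.0.2.10
*        IN CNAME www.greif-cz.cz      ; BUG: relative name, origin is appended
"""

# Same zone with the trailing dot present.
ZONE_FIXED = ZONE_BROKEN.replace("www.greif-cz.cz      ;", "www.greif-cz.cz.     ;")


def absolutize(name, origin):
    """Zone-file rule: '@' is the origin, a name without a final '.' is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse 'owner [IN] type rdata' lines into {owner: [(type, rdata), ...]}."""
    origin, records = ".", {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1] if fields[1].endswith(".") else fields[1] + "."
            continue
        if fields[1].upper() == "IN":
            del fields[1]
        owner = absolutize(fields[0], origin)
        rtype, rdata = fields[1].upper(), " ".join(fields[2:])
        if rtype == "CNAME":  # the RHS is a domain name and is subject to $ORIGIN
            rdata = absolutize(rdata, origin)
        records.setdefault(owner, []).append((rtype, rdata))
    return records


def name_exists(records, name):
    """A name exists if it owns records or is an empty non-terminal."""
    return name in records or any(o.endswith("." + name) for o in records)


def ancestors(name):
    """Yield the parents of a name from closest to the root."""
    labels = name.rstrip(".").split(".")
    for i in range(1, len(labels)):
        yield ".".join(labels[i:]) + "."
    yield "."


def find_rrset(records, name):
    """Return (rrset, exists) for a name, synthesising wildcard answers (RFC 4592)."""
    if name in records:
        return records[name], True
    if name_exists(records, name):
        return [], True  # empty non-terminal: NODATA, not NXDOMAIN
    for anc in ancestors(name):
        if name_exists(records, anc):  # closest encloser
            wild = "*." + anc
            return records.get(wild, []), wild in records
    return [], False


def resolve(records, qname, qtype, max_chain=8):
    """Follow CNAMEs like a resolver; report a loop instead of a bare ServFail."""
    chain, name = [], qname
    while len(chain) <= max_chain:
        if name in chain:
            return "CNAME_LOOP", chain + [name]
        chain.append(name)
        rrset, exists = find_rrset(records, name)
        answers = [rd for t, rd in rrset if t == qtype]
        if answers:
            return "NOERROR", answers
        cnames = [rd for t, rd in rrset if t == "CNAME"]
        if not cnames:
            return ("NODATA" if exists else "NXDOMAIN"), chain
        name = cnames[0]
    return "CHAIN_TOO_LONG", chain


def lint_cnames(records):
    """Heuristic (assumption of this example): a CNAME target whose trailing labels
    repeat, e.g. www.greif-cz.cz.greif-cz.cz., was probably meant to be absolute.
    Returns (owner, target, suggested_target) tuples."""
    findings = []
    for owner, rrset in records.items():
        for rtype, target in rrset:
            if rtype != "CNAME":
                continue
            labels = target.rstrip(".").split(".")
            for n in range(1, len(labels) // 2 + 1):
                if labels[-n:] == labels[-2 * n:-n]:
                    findings.append((owner, target, ".".join(labels[:-n]) + "."))
                    break
    return findings


if __name__ == "__main__":
    for label, text in (("broken", ZONE_BROKEN), ("fixed", ZONE_FIXED)):
        recs = parse_zone(text)
        print(label, resolve(recs, "_25._tcp.greif-cz.cz.", "TLSA"), lint_cnames(recs))
```

In the broken zone the TLSA query for _25._tcp.greif-cz.cz. matches the wildcard, is redirected to www.greif-cz.cz.greif-cz.cz., which matches the wildcard again and points at itself; the linter suggests www.greif-cz.cz. as the intended target. In the fixed zone the same query lands on www.greif-cz.cz., which has only an A record, so the answer is NODATA and an SMTP client simply sees no TLSA record rather than a ServFail.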