On Wed, Nov 11, 2015 at 07:43:30AM +1100, Mark Andrews wrote:

> Perhaps we should be getting Jari, Suzanne and Andrew to push this
> at IGF meetings.

Not knowing what IGF meetings are, I can't comment on this specific point.

> So we don't say what's right because you fear that not everybody
> will perform the actions. We don't need to get every TLD to check
> to have a real impact. We just need several to check and inform,
> preferably big ones. Lots of zones are hosted by big players and
> getting them fixed has a big impact on the overall health of the
> DNS. e.g. UltraDNS and related companies fixing their service
> resulted in an 18% fix for the root and TLD servers, a 5% fix for
> the Alexa top 1000, a 2% fix for Gov servers in the Alexa top 1M
> and about the same for the AU servers in the Alexa top 1M. The
> bottom 1000 is too noisy to see if there was a change there. See
> the Sep 28 2015 steps in <https://ednscomp.isc.org/compliance/ts/allok.html>.

I strongly support publication of a BCP that explains a best practice in this space. Even my meager efforts at remediating problems in this space, without access to comprehensive domain lists or good contact information for some of the parties, have been effective at reducing barriers to DANE adoption for SMTP by an order of magnitude, but we can and should do better, and registries/registrars are far better positioned to take the appropriate action.

I've been forwarding links to Mark's draft to various guilty parties, as it provides a solid explanation of why their nameservers are wrong and how they should behave. It would be even more useful as an RFC.

The reason that the TLSA records for fbi.gov are not broken is that they no longer drop TLSA queries, the folly of which is explained in the draft. I have not yet had much luck with disa.mil, who operate the nameservers for mail.mil. This would be much easier if, for example, .gov and .mil conducted periodic tests of their delegated domains.

> This is actually IETF business. We can set community consensus of
> what is a reasonable requirement. If nothing else ICANN will come
> back to us looking for checks to be enforced. Additionally the
> CCtlds are not bound by ICANN but by RFCs.

Indeed.

-- 
	Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
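As an added example (not code from this thread, from Mark's draft, or from the ednscomp project), the following Python script performs the kind of per-domain check the message asks registries such as .gov and .mil to run: it sends an A query and a TLSA (type 52) query for the same name to a given authoritative server and reports whether the TLSA query is answered with NOERROR, answered with an error code such as REFUSED, or silently dropped, which is the behaviour that breaks DANE for SMTP. The server address, the test name and the three-second timeout are assumptions; the script speaks raw DNS over UDP with only the standard library, so no resolver library is required.

```python
"""
Probe an authoritative nameserver for TLSA-query handling.
Added example, not part of the mailing-list thread or the draft.
Usage: python tlsa_probe.py <server-ip> <name>
"""
import os
import socket
import struct
import sys

TYPE_A = 1
TYPE_TLSA = 52
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
               3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}


def rcode_name(rcode):
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels plus root."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not raw or len(raw) > 63:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype, txid):
    """Minimal query: 12-byte header with all flags clear (no RD, no EDNS
    OPT record) and one question in class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_header(data):
    """Return (txid, rcode, qr, ancount) from a DNS message header."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return txid, flags & 0x000F, (flags >> 15) & 1, an


def classify(a_reply, tlsa_reply):
    """Classify a server from the raw replies to an A and a TLSA query
    for the same name. None stands for a timed-out query.
    A name that answers A with NOERROR must answer TLSA with NOERROR
    (an empty answer section, i.e. NODATA, is fine)."""
    if a_reply is None:
        return "unreachable"
    a_rcode = parse_header(a_reply)[1]
    if a_rcode != 0:
        return "a-" + rcode_name(a_rcode)
    if tlsa_reply is None:
        return "drops-tlsa"
    t_rcode = parse_header(tlsa_reply)[1]
    return "ok" if t_rcode == 0 else "tlsa-" + rcode_name(t_rcode)


def ask(server, name, qtype, timeout=3.0):
    """Send one UDP query; return the raw reply or None on timeout.
    Replies whose txid does not match, or that lack QR, are ignored."""
    txid = struct.unpack("!H", os.urandom(2))[0]
    query = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        for _ in range(3):
            try:
                data, _addr = sock.recvfrom(4096)
            except socket.timeout:
                return None
            if len(data) >= 12:
                rid, _rc, qr, _an = parse_header(data)
                if rid == txid and qr == 1:
                    return data
    return None


def probe(server, name):
    """Hypothetical entry point: A first, then TLSA for the same name."""
    return classify(ask(server, name, TYPE_A), ask(server, name, TYPE_TLSA))


if __name__ == "__main__":
    print(probe(sys.argv[1], sys.argv[2]))
```

A result of "drops-tlsa" is the case the draft calls out: the server answered the A query but never answered the TLSA query at all, so a validating MTA sees a timeout rather than a NODATA response and cannot tell "no TLSA record" from "server unreachable". Running this over a delegation list with the delegated nameservers as the target is the periodic test suggested above.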