On Wed, Nov 11, 2015 at 12:22:05PM +0000, Lawrence Conroy wrote:
> ISTM that the IETF isn't in a position to force its suggestions through
> the 'industry'.

Who said anything about "forcing"? I thought this was intended to be a BCP.

As for whether the checks are done by registries or registrars: ideally both!

* Registrars check their customer domains and notify the customer.
* Registries check all domains to apply soft pressure on registrars whose domains are notably more broken than average.

For example, I've worked directly with some .nl registrars, and indirectly with SIDN, to resolve the highest visibility problems wrt. DANE TLSA and .nl domains. Small pockets of problems remain, and SIDN are doing proactive monitoring. So in the last year or so, we've seen DNS server upgrades that resolved issues at transip.nl, hostnet.nl, hosting2go.nl, metaregistrar.nl and sonexo.nl. Still waiting on axc.nl, but IIRC they're working on it. The incidence of broken DNSSEC TLSA lookup in .nl is down by two orders of magnitude over the last year.

In the .se case, citynetwork.se fixed their firewall that was dropping TLSA queries, and IIRC I was in touch with someone at the .se registry to help encourage them to do that.

My efforts don't scale, and I believe a sensibly worded BCP would be quite useful. It would explain what's important to remediate and why. It may motivate some proactive TLD operators and their registrars to do the right thing voluntarily.

-- 
    Viktor.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
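The two-tier monitoring the post sketches (registrars notifying their own customers, registries comparing registrars against the average) can be expressed as a small analysis over per-domain TLSA lookup results. The following is an added example, not code from the thread or from SIDN or any registry; it assumes the lookup results have already been gathered by a validating resolver (that collection step is out of scope here), and the outcome labels, registrar names and check results are all constructed for illustration.

```python
"""Registrar-level DANE TLSA health summary (added example, constructed data).

Assumes a validating resolver has already queried _25._tcp.<mx> style TLSA
names for each domain and recorded one coarse outcome per domain. The
outcome labels below are this example's own, not protocol constants.
"""
from collections import defaultdict
from dataclasses import dataclass

OK = "ok"                # validated NOERROR or NODATA: the lookup itself works
SERVFAIL = "servfail"    # resolver returned SERVFAIL (validation or server error)
TIMEOUT = "timeout"      # no reply at all, e.g. a firewall dropping TLSA queries
NOT_VALIDATED = "no-ad"  # reply came back unvalidated although the zone is signed


@dataclass(frozen=True)
class TlsaCheck:
    domain: str
    registrar: str   # constructed registrar label, not a real operator
    outcome: str


def is_broken(check: TlsaCheck) -> bool:
    """A TLSA lookup counts as broken when no validated answer was obtained."""
    return check.outcome in (SERVFAIL, TIMEOUT, NOT_VALIDATED)


def broken_domains(checks, registrar):
    """Registrar view: the customer domains this registrar should notify."""
    return sorted(c.domain for c in checks if c.registrar == registrar and is_broken(c))


def breakage_by_registrar(checks):
    """Return {registrar: (broken_count, total_count)}."""
    counts = defaultdict(lambda: [0, 0])
    for c in checks:
        counts[c.registrar][1] += 1
        if is_broken(c):
            counts[c.registrar][0] += 1
    return {r: (b, t) for r, (b, t) in counts.items()}


def flag_outliers(checks, factor=2.0):
    """Registry view: registrars whose broken fraction exceeds factor times
    the overall fraction across all checked domains."""
    per = breakage_by_registrar(checks)
    total = sum(t for _, t in per.values())
    if total == 0:
        return []
    overall = sum(b for b, _ in per.values()) / total
    return sorted(r for r, (b, t) in per.items() if t and b / t > factor * overall)


# Constructed sample: three hypothetical registrars, ten domains each.
SAMPLE_CHECKS = (
    [TlsaCheck(f"d{i}.example", "registrar-a.example", OK) for i in range(9)]
    + [TlsaCheck("d9.example", "registrar-a.example", SERVFAIL)]
    + [TlsaCheck(f"e{i}.example", "registrar-b.example", OK) for i in range(10)]
    + [TlsaCheck(f"f{i}.example", "registrar-c.example", TIMEOUT) for i in range(6)]
    + [TlsaCheck(f"f{i}.example", "registrar-c.example", OK) for i in range(6, 10)]
)

if __name__ == "__main__":
    for reg, (b, t) in sorted(breakage_by_registrar(SAMPLE_CHECKS).items()):
        print(f"{reg}: {b}/{t} broken, notify: {broken_domains(SAMPLE_CHECKS, reg)}")
    print("above-average registrars:", flag_outliers(SAMPLE_CHECKS))
```

With the constructed data the overall breakage is 7 of 30 domains; only the registrar with six timeouts out of ten exceeds twice that rate and is flagged, while a single SERVFAIL at another registrar is left to the registrar-to-customer notification path. The factor is a policy knob; a registry would tune it to how much "soft pressure" it wants to apply.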