On Mon, Nov 09, 2015 at 03:15:25PM +0000, Viktor Dukhovni wrote:

> I've had some luck getting .gov domains to fix the issue, for
> example, loc.gov (and around 15 associated domains) and fbi.gov
> used to not work, but now do.
>
> Yes, indeed the .mil MX host nameservers are configured with
> misguided "security" settings to drop queries for "unexpected"
> RRtypes.
>
> https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-13#section-1
>
> https://tools.ietf.org/html/draft-andrews-dns-no-response-issue-13#section-2.6
>
> I've reported the problem to .gov registrar for forwarding to the
> .mil folks, but I'm not expecting any immediate miracles. This
> will likely take some time.
I've identified working contacts at disa.mil and have a ticket open to track this problem. If all goes well, mail.mil and related domains will be remediated at the completion of a suitably lengthy process given the size and complexity of the relevant organizations and the likely number of folks who'll need to agree to the required changes. (The DNS and firewall folks will have to agree that there is a problem and to take steps to correct it).

My list of domains with DNS issues now stands at 176, of which 29 are slated to be resolved by isphuset.no and 32 by mail.mil, leaving 115 others, none of which handle very many domains (that I've been able to find). Of these only 48 have problems across all their nameservers; for the rest there are just intermittent delays when you hit "the wrong" nameserver.

I won't have the cycles to engage the "long tail" of operators. The vast majority of users will never send any email to these domains. Only one of those with across-the-board nameserver issues has sent or received enough mail to have appeared in Google's email transparency report at some point in the last couple of years: patriotguard.org.

    patriotguard.org. MX 10 svcs.patriotguard.org.
    patriotguard.org. NS ns1.patriotguard.org.
    patriotguard.org. NS ns2.patriotguard.org.

So, bottom line, interoperability issues are minor, even though we're in the very early stages of deployment, and so the problem sites don't yet see any significant degradation in service. Things should continue to improve.

-- 
	Viktor.
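The failure mode discussed in this thread (a nameserver that answers A queries but silently drops TLSA queries, so the resolver times out instead of getting a NODATA answer) can be confirmed per nameserver with a small probe. The script below is an added example, not code from the original message, from Postfix, or from any DANE tool. It uses only the Python 3 standard library and speaks plain (non-EDNS) DNS over UDP. The wire-format helpers, the control-versus-TLSA comparison in `diagnose()` and the per-domain `summarize()` work on constructed bytes offline; only `probe()` and the `__main__` block touch the network. The address 192.0.2.1 used in the usage note is a documentation placeholder, and the fake probers there are constructed stand-ins for a filtering and a dead nameserver.

```python
"""Check whether a nameserver answers TLSA queries or silently drops them.

Added example: not code from the original message, from Postfix or from
any DANE tool. Only the Python 3 standard library is used. Everything
except probe() and the __main__ block works on constructed bytes offline.
"""
import os
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "MX": 15, "TLSA": 52}
RCODE = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
         4: "NOTIMP", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name into DNS label format (RFC 1035 section 3.1)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qtype="TLSA", qid=0x1234):
    """Plain (non-EDNS) recursion-desired query for qname/qtype, class IN."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", QTYPE[qtype], 1)
    return header + question


def parse_header(data):
    """Return the fields of a DNS message header as a dict."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": qid, "qr": bool(flags & 0x8000),
            "rcode": RCODE.get(flags & 0xF, str(flags & 0xF)),
            "ancount": an, "nscount": ns}


def classify_response(hdr):
    """Map a parsed header to an outcome. NOERROR with zero answers is NODATA,
    which is a perfectly good reply to a TLSA query: the server understood
    the RRtype and says there is no such record."""
    if not hdr["qr"]:
        return "MALFORMED"
    if hdr["rcode"] == "NOERROR":
        return "NODATA" if hdr["ancount"] == 0 else "NOERROR"
    return hdr["rcode"]


def probe(server, qname, qtype="TLSA", timeout=3.0):
    """Send one UDP query to server:53 and classify the result. A server
    that filters 'unexpected' RRtypes produces TIMEOUT here."""
    qid = int.from_bytes(os.urandom(2), "big")
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname, qtype, qid), (server, 53))
        data, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "TIMEOUT"
    finally:
        sock.close()
    hdr = parse_header(data)
    if hdr["id"] != qid:
        return "BAD-ID"
    return classify_response(hdr)


def diagnose(server, mx_host, prober=probe, timeout=3.0):
    """Compare an A query (control) with the TLSA query a DANE-enabled MTA
    would send for the same MX host. Only 'A answered, TLSA timed out' is
    the RRtype filtering discussed in the thread; both timing out is an
    unreachable server, a different problem. 'prober' is injectable so the
    logic can be exercised without a network."""
    control = prober(server, mx_host, "A", timeout=timeout)
    tlsa = prober(server, "_25._tcp." + mx_host, "TLSA", timeout=timeout)
    if control == "TIMEOUT" and tlsa == "TIMEOUT":
        return "unreachable"
    if tlsa == "TIMEOUT":
        return "drops-tlsa"
    return "ok"


def summarize(outcomes):
    """outcomes: {nameserver: diagnose() result}. Separates a domain that is
    broken on every nameserver from one that only stalls when a resolver
    happens to pick the wrong one."""
    broken = [ns for ns, o in outcomes.items() if o == "drops-tlsa"]
    if not broken:
        return "ok"
    if len(broken) == len(outcomes):
        return "all-nameservers-broken"
    return "intermittent"


if __name__ == "__main__":
    # Live check against the record set quoted in the message (needs network).
    mx_host = "svcs.patriotguard.org"
    results = {}
    for ns in ("ns1.patriotguard.org", "ns2.patriotguard.org"):
        addr = socket.gethostbyname(ns)
        results[ns] = diagnose(addr, mx_host)
        print(f"{ns} ({addr}): {results[ns]}")
    print("summary:", summarize(results))
```

Usage offline: `diagnose("192.0.2.1", "svcs.patriotguard.org", prober=lambda s, q, t, timeout=3.0: "TIMEOUT" if t == "TLSA" else "NOERROR")` returns `"drops-tlsa"`, while a prober that times out on both returns `"unreachable"`. The A query is the control that matters: without it a filtered nameserver and a dead one look identical, and only the former is the misconfiguration the draft describes. Note that a NODATA reply to the TLSA query is the correct behaviour for a domain that has not published TLSA records; the problem is the missing reply, not the missing record.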