> On Apr 11, 2016, at 12:36 PM, D. J. Bernstein <d...@cr.yp.to> wrote:
>
> I agree that the original goal of extensible "query types" in DNS (see
> RFC 1034, third paragraph) was ruined by poor implementation work (which
> was in turn encouraged by other aspects of the DNS protocol design, but
> let me not get sidetracked here), so trying to deploy new DNS "query
> types" creates operational problems.
I've been monitoring DANE TLSA adoption in SMTP for some time now, including monitoring of domains where requests for the novel TLSA records encountered misconfigured middle-boxes that drop the query. Initially (2 years ago), problems were widespread. Now problems are rather rare and getting more so. Out of ~130,000 DNSSEC domains in my corpus, only ~40 drop requests for TLSA records. Two years ago there were many thousands out of a much smaller corpus.

If TLSA is a canary for generic "exotic" RRtypes, we're increasingly in good shape, at least for domains whose zones are signed. When one reports demonstrated problems caused by firewalls that are too eager to "protect" DNS servers from "non-standard" DNS queries the issue is generally dealt with.

So the main obstacle to lack of support of new RRtypes is lack of use. Make it compelling for DNS operators to support these (e.g. continue to receive email, ...) and they will update their configurations accordingly.

--
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
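As an added example (not part of the thread and not Viktor's monitoring tooling), here is a small Python probe for the failure mode described above: it sends a TLSA (type 52) query for `_25._tcp.<mailhost>` straight to a name server over UDP and, if nothing comes back, sends a control A query to the same server so a silently dropped "exotic" RRtype can be told apart from a server that is simply unreachable. The server address `192.0.2.53` and host name `mail.example.com` are placeholders; the wire-format builder and the reply classifier are the parts that matter and run offline on constructed replies.

```python
"""Probe whether a DNS server answers TLSA (type 52) queries or silently drops them.

Added example, not the list poster's code. Assumes the placeholder server
address and mail host below; replace them with a server you are responsible for.
"""
import random
import socket
import struct

TLSA_RRTYPE = 52   # RFC 6698 TLSA record type
A_RRTYPE = 1
CLASS_IN = 1
RCODE_NAMES = {0: "noerror", 1: "formerr", 2: "servfail",
               3: "nxdomain", 4: "notimp", 5: "refused"}


def tlsa_owner_name(host, port=25, proto="tcp"):
    """Owner name of the TLSA record for an SMTP host, e.g. _25._tcp.mail.example.com."""
    return "_%d._%s.%s." % (port, proto, host.rstrip("."))


def build_query(qname, qtype, txid=None):
    """Build a minimal DNS query (header + one question); returns (packet, txid)."""
    if txid is None:
        txid = random.randrange(0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    labels = b"".join(bytes([len(label)]) + label.encode("ascii")
                      for label in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, CLASS_IN), txid


def classify_response(txid, data):
    """Map a raw reply (or None when nothing arrived) to a short verdict string."""
    if data is None:
        return "dropped"
    if len(data) < 12:
        return "malformed"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "mismatch"
    if not flags & 0x8000:          # QR bit clear: this is not a response at all
        return "malformed"
    rcode = flags & 0x000F
    if rcode == 0:
        return "answer" if ancount else "nodata"
    return RCODE_NAMES.get(rcode, "rcode%d" % rcode)


def interpret(tlsa_result, control_result):
    """Combine the TLSA probe with a control (type A) probe of the same server."""
    accepted = ("answer", "nodata", "nxdomain")
    if tlsa_result in accepted:
        return "ok"                  # type 52 is handled, whether or not TLSA data exists
    if tlsa_result == "dropped":
        if control_result in accepted:
            return "selective-drop"  # server alive, but the TLSA query vanished
        return "unreachable"
    return "rejected"                # refused/servfail/formerr/notimp etc.


def udp_query(server, qname, qtype, timeout=3.0):
    """Send one UDP query to server:53 and classify the reply; a timeout is 'dropped'."""
    packet, txid = build_query(qname, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify_response(txid, data)


def check_tlsa_support(server, mail_host, port=25, timeout=3.0):
    """Return (verdict, tlsa_result, control_result) for one server/host pair."""
    tlsa = udp_query(server, tlsa_owner_name(mail_host, port), TLSA_RRTYPE, timeout)
    control = udp_query(server, mail_host, A_RRTYPE, timeout)
    return interpret(tlsa, control), tlsa, control


if __name__ == "__main__":
    # Placeholder server and host (hypothetical); point at the authoritative
    # server of a zone you operate to check your own firewall configuration.
    print(check_tlsa_support("192.0.2.53", "mail.example.com"))
```

Send the probe to the zone's authoritative server directly: through a recursive resolver a drop on the authoritative side only surfaces as SERVFAIL after the resolver's own retries, which hides the distinction the control query is meant to expose. A `nodata` or `nxdomain` result counts as "ok" because the server accepted the query type even though no TLSA record is published.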