On Mon, Apr 11, 2016 at 11:48:39PM +0200, Kurt Roeckx wrote:

> > Initially (2 years ago), problems were widespread. Now problems are rather
> > rare and getting more so. Out of ~130,000 DNSSEC domains in my corpus, only
> > ~40 drop requests for TLSA records. Two years ago there were many thousands
> > out of a much smaller corpus.
>
> Don't you have to look at it the other way? From a client that's
> behind some broken box that tries to look up TLSA records?
Yes, that's a separate issue. I've been monitoring domains served by
nameservers that support DNSSEC, but refuse TLSA RR queries (which are
DANE, not DNSSEC).

> I would really hope that if someone deploys DNSSEC that their
> nameservers would actually support DNSSEC.

Some had significant issues with authenticated denial of existence, which
was a DNSSEC implementation problem; the vast majority of these are now
resolved. Others were dropping TLSA RRs, which is not a DNSSEC issue, but
breaks RFC 7672 opportunistic DANE TLS. That too is mostly addressed.

> But that doesn't mean
> that a client trying to look up the DNSSEC related records is able
> to.

What's under discussion here is not so much DNSSEC, but some hypothetical
new RRtype to support 0-RTT data. It is true that I've not been monitoring
client-side issues (home cable boxes, hotel networks, and the like); a lot
more cats to herd on the client side, and not really relevant to MTA-to-MTA
transport security.

-- 
	Viktor.

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
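The "answers DNSSEC but drops TLSA" condition described above can be checked with two raw UDP queries against the same nameserver: an A query for the zone and a TLSA query for the RFC 7672 owner name `_25._tcp.<domain>`, both with the EDNS0 DO bit set. The following is an added example, not Viktor's monitoring code; the nameserver address and domain are placeholders, and it uses only the Python standard library.

```python
# Added example (not from the thread): stdlib-only DNS probe for TLSA drops.
import socket
import struct

QTYPE_A, QTYPE_TLSA = 1, 52
EDNS_OPT, DO_BIT = 41, 0x8000


def encode_name(qname):
    # Wire-format name: length-prefixed labels, terminated by a zero byte.
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname, qtype, txid):
    # Header: id, flags (RD only), 1 question, 0 answer, 0 authority, 1 additional (OPT).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT pseudo-RR: root name, type 41, UDP payload size 4096, extended
    # rcode 0, EDNS version 0, flags with DO set, empty RDATA.
    opt = b"\x00" + struct.pack("!HHBBHH", EDNS_OPT, 4096, 0, 0, DO_BIT, 0)
    return header + question + opt


def classify(a_reply, tlsa_reply):
    # A server that answers the A query but never answers the TLSA query is
    # the case discussed in the thread; no reply to either means the server
    # (or the path to it) is simply unreachable, which is a different problem.
    if a_reply is None:
        return "unreachable"
    return "drops TLSA" if tlsa_reply is None else "ok"


def probe(server, qname, qtype, timeout=3.0, txid=0x1234):
    # Send one UDP query; return the reply bytes, or None on timeout or id mismatch.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(qname, qtype, txid), (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return data if data[:2] == struct.pack("!H", txid) else None


if __name__ == "__main__":
    ns, zone = "192.0.2.53", "mail.example"  # placeholder nameserver and domain
    a = probe(ns, zone, QTYPE_A)
    tlsa = probe(ns, f"_25._tcp.{zone}", QTYPE_TLSA)
    print(classify(a, tlsa))
```

A real survey would send the TLSA query several times before declaring a drop, since a single lost UDP datagram looks identical to a server that discards the query.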