On Fri, Oct 13, 2017 at 03:33:33PM +0200, Anders Berggren wrote:

> After some of our users (one of which has 1.5M+ customers) enabled DANE
> ~one year ago, they've indeed had to maintain pretty large (at times),
> and ever changing, bypass lists (even after the large DNS providers fixed
> their TLSA responses).
Can you quantify "pretty large"? Your list on Github is quite short...

> As you mentioned, the most common cause we've seen
> is broken DNSSEC proof for NODATA/NXDOMAIN, and firewalls filtering TLSA
> queries.

My fairly comprehensive survey of 4.6 million DNSSEC domains only finds
O(200) email domains where DNSSEC denial of existence would hamper email
delivery, and most of these are parked or otherwise unlikely to be
popular email destinations.

> Since a few weeks, we're experimenting with a shared list
> https://danefail.org https://github.com/danefail/list for our customers,

This list is not large, just 26 domains, of which 5 no longer have
issues when I test:

labella-eindhoven.nl
pluk-bloemen.nl
appeldoorn-riooltechniek.nl
schoorsteenvegerij-feije.nl
jeroenappel.nl

It seems jsr-it.nl has resolved some problems, though 59 jsr-it domains
are still bad.

Of the remaining 21, 16 were on my list, but 5 were new, thanks:

autohopperleidschendam.nl
ketel-dokter.nl
rvhautos.nl
vanderheijdenbouw.nl
tre-pr.jus.br

The "jus.br" domain is a hornet's nest of DNSSEC breakage, so that last
one is not at all surprising. I've not yet had much luck in finding
useful jus.br contacts to notify. I already had:

tse.jus.br
tre-ap.jus.br

Plus not on your list:

trtrj.jus.br
tre-ce.jus.br
tre-sp.jus.br
tre-pb.jus.br
tjrs.jus.br

I see you also have "truman.edu", which is the oldest entry on my list,
and continues to remain there despite multiple notices since 19-Nov-2014.
Some receiving systems don't yet care [feel enough pain] :-(

> but hopefully it'll not be needed in the near future. Many of the domain
> owners and/or providers that we've contacted fixed their TLSA/DNSSEC issues
> within a few days after reporting.

Ditto for the domains I've found, but the problem rate is rather modest
across a large population of domains (200 out of 4.6 million).
But to the original point, if large providers enable DANE outbound and
delay or bounce mail to problem domains I would expect the problem to
self-correct.

Feel free to confirm DNSSEC breakage for the additional 136 domains
immediately below my signature and add them to your list if your
observations match mine. A few might have problems with a subset of
their nameservers, so the issues can be intermittent. A large fraction
may be parked, but I don't consider domains whose SMTP servers are
non-responsive, so these have at least one live MX host (possibly
implicit in the absence of MX records).

The second list of 128 domains below the first lists domains with working
DNSSEC, but with either incorrect TLSA records, or no STARTTLS (as seen
from my server).

You can test both DANE and certificate chain failures with:

https://github.com/vdukhovni/danecheck

(If you have trouble getting the danecheck code built, I am interested in
curating more helpful build instructions for various platforms, so please
get in touch).

-- 
	Viktor.
# TLSA lookup failure

# TLSA verification failure or lack of STARTTLS

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
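An added example (not code from this thread or from danecheck) of the step that follows a successful TLSA lookup: the matching rules an SMTP client applies to the TLSA RRset against the server's certificate chain, separating the "no usable TLSA" case from the "TLSA verification failure" case named in the lists above. The certificate bytes are constructed placeholders rather than real DER, and DANE-TA handling is simplified to a chain-member match without path validation.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate (DER), 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA2-256, 2 = SHA2-512
    data: bytes     # certificate association data

@dataclass(frozen=True)
class Cert:
    der: bytes      # DER of the whole certificate (constructed bytes in use)
    spki: bytes     # DER of its SubjectPublicKeyInfo

_DIGEST = {0: lambda b: b,
           1: lambda b: hashlib.sha256(b).digest(),
           2: lambda b: hashlib.sha512(b).digest()}

def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute what a TLSA record with this selector/matching type must hold."""
    raw = cert.der if selector == 0 else cert.spki
    return _DIGEST[mtype](raw)

def make_tlsa(cert: Cert, usage: int, selector: int, mtype: int) -> TLSA:
    """Publisher side: the record a domain owner would put in DNS ('3 1 1' form)."""
    return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))

def usable(rr: TLSA) -> bool:
    # For SMTP (RFC 7672) only DANE-TA(2) and DANE-EE(3) are usable; PKIX
    # usages and unknown parameters are ignored, not treated as failures.
    return rr.usage in (2, 3) and rr.selector in (0, 1) and rr.mtype in _DIGEST

def dane_match(chain: list, rrset: list) -> str:
    """Classify a successfully looked-up TLSA RRset against the server's chain
    (chain[0] is the end-entity cert).  DANE-TA here only checks that some
    issuer cert in the chain matches; full path validation is left out."""
    usable_rrs = [rr for rr in rrset if usable(rr)]
    if not usable_rrs:
        return "no-usable-tlsa"   # proceed as though no TLSA RRset existed
    for rr in usable_rrs:
        candidates = chain[:1] if rr.usage == 3 else chain[1:]
        for cert in candidates:
            if association_data(cert, rr.selector, rr.mtype) == rr.data:
                return "dane-ee-match" if rr.usage == 3 else "dane-ta-match"
    # The thread's "TLSA verification failure": usable records exist but none
    # matches what the server presented (stale key, wrong certificate, ...).
    return "verification-failure"
```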