> On 13 Oct 2017, at 23:32, Viktor Dukhovni <ietf-d...@dukhovni.org> wrote:
>
> On Fri, Oct 13, 2017 at 03:33:33PM +0200, Anders Berggren wrote:
>
>> After some of our users (one of which has 1.5M+ customers) enabled DANE
>> ~one year ago, they've indeed had to maintain pretty large (at times),
>> and ever changing, bypass lists (even after the large DNS providers fixed
>> their TLSA responses).
>
> Can you quantify "pretty large"? Your list on Github is quite short…

Thank you for the comprehensive and very helpful answer, and sorry for saying large without context. The total number of domains was larger than I expected; for example 144 (at its peak) at one site.

>> As you mentioned, the most common cause we've seen
>> is broken DNSSEC proof for NODATA/NXDOMAIN, and firewalls filtering TLSA
>> queries.
>
> My fairly comprehensive survey of 4.6 million DNSSEC domains only
> finds O(200) email domains where DNSSEC denial of existence would
> hamper email delivery, and most of these are parked or otherwise
> unlikely to be popular email destinations.

Agreed. The issue of DANE failure domains hasn't demotivated our customers from doing DANE verification.

>> For a few weeks now, we've been experimenting with a shared list
>> https://danefail.org https://github.com/danefail/list for our customers,
>
> This list is not large, just 26 domains, of which 5 no longer have
> issues when I test:
>
> labella-eindhoven.nl
> pluk-bloemen.nl
> appeldoorn-riooltechniek.nl
> schoorsteenvegerij-feije.nl
> jeroenappel.nl

Thank you for pointing that out; we should run our cleanup script more often.

> ...
>> but hopefully it'll not be needed in the near future. Many of the domain
>> owners and/or providers that we've contacted fixed their TLSA/DNSSEC issues
>> within a few days after reporting.
>
> Ditto for the domains I've found, but the problem rate is rather
> modest across a large population of domains (200 out of 4.6 million).
> But to the original point, if large providers enable DANE outbound
> and delay or bounce mail to problem domains I would expect the
> problem to self-correct.
>
> Feel free to confirm DNSSEC breakage for the additional 136 domains
> immediately below my signature and add them to your list if your
> observations match mine. A few might have problems with a subset
> of their nameservers, so the issues can be intermittent. A large
> fraction may be parked, but I don't consider domains whose SMTP
> servers are non-responsive, so these have at least one live MX host
> (possibly implicit in the absence of MX records).
>
> The second list of 128 domains below the first lists domains with
> working DNSSEC, but with either incorrect TLSA records, or no
> STARTTLS (as seen from my server). You can test both DANE and
> certificate chain failures with:
>
> https://github.com/vdukhovni/danecheck
>
> (If you have trouble getting the danecheck code built, I am interested
> in curating more helpful build instructions for various platforms,
> so please get in touch).

I really appreciate this. I'll definitely take a look, mainly to confirm breakage and see if any of our customers have seen traffic to those domains.

Thanks,
Anders

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
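The TLSA matching that a DANE-verifying sender performs against a destination's certificate, as an added example that is not code from this thread, from danefail or from danecheck: it derives the association data per RFC 6698 (selector and matching type), applies the RFC 7672 rule that only DANE-TA(2)/DANE-EE(3) records count for SMTP, and classifies a record set the way a sending MTA would, distinguishing an authenticated match from the "incorrect TLSA record" case (usable records, none match, mail is deferred) and from the "no usable record" case (fall back to unauthenticated TLS). The certificate bytes are constructed placeholders, not real DER, and DANE-TA path building is deliberately left out.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact bytes, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa_presentation(text: str) -> TLSA:
    """Zone-file / dig format, e.g. '3 1 1 <hex>'; the hex may be split by whitespace."""
    usage, selector, mtype, *hexparts = text.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """What the record's data field must equal for this certificate (KeyError if unknown)."""
    selected = {0: cert_der, 1: spki_der}[selector]
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()

def usable_for_smtp(rec: TLSA) -> bool:
    """RFC 7672: only DANE-TA(2)/DANE-EE(3) with a known selector and matching type."""
    return rec.usage in (2, 3) and rec.selector in (0, 1) and rec.mtype in (0, 1, 2)

def tlsa_matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Constant-time comparison of one usable record against one certificate."""
    if not usable_for_smtp(rec):
        return False
    expected = association_data(rec.selector, rec.mtype, cert_der, spki_der)
    return hmac.compare_digest(expected, rec.data)

def classify(records: list, chain: list) -> str:
    """chain = [(cert_der, spki_der), ...], leaf first. 'unusable': no usable records, the
    sender falls back to unauthenticated TLS; 'mismatch': usable records but none match, so
    the sender defers mail (the 'incorrect TLSA' case in the thread). DANE-TA(2) is matched
    against any chain element; a real validator must also build a PKIX path to it (omitted)."""
    usable = [r for r in records if usable_for_smtp(r)]
    if not usable:
        return "unusable"
    for rec in usable:
        candidates = chain[:1] if rec.usage == 3 else chain
        if any(tlsa_matches(rec, c, s) for c, s in candidates):
            return "match"
    return "mismatch"

LEAF = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")  # constructed, not real DER
```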