DNS Hosting provider issues (binero.se and jus.br resolved) and other news...

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Aug 6 08:20:01 CEST 2015


On Wed, Mar 18, 2015 at 09:15:46AM +0000, Viktor Dukhovni wrote:

> Today grdns.cz fixed their 10 domains.  The known broken domain
> count is now 74, and the top 8 list (30 domains total) is now:
> 
>   10 registry at binero.se
>    ...

The binero.se domains are now practically fixed.  I say "practically",
because one of the nameserver clusters (that they manage directly)
is now working fine, which is enough for mail to go through even
if it takes a few extra queries to get a valid response into the
cache.

The clusters operated by an outside provider are still running
software that has obsolete DNSSEC software.  Binero and I will be
reaching out to the provider to encourage them to address the issue
in a timely manner.  With luck, that should remediate any additional
customers of that provider.

Today also saw the remediation of 26 sub-domains (which shared 3
MX hosts) of "jus.br".

So while, as a result of testing more domains, the count of problem
domains had crept up to ~100 recently, it is now back down to 84,
and I've reached out to the provider for 25 of those and hope to
make some progress.

The issues are mostly the usual ones:

    * Incorrect handling of "denial of existence" in older
      versions of PowerDNS.

    * Blocking of queries with "unexpected" RRtypes for "security"
      reasons.  This sadly includes "TLSA" queries in some nameservers.

      [ Avoid the "security" features of InfoBlox and Arbor Networks DNS
        servers that do this. ]

    * Similar blocking in firewalls that filter DNS queries.

    * Use of secondary nameservers that only support NSEC records
      to slave domains that use NSEC3.

You can check for properly working DNSSEC via:

    http://dnsviz.net/d/_25._tcp.<mxhostname>/dnssec/

There should be zero "bogus" replies and no "errors" or "warnings".
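As an added illustration (not part of the post, nor of dnsviz or any tool it mentions): a stdlib-only Python check that sends the same `_25._tcp.<mxhostname>` TLSA query with the EDNS0 DO bit to a validating resolver (assumed to be at 127.0.0.1) and classifies the reply along the lines above: SERVFAIL as "bogus", REFUSED or a timeout as the blocked-query-type problem, and the AD bit deciding whether a TLSA answer or a denial of existence is secure.

```python
import socket
import struct
import sys

TLSA = 52  # RR type number for DANE TLSA records

def build_tlsa_query(mxhost, txid=0x1234):
    """Build a wire-format query for _25._tcp.<mxhost> TLSA, RD set, plus an EDNS0 OPT RR with DO=1."""
    qname = f"_25._tcp.{mxhost}"
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD; 1 question, 1 additional
    labels = qname.strip(".").split(".")
    name = b"".join(bytes([len(label)]) + label.encode() for label in labels) + b"\x00"
    question = name + struct.pack("!HH", TLSA, 1)  # QTYPE=TLSA, QCLASS=IN
    # OPT RR: root name, type 41, UDP payload 4096, ext-rcode 0, version 0, flags DO (0x8000), rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 4096, 0, 0, 0x8000, 0)
    return header + question + opt

def classify_response(resp):
    """Map a raw DNS reply from a validating resolver to a DANE-relevant verdict."""
    if len(resp) < 12:
        return "malformed"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    rcode = flags & 0x000F
    ad = bool(flags & 0x0020)  # Authenticated Data: resolver validated the answer/denial
    if rcode == 2:             # SERVFAIL: validation failed ("bogus" in dnsviz terms)
        return "bogus"
    if rcode == 5:             # REFUSED: nameserver or middlebox rejects the TLSA query type
        return "blocked"
    if rcode == 3:             # NXDOMAIN: denial of existence (must itself be validated)
        return "secure-nxdomain" if ad else "insecure-nxdomain"
    if rcode == 0:
        if ancount > 0:
            return "secure-tlsa" if ad else "insecure-tlsa"
        return "secure-nodata" if ad else "insecure-nodata"  # NODATA denial of existence
    return f"rcode-{rcode}"

def check_mx(mxhost, resolver="127.0.0.1", timeout=5.0):
    """Send the query over UDP to the (assumed local, validating) resolver and classify the reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_tlsa_query(mxhost), (resolver, 53))
        resp, _ = sock.recvfrom(4096)
    except socket.timeout:
        return "timeout"  # a firewall silently dropping "unexpected" RRtypes looks like this
    finally:
        sock.close()
    return classify_response(resp)

if __name__ == "__main__":
    print(check_mx(sys.argv[1]))  # usage: python tlsa_check.py mx.example.com
```

Only "secure-tlsa", "secure-nxdomain" and "secure-nodata" are acceptable outcomes for a DANE-enabled MX host; "bogus", "blocked" and "timeout" correspond to the failure classes listed above.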

For comparison my list of working DANE enabled domains now has
~1800 entries.  Keep adding more, but don't forget:

    https://dane.sys4.de/common_mistakes

and especially:

    https://dane.sys4.de/common_mistakes#3

In other news, the draft-ietf-dane-ops document is scheduled for
the IESG telechat today, and should soon reach the RFC editor queue.

This will unblock the publication of the SMTP draft, which was
waiting for this normative reference to get approved.  Thus I expect
that the SMTP, SRV and "ops" drafts will soon all be proper
standards-track RFCs.  Perhaps that'll help with mainstream adoption.

-- 
	Viktor.
