Viktor Dukhovni ietf-dane at
Mon Jan 19 20:01:15 CET 2015

On Mon, Jan 19, 2015 at 04:41:42PM +0000, Viktor Dukhovni wrote:

> There are just six more that I know of for a total of 10, in contrast
> to 962 domains with conformant certificate usages.

Just to update the statistics, that's 971 conformant domains as of
this morning.  In addition 6 domains with TLSA records that don't
match reality.  Mail to these domains MUST fail:

Finally, there are DNSSEC hosting providers whose nameservers don't
implement denial of existence correctly.  Their NODATA or NXDOMAIN
responses for "_25._tcp.<mxhost> IN TLSA ?" are "bogus".  When they
also don't have a working backup MX, mail to such domains is expected
to fail.

This applies to 1507 domains in my survey (which found ~28000 DNSSEC
enabled domains some of whose MX hosts also lie in signed zones).

Only 7 of the problem domains are large enough to appear as sending
or receiving email domains in Google's email transparency report:

Out of the 1496 domains, 1420 are managed by the top 10 (by count
of non-working domains) providers:


The remaining 27 "transip" domains will likely be fixed in a matter
of days. Transip are making good progress, and have already fixed
~1000 previously problematic domains.  The .nl and .cz registries
are aware of the and issues, and I believe
that these are slated to be fixed near term.

That would leave just 1496 - 1338 = 158 small domains with nameserver
issues, many of which are likely parked or only used for HTTP, and
are unlikely to be seen by anyone not specifically looking for
problem domains.

Fixing this "long tail" of the distribution will take more time,
but most DANE senders are unlikely to run into any issues.

If you do run into a domain to which you're sending email, but
delivery consistently fails because TLSA record lookups SERVFAIL
or time out, check the problem domain at, and
the specific TLSA RRset at  These should confirm whether
the problem is on your end or not.  For example, see the litany of
woes for "":

or the more mundane (looks like an out of date PowerDNS, an upgrade
to 3.3.1 or later should fix it) denial of existence problem at
the MX host for "":

If the problem is confirmed, please notify the administrative
contact of the other domain (send a notice from Gmail or similar,
or temporarily disable DANE for that domain, ...).  Let them know
their DNSSEC implementation has problems.  They may need to upgrade
PowerDNS, replace or patch djbdns, or fix firewall configurations
that drop TLSA queries.


More information about the dane-users mailing list