DNS Hosting provider issues (resolved at forpsi.cz)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jan 26 22:53:12 CET 2015

On Tue, Jan 20, 2015 at 05:39:22PM +0000, Viktor Dukhovni wrote:

> I am pleased to report that transip.nl/ns0.nl have fixed all the
> remaining problem domains on my list.  If any remain to be fixed
> that I did not manage to find, they should be fixed shortly.

I am now pleased to report that forpsi.cz have fixed all but two
of their domains (corner case not addressed by main fix).  With
any luck hostnet.nl will follow relatively soon.

The top 9 problem DNS hosting providers are now:

 481 hostnet.nl
 121 citynetwork.se
  17 interstroom.nl
  10 grdns.cz
  10 binero.se
   6 metaregistrar.nl
   6 swedenmail.com
   5 openprovider.eu
   4 thosting.cz

these account for 660 out of 749 total domains with TLSA record
lookup issues.  The last 89 domains are part of the long tail
that'll have to be fixed by their respective owners (many may well be
parked or in any case not used for email).

We finally have more DANE enabled domains (1007 at last count) than
broken domains (749).  I expect that soon the broken domain count
will be practically insignificant.

At hostnet.nl, the nameserver mishandles denial of existence.  I have
not heard directly from them, but the .NL registry is, I believe,
working with them on remediation.

At citynetwork.se, a firewall drops IPv4 UDP TLSA queries, while
allowing the same queries via IPv4 TCP or IPv6 UDP and TCP.  There's
an open ticket for the citynetwork.se issue, but progress has been
very slow.  If anyone on this list is a customer of citynetwork,
please encourage them to address ticket #AJP-503-19284.
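
Added example, not part of the original post: a Python sketch that sends the same TLSA query to one authoritative nameserver over IPv4/IPv6 and UDP/TCP, then reports transport-specific silence of the kind described above for citynetwork.se. The addresses, the query name and the sample results are constructed placeholders, and the script does not validate DNSSEC denial-of-existence proofs.

```python
import socket
import struct

TLSA = 52  # RR type for TLSA (RFC 6698)

def build_query(qname, qtype=TLSA, qid=0x1234):
    """Wire-format DNS query with an EDNS0 OPT record that sets the DO bit."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 1)  # RD=0: asking an authoritative server
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x8000, 0)  # OPT, 4096-byte UDP, DO=1
    return header + name + struct.pack("!HH", qtype, 1) + opt

def probe(server, qname, tcp=False, timeout=3.0):
    """Return the reply RCODE, or None when no usable reply arrives."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query, need, reply = build_query(qname), (6 if tcp else 4), b""
    try:
        with socket.socket(family, socket.SOCK_STREAM if tcp else socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.connect((server, 53))
            s.sendall(struct.pack("!H", len(query)) + query if tcp else query)
            while len(reply) < need:  # only the DNS header is needed
                chunk = s.recv(4096)
                if not chunk:
                    return None
                reply += chunk
    except OSError:  # timeout, reset, unreachable
        return None
    return reply[need - 1] & 0x0F  # RCODE: low 4 bits of header byte 3

def classify(results):
    """results: {(family, transport): RCODE or None} for one nameserver and one name."""
    silent = sorted("/".join(k) for k, v in results.items() if v is None)
    if silent and len(silent) < len(results):
        return "filtered: no reply via " + ", ".join(silent)
    if silent:
        return "unreachable"
    bad = sorted({v for v in results.values() if v not in (0, 3)})  # NOERROR, NXDOMAIN
    return "error rcode " + ",".join(map(str, bad)) if bad else "ok"

# Constructed sample: the pattern reported above (IPv4 UDP dropped, the rest answered).
SAMPLE = {("IPv4", "UDP"): None, ("IPv4", "TCP"): 0, ("IPv6", "UDP"): 0, ("IPv6", "TCP"): 0}

if __name__ == "__main__":
    servers = {"IPv4": "192.0.2.53", "IPv6": "2001:db8::53"}  # placeholder addresses
    print(classify({(fam, "TCP" if tcp else "UDP"): probe(ip, "_25._tcp.mx.example.com", tcp)
                    for fam, ip in servers.items() for tcp in (False, True)}))
```

Repeating the probe with qtype=1 (A) for the MX host name shows whether the silence is specific to TLSA queries or affects all UDP traffic to that server.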
