DANE stats update: all jsr-it.nl DNS issues resolved.

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Nov 11 09:53:52 CET 2017


On Thu, Oct 26, 2017 at 06:31:42AM +0000, Viktor Dukhovni wrote:

> After eliminating parked domains that do not accept email of any
> kind, the number of "real" email domains with bad DNSSEC support
> stands at 175.  (The accenture.com domains from the previous
> report were all parked).  The top 10 name server operators with
> problem domains are:
> 
>   63 jsr-it.nl
>   17 firstfind.nl
>    7 active24.cz
>    5 tse.jus.br
>    4 glbns.com
>    3 cas-com.net
>    2 tiscomhosting.nl
>    2 sylconia.net
>    2 psyclonecontacts.net
>    2 ns01.nl

All previously seen problem domains served by jsr-it.nl nameservers
no longer exhibit any issues with TLSA record lookup.  Thus the
problem domain count is now down to 125, with the top 10 now:

  22 firstfind.nl
   7 active24.cz
   5 tse.jus.br
   4 glbns.com
   3 metaregistrar.nl
   3 cas-com.net
   2 webhostingserver.nl
   2 tiscomhosting.nl
   2 sylconia.net
   2 psyclonecontacts.net

When firstfind.nl fix their nameserver bugs (their nameservers return
NODATA, along with NSEC3 records that actually prove NXDOMAIN):

    http://dnsviz.net/d/_25._tcp.econo.nl/dnssec/

we'll have exhausted all the major concentrations of DNS problems,
with the remaining issues being largely confined to individual
domains, and not systemic at DNS hosting providers.

I should note that the 7 problem domains at active24.cz are not
systemic issues with their DNS software.  Rather, some hosted
domains have bad wildcard CNAME records (presumably misconfigured
by the customer).  For example:

    _25._tcp.greif-cz.cz.   CNAME   www.greif-cz.cz.greif-cz.cz.
    www.greif-cz.cz.greif-cz.cz. CNAME www.greif-cz.cz.greif-cz.cz.

Clearly a missing trailing "." on the CNAME RHS, which creates a
CNAME loop, and so TLSA lookups ServFail.  I don't know whether
fixing this is something that active24 can be expected to do.  It
may well be that each customer is fully in control of whatever
data, good or bad, appears in their zone file, and it is not up to
the hoster to attempt to fix it...

    _25._tcp.mflight.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.gurmanunicov.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.bdsoft.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.kotatko-kamenivo-kura.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.talka.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.electrochmelar.cz. IN TLSA ? ; ServFail AD=0
    _25._tcp.greif-cz.cz. IN TLSA ? ; ServFail AD=0

-- 
	Viktor.


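An added example, not part of the original post, that simulates the zone-file $ORIGIN rule and RFC 1034 wildcard matching to show why the missing trailing "." turns the wildcard CNAME above into a loop that a resolver answers with ServFail; the zone contents and the 192.0.2.10 address are constructed, and only the bad/good CNAME target differs between the two zones.

```python
ORIGIN = "greif-cz.cz."  # constructed: the zone apex from the post's example

def absolutize(name, origin=ORIGIN):
    """Zone-file rule: a name without a trailing '.' is relative to $ORIGIN."""
    return name if name.endswith(".") else f"{name}.{origin}"

def load_zone(records, origin=ORIGIN):
    """(owner, rtype, rdata) as typed in the file -> (owner->{rtype: rdata}, existing names)."""
    zone, existing = {}, set()
    for owner, rtype, rdata in records:
        owner = absolutize(owner, origin)
        rdata = absolutize(rdata, origin) if rtype == "CNAME" else rdata
        zone.setdefault(owner, {})[rtype] = rdata
        labels = owner.split(".")
        existing.update(".".join(labels[i:]) for i in range(len(labels) - 1))
    return zone, existing

def find_cname(zone, existing, qname):
    """Exact match first, else wildcard synthesis from the closest encloser; None if no CNAME."""
    if qname in zone or qname in existing:
        return zone.get(qname, {}).get("CNAME")
    labels = qname.split(".")
    for i in range(1, len(labels)):
        suffix = ".".join(labels[i:])
        wildcard = zone.get("*." + suffix, {})
        if wildcard:
            return wildcard.get("CNAME")
        if suffix in existing:  # closest encloser has no wildcard: NXDOMAIN
            return None
    return None

def resolve(zone, existing, qname, max_chain=8):
    """Follow CNAMEs like a resolver; a loop (or over-long chain) is ServFail."""
    chain = [qname]
    while True:
        target = find_cname(zone, existing, chain[-1])
        if target is None:
            return "NOERROR", chain[-1]
        if target in chain or len(chain) >= max_chain:
            return "SERVFAIL", chain + [target]
        chain.append(target)

# Constructed zone contents for $ORIGIN greif-cz.cz., as a customer might type them.
BAD_ZONE = [("www", "A", "192.0.2.10"), ("*", "CNAME", "www.greif-cz.cz")]   # no trailing "."
GOOD_ZONE = [("www", "A", "192.0.2.10"), ("*", "CNAME", "www.greif-cz.cz.")]  # absolute target

def tlsa_lookup(records, host="greif-cz.cz."):
    """Resolve the DANE TLSA owner name _25._tcp.<host> against the given zone data."""
    zone, existing = load_zone(records)
    return resolve(zone, existing, f"_25._tcp.{host}")
```

With BAD_ZONE the wildcard rewrites the target to www.greif-cz.cz.greif-cz.cz., which the same wildcard matches again, reproducing the self-referencing CNAME seen in the post; with GOOD_ZONE the chain ends at the existing www name.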