The danefail list on Github

Viktor Dukhovni ietf-dane at
Sat Apr 14 23:38:30 CEST 2018

Now that I am able to contribute commits to the danefail list at:

I've pushed data for many of the domains served by MX hosts with persistent issues.

You can use this list to confirm that you're not the only one with delivery issues to one of the listed domains, and perhaps create exceptions for such domains in your configuration.

Also, please try to not end up on the list:

Do implement monitoring of your own TLSA records and DNSSEC
zone.  Do implement a key/cert rollover process that ensures
that matching TLSA records are in place for both the old and
the new cert have been in place for some time (multiple TTLs
and slave zone refresh times) before deploying new certificate

When using DANE-TA(2) TLSA records, make sure that the certificate
does not expire, has a name that matches the MX hostname and the
trust-anchor certificate is included in the server's chain file.


More information about the dane-users mailing list