Update on stats 2019-11

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Dec 2 19:35:31 CET 2019

On Mon, Dec 02, 2019 at 08:01:27PM +0200, Mark Elkins wrote:

> I run a small ISP in South Africa - with about 2000 domains. About 200 
> of these are DNSSEC signed.

Hello Mark, good to see you're on the dane-users list.

For 49 of the 200 domains, my DANE survey is chronically unable to
validate the TLSA RR of the secondary MX (secdns1.posix.co.za):

    _25._tcp.secdns1.posix.co.za. IN TLSA 3 1 1 a82d33d63d9c4acea043007041c0c99839f1805e5755e54c9d32ced02cc790ea
      secdns1.posix.co.za[]: STARTTLS 454 TLS currently unavailable
      secdns1.posix.co.za[2001:42a0::81]: STARTTLS 454 TLS currently unavailable

The MX host always declines STARTTLS.  Is this deliberate?  Or something
that should/could be fixed?


