[dns-operations] New DNS testing tool: Check My DNS (in development)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Oct 10 07:54:55 UTC 2016


> On Oct 6, 2016, at 11:33 AM, Jerry Lundström <jerry at dns-oarc.net> wrote:
> 
> As a start we now have tests for QNAME Minimization, DNSSEC, TCP and
> IPv6 Connectivity with future plans to add tests for DANE/TLSA, Reply
> Size, Port and DNS Entropy.  Beside these tests we also detect if the
> resolvers are using TLS, TCP or UDP and IPv4 or IPv6.

Don't know what you intend to do with DANE/TLSA.  My suggestion is:

   - If a domain's MX host (or implied "example. IN MX 0 example." record
     in the absence of MX RRs) lies in a signed zone then TLSA lookups
     MUST either succeed, return NODATA or NXDOMAIN (with valid denial
     of existence).  A small minority fail to respond correctly.

   - If the MX host domain is unsigned, best to avoid TLSA queries
     entirely.

   - Determining the validity of any TLSA records is much more
     complex, not sure whether you want to tackle that.  It requires
     connecting to the target service and validating the chain it
     presents.  Many DANE domains share the same MX hosts, bulk
     validation is best performed with caches that avoid connecting
     to the same MX tens of thousands of times (in a few cases).

Out of the ~100,000 domains I've found to have valid DANE TLSA RRs for
their (explicit or implicit) MX hosts, the top 7 hosting providers
support approximately the following domain counts:

   40000 domeneshop.no
   32000 transip.nl
   15000 udmedia.de
    1800 bhosted.nl
    1300 nederhost.net
     900 ec-elements.com
     400 core-networks.de

Out of ~1.3 million domains with both the MX RRset and at least
one best-preference MX host in signed zones, and no associated
TLSA records, ~400 fail to respond to TLSA queries, or respond
with a "bogus" denial of existence on at least some of the
nameservers.  The biggest offenders by domain count are:

  49 axc.nl
  39 infracom.nl
  24 registrar-servers.com
  21 loopia.se
  19 active24.cz
  18 jsr-it.nl
  16 forpsi.net
  12 cas-com.net
   9 ignum.com
   8 is.nl

For more than one of these the problem is denial of existence corner
cases, involving wildcard CNAME records or other behaviour seen at
only a small subset of the hosted domains.

You can test some more exotic cases at:

	_25._tcp.barracuda.truman.edu. IN TLSA ?
	_25._tcp.mx1.techtrack.gov. IN TLSA ?
	_25._tcp.mailgate3.darpa.mil. IN TLSA ?

A more complete torture-test list is below my signature.
(A small number may be remediated by the time you test,
but many have been broken for quite some time, and will
likely remain that way for a while more).

-- 
	Viktor.

_25._tcp.ccbfinancial.bank. IN TLSA ?
_25._tcp.countryclub.bank. IN TLSA ?
_25._tcp.countryclubbank.bank. IN TLSA ?
_25._tcp.fis.bank. IN TLSA ?
_25._tcp.atie.be. IN TLSA ?
_25._tcp.ation.be. IN TLSA ?
_25._tcp.dartsdatabase.be. IN TLSA ?
_25._tcp.mathsaey.be. IN TLSA ?
_25._tcp.mail.mit-solutions.be. IN TLSA ?
_25._tcp.brianwilliams.biz. IN TLSA ?
_25._tcp.bb.b.br. IN TLSA ?
_25._tcp.itau.b.br. IN TLSA ?
_25._tcp.mail.snitelecom.com.br. IN TLSA ?
_25._tcp.mx.tiviths.com.br. IN TLSA ?
_25._tcp.mail.mme.gov.br. IN TLSA ?
_25._tcp.mail.m3ganet.net.br. IN TLSA ?
_25._tcp.5606.com. IN TLSA ?
_25._tcp.6060000.com. IN TLSA ?
_25._tcp.86francisstreet.com. IN TLSA ?
_25._tcp.mail.act85.com. IN TLSA ?
_25._tcp.arclandia.com. IN TLSA ?
_25._tcp.arklandia.com. IN TLSA ?
_25._tcp.bb-inflatables.com. IN TLSA ?
_25._tcp.benesdelfzijl.com. IN TLSA ?
_25._tcp.mail.bernheimmansion.com. IN TLSA ?
_25._tcp.bestbuy-fans.com. IN TLSA ?
_25._tcp.mail.bestregistrar.com. IN TLSA ?
_25._tcp.bitcoindownline.com. IN TLSA ?
_25._tcp.mail.bmwlemon.com. IN TLSA ?
_25._tcp.borduurstudiobrm.com. IN TLSA ?
_25._tcp.bouwbedrijfveerman.com. IN TLSA ?
_25._tcp.bykia.com. IN TLSA ?
_25._tcp.mail.c-a-s-i.com. IN TLSA ?
_25._tcp.carrosserieluchtenberg.com. IN TLSA ?
_25._tcp.chriseiffel.com. IN TLSA ?
_25._tcp.mx1.commonsenseideas.com. IN TLSA ?
_25._tcp.mx1.conso-acteur.com. IN TLSA ?
_25._tcp.dgcgroningen.com. IN TLSA ?
_25._tcp.disear.com. IN TLSA ?
_25._tcp.dnssec-fisglobal.com. IN TLSA ?
_25._tcp.doorgroeikansen.com. IN TLSA ?
_25._tcp.mail.dotshop.com. IN TLSA ?
_25._tcp.emod-music.com. IN TLSA ?
_25._tcp.evergen-label.com. IN TLSA ?
_25._tcp.mx1.exchangemail.com. IN TLSA ?
_25._tcp.fenlei101.com. IN TLSA ?
_25._tcp.fnfis.com. IN TLSA ?
_25._tcp.garagebijsma.com. IN TLSA ?
_25._tcp.gearfun.com. IN TLSA ?
_25._tcp.howbacha.com. IN TLSA ?
_25._tcp.huisartssluijs.com. IN TLSA ?
_25._tcp.itarbeheer.com. IN TLSA ?
_25._tcp.kruijeradvies.com. IN TLSA ?
_25._tcp.kuiltires.com. IN TLSA ?
_25._tcp.mailip.lease-admin.com. IN TLSA ?
_25._tcp.m-mtg.com. IN TLSA ?
_25._tcp.mx1.mediadchq.com. IN TLSA ?
_25._tcp.mfgseafarersfund.com. IN TLSA ?
_25._tcp.mr2dave.com. IN TLSA ?
_25._tcp.mulderappingedam.com. IN TLSA ?
_25._tcp.h82.managed.nevoxo.com. IN TLSA ?
_25._tcp.noblejury.com. IN TLSA ?
_25._tcp.pensionkuiper.com. IN TLSA ?
_25._tcp.mailip.pfsc.com. IN TLSA ?
_25._tcp.mx1.politicalmediareport.com. IN TLSA ?
_25._tcp.procodis-france.com. IN TLSA ?
_25._tcp.rachelreagan.com. IN TLSA ?
_25._tcp.mail.relyapawn.com. IN TLSA ?
_25._tcp.sailsocieteitamsterdam.com. IN TLSA ?
_25._tcp.mailip.servicerplus.com. IN TLSA ?
_25._tcp.short-street.com. IN TLSA ?
_25._tcp.slowlicks.com. IN TLSA ?
_25._tcp.snowplume.com. IN TLSA ?
_25._tcp.societeitsailamsterdam.com. IN TLSA ?
_25._tcp.sphinxciviel.com. IN TLSA ?
_25._tcp.starweldboats.com. IN TLSA ?
_25._tcp.studiobrm.com. IN TLSA ?
_25._tcp.tebsail.com. IN TLSA ?
_25._tcp.telemax247.com. IN TLSA ?
_25._tcp.webmail.totalshipsupply.com. IN TLSA ?
_25._tcp.upmccancercenter.com. IN TLSA ?
_25._tcp.vfdworld.com. IN TLSA ?
_25._tcp.mail.watchevents.com. IN TLSA ?
_25._tcp.wellnessnoord.com. IN TLSA ?
_25._tcp.y44.com. IN TLSA ?
_25._tcp.878.cz. IN TLSA ?
_25._tcp.aaastrechy.cz. IN TLSA ?
_25._tcp.absorpce.cz. IN TLSA ?
_25._tcp.access-it.cz. IN TLSA ?
_25._tcp.bdsoft.cz. IN TLSA ?
_25._tcp.botanix.cz. IN TLSA ?
_25._tcp.callsystem.cz. IN TLSA ?
_25._tcp.canson.cz. IN TLSA ?
_25._tcp.dido.cz. IN TLSA ?
_25._tcp.doporuceneubytovani.cz. IN TLSA ?
_25._tcp.extraslide.cz. IN TLSA ?
_25._tcp.fermontplus.cz. IN TLSA ?
_25._tcp.fosfa.cz. IN TLSA ?
_25._tcp.gurmanunicov.cz. IN TLSA ?
_25._tcp.hnatik.cz. IN TLSA ?
_25._tcp.hobbypoint.cz. IN TLSA ?
_25._tcp.hvideo.cz. IN TLSA ?
_25._tcp.klempirsky-eshop.cz. IN TLSA ?
_25._tcp.kotatko-kamenivo-kura.cz. IN TLSA ?
_25._tcp.luciekrystofova.cz. IN TLSA ?
_25._tcp.mediastyle.cz. IN TLSA ?
_25._tcp.mflight.cz. IN TLSA ?
_25._tcp.mikrofony.cz. IN TLSA ?
_25._tcp.omfo.cz. IN TLSA ?
_25._tcp.pastorovi.cz. IN TLSA ?
_25._tcp.pod1.cz. IN TLSA ?
_25._tcp.pozorkliste.cz. IN TLSA ?
_25._tcp.reklama-natelo.cz. IN TLSA ?
_25._tcp.silper.cz. IN TLSA ?
_25._tcp.spiritbar.cz. IN TLSA ?
_25._tcp.strechy-brno.cz. IN TLSA ?
_25._tcp.studentisobe.cz. IN TLSA ?
_25._tcp.studujchytre.cz. IN TLSA ?
_25._tcp.sybai.cz. IN TLSA ?
_25._tcp.talka.cz. IN TLSA ?
_25._tcp.urbec.cz. IN TLSA ?
_25._tcp.videostart.cz. IN TLSA ?
_25._tcp.barracuda.truman.edu. IN TLSA ?
_25._tcp.shahar.email. IN TLSA ?
_25._tcp.acemarketing.eu. IN TLSA ?
_25._tcp.bed4baby.eu. IN TLSA ?
_25._tcp.dartsdatabase.eu. IN TLSA ?
_25._tcp.demius.eu. IN TLSA ?
_25._tcp.mail.ephix.eu. IN TLSA ?
_25._tcp.hansvanelst.eu. IN TLSA ?
_25._tcp.oobb.eu. IN TLSA ?
_25._tcp.mail.sironeurope.eu. IN TLSA ?
_25._tcp.mail.stockyard.eu. IN TLSA ?
_25._tcp.vixada.eu. IN TLSA ?
_25._tcp.mail.logimedia.fr. IN TLSA ?
_25._tcp.mycolli.fr. IN TLSA ?
_25._tcp.ironport3.jobcorps.gov. IN TLSA ?
_25._tcp.ironport4.jobcorps.gov. IN TLSA ?
_25._tcp.mx1.techtrack.gov. IN TLSA ?
_25._tcp.mail.calamar.hu. IN TLSA ?
_25._tcp.mail.ppko.hu. IN TLSA ?
_25._tcp.mail.progmat.hu. IN TLSA ?
_25._tcp.brianwilliams.info. IN TLSA ?
_25._tcp.23systems-dev.net. IN TLSA ?
_25._tcp.mx.admings.net. IN TLSA ?
_25._tcp.mailky.b2.net. IN TLSA ?
_25._tcp.brianwilliams.net. IN TLSA ?
_25._tcp.mailky.cas-com.net. IN TLSA ?
_25._tcp.centiermx0.centier.net. IN TLSA ?
_25._tcp.mx1.conservativeconversation.net. IN TLSA ?
_25._tcp.mx1.cs15.net. IN TLSA ?
_25._tcp.mail.ecwr.net. IN TLSA ?
_25._tcp.henrock.net. IN TLSA ?
_25._tcp.mail.mcso.net. IN TLSA ?
_25._tcp.ninethreequarter.net. IN TLSA ?
_25._tcp.twitterdex.net. IN TLSA ?
_25._tcp.websitewharf.net. IN TLSA ?
_25._tcp.mail.123stream.nl. IN TLSA ?
_25._tcp.18pluscontact.nl. IN TLSA ?
_25._tcp.a-kan.nl. IN TLSA ?
_25._tcp.acemarketing.nl. IN TLSA ?
_25._tcp.mail.all4bbq.nl. IN TLSA ?
_25._tcp.altijdwebcams.nl. IN TLSA ?
_25._tcp.arclandia.nl. IN TLSA ?
_25._tcp.arklandia.nl. IN TLSA ?
_25._tcp.mail.ashatenbroeke.nl. IN TLSA ?
_25._tcp.atletiekrecords.nl. IN TLSA ?
_25._tcp.mail.beeldles.nl. IN TLSA ?
_25._tcp.mail.beimans.nl. IN TLSA ?
_25._tcp.mail.best4bbq.nl. IN TLSA ?
_25._tcp.camera-kopen-advies.nl. IN TLSA ?
_25._tcp.cameras-kopen.nl. IN TLSA ?
_25._tcp.xchange.caramelo-media.nl. IN TLSA ?
_25._tcp.catmurdock.nl. IN TLSA ?
_25._tcp.mail.cober.nl. IN TLSA ?
_25._tcp.comodus.nl. IN TLSA ?
_25._tcp.mail.dakprobleem.nl. IN TLSA ?
_25._tcp.dartsdatabase.nl. IN TLSA ?
_25._tcp.mail.de-garage.nl. IN TLSA ?
_25._tcp.mail.de-seo-expert.nl. IN TLSA ?
_25._tcp.debeeldbank.nl. IN TLSA ?
_25._tcp.dgcgroningen.nl. IN TLSA ?
_25._tcp.f35.nl. IN TLSA ?
_25._tcp.mail.feije.nl. IN TLSA ?
_25._tcp.ferketnet.nl. IN TLSA ?
_25._tcp.gdl.nl. IN TLSA ?
_25._tcp.hhdetuinman.nl. IN TLSA ?
_25._tcp.historischmuseumhengelo.nl. IN TLSA ?
_25._tcp.smtp.ibcs.nl. IN TLSA ?
_25._tcp.idoweddings.nl. IN TLSA ?
_25._tcp.infopay.nl. IN TLSA ?
_25._tcp.iq-dev.nl. IN TLSA ?
_25._tcp.mail.jecom.nl. IN TLSA ?
_25._tcp.mail.johanszonwering.nl. IN TLSA ?
_25._tcp.mail.jsrit.nl. IN TLSA ?
_25._tcp.mail.loodgieterindenbosch.nl. IN TLSA ?
_25._tcp.mail.lostaging.nl. IN TLSA ?
_25._tcp.mail.mailaccommmail.nl. IN TLSA ?
_25._tcp.mail.marsenvenus.nl. IN TLSA ?
_25._tcp.mail.mediagardeserver.nl. IN TLSA ?
_25._tcp.mail.mhglasfolie.nl. IN TLSA ?
_25._tcp.mail.misterhealthy.nl. IN TLSA ?
_25._tcp.mtbook.nl. IN TLSA ?
_25._tcp.smtp.mwalet.nl. IN TLSA ?
_25._tcp.niid.nl. IN TLSA ?
_25._tcp.o365.nl. IN TLSA ?
_25._tcp.oaldhengel.nl. IN TLSA ?
_25._tcp.mail.parkhotelvalkenburgct.nl. IN TLSA ?
_25._tcp.mail.particulieralarm.nl. IN TLSA ?
_25._tcp.mail.penxl.nl. IN TLSA ?
_25._tcp.platform-bbl.nl. IN TLSA ?
_25._tcp.remote.pro-vision-engineering.nl. IN TLSA ?
_25._tcp.mail.rkdesign.nl. IN TLSA ?
_25._tcp.rkdesigns.nl. IN TLSA ?
_25._tcp.mail.simbi.nl. IN TLSA ?
_25._tcp.smartcop.nl. IN TLSA ?
_25._tcp.spinnenwebteksten.nl. IN TLSA ?
_25._tcp.mail.spoedscriptie.nl. IN TLSA ?
_25._tcp.mail.stichtingictmanagement.nl. IN TLSA ?
_25._tcp.mail.studentrecruiter.nl. IN TLSA ?
_25._tcp.studiobeerens.nl. IN TLSA ?
_25._tcp.mail.therealistgroup.nl. IN TLSA ?
_25._tcp.WatchGuardXCS280.twenterand.nl. IN TLSA ?
_25._tcp.mail.vadersalleen.nl. IN TLSA ?
_25._tcp.mail.vastgoed-hypotheken.nl. IN TLSA ?
_25._tcp.mail.vip-finance.nl. IN TLSA ?
_25._tcp.mail.vvbeta.nl. IN TLSA ?
_25._tcp.mail.webnit.nl. IN TLSA ?
_25._tcp.mail.wheelking.nl. IN TLSA ?
_25._tcp.winneroptimist.nl. IN TLSA ?
_25._tcp.mail.wisehosted.nl. IN TLSA ?
_25._tcp.mail.wuzzi.nl. IN TLSA ?
_25._tcp.xnyhps.nl. IN TLSA ?
_25._tcp.mail.xtijd.nl. IN TLSA ?
_25._tcp.mail.zngd.nl. IN TLSA ?
_25._tcp.fivelpoort.nu. IN TLSA ?
_25._tcp.gratis-skraplotter.nu. IN TLSA ?
_25._tcp.matspjut.nu. IN TLSA ?
_25._tcp.creditsights.nyc. IN TLSA ?
_25._tcp.brianwilliams.org. IN TLSA ?
_25._tcp.mail.dotworld.org. IN TLSA ?
_25._tcp.niads.org. IN TLSA ?
_25._tcp.magister.ovh. IN TLSA ?
_25._tcp.mixandblend.pt. IN TLSA ?
_25._tcp.planitum.pt. IN TLSA ?
_25._tcp.rolasdaportela.pt. IN TLSA ?
_25._tcp.standvirtual.pt. IN TLSA ?
_25._tcp.mailgw.ap2.se. IN TLSA ?
_25._tcp.daralabs.se. IN TLSA ?
_25._tcp.darkambient.se. IN TLSA ?
_25._tcp.dbdo.se. IN TLSA ?
_25._tcp.easton.se. IN TLSA ?
_25._tcp.finansforum.se. IN TLSA ?
_25._tcp.fungerandemedier.se. IN TLSA ?
_25._tcp.johanhellgren.se. IN TLSA ?
_25._tcp.jonsoft.se. IN TLSA ?
_25._tcp.molnmicke.se. IN TLSA ?
_25._tcp.mywaybutiken.se. IN TLSA ?
_25._tcp.papperstallrik.se. IN TLSA ?
_25._tcp.raffesbil.se. IN TLSA ?
_25._tcp.mailedge.sala.se. IN TLSA ?
_25._tcp.shellvik.se. IN TLSA ?
_25._tcp.softwareengineering.se. IN TLSA ?
_25._tcp.mail.statskontoret.se. IN TLSA ?
_25._tcp.studiodaikon.se. IN TLSA ?
_25._tcp.tornordern.se. IN TLSA ?
_25._tcp.tstime.se. IN TLSA ?
_25._tcp.mail.stm.com.tw. IN TLSA ?
_25._tcp.mail.mof.gov.tw. IN TLSA ?
_25._tcp.mail.blackcherry-management.co.uk. IN TLSA ?
_25._tcp.brianwilliams.us. IN TLSA ?
_25._tcp.nsantos.xyz. IN TLSA ?
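The rule proposed above (signed MX host zone: a TLSA query must succeed or return a validated NODATA/NXDOMAIN; unsigned MX host zone: don't query TLSA at all; implied "domain. IN MX 0 domain." when there are no MX records) as a decision routine, written here as an added example. It is not code from this post nor from DNS-OARC's Check My DNS tool. The `TlsaResponse` record, the `signed` flag and the per-nameserver response lists are assumptions standing in for what a validating lookup would hand back, and every domain and answer below is constructed sample data, not a live measurement.

```python
"""Classify DANE/TLSA lookup outcomes for a domain's best-preference MX hosts.

Added example (assumed model, not the Check My DNS implementation): the
caller is expected to have already resolved the MX RRset, decided whether
each MX host lies in a signed zone, and queried _25._tcp.<host> TLSA at
each authoritative nameserver. This module only applies the decision rule.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Worst outcome first; "skip-unsigned" is not an error at all.
SEVERITY = ["no-response", "servfail", "bogus", "nodata", "nxdomain", "tlsa", "skip-unsigned"]
BROKEN = {"no-response", "servfail", "bogus"}


@dataclass
class TlsaResponse:
    """One nameserver's reply to a TLSA query (assumed shape, constructed inputs)."""
    rcode: Optional[str]      # "NOERROR", "NXDOMAIN", "SERVFAIL"; None means timeout
    answers: int = 0          # number of TLSA RRs in the answer section
    validated: bool = False   # DNSSEC validation of the answer or denial succeeded


def tlsa_owner(mx_host: str, port: int = 25, proto: str = "tcp") -> str:
    """Owner name of the SMTP TLSA RRset: _25._tcp.<mx host>. (lower-cased, absolute)."""
    host = mx_host.strip().lower().rstrip(".")
    return f"_{port}._{proto}.{host}."


def best_mx_hosts(domain: str, mx_rrset: List[Tuple[int, str]]) -> List[str]:
    """Hosts at the lowest preference. With no MX records the implied
    'domain. IN MX 0 domain.' makes the domain itself the only MX host."""
    if not mx_rrset:
        return [domain.lower().rstrip(".") + "."]
    best = min(pref for pref, _ in mx_rrset)
    return sorted({h.lower().rstrip(".") + "." for p, h in mx_rrset if p == best})


def classify_tlsa(signed: bool, resp: Optional[TlsaResponse]) -> str:
    """Apply the rule to one TLSA reply from one nameserver."""
    if not signed:
        return "skip-unsigned"          # unsigned MX host zone: TLSA is not queried
    if resp is None or resp.rcode is None:
        return "no-response"            # nameserver drops or times out on TLSA queries
    if resp.rcode == "SERVFAIL":
        return "servfail"
    if not resp.validated:
        return "bogus"                  # signed zone, but the answer/denial fails validation
    if resp.rcode == "NXDOMAIN":
        return "nxdomain"
    if resp.rcode == "NOERROR":
        return "tlsa" if resp.answers > 0 else "nodata"
    return "unexpected-" + resp.rcode


def worst_outcome(outcomes: List[str]) -> str:
    """A host is only as good as its worst nameserver."""
    return min(outcomes, key=lambda o: SEVERITY.index(o) if o in SEVERITY else -1)


def check_domain(domain: str, mx_rrset: List[Tuple[int, str]], signed: Dict[str, bool],
                 responses: Dict[str, List[Optional[TlsaResponse]]]) -> Dict[str, str]:
    """Map each best-preference MX host to its overall TLSA outcome."""
    results: Dict[str, str] = {}
    for host in best_mx_hosts(domain, mx_rrset):
        per_ns = responses.get(tlsa_owner(host)) or [None]
        results[host] = worst_outcome([classify_tlsa(signed.get(host, False), r) for r in per_ns])
    return results


def broken_hosts(results: Dict[str, str]) -> List[str]:
    return [h for h, o in results.items() if o in BROKEN]


# Constructed sample data: four made-up domains covering the cases in the post.
SAMPLE = {
    # explicit MX, signed host zone, both nameservers return a validated NODATA
    "good.example": dict(mx=[(10, "mx1.good.example."), (20, "mx2.good.example.")],
                         signed={"mx1.good.example.": True},
                         responses={"_25._tcp.mx1.good.example.": [
                             TlsaResponse("NOERROR", 0, True), TlsaResponse("NOERROR", 0, True)]}),
    # no MX records: implied MX host is the domain itself, which publishes TLSA
    "dane.example": dict(mx=[], signed={"dane.example.": True},
                         responses={"_25._tcp.dane.example.": [TlsaResponse("NOERROR", 1, True)]}),
    # signed zone, but one of two nameservers returns a denial that does not validate
    "broken.example": dict(mx=[(0, "mail.broken.example")], signed={"mail.broken.example.": True},
                           responses={"_25._tcp.mail.broken.example.": [
                               TlsaResponse("NXDOMAIN", 0, True), TlsaResponse("NXDOMAIN", 0, False)]}),
    # unsigned MX host zone: no TLSA query is made
    "plain.example": dict(mx=[(10, "mx.plain.example.")], signed={}, responses={}),
}


def run_sample() -> Dict[str, Dict[str, str]]:
    return {d: check_domain(d, v["mx"], v["signed"], v["responses"]) for d, v in SAMPLE.items()}


if __name__ == "__main__":
    for domain, per_host in run_sample().items():
        print(domain, per_host, "BROKEN:" if broken_hosts(per_host) else "", broken_hosts(per_host))
```

The "worst nameserver wins" rule in `worst_outcome` is what makes a domain count as failing when only some of its nameservers misbehave, which is exactly the case the post describes; a tool that queries only one nameserver (or a recursive cache) would miss those.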