[dns-operations] My DNS, my rules (was isphuset.no/fsdata.se DNSSEC breakage)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 6 05:36:44 UTC 2016

On Tue, Sep 06, 2016 at 02:56:21PM +1000, Mark Andrews wrote:

> > The great thing about DNS is that it mostly aligns the costs and
> > benefits of the service.
> Until something breaks at which point the costs basically fall on
> everybody else.  There are good reasons that excommunication is at
> the end of the complaints procedure in RFC 1033.  It forces the
> costs back on to the offending party when reasonable steps to get
> an issue addressed fail to be effective.

Right, opportunistic DANE TLS only works when DNSSEC-signed zones
are able to return validated denial of existence when no TLSA
records are present.  Otherwise, the protocol becomes vulnerable
to downgrade attacks.  If too many email domains that don't publish
TLSA records also have broken nameservers, then they make opportunistic
DANE TLS a pain to deploy for everyone else.

Thus far, the vast majority of the providers I've contacted have
been responsive and have fixed the reported software defects or
firewall misconfigurations (dropping of TLSA queries).

There is no compulsion to implement DNSSEC or DANE, but it should
be reasonable to expect that, when deployed, DNSSEC works correctly.
Especially when the nameserver is operated by a hosting provider
that serves many customer domains.

I am certainly not about to rush into requesting the de-listing of
any domains.  I am, however, asking for some help to flush out the
guilty parties and prod them to remediate.

Their choice whether to support DNSSEC or not, but not so much
whether to bother to get it right.  Indeed in the case of isphuset
I did suggest to them on a few occasions that they can also resolve
the problem by dropping DNSSEC support, but this did not elicit a
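
As an added illustration, not part of the original message, here is the decision a DANE-aware SMTP client makes for one MX host once it has the validation status of the MX lookup and of the TLSA lookup. Level names follow Postfix's smtp_tls_security_level vocabulary and the "usable record" rule follows RFC 7672 (only DANE-TA and DANE-EE usages count); the Status and TlsaAnswer types are constructed here for the example. The branch that matters for this thread is the last one: a dropped or bogus TLSA answer is indistinguishable from a downgrade attack, so mail is deferred rather than sent without authentication.

```python
from dataclasses import dataclass, field
from enum import Enum


class Status(Enum):
    SECURE = "secure"      # DNSSEC-validated answer, positive or denial of existence
    INSECURE = "insecure"  # name lies in an unsigned zone, so DANE is not possible
    BOGUS = "bogus"        # validation failed: forged data or a broken signer
    ERROR = "error"        # SERVFAIL or timeout, e.g. a firewall dropping TLSA queries


@dataclass
class TlsaAnswer:
    status: Status
    # (usage, selector, matching type, hex data) tuples; empty means NXDOMAIN/NODATA
    records: list = field(default_factory=list)


def usable(rec) -> bool:
    """RFC 7672: SMTP only uses DANE-TA(2)/DANE-EE(3) with a known selector and matching type."""
    usage, selector, mtype, _ = rec
    return usage in (2, 3) and selector in (0, 1) and mtype in (0, 1, 2)


def dane_policy(mx_status: Status, tlsa: TlsaAnswer) -> str:
    """Effective TLS level for one MX host, in Postfix level names.

    mx_status is the validation status of the recipient domain's MX RRset,
    tlsa the answer to "_25._tcp.<mx-host> IN TLSA" (both constructed inputs here).
    """
    # An unvalidated MX RRset could have been forged, so nothing below it can be
    # authenticated; fall back to unauthenticated, opportunistic TLS.
    if mx_status is Status.INSECURE:
        return "may"
    # A bogus or failed MX lookup is not a reason to send in the clear: retry later.
    if mx_status is not Status.SECURE:
        return "defer"
    if tlsa.status is Status.SECURE:
        if not tlsa.records:
            return "may"       # validated denial of existence: no TLSA, no downgrade risk
        if any(usable(r) for r in tlsa.records):
            return "dane"      # authenticate the server certificate against the TLSA RRset
        return "encrypt"       # TLSA present but none usable: TLS required, unauthenticated
    if tlsa.status is Status.INSECURE:
        return "may"           # MX host lives in an unsigned zone
    # BOGUS or ERROR: "no TLSA" cannot be told apart from an attack or a broken
    # nameserver, so the message is deferred. This is the cost the thread describes.
    return "defer"
```

A provider whose firewall drops TLSA queries therefore does not merely lose DANE for its own domains; every DANE-enabled sender's queue fills with deferred mail until the queries are answered or the sender gives up on the domain.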

