[dns-operations] isphuset.no/fsdata.se DNSSEC breakage (Solved)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 13 07:02:08 UTC 2016


> On Sep 4, 2016, at 8:01 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> [ TL;DR anyone know of responsive contacts at fsdata.se? ]
> 
> isphuset.no hosts many DNSSEC signed (mostly .no) domains.
> Unfortunately, their woefully out of date PowerDNS software (managed
> for them by fsdata.se) fails badly at authenticated denial of
> existence.

Just to capstone this thread, the isphuset.no/fsdata.se issue is now
resolved.  Thanks for all the help.  All 407 problem domains (at last
count) now return valid TLSA record denial of existence.

A minor nit is that the response needlessly sets the opt-out bit even
though all the DNS records in the delegated 2LDs are signed.  I've
let them know that not setting the "opt-opt" bit is more appropriate
for such 2LD zones.  Whether that's changed or not, DANE-enabled sending
MTAs can now send email to these domains.  So case closed.

-- 
	Viktor.




More information about the dns-operations mailing list