[dns-operations] isphuset.no/fsdata.se DNSSEC breakage (Solved)
Viktor Dukhovni
ietf-dane at dukhovni.org
Tue Sep 13 07:02:08 UTC 2016
> On Sep 4, 2016, at 8:01 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>
> [ TL;DR anyone know of responsive contacts at fsdata.se? ]
>
> isphuset.no hosts many DNSSEC signed (mostly .no) domains.
> Unfortunately, their woefully out of date PowerDNS software (managed
> for them by fsdata.se) fails badly at authenticated denial of
> existence.

Just to capstone this thread, the isphuset.no/fsdata.se issue is now
resolved. Thanks for all the help. All 407 problem domains (at last
count) now return valid TLSA record denial of existence.

A minor nit is that the response needlessly sets the opt-out bit even
though all the DNS records in the delegated 2LDs are signed. I've
let them know that not setting the "opt-out" bit is more appropriate
for such 2LD zones. Whether that's changed or not, DANE-enabled sending
MTAs can now send email to these domains. So case closed.

--
Viktor.
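
The following is an added example, not part of the original message: a Python sketch of checking what a single NSEC3 record proves about a name and type (for instance a TLSA lookup) and whether it carries the opt-out flag discussed above. The function names are hypothetical, the sample record is taken from the RFC 5155 Appendix A example zone rather than from the zones in this thread, and RRSIG verification is assumed to happen elsewhere.

```python
import base64
import hashlib

# NSEC3 owner labels use base32hex (RFC 4648); translate from standard base32.
_B32HEX = bytes.maketrans(b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                          b"0123456789abcdefghijklmnopqrstuv")

def nsec3_hash(name, salt_hex, iterations):
    """RFC 5155 hash: SHA-1 over wire-format name plus salt, then extra rounds."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    wire = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).translate(_B32HEX).decode("ascii")

def parse_nsec3(rr_text):
    """Parse 'owner NSEC3 alg flags iterations salt next-hash types...'."""
    f = rr_text.split()
    i = f.index("NSEC3")
    return {"owner": f[0].split(".")[0].lower(), "opt_out": bool(int(f[i + 2]) & 1),
            "iterations": int(f[i + 3]), "salt": f[i + 4],
            "next": f[i + 5].lower(), "types": set(f[i + 6:])}

def check_denial(rr_text, qname, qtype):
    """Classify what one NSEC3 record proves about qname/qtype, plus its opt-out flag."""
    rr = parse_nsec3(rr_text)
    h = nsec3_hash(qname, rr["salt"], rr["iterations"])
    lo, hi = rr["owner"], rr["next"]
    if h == lo:
        # Matching record: the name exists; the type bitmap decides NODATA.
        proof = "nodata" if qtype not in rr["types"] else "exists"
    elif (lo < h < hi) or (lo >= hi and (h > lo or h < hi)):
        # Hash falls in the gap (second clause handles the last record wrapping).
        proof = "covered"
    else:
        proof = "unrelated"
    return proof, rr["opt_out"]

# Sample record from the RFC 5155 Appendix A example zone (not from this thread).
SAMPLE = ("0p9mhaveqvm6t7vbl5lop2u3t2rp3tom.example. NSEC3 1 1 12 aabbccdd "
          "2t7b4g4vsa5smi47k61mv5bv1a22bojr MX DNSKEY NS SOA NSEC3PARAM RRSIG")

if __name__ == "__main__":
    for name in ("example", "c.x.w.example", "a.example"):
        print(name, check_denial(SAMPLE, name, "TLSA"))
```

A "covered" result with the opt-out flag set only proves that no signed name exists in that gap, which is why the flag is unnecessary in a zone where every record is signed.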