[dns-operations] isphuset.no/fsdata.se DNSSEC breakage (Solved)

Warren Kumari warren at kumari.net
Wed Sep 14 13:40:57 UTC 2016

On Tue, Sep 13, 2016 at 3:02 AM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> On Sep 4, 2016, at 8:01 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
>> [ TL;DR anyone know of responsive contacts at fsdata.se? ]
>> isphuset.no hosts many DNSSEC signed (mostly .no) domains.
>> Unfortunately, their woefully out of date PowerDNS software (managed
>> for them by fsdata.se) fails badly at authenticated denial of
>> existence.
> Just to capstone this thread, the isphuset.no/fsdata.se issue is now
> resolved.  Thanks for all the help.  All 407 problem domains (at last
> count) now return valid TLSA record denial of existence.

I quickly wanted to (publicly) thank Viktor (and Mark Andrews) for
doing these sorts of things - it is annoying, grungy work, but it
makes the DNS work better for all of us.


> A minor nit is that the response needlessly sets the opt-out bit even
> though all the DNS records in the delegated 2LDs are signed.  I've
> let them know that not setting the "opt-opt" bit is more appropriate
> for such 2LD zones.  Whether that's changed or not, DANE-enabled sending
> MTAs can now send email to these domains.  So case closed.
> --
>         Viktor.
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-operations mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

I don't think the execution is relevant when it was obviously a bad
idea in the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair
of pants.

More information about the dns-operations mailing list