[dns-operations] TLSA denial of existence issues at dotroll.com

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 29 23:25:27 UTC 2018

> On Aug 6, 2018, at 9:43 PM, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> A handful of hosting providers account for the majority of observed issues
> with DNSSEC denial of existence.  I've put together an easy to browse
> DNSViz "gallery" of the problems seen at each of the top 10 such providers:
> 89   http://imrryr.org/~viktor/dnsviz/dotroll.com.html

That number is now 107, all but 3 return NODATA for TLSA lookups, but NSEC
chain consists of just the zone apex, and does not include the wildcard
also present in the zone.

The remaining 3 have somewhat more sporadic issues:

 SERVFAIL queries with DO bit:

 Lame delegation of _tcp sub-domain:

> ... perhaps some of you know exactly the right person ...
> to gently nudge to get the issues resolved ...

I've had any luck with <support at dotroll.com> or their twitter account.  Anyone
know any humans behind dotroll.com/webspacecontrol.com?


More information about the dns-operations mailing list