[dns-operations] Anyone with contacts at Paypal and/or Ultradns?

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Apr 4 20:33:02 UTC 2020


[ Bcc: Paul Ebersman, Steve DeJong, and dns support at Neustar ]

On Sun, Dec 29, 2019 at 03:56:53PM -0500, Viktor Dukhovni wrote:

> Now I see DoE failure for 330 TLSA RRsets in 322 zones served by:
> 
>      253   dns1.registrar-servers.com,   dns2.registrar-servers.com
>       68  pdns1.registrar-servers.com,  pdns2.registrar-servers.com
>        1 dns101.registrar-servers.com, dns102.registrar-servers.com
> 
> which affect email delivery to (at least) 351 domains.  DNSViz reports
> the below errors:

At the time, an off-list response seemed to promise remediation in the
mid-January timeframe, but clearly that did not happen.  Rather, the
number of problem TLSA qnames has grown to 516.  These break email
delivery from a growing list of DANE-enabled senders to 550+ domains
using one of the MX hosts exhibiting the TLSA lookup breakage.

Now that mijnhostingpartner.nl have resolved all issues (many thanks!),
this is by far the largest cluster of denial of existence problems:

    http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/registrar-servers.com.html

For all but one, DNSViz reports one of the two symptoms:

    267 E:MISSING_NSEC_FOR_NODATA, e.g.

        http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.1125.io.html

    248 E:WILDCARD_NOT_COVERED, e.g.

        http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.0x5f3759df.xyz.html

    with additional symptoms for 11 of them:

     E:MISSING_RRSIG_FOR_ALG_DS
     E:MISSING_SEP_FOR_ALG

    For example:

        http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.denveracrepair.com.html

    has DS RRs for both alg 8 and 13, but DNSKEYs are only present for 13.
    Most likely the rest are in the same boat.

The one exception is:

    http://dnssec-stats.ant.isi.edu/~viktor/dnsviz/registrar-servers.com.d/_25._tcp.mail.tenmail.us.txt

for which the error is E:SNAME_NOT_COVERED.

The nameservers for the domains in question are:

    425 dns1.registrar-servers.com.
    425 dns2.registrar-servers.com.
     82 pdns1.registrar-servers.com.
     82 pdns2.registrar-servers.com.

-- 
    Viktor.
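
A coarse triage for the two failure classes named in the message above (a negative answer with no signed NSEC/NSEC3 proof, and a DS algorithm with no matching DNSKEY), as an added example that is not part of the original post. It assumes `dig +dnssec` style text as input; the `example.test` records are constructed, and the check only tests for presence of a signed proof, not the name or wildcard coverage that a validator or DNSViz verifies.

```python
import re

# Constructed dig +dnssec style samples; names and record data are made up.
HDR = ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n"
SOA = ("example.test. 3600 IN SOA ns1.example.test. h.example.test. 1 2 3 4 5\n"
       "example.test. 3600 IN RRSIG SOA 13 2 3600 2 1 1111 example.test. c2ln\n")
BROKEN = HDR + ";; AUTHORITY SECTION:\n" + SOA          # NODATA, no NSEC at all
FIXED = BROKEN + (
    "_25._tcp.mx.example.test. 3600 IN NSEC example.test. TXT RRSIG NSEC\n"
    "_25._tcp.mx.example.test. 3600 IN RRSIG NSEC 13 5 3600 2 1 1111 example.test. c2ln\n")
KEYS = HDR + (";; ANSWER SECTION:\n"                    # DS and DNSKEY answers merged
    "example.test. 3600 IN DS 1111 8 2 AAAA\n"
    "example.test. 3600 IN DS 2222 13 2 BBBB\n"
    "example.test. 3600 IN DNSKEY 257 3 13 CCCC\n")

def parse_dig(text):
    """Return (status, {section: [(owner, rtype, rdata_fields)]})."""
    status = re.search(r"status: (\w+)", text).group(1)
    sections, current = {}, None
    for line in text.splitlines():
        m = re.match(r";; (\w+) SECTION:", line)
        if m:
            current = sections.setdefault(m.group(1), [])
        elif line and not line.startswith(";") and current is not None:
            f = line.split()
            current.append((f[0], f[3], f[4:]))
    return status, sections

def missing_denial_proof(text):
    """True if a negative answer carries no signed NSEC/NSEC3 in AUTHORITY.
    Assumes the response came from an authoritative server of a signed zone."""
    status, sec = parse_dig(text)
    negative = status == "NXDOMAIN" or (status == "NOERROR" and not sec.get("ANSWER"))
    auth = sec.get("AUTHORITY", [])
    proofs = {t for _, t, _ in auth if t in ("NSEC", "NSEC3")}
    signed = {rd[0] for _, t, rd in auth if t == "RRSIG"}  # type-covered field
    return negative and not (proofs & signed)

def ds_algs_without_dnskey(text):
    """DS algorithm numbers for which no DNSKEY of that algorithm is published."""
    _, sec = parse_dig(text)
    rrs = [rr for rrset in sec.values() for rr in rrset]
    ds = {int(rd[1]) for _, t, rd in rrs if t == "DS"}        # keytag ALG dtype digest
    keys = {int(rd[2]) for _, t, rd in rrs if t == "DNSKEY"}  # flags proto ALG key
    return sorted(ds - keys)
```
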

