Since we don't often hear DNSSEC positive stories, I figured I'd share this sad operational outage situation with the list.

A large Dutch ISP ran into issues with their Registrar (which I'm really biting my nails not to mention by name). It caused hundreds of domains to enter the PENDINGDELETE stage. One such example is puiterwijk.org. They have been in this state now for days.

What made things worse is that said Registrar took over the domains and is running those zones on their DNS servers, including an MX record that points to an actual mail server. So if you were lucky, your email just bounced. If unlucky, someone else got your emails. The TLS certificate on that mail server doesn't even match their hostname, so anyone on path can also just MITM it, and a traceroute shows 26+ hops all over the place.

However, they did not modify the DS records after taking over the NS records and MX/A records. So those domains (including the above-mentioned puiterwijk.org) are not resolving at all, because the validators are rejecting the domain supplier zones as bogus. So, my emails to this person were not delivered to the rogue MX servers because both he and I deployed DNSSEC.

Now, taking over MX and causing email failures like this is pretty evil. I would hope this violates some ICANN or PIR agreement, but as said Registrar has been a sad registrar since uhm about 1995, I guess nothing is going to change. Let's hope the Dutch ISP has learned from this and will move to another Registrar soon after this mess gets resolved.

Paul
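The mechanism behind the outage described above is the DS/DNSKEY chain: the registry kept publishing the DS records for the ISP's original key, while the registrar's servers started serving a zone signed with a different key (or no key at all), so every validating resolver treats the delegation as bogus. The following is an added example, not code from the original mail, that rebuilds a DS record from a DNSKEY exactly the way a validator does (RFC 4034 key tag and digest over the canonical owner name plus DNSKEY RDATA) and reports how the delegation would be classified. All zone names and keys are constructed sample data; in practice an operator would feed it the DS set from `dig DS <zone>` at the parent and the DNSKEY set answered by the child's authoritative servers.

```python
"""
Added example (not from the original mail): check whether the DS records a
parent zone publishes still match the DNSKEY set the child's nameservers serve.
All names, keys and digests below are constructed sample data.
"""
import base64
import hashlib
import struct


def name_to_wire(name):
    """Canonical wire form of an owner name (RFC 4034 section 6.2): lowercase
    labels, each length-prefixed, terminated by a zero-length root label."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    wire = b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels)
    return wire + b'\x00'


def dnskey_rdata(flags, protocol, algorithm, pubkey_b64):
    """DNSKEY RDATA: flags(2) protocol(1) algorithm(1) followed by the raw public key."""
    return struct.pack('!HBB', flags, protocol, algorithm) + base64.b64decode(pubkey_b64)


def key_tag(rdata):
    """Key tag over the DNSKEY RDATA (RFC 4034 Appendix B)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}


def make_ds(owner, dnskey, digest_type=2):
    """Build the DS RR a parent would publish for this DNSKEY as
    (key tag, algorithm, digest type, hex digest). The digest covers
    canonical owner name || DNSKEY RDATA (RFC 4034 section 5.1.4)."""
    flags, protocol, algorithm, pubkey_b64 = dnskey
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey_b64)
    digest = DIGESTS[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    return (key_tag(rdata), algorithm, digest_type, digest)


def classify_delegation(owner, parent_ds, child_dnskeys):
    """Mimic a validator's view of the delegation:
    'insecure' - the parent publishes no DS, so the child is accepted unsigned;
    'secure'   - at least one DS matches a DNSKEY the child actually serves;
    'bogus'    - DS records exist but none match, so every answer is rejected."""
    if not parent_ds:
        return 'insecure'
    for key in child_dnskeys:
        for ds in parent_ds:
            # Recompute the DS with the parent's digest type and compare all four fields.
            if ds == make_ds(owner, key, ds[2]):
                return 'secure'
    return 'bogus'


# Constructed sample data (not real keys): the key the zone was signed with
# before the takeover, and a different key served by the new nameservers.
ZONE = 'example.org.'
ORIGINAL_KSK = (257, 3, 13, base64.b64encode(bytes(range(1, 65))).decode())
TAKEOVER_KSK = (257, 3, 13, base64.b64encode(bytes(range(65, 129))).decode())
PARENT_DS = [make_ds(ZONE, ORIGINAL_KSK)]  # registry still holds the old DS


def outage_demo():
    """Validator verdicts: before the takeover, after it with the stale DS
    still in place, and what would have happened with no DS at the parent."""
    before = classify_delegation(ZONE, PARENT_DS, [ORIGINAL_KSK])
    after = classify_delegation(ZONE, PARENT_DS, [TAKEOVER_KSK])
    unsigned = classify_delegation(ZONE, [], [TAKEOVER_KSK])
    return before, after, unsigned


if __name__ == '__main__':
    print(outage_demo())  # ('secure', 'bogus', 'insecure')
```

The third verdict is the one worth noticing: had the parent carried no DS at all, the rehosted zone with its rogue MX would have resolved everywhere. Running this comparison against live DS and DNSKEY data on a schedule is a cheap way to detect both a registrar-side takeover and an ordinary botched key rollover before resolvers start returning SERVFAIL.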
