Now that I am able to contribute commits to the danefail list at:

        https://github.com/danefail/list
        https://raw.githubusercontent.com/danefail/list/master/dane_fail_list.dat

I've pushed data for many of the domains served by MX hosts with persistent 
issues.

You can use this list to confirm that you're not the only one with delivery 
issues to one of the listed domains, and perhaps create exceptions for such 
domains in your configuration.

Also, please try to not end up on the list:

   https://dane.sys4.de/common_mistakes
   http://imrryr.org/~viktor/ICANN61-viktor.pdf
   http://imrryr.org/~viktor/icann61-viktor.mp3

Do implement monitoring of your own TLSA records and DNSSEC
zone.  Do implement a key/cert rollover process that ensures
that matching TLSA records for both the old and the new cert
have been in place for some time (multiple TTLs and slave zone
refresh times) before deploying new certificate chains.

When using DANE-TA(2) TLSA records, make sure that the certificate
does not expire, has a name that matches the MX hostname and the
trust-anchor certificate is included in the server's chain file.

-- 
        Viktor.

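The rollover gate and the DANE-TA(2) checks described in the mail, as an added example that is not part of Viktor's message or of the danefail project. It derives TLSA rdata from a DER certificate (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 1 = SHA-256, 2 = SHA-512), reports which of the old/new records are still missing from the published RRset, and for a DANE-TA(2) record checks that the trust-anchor certificate is actually in the served chain and not near expiry. The function names, the "3 1 1" default, the 30-day expiry margin and the certificate produced by make_test_cert() (a constructed, unsigned X.509 skeleton, not a real certificate) are all assumptions of this example; the MX-hostname match is not implemented here.

```python
"""Added example (not from the original mail): TLSA rdata from a certificate,
a pre-rollover check that both old and new records are published, and the
DANE-TA(2) chain/expiry checks.  Standard library only; the DER walker covers
just what X.509 needs here.  make_test_cert() is a constructed skeleton."""
import hashlib
from datetime import datetime, timezone


def der_encode(tag, payload):
    """One DER TLV with definite length (short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_read(buf, pos=0):
    """Return (tag, value, whole_tlv, next_pos) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    end = pos + hdr + n
    return tag, buf[pos + hdr:end], buf[pos:end], end


def der_children(value):
    """All (tag, value, whole_tlv) elements inside a constructed value."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, raw, pos = der_read(value, pos)
        out.append((tag, val, raw))
    return out


def parse_time(tag, val):
    s = val.decode("ascii")
    if tag == 0x17:                      # UTCTime YYMMDDHHMMSSZ, RFC 5280 century rule
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    elif tag != 0x18:                    # GeneralizedTime YYYYMMDDHHMMSSZ
        raise ValueError("unexpected time tag %#x" % tag)
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def parse_cert(cert_der):
    """Return (subjectPublicKeyInfo DER, notAfter) from a DER X.509 certificate."""
    _, cert_val, _, _ = der_read(cert_der)
    _, tbs_val, _, _ = der_read(cert_val)                # tbsCertificate
    fields = der_children(tbs_val)
    if fields[0][0] == 0xA0:                             # optional explicit [0] version
        fields = fields[1:]
    # serial, signatureAlgorithm, issuer, validity, subject, subjectPublicKeyInfo, ...
    na_tag, na_val, _ = der_children(fields[3][1])[1]    # validity.notAfter
    return fields[5][2], parse_time(na_tag, na_val)


def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation-format rdata 'usage selector mtype hex' for a certificate."""
    spki, _ = parse_cert(cert_der)
    data = cert_der if selector == 0 else spki           # 0 = full cert, 1 = SPKI
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return "%d %d %d %s" % (usage, selector, mtype, digest.hex())


def normalize(rdata):
    """Canonical form of a TLSA record as printed by dig (hex may be split/upper)."""
    f = rdata.split()
    return "%d %d %d %s" % (int(f[0]), int(f[1]), int(f[2]), "".join(f[3:]).lower())


def rollover_missing(published, old_cert, new_cert, usage=3, selector=1, mtype=1):
    """Records still absent from the published RRset.  Both must be present (and
    aged past the TTL and secondary refresh times) before the new chain goes live."""
    need = {tlsa_rdata(c, usage, selector, mtype) for c in (old_cert, new_cert)}
    return sorted(need - {normalize(r) for r in published})


def dane_ta_problems(chain, ta_rdata, now=None, min_days=30):
    """DANE-TA(2) checks: the trust-anchor cert named by ta_rdata must be among the
    served chain certificates (DER list) and not close to expiry."""
    now = now or datetime.now(timezone.utc)
    u, s, m = (int(x) for x in ta_rdata.split()[:3])
    ta = [c for c in chain if tlsa_rdata(c, u, s, m) == normalize(ta_rdata)]
    if not ta:
        return ["trust-anchor certificate is not in the chain file"]
    _, not_after = parse_cert(ta[0])
    if (not_after - now).days < min_days:
        return ["trust-anchor certificate expires %s" % not_after.date()]
    return []


def make_test_cert(not_after_utc, serial):
    """Constructed, unsigned X.509 skeleton for offline testing (not a real cert)."""
    null = der_encode(0x05, b"")
    alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b")) + null)
    rsa = der_encode(0x30, der_encode(0x02, bytes([serial]) + b"\xaa" * 255)   # 2048-bit n
                     + der_encode(0x02, b"\x01\x00\x01"))
    spki = der_encode(0x30, der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d010101"))
                      + null) + der_encode(0x03, b"\x00" + rsa))
    name = der_encode(0x30, der_encode(0x31, der_encode(0x30, der_encode(0x06, bytes.fromhex("550403"))
                      + der_encode(0x0c, b"mx.example.com"))))
    validity = der_encode(0x30, der_encode(0x17, b"240101000000Z") + der_encode(0x17, not_after_utc))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, bytes([serial]))
                     + alg + name + validity + name + spki)
    return der_encode(0x30, tbs + alg + der_encode(0x03, b"\x00" * 257)), spki
```

In practice the `published` list comes from the TLSA RRset you actually serve (query the authoritative servers and the secondaries, not just a recursive cache), and `chain` from the PEM chain file the MTA loads; compare against what a remote verifier sees, since the point of the mail is that the record set and the served chain drift apart during rollover.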