On Mon, Apr 11, 2016 at 01:08:39PM -0400, Viktor Dukhovni wrote:
>
> > On Apr 11, 2016, at 12:36 PM, D. J. Bernstein <[email protected]> wrote:
> >
> > I agree that the original goal of extensible "query types" in DNS (see
> > RFC 1034, third paragraph) was ruined by poor implementation work (which
> > was in turn encouraged by other aspects of the DNS protocol design, but
> > let me not get sidetracked here), so trying to deploy new DNS "query
> > types" creates operational problems.
>
> I've been monitoring DANE TLSA adoption in SMTP for some time now, including
> monitoring of domains where requests for the novel TLSA records encountered
> misconfigured middle-boxes that drop the query.
>
> Initially (2 years ago), problems were widespread. Now problems are rather
> rare and getting more so. Out of ~130,000 DNSSEC domains in my corpus, only
> ~40 drop requests for TLSA records. Two years ago there were many thousands
> out of a much smaller corpus.
Don't you have to look at it the other way? From a client that's behind
some broken box that tries to look up TLSA records? I would really hope
that if someone deploys DNSSEC that their nameservers would actually
support DNSSEC. But that doesn't mean that a client trying to look up the
DNSSEC-related records is able to.

Kurt

_______________________________________________
TLS mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/tls
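The two measurements discussed above differ in where the probe sits: Viktor's corpus asks the domains' authoritative servers, while Kurt's concern is the path from a client through whatever resolver or middlebox is in front of it. The following is an added example (not code from the thread, from Viktor's monitoring, or from any IETF project) of the minimal client-side check: build a TLSA query with the EDNS0 DO bit, send it to the resolver the client actually uses, and classify the outcome so that "the box silently dropped it" (timeout) is distinguished from a legitimate NODATA, NXDOMAIN or SERVFAIL. The name `_25._tcp.mail.example.com` and the reply packets are constructed here for offline use, not captured from any real resolver; the `probe()` function needs a network and a resolver IP of your choosing.

```python
"""Probe whether a resolver path returns TLSA records or drops the query.

Added example for the thread above; standard library only.
"""
import secrets
import socket
import struct

TYPE_TLSA = 52   # RFC 6698 record type
TYPE_OPT = 41    # EDNS0 pseudo-RR
CLASS_IN = 1
DO_BIT = 0x8000  # "DNSSEC OK" flag in the OPT TTL field


def encode_name(name):
    """Encode a domain name in (uncompressed) DNS wire format."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_tlsa_query(name, txid=None):
    """Return (txid, packet): a recursive TLSA query with EDNS0 and DO set."""
    if txid is None:
        txid = secrets.randbelow(1 << 16)
    # flags 0x0100 = RD; one question, no answer/authority, one additional (OPT)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    # OPT RR: root name, type 41, UDP payload 1232, ext-rcode 0, version 0, DO, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, DO_BIT, 0)
    return txid, header + question + opt


def read_name(pkt, off):
    """Decode a possibly compressed name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:              # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(pkt[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end if end is not None else off


def classify_reply(pkt, txid):
    """Classify the resolver's reply (pkt is None when the query timed out).

    status is one of DROPPED, MALFORMED, MISMATCH, TLSA, NODATA, NXDOMAIN,
    SERVFAIL or RCODE<n>; records holds parsed TLSA RRs; ad/tc are header flags.
    """
    result = {"status": None, "ad": False, "tc": False, "records": []}
    if pkt is None:
        result["status"] = "DROPPED"           # timeout: the middlebox symptom
        return result
    if len(pkt) < 12:
        result["status"] = "MALFORMED"
        return result
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    if rid != txid or not flags & 0x8000:      # wrong ID or QR clear: not our answer
        result["status"] = "MISMATCH"
        return result
    rcode = flags & 0x000F
    result["tc"] = bool(flags & 0x0200)
    result["ad"] = bool(flags & 0x0020)        # resolver claims DNSSEC validation
    off = 12
    for _ in range(qd):                        # skip the echoed question section
        _name, off = read_name(pkt, off)
        off += 4
    for _ in range(an):
        name, off = read_name(pkt, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        rdata = pkt[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_TLSA and rdlen >= 3:
            result["records"].append({
                "name": name,
                "usage": rdata[0],             # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
                "selector": rdata[1],          # 0 full cert, 1 SubjectPublicKeyInfo
                "mtype": rdata[2],             # 0 exact, 1 SHA-256, 2 SHA-512
                "data": rdata[3:].hex(),
            })
    if rcode == 0:
        result["status"] = "TLSA" if result["records"] else "NODATA"
    else:
        result["status"] = {2: "SERVFAIL", 3: "NXDOMAIN"}.get(rcode, "RCODE%d" % rcode)
    return result


def probe(resolver_ip, name, timeout=3.0):
    """Send the query over UDP to the client's resolver and classify it (needs network)."""
    txid, query = build_tlsa_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver_ip, 53))
        try:
            reply, _ = sock.recvfrom(4096)
        except socket.timeout:
            reply = None
    return classify_reply(reply, txid)


def build_sample_reply(txid, name, rcode=0, tlsa=()):
    """Construct a reply packet for offline demonstration (not captured from a resolver)."""
    flags = 0x8180 | rcode                     # QR, RD, RA
    if tlsa:
        flags |= 0x0020                        # pretend the resolver validated it (AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(tlsa), 0, 0)
    question = encode_name(name) + struct.pack("!HH", TYPE_TLSA, CLASS_IN)
    answers = b""
    for usage, selector, mtype, data in tlsa:
        rdata = bytes([usage, selector, mtype]) + data
        # 0xC00C is a compression pointer to the question name at offset 12
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TLSA, CLASS_IN, 3600, len(rdata)) + rdata
    return header + question + answers


if __name__ == "__main__":
    name = "_25._tcp.mail.example.com"         # illustrative name, not a real MX
    txid, _query = build_tlsa_query(name)
    samples = [("answered", build_sample_reply(txid, name, tlsa=[(3, 1, 1, bytes(32))])),
               ("nodata", build_sample_reply(txid, name)),
               ("dropped", None)]
    for label, pkt in samples:
        print(label, classify_reply(pkt, txid)["status"])
```

Run `probe("<resolver ip>", "_25._tcp.<your mx>")` from the client network in question: a DROPPED result where the same query answered from an unfiltered network is the case Kurt describes, and it is invisible to a measurement that only talks to the authoritative servers. A real deployment should retry over TCP when TC is set and should only trust the AD flag on a resolver it reaches over a trusted path.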
