On Sun, May 15, 2016 at 05:50:23PM -0400, Viktor Dukhovni wrote:

> Similarly, the nameservers of patriotguard.org are misguidedly configured to
> drop TLSA queries as a security^Wignorance feature in a firewall to
> protect^Wbreak the nameservers.  This too resembles an MiTM attack:
> 
> http://dnsviz.net/d/_25._tcp.svcs.patriotguard.org/dnssec/

Wow!  Just one day after posting the above the domain's nameservers
no longer block TLSA lookups. Though they still mishandle denial
of existence for the AAAA records of the MX host:

    http://dnsviz.net/d/svcs.patriotguard.org/dnssec/?rr=28&a=all&ds=all&ta=.&tk=

that error does not impede mail delivery.  So sometimes the best
notification channel is a public forum.  I first tried WHOIS, ...
over a year ago with no luck).  Sadly, turning the UTA WG list into
a broadcast DNS misconfiguration notification system would not be
appropriate, but this does demonstrate the importance of effective
notification channels.

So anyone trying to reproduce bad DNS responses will need a new
test domain.  The list below includes 121 TLSA RR qnames for which
at least some of the nameservers malfunction.  This should provide
enough examples for a while.  I doubt the whole list will be fixed
by tomorrow!  (For example, I first notified truman.edu in Nov
2014, I don't expect a miracle today. :-)


-- 
        Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
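The two nameserver failure modes this message points at (TLSA queries silently dropped by a firewall, and a NODATA answer for the MX host's AAAA record that carries no NSEC/NSEC3 denial-of-existence proof) can be probed per authoritative server with `dig`. The script below is an added example, not code from the original post or from the UTA list; it assumes the BIND `dig` utility is installed, and the nameserver names passed to `check_host` are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Probes one MX host for the
# two failure modes described above, against each authoritative server given:
#   1. TLSA queries for _25._tcp.<host> dropped by a firewall: dig times out
#      instead of returning NOERROR/NXDOMAIN (reported as DROPPED).
#   2. A NODATA answer for the host's AAAA record with no NSEC/NSEC3 in the
#      authority section, so a validator cannot prove the record is absent
#      (reported as NODATA_UNPROVEN).
# Assumes the BIND `dig` utility is installed. Nameserver names are arguments.

# classify_nodata: reads one "dig +dnssec" output on stdin, prints a verdict.
# Pure text processing, so it can also be run on saved dig output.
classify_nodata() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo DROPPED; return 0 ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    if [ "$status" != "NOERROR" ]; then
        echo "${status:-UNKNOWN}"   # SERVFAIL, REFUSED, NXDOMAIN, ...
    elif [ "${answers:-0}" -gt 0 ]; then
        echo ANSWERED
    elif printf '%s\n' "$out" | awk '
            /^;; AUTHORITY SECTION:/ { in_auth = 1; next }
            /^;;/                    { in_auth = 0 }
            in_auth && ($4 == "NSEC" || $4 == "NSEC3") { found = 1 }
            END { exit (found ? 0 : 1) }'; then
        echo NODATA_PROVEN
    else
        echo NODATA_UNPROVEN
    fi
}

# check_host <mx-host> <nameserver>...: run both probes against each server.
# Example: check_host svcs.patriotguard.org ns1.example.net  (placeholder NS)
check_host() {
    host=$1; shift
    for ns in "$@"; do
        v=$(dig +dnssec +time=3 +tries=1 "@$ns" "_25._tcp.$host" TLSA 2>&1 | classify_nodata)
        printf '%-30s TLSA %s\n' "$ns" "$v"
        v=$(dig +dnssec +time=3 +tries=1 "@$ns" "$host" AAAA 2>&1 | classify_nodata)
        printf '%-30s AAAA %s\n' "$ns" "$v"
    done
}
```

A server that answers TLSA with DROPPED while answering AAAA normally is the firewall case; one that returns NODATA_UNPROVEN for AAAA is the denial-of-existence case, which validating resolvers treat as bogus even though it does not stop mail delivery here.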