> On 12 Oct 2017, at 17:31, Viktor Dukhovni <[email protected]> wrote:
>
> It *would* be nice to see some movement by more of the large providers towards
> supporting DANE *outbound*, which does not require any changes to their
> own domains. This would also help to flush out the small residual set
> of domains that have broken TLSA records (or broken DNSSEC denial of
> existence), but don't seem to care, because at present most senders
> aren't affected.
After some of our users (one of which has 1.5M+ customers) enabled DANE
about one year ago, they've indeed had to maintain pretty large (at times),
and ever-changing, bypass lists (even after the large DNS providers fixed
their TLSA responses). As you mentioned, the most common causes we've seen
are broken DNSSEC proofs for NODATA/NXDOMAIN, and firewalls filtering TLSA
queries.

For a few weeks now, we've been experimenting with a shared list
(https://danefail.org, https://github.com/danefail/list) for our customers,
but hopefully it won't be needed in the near future. Many of the domain
owners and/or providers that we've contacted fixed their TLSA/DNSSEC issues
within a few days after we reported them.

-- 
Anders Berggren
Halon

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
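The failure modes discussed in this thread (broken DNSSEC denial of existence, firewalls dropping TLSA queries, unusable TLSA records, and a bypass list such as danefail.org) map onto a small set of decisions in an outbound DANE-SMTP client. The following Python is an added illustration and is not Halon's, Postfix's, or danefail's code: it parses TLSA records, applies the RFC 7672 usability rules, matches a record against a certificate or SubjectPublicKeyInfo, and turns the resolver outcome plus a bypass set into a delivery policy. The policy table is a simplification of RFC 7672 / Postfix "dane" behaviour; the `LookupStatus` values, the policy names, and the `SAMPLE_CERT` / `SAMPLE_SPKI` byte strings are constructed for the example (the latter are placeholders, not a real X.509 certificate, so SPKI extraction from DER is left to the caller).

```python
"""Outbound DANE-SMTP decision logic (added example, not vendor code).

Lookup outcomes and policy names are this example's own vocabulary; the
policy rules are a simplified reading of RFC 7672 and Postfix's "dane" level.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from enum import Enum


class LookupStatus(Enum):
    """Outcome of the TLSA query as seen through a DNSSEC-validating resolver."""
    SECURE = "secure"                 # AD=1 and a TLSA RRset was returned
    SECURE_NODATA = "secure_nodata"   # AD=1 and a valid NODATA/NXDOMAIN proof: no DANE
    INSECURE = "insecure"             # zone is unsigned: DANE does not apply
    BOGUS = "bogus"                   # SERVFAIL: bad signatures or broken denial of existence
    TIMEOUT = "timeout"               # no reply at all, e.g. a firewall dropping TLSA queries


@dataclass(frozen=True)
class TlsaRecord:
    usage: int
    selector: int
    mtype: int
    data: bytes


# Matching type -> expected association-data length (None = full data, no digest).
DIGEST_LEN = {0: None, 1: 32, 2: 64}


def parse_tlsa(presentation: str) -> TlsaRecord:
    """Parse the presentation form "usage selector mtype hexdata" (hex may be split)."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA record: {presentation!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    return TlsaRecord(usage, selector, mtype, bytes.fromhex("".join(fields[3:])))


def is_usable(rr: TlsaRecord) -> bool:
    """RFC 7672 usability: SMTP supports only DANE-TA(2)/DANE-EE(3); PKIX-TA(0),
    PKIX-EE(1), unknown parameters and wrong digest lengths make a record unusable."""
    if rr.usage not in (2, 3) or rr.selector not in (0, 1) or rr.mtype not in DIGEST_LEN:
        return False
    expected = DIGEST_LEN[rr.mtype]
    return expected is None or len(rr.data) == expected


def tlsa_matches(rr: TlsaRecord, cert_der: bytes, spki_der: bytes) -> bool:
    """Match one record against a certificate (selector 0) or its SPKI (selector 1).

    For DANE-EE(3) pass the server's end-entity certificate; for DANE-TA(2) the
    caller passes the chain certificate being tested as the trust anchor.
    """
    if not is_usable(rr):
        return False
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return rr.data == selected
    digest = hashlib.sha256 if rr.mtype == 1 else hashlib.sha512
    return rr.data == digest(selected).digest()


def delivery_policy(domain: str, status: LookupStatus,
                    rrset: list[TlsaRecord], bypass: set[str]) -> str:
    """Return "dane", "encrypt", "opportunistic" or "defer" for one MX host."""
    if status in (LookupStatus.BOGUS, LookupStatus.TIMEOUT):
        # The client cannot tell whether TLSA records exist, so a strict sender
        # queues and retries. A bypass list (treated here as "skip DANE for this
        # domain") is the operator's manual downgrade to unauthenticated TLS.
        return "opportunistic" if domain in bypass else "defer"
    if status in (LookupStatus.INSECURE, LookupStatus.SECURE_NODATA):
        return "opportunistic"
    if not any(is_usable(rr) for rr in rrset):
        # Published but unusable records still announce TLS support:
        # require TLS, but authentication is impossible.
        return "encrypt"
    return "dane"


# Constructed placeholders for the demonstration; not a real certificate or SPKI.
SAMPLE_CERT = b"constructed DER certificate bytes for mx.example.net"
SAMPLE_SPKI = b"constructed SubjectPublicKeyInfo bytes for mx.example.net"


def sample_rrset() -> list[TlsaRecord]:
    """A constructed RRset: one good record and two that RFC 7672 deems unusable."""
    return [
        parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()),  # DANE-EE, SPKI, SHA-256
        parse_tlsa("1 0 1 " + hashlib.sha256(SAMPLE_CERT).hexdigest()),  # PKIX-EE: unusable for SMTP
        parse_tlsa("3 0 1 " + "00" * 16),                                 # truncated digest: unusable
    ]


if __name__ == "__main__":
    rrs = sample_rrset()
    for rr in rrs:
        print(rr.usage, rr.selector, rr.mtype, "usable" if is_usable(rr) else "unusable",
              "match" if tlsa_matches(rr, SAMPLE_CERT, SAMPLE_SPKI) else "no match")
    for status in LookupStatus:
        print(status.value, "->", delivery_policy("example.net", status, rrs, {"broken.example"}))
    print("bogus + bypass ->", delivery_policy("broken.example", LookupStatus.BOGUS, [], {"broken.example"}))
```

The point of the `BOGUS`/`TIMEOUT` branch is the one Anders describes: a domain with a broken NSEC/NSEC3 denial proof, or a firewall that drops TLSA queries, produces no trustworthy answer at all, so without a bypass entry a DANE-enforcing sender keeps the mail queued rather than silently downgrading.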
