Hi Guys

> On 17 Dec 2021, at 09.34, Viktor Dukhovni <[email protected]> wrote:
>
>
>> On 17 Dec 2021, at 3:28 am, Jan-Pieter Cornet <[email protected]> wrote:
>>
>> I regret to inform you that XS4ALL stopped using DANE, both inbound for
>> xs4all.nl and outbound.
>>
>> The reason is that the XS4ALL systems are being dismantled, and the
>> customers are moving to KPN, who do not use nor publish DANE records.
>
:-(
> Oh well, perhaps one of these days we can convince KPN to pick up the
> mantle...

KPN are using Halons as far as I recall, so it should be possible. Time for a little Viktor nudging?

>
>> If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I
>> saw a bounce from one.com indicating that possibly one of their systems still
>> expects DANE records for xs4all.nl.
>
> This is odd, because the whole of DANE is one generally does not
> need to pin local DANE policy, it is enforced when the TLSA records
> are published for the MX hosts, and not otherwise.
>

We do not have any such local strict dane list - I suspect it might be a case of DNS TTLs, when the TLSA records were removed, but I asked Jan-Pieter for a log snippet off-list in order to investigate.

> I can't rule out local policy enforcing DANE, but this should only
> happen by prior coordination with and consent of the receiving
> systems. Otherwise, ... expect breakage.
>
> Survey says, ... you're no longer doing DANE:
>
> https://stats.dnssec-tools.org/explore/?xs4all.nl
>
> --
> Viktor.
>

Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com <http://one.com/>
