On Thu, Nov 20, 2014 at 06:29:42AM +0000, Viktor Dukhovni wrote:
> A number of large DNS hosting providers have enabled DNSSEC support,
> but are using nameserver software that is not compatible with the
> specification with respect to authenticated denial of existence.
Note, by far the bulk of the problem is with transip. From their
website:
https://www.transip.co.uk/domain-name/transdns/
DNSSEC
TransDNS is the foundation of our DNSSEC implementation, a DNS
protocol security extension. Signing more than 500.000 domain
names with DNSSEC was a challenge we gladly accepted. Because
of TransDNS we were one of the first domain providers in The
Netherlands that signed all our domain names. We are now the
largest DNSSEC provider in the world. We could not have done
this with third-party solutions. That is the reason why we
develop everything in-house.
Perhaps they have more problems that show up in interop tests
because they indeed signed so many more domains that anyone else.
In any case, they would be a good place to start remediation.
If anyone has contacts there and can reach out that would be great.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
