Deployment news (comcast.net publishes TLSA RRs)

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Nov 3 21:10:19 CET 2015


Today comcast.net published TLSA records for their MX hosts.

    comcast.net. IN MX 5 mx1.comcast.net.
    comcast.net. IN MX 5 mx2.comcast.net.
    _25._tcp.mx1.comcast.net. IN TLSA 3 1 1 90e2f742b459860c0bbf1343b5a36bc5842a3f45056d30bf25dbb475a62eca47
    _25._tcp.mx2.comcast.net. IN TLSA 3 1 1 c8cb2faa4c0b92cb3fd37e61eb4671744055f123c14c0dd31e8d92c379f9f8a3

    $ posttls-finger -c -Lsummary -o inet_protocols=ipv4 "[mx1.comcast.net]"
    posttls-finger: Verified TLS connection established to mx1.comcast.net[96.114.157.80]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    $ posttls-finger -c -Lsummary -o inet_protocols=ipv4 "[mx2.comcast.net]"
    posttls-finger: Verified TLS connection established to mx2.comcast.net[68.87.20.5]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)

Congratulations and thanks to Comcast.  They are the first major
US email provider to do so.  Let's hope their lead will be followed
by many others.

My ongoing survey has now found 9389 working DANE domains.  Most
of these are served by a few domain hosting providers:

    5230 udmedia.de
     955 nederhost.net
     354 transip.email
      47 mediaweb-it.net
      45 mailbox.org
      36 gr-webdesign.de
      32 core-networks.de
      32 wk-serv.net
      30 set-hosting.de
      30 dotplex.de

The actual number of DANE-enabled hosted domains is much larger;
for example, udmedia alone reportedly has over 25 thousand.  My
lists of candidate domains to test are far from complete.

Of these 9389, there are now 28 domains (up from 27 yesterday now
that comcast.net is live) that are "large enough" to be listed
in Google's email transparency report:

  conjur.com.br      jpberlin.de         comcast.net         freebsd.org
  mypst.com.br       lrz.de              rrpproxy.net        ietf.org
  registro.br        posteo.de           t-2.net             isc.org
  societe.com        ruhr-uni-bochum.de  aanbodpagina.nl     netbsd.org
  t-2.com            tum.de              xs4all.nl           openssl.org
  bayern.de          unitymedia.de       debian.org          samba.org
  bund.de            lepartidegauche.fr  eu.org              torproject.org

On the "problem" front, the following DNS hosters still have some
issues with correct DNSSEC "denial of existence":

  #Domains Provider
  -------- ----------
        33 binero.se      (resolution in progress)
        28 isphuset.no    (issue acknowledged)
        15 axc.nl         (notified)
        11 papaki.gr      (notified)
         5 forpsi.net     (notified)

And 10 "small" domains currently publish incorrect TLSA records:

  bebidaliberada.com.br
  solucoesglobais.com.br
  nevodnet.com
  zx.com
  1post.de
  geekify.de
  wx0.de
  tsimnet.eu
  konundrum.org
  www.co.tt

If anyone reading this happens to know a usable contact for the
above, please let them know their TLSA records need updates.

Finally, I have a list of ~97000 domains that have DNSSEC and at
least one "primary" MX host has DNSSEC, but no TLSA records are
published as yet.  These domains are good candidates for DANE
deployment; it is just a matter of deciding whether to use
"3 1 1" end-entity records or "2 0 1" trust-anchor records, and
documenting a key/cert rotation procedure:

    https://tools.ietf.org/html/rfc7671#section-5.1
    https://tools.ietf.org/html/rfc7671#section-5.2
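For the "3 1 1" versus "2 0 1" choice and the rotation procedure the links above cover, the following Python block is an added illustration (not code from this post, from Postfix, or from posttls-finger) of how the association data for each record shape is derived from the certificate or its SubjectPublicKeyInfo and then checked against what a server presents. It goes beyond the two shapes named above by implementing every RFC 6698 selector and matching-type value, and it models the publish-before-switch step of a key rotation. The certificate and key byte strings are constructed placeholders, not real DER, and the host name mx1.example.net is assumed.

```python
import hashlib
from typing import List, NamedTuple

# Illustrative code added to this post, not Postfix or posttls-finger internals.
# It builds and checks TLSA association data as defined in RFC 6698 section 2.1
# (certificate usage / selector / matching type), which is what a verifier does
# after the TLSA lookup and before accepting a DANE-verified connection.

DANE_TA = 2   # certificate usage 2: the "2 0 1" trust-anchor records in the post
DANE_EE = 3   # certificate usage 3: the "3 1 1" end-entity records in the post


class TLSARecord(NamedTuple):
    usage: int
    selector: int   # 0 = whole certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes

    def presentation(self, host: str, port: int = 25) -> str:
        """Zone-file form, e.g. '_25._tcp.mx1.example.net. IN TLSA 3 1 1 <hex>'."""
        owner = f"_{port}._tcp.{host.rstrip('.')}."
        return f"{owner} IN TLSA {self.usage} {self.selector} {self.mtype} {self.data.hex()}"


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse the RDATA part '3 1 1 <hex>' of a presentation-format TLSA record."""
    usage, selector, mtype, hexdata = rdata.split()
    return TLSARecord(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Bytes a TLSA record must carry for the given selector and matching type."""
    if selector == 0:
        selected = cert_der
    elif selector == 1:
        selected = spki_der
    else:
        raise ValueError(f"unsupported selector {selector}")
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    if mtype == 2:
        return hashlib.sha512(selected).digest()
    raise ValueError(f"unsupported matching type {mtype}")


def make_tlsa(cert_der, spki_der, usage=DANE_EE, selector=1, mtype=1) -> TLSARecord:
    """Generate the record to publish for a certificate/key pair."""
    return TLSARecord(usage, selector, mtype,
                      association_data(cert_der, spki_der, selector, mtype))


def tlsa_matches(record: TLSARecord, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the presented certificate (or its key) satisfies this record.
    For usage 3 the server's leaf certificate is compared; for usage 2 the
    caller passes the issuing CA certificate taken from the presented chain."""
    return record.data == association_data(cert_der, spki_der, record.selector, record.mtype)


def rotation_phases(old_spki: bytes, new_spki: bytes) -> List[List[TLSARecord]]:
    """Three publication phases for a "3 1 1" key rotation:
    1. old record only (before the change),
    2. old + new records (published ahead of the switch and left in place
       for at least the old TTL, so caches hold the new record before the
       new key appears on port 25),
    3. new record only (after the old certificate is retired)."""
    old = make_tlsa(b"", old_spki)   # selector 1 ignores the cert bytes
    new = make_tlsa(b"", new_spki)
    return [[old], [old, new], [new]]


# Constructed placeholder byte strings standing in for DER encodings; they are
# not real certificates or keys and only exercise the logic above.
LEAF_CERT = b"constructed:leaf-certificate-der"
LEAF_SPKI = b"constructed:leaf-subjectpublickeyinfo-der"
NEXT_SPKI = b"constructed:next-subjectpublickeyinfo-der"
CA_CERT = b"constructed:issuing-ca-certificate-der"
CA_SPKI = b"constructed:issuing-ca-subjectpublickeyinfo-der"


def demo() -> dict:
    ee = make_tlsa(LEAF_CERT, LEAF_SPKI)                         # "3 1 1"
    ta = make_tlsa(CA_CERT, CA_SPKI, usage=DANE_TA, selector=0)  # "2 0 1"
    phases = rotation_phases(LEAF_SPKI, NEXT_SPKI)
    line = ee.presentation("mx1.example.net")                    # assumed host name
    return {
        "ee_line": line,
        "ee_ok": tlsa_matches(ee, LEAF_CERT, LEAF_SPKI),
        "ee_rejects_other_key": tlsa_matches(ee, LEAF_CERT, NEXT_SPKI),
        "ta_ok": tlsa_matches(ta, CA_CERT, CA_SPKI),
        "roundtrip": parse_tlsa(line.split(" IN TLSA ")[1]) == ee,
        # Switching certs in phase 1 would fail verification; phase 2 accepts both.
        "phase1_new_key_ok": any(tlsa_matches(r, b"", NEXT_SPKI) for r in phases[0]),
        "phase2_new_key_ok": any(tlsa_matches(r, b"", NEXT_SPKI) for r in phases[1]),
        "phase2_old_key_ok": any(tlsa_matches(r, b"", LEAF_SPKI) for r in phases[1]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The `rotation_phases` result is the part worth comparing against a real deployment plan: the record for the new key must be visible in DNS (and the old TTL must have elapsed) before the new certificate is served, and the old record is dropped only once the old certificate is gone.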

As always, don't forget:

    https://dane.sys4.de/common_mistakes#3
    https://dane.sys4.de/common_mistakes#6
    https://tools.ietf.org/html/rfc7671#section-8.1
    https://tools.ietf.org/html/rfc7671#section-8.4

-- 
	Viktor.
