Deployment news (comcast.net publishes TLSA RRs)
ietf-dane at dukhovni.org
Tue Nov 3 21:10:19 CET 2015
Today comcast.net published TLSA records for their MX hosts.
comcast.net. IN MX 5 mx1.comcast.net.
comcast.net. IN MX 5 mx2.comcast.net.
_25._tcp.mx1.comcast.net. IN TLSA 3 1 1 90e2f742b459860c0bbf1343b5a36bc5842a3f45056d30bf25dbb475a62eca47
_25._tcp.mx2.comcast.net. IN TLSA 3 1 1 c8cb2faa4c0b92cb3fd37e61eb4671744055f123c14c0dd31e8d92c379f9f8a3
$ posttls-finger -c -Lsummary -o inet_protocols=ipv4 "[mx1.comcast.net]"
posttls-finger: Verified TLS connection established to mx1.comcast.net[22.214.171.124]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
$ posttls-finger -c -Lsummary -o inet_protocols=ipv4 "[mx2.comcast.net]"
posttls-finger: Verified TLS connection established to mx2.comcast.net[126.96.36.199]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Congratulations and thanks to Comcast. They are the first major
US email provider to do so. Let's hope their lead will be followed
by many others.
My ongoing survey has now found 9389 working DANE domains. Most
of these are served by a few domain hosting providers:
The actual number of DANE-enabled hosted domains is much larger;
for example, udmedia alone reportedly has over 25 thousand. My
lists of candidate domains to test are far from complete.
Of these 9389, there are now 28 domains (up from 27 yesterday now
that comcast.net is live) that are "large enough" to be listed
in Google's email transparency report:
conjur.com.br jpberlin.de comcast.net freebsd.org
mypst.com.br lrz.de rrpproxy.net ietf.org
registro.br posteo.de t-2.net isc.org
societe.com ruhr-uni-bochum.de aanbodpagina.nl netbsd.org
t-2.com tum.de xs4all.nl openssl.org
bayern.de unitymedia.de debian.org samba.org
bund.de lepartidegauche.fr eu.org torproject.org
On the "problem" front, the following DNS hosters still have some
issues with correct DNSSEC "denial of existence":
33 binero.se (resolution in progress)
28 isphuset.no (issue acknowledged)
15 axc.nl (notified)
11 papaki.gr (notified)
5 forpsi.net (notified)
And 10 "small" domains currently publish incorrect TLSA records:
If anyone reading this happens to know a usable contact for the
above, please let them know their TLSA records need updates.
Finally, I have a list of ~97000 domains that have DNSSEC and at
least one "primary" MX host has DNSSEC, but no TLSA records are
published as yet. These domains are good candidates for DANE
deployment; it is just a matter of deciding whether to use
"3 1 1" end-entity records or "2 0 1" trust-anchor records, and
documenting a key/cert rotation procedure:
As always, don't forget:
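The two record forms the post contrasts ("3 1 1" end-entity vs. "2 0 1" trust-anchor), how each is derived from a certificate, and how a client decides whether a presented chain satisfies the published RRset, as an added example that is not part of the original message or of any DANE tool. It uses only the Python standard library; the certificates are constructed in-line (structurally valid DER with a placeholder signature, never verified) so that it runs offline, and the host name mx1.example.net and the "Example CA" are hypothetical.

```python
"""Added example (not from the original post): generating TLSA RDATA for an
MX host and matching a presented certificate chain against an RRset, with
RFC 6698 / RFC 7672 semantics, standard library only.

Certificates below are constructed in-line (valid DER, placeholder signature)
so this runs offline; all names are hypothetical."""
import hashlib


# ---- minimal DER helpers: enough to build a test cert and extract its SPKI ----

def der_len(n):
    """DER length octets, short or long form."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """DER INTEGER for non-negative n (leading 0x00 when the MSB is set)."""
    b = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return der(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)


def der_walk(buf):
    """Yield (tag, contents) for each TLV at the top level of buf."""
    off = 0
    while off < len(buf):
        tag, ln, hdr = buf[off], buf[off + 1], 2
        if ln & 0x80:
            nb = ln & 0x7F
            ln = int.from_bytes(buf[off + 2:off + 2 + nb], "big")
            hdr += nb
        yield tag, buf[off + hdr:off + hdr + ln]
        off += hdr + ln


def spki_from_cert(cert_der):
    """Return the DER-encoded SubjectPublicKeyInfo of an X.509 certificate."""
    cert_body = next(der_walk(cert_der))[1]   # Certificate ::= SEQUENCE { ... }
    tbs = next(der_walk(cert_body))[1]        # first field is tbsCertificate
    fields = list(der_walk(tbs))
    if fields[0][0] == 0xA0:                  # optional [0] EXPLICIT version
        fields = fields[1:]
    # serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    tag, body = fields[5]
    return der(tag, body)


# ---- TLSA (RFC 6698): usage, selector, matching type, certificate data ----

def tlsa_data(cert_der, selector, mtype):
    obj = cert_der if selector == 0 else spki_from_cert(cert_der)  # 0=Cert 1=SPKI
    if mtype == 0:
        return obj                                  # Full
    if mtype == 1:
        return hashlib.sha256(obj).digest()         # SHA-256
    if mtype == 2:
        return hashlib.sha512(obj).digest()         # SHA-512
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_rr(usage, selector, mtype, cert_der):
    """Presentation-format RDATA, e.g. '3 1 1 <hex>'."""
    return "%d %d %d %s" % (usage, selector, mtype,
                            tlsa_data(cert_der, selector, mtype).hex())


def parse_tlsa(rr):
    u, s, m, data = rr.split()
    return int(u), int(s), int(m), bytes.fromhex(data)


def dane_match(chain, rrset):
    """Return the first RR the chain (leaf first) satisfies, else None.

    Usage 3 (DANE-EE): only the leaf may match.  Usage 2 (DANE-TA): any cert in
    the presented chain may match and becomes the trust anchor; the path from
    the leaf up to it must still be validated, which this function skips.
    Usages 0/1 (PKIX-based) are not used for SMTP (RFC 7672) and are ignored."""
    for rr in rrset:
        u, s, m, data = parse_tlsa(rr)
        candidates = chain[:1] if u == 3 else chain if u == 2 else []
        if any(tlsa_data(c, s, m) == data for c in candidates):
            return rr
    return None


# ---- constructed test material: syntactically valid, unsigned X.509 certs ----

def build_cert(modulus, issuer_cn, subject_cn):
    oid_rsa = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
    oid_sha256rsa = bytes.fromhex("06092a864886f70d01010b")   # sha256WithRSA
    alg_id = lambda oid: der(0x30, oid + b"\x05\x00")
    rsa_pub = der(0x30, der_int(modulus) + der_int(65537))
    spki = der(0x30, alg_id(oid_rsa) + der(0x03, b"\x00" + rsa_pub))
    name = lambda cn: der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403")
                                                  + der(0x0C, cn.encode()))))
    validity = der(0x30, der(0x17, b"151103000000Z") + der(0x17, b"161103000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + alg_id(oid_sha256rsa)
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    sig = der(0x03, b"\x00" + bytes(64))       # placeholder, never verified here
    return der(0x30, tbs + alg_id(oid_sha256rsa) + sig)


CA_CERT = build_cert(0xC0FFEE << 2000 | 0x10001, "Example CA", "Example CA")
MX_CERT = build_cert(0xDEADBEEF << 2000 | 0x10001, "Example CA", "mx1.example.net")
MX_NEXT = build_cert(0xFEEDFACE << 2000 | 0x10001, "Example CA", "mx1.example.net")


if __name__ == "__main__":
    # Either record form for the hypothetical _25._tcp.mx1.example.net:
    print("_25._tcp.mx1.example.net. IN TLSA", tlsa_rr(3, 1, 1, MX_CERT))  # end-entity
    print("_25._tcp.mx1.example.net. IN TLSA", tlsa_rr(2, 0, 1, CA_CERT))  # trust anchor
    # Rotation: publish the next key's "3 1 1" beside the current one, wait
    # out the old TTL, then swap certificates; both chains match the RRset.
    rrset = [tlsa_rr(3, 1, 1, MX_CERT), tlsa_rr(3, 1, 1, MX_NEXT)]
    print(dane_match([MX_CERT, CA_CERT], rrset) is not None,
          dane_match([MX_NEXT, CA_CERT], rrset) is not None)
```

The `__main__` section shows the rotation point the post raises: a "3 1 1" record is bound to one key, so the record for the next key has to be in the RRset (and past every resolver's cached TTL) before the MX switches certificates, whereas a "2 0 1" record survives end-entity renewals as long as the issuing CA and its presence in the served chain do not change.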