Small uptick in domains with long-term incorrect TLSA records

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Feb 3 09:06:04 CET 2016


Quick numbers update:

  * Top 3 DANE domain MX host providers (in my survey, real numbers
    much higher).  A significant jump in the transip numbers
    recently:

    5077 udmedia.de
    1281 mx.transip.email
     921 mx.nederhost.net

  * Total DANE SMTP domains: 10780
  * Total primary MX hosts:   1568
  * Top 10 DANE TLDs:

    3856 com
    2162 de
    1333 net
    1100 nl
     541 org
     426 eu
     175 info
     139 be
     126 at
     114 ch

I've also noticed a growing presence of MX hosts of the form
"box.example.com" with Let's Encrypt certificates and correctly
rotated "3 1 1" TLSA records.  These seem to be "mail in a box"
deployments, that seem to just work.  Kudos to the "mail in a box"
folks.

And now to the subject of this message.  Until quite recently, the
number of domains with long-term erroneous incorrect records has
been in the 10-15 range at any given time, out of a total of ~11,000
domains served by ~1600 MX hosts.

In the last few weeks I see an uptick of domains whose TLSA records
become wrong and stay that way after sloppy key rotation.  A
noticeable fraction (though not the majority) of the problem domains
have recently deployed "Let's Encrypt" certificates, without taking
their TLSA records into account.

Please take care to handle key rotation correctly.  In Postfix 3.1,
which should be released soon (likely this month), there will with
any luck be a new tool to help administrators manage keys,
certificates, CSRs and TLSA records.  I'll post pointers to
documentation once this is available.

In the meantime, please don't forget:

  https://dane.sys4.de/common_mistakes#3
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/70+22
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4
  http://tools.ietf.org/html/rfc7671#section-5.2

I am now tracking 25 broken domains that show no sign that they
are likely to be fixed soon:

  f2h.at
  allispdv.com.br
  bebidaliberada.com.br
  comseo.com.br
  imagemdigital.com.br
  mypst.com.br
  prodnsbr.com.br
  simplesestudio.com.br
  solucoesglobais.com.br
  twsolutions.net.br
  4nettech.com
  lastsip.com
  nevodnet.com
  zx.com
  bels.cz
  1post.de
  3nw.de
  neuhaus-city.de
  tsimnet.eu
  planissimo.fr
  castleturing.net
  linlab.net
  auxio.org
  konundrum.org
  www.co.tt

If anyone on this list either operates one of these, or knows the
administrators, please help to get these resolved.

There are 11 more broken domains that are less than a week old; I
am hoping some of those will be repaired in the near term, but a
few may join the chronically-ill list.

If anyone on this list is in Brazil, perhaps there's a language
barrier that's making it more difficult for .br sites to know what
to do, or respond to notices of problems.  It would be great if
there were a .br version of dane.sys4.de with "common_mistakes"
in Portuguese.

-- 
      Viktor.
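As an added illustration of the key-rotation discipline the post asks for (this is example code written for this archive page, not Viktor's tool, not Postfix, and not anything from the linked sites), the script below computes the "3 1 1" TLSA record for a key, parses the records an operator has actually published, and refuses the key switch unless the next key's record is already in the RRset and has been there for at least the RRset TTL, the pre-publish-then-wait order from RFC 7671 section 8.1. It also flags "3 0 x" records, which match the whole certificate and therefore go stale at every Let's Encrypt renewal. The two SPKI byte strings are constructed placeholders standing in for real DER-encoded SubjectPublicKeyInfo blobs; the function names and the sample RRset are assumptions of this example.

```python
"""Pre-rotation check for DANE-EE(3) SPKI(1) SHA-256(1) TLSA records.

Added example, not code from the original post.  Assumes the operator can
hand it the DER SubjectPublicKeyInfo of the key in use and of the next key;
the byte strings below are constructed placeholders, not real keys.
"""
import hashlib
from dataclasses import dataclass
from typing import Iterable, List

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs.
CURRENT_SPKI = b"constructed: DER SPKI of the key currently serving mail"
NEXT_SPKI = b"constructed: DER SPKI of the key we are about to switch to"


@dataclass(frozen=True)
class TLSA:
    usage: int      # 3 = DANE-EE
    selector: int   # 1 = SubjectPublicKeyInfo, 0 = full certificate
    mtype: int      # 1 = SHA-256, 2 = SHA-512
    data: str       # lowercase hex


def tlsa_311(spki_der: bytes) -> TLSA:
    """'3 1 1' record: SHA-256 over the DER SubjectPublicKeyInfo."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).hexdigest())


def parse_tlsa(rdata: str) -> TLSA:
    """Parse zone-file rdata; the hex may be split into several words."""
    usage, selector, mtype, *hexwords = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), "".join(hexwords).lower())


def to_rdata(rec: TLSA) -> str:
    return f"{rec.usage} {rec.selector} {rec.mtype} {rec.data}"


def rotation_check(rrset: Iterable[TLSA], current_spki: bytes, next_spki: bytes,
                   tlsa_ttl: int, published_for: int) -> List[str]:
    """Return problems that must be fixed before switching keys ([] = safe).

    published_for: seconds the next key's record has been in the zone.
    """
    records = list(rrset)
    problems = []
    if tlsa_311(current_spki) not in records:
        problems.append("live key has no matching TLSA record (already broken)")
    if tlsa_311(next_spki) not in records:
        problems.append("next key's '3 1 1' record is not published yet")
    elif published_for < tlsa_ttl:
        problems.append(f"next record published {published_for}s ago; "
                        f"wait at least the TLSA TTL ({tlsa_ttl}s)")
    for rec in records:
        if rec.usage == 3 and rec.selector == 0:
            problems.append(f"'3 0 {rec.mtype}' record matches the whole "
                            "certificate and must be replaced at every renewal")
    return problems


if __name__ == "__main__":
    # Zone as it would look once the next key's record has been pre-published.
    zone_lines = [to_rdata(tlsa_311(CURRENT_SPKI)), to_rdata(tlsa_311(NEXT_SPKI))]
    rrset = [parse_tlsa(line) for line in zone_lines]
    for line in zone_lines:
        print("_25._tcp.mx.example.test. IN TLSA", line)
    print("too early:", rotation_check(rrset, CURRENT_SPKI, NEXT_SPKI, 3600, 600))
    print("safe:     ", rotation_check(rrset, CURRENT_SPKI, NEXT_SPKI, 3600, 7200))
```

After the switch, the old key's record is removed only once the new key is live everywhere, so at no point does the published RRset fail to match the key actually offered on port 25; "rotate key, then fix DNS" is exactly the order that produces the long-term broken domains listed above.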

