From ietf-dane at dukhovni.org Tue Sep 13 03:59:43 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 13 Sep 2016 01:59:43 +0000
Subject: Update on stats
In-Reply-To: <20160504192719.GD3300@mournblade.imrryr.org>
References: <20160504192719.GD3300@mournblade.imrryr.org>
Message-ID: <20160913015942.GA4973@mournblade.imrryr.org>

On Wed, May 04, 2016 at 07:27:19PM +0000, Viktor Dukhovni wrote:

> I've gained access to the full zone files for .com/.net and a few
> of the newer gTLDs. This makes it possible to do a more comprehensive
> survey of DANE SMTP support.

Now also .org, and the freely available .se/.nu TLDs, plus some other
data sources.

> The overall DANE domain count is now ~29800, but of course this is
> not a dramatic rise in adoption, rather an increase in the breadth
> of the survey.

Similarly, while the domain count is now ~59300, the bulk of the rise
is due to the broader survey.

> in bulk for the domains they host. The top five are:
>
>   16650 transip.nl
>    6020 udmedia.de
>    1110 nederhost.net
>     663 ec-elements.com
>     180 core-networks.de
>   24623 TOTAL

The new top five counts are:

  31298 transip.nl
  15124 udmedia.de
   1799 bhosted.nl
   1264 nederhost.net
    903 ec-elements.com
  50388 TOTAL

> There are 1850 unique zones in which the underlying MX hosts are found,
> this counts each of the above registrars as just one zone, so is
> a measure of the breadth of adoption in terms of servers deployed.

The new zone count is 2212. The number of distinct certificates
presented by DANE TLSA SMTP servers is 2165.

> Of the 29800 domains, 336 have "partial" TLSA records, that cover
> only a subset of the MX hosts, while this protects traffic to some
> of the MX hosts, the domain is still vulnerable to the usual active
> attacks via the remaining MX hosts.

The partial implementations now number 509.

> The number of domains with incorrect TLSA records or failure to
> advertise STARTTLS (even though TLSA records are published) stands
> at 50.
This number has proved reasonably stable, and stands at 53. Notable
among these are 25 long-standing problem domains served by just 6 MX
hosts that have non-matching TLSA records:

  hanisauland.at pinetree.cz therapie-forum.info 2cv-club-des-ducs.com renekliment.cz
  chauvet.me 4nettech.com bit-cleaner.de datenknoten.me kkeane.com
  boese-ban.de mirounga.net leatherfest.com alencon.eu acsemb.org
  nctechcenter.com dhautefeuille.eu kryskool.org tntmonitoring.com therapie-forum.eu
  hlfh.space davidmosna.cz dinepont.fr marketingpyro.cz achduliebergott.info

and 7 more that publish TLSA records, but don't offer STARTTLS:

  lojabrum.com.br gazonk.org xorcist.org gestccon.com.br
  myhead.org bofjall.se skrivkramp.org

> The number of domains with bad DNSSEC support is 262. The top 10
> DNS providers (by broken domain count) are:
>
>   41 isphuset.no
>   36 tse.jus.br
>   22 axc.nl
>   21 active24.cz
>   20 registrar-servers.com
>   15 forpsi.net
>   11 ovh.net
>   11 cas-com.net
>   11 bestregistrar.com
>   10 shockmedia.nl

The count of DNSSEC problem domains now stands at 736, mostly because
I've found a lot more isphuset.no domains. The upstream DNS provider
for isphuset.no has finally responded, and promised to deal with this
shortly, we'll see what happens!

  409 isphuset.no
   34 infracom.nl
   28 axc.nl
   23 registrar-servers.com
   19 loopia.se
   15 forpsi.net
   13 metaregistrar.nl
   12 cas-com.net
   12 active24.cz
    9 jsr-it.nl

I also have a new contact for axc.nl, perhaps that too will progress
in the near future.

> The number of domains that at some point were listed in Gmail's
> transparency report is 57 (this is my ad-hoc criterion for a domain
> being a large-enough actively used email domain).

This number is now 71.

> Of these 32 are in the most recent report:

The "most recent report" number is quite variable, because on some
days the transparency report includes a lot fewer domains than others.
Still, this does give some sense of the "freshness" of this status.
Today, that number is 33:

  gmx.at jpberlin.de t-2.net nic.br lrz.de xs4all.net
  registro.br mail.de xs4all.nl gmx.ch posteo.de debian.org
  open.ch ruhr-uni-bochum.de freebsd.org switch.ch web.de gentoo.org
  gmx.com octopuce.fr ietf.org mail.com comcast.net netbsd.org
  xfinity.com dd24.net openssl.org bund.de dns-oarc.net samba.org
  gmx.de gmx.net torproject.org

> The .br TLD still includes too large a fraction (10/50) of domains
> with incorrect TLSA RRs. This is a result of DNS hosting by
> registro.br, where TLSA records are easy to initially publish, but
> difficult to keep up to date.

The .br registrar has taken positive steps to improve the situation,
and I am now tracking just 2 broken .br domains.

-- 
	Viktor.

From ietf-dane at dukhovni.org Tue Sep 13 08:53:50 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 13 Sep 2016 06:53:50 +0000
Subject: Update on stats
In-Reply-To: <20160913015942.GA4973@mournblade.imrryr.org>
References: <20160504192719.GD3300@mournblade.imrryr.org> <20160913015942.GA4973@mournblade.imrryr.org>
Message-ID: <20160913065349.GB4973@mournblade.imrryr.org>

On Tue, Sep 13, 2016 at 01:59:42AM +0000, Viktor Dukhovni wrote:

> The count of DNSSEC problem domains now stands at 736, mostly
> because I've found a lot more isphuset.no domains. The upstream
> DNS provider for isphuset.no has finally responded, and promised
> to deal with this shortly, we'll see what happens!
>
>   409 isphuset.no

Perhaps I should have waited a few hours longer before posting. I just
got news from isphuset.no that after a nameserver upgrade all their
domains are fixed. I've verified that this is indeed the case. So the
total DNSSEC trouble count now stands at a more modest 327 domains.
And the remaining top 10 all host a much more modest number of problem
domains (typically corner-cases involving wildcard records, ...):

   34 infracom.nl
   28 axc.nl
   23 registrar-servers.com
   19 loopia.se
   15 forpsi.net
   13 metaregistrar.nl
   12 cas-com.net
   12 active24.cz
    9 jsr-it.nl
    8 ignum.com

I expect to see some of these resolved in the next few months.

-- 
	Viktor.

From andreas.schulze at datev.de Fri Sep 16 13:36:27 2016
From: andreas.schulze at datev.de (Andreas Schulze)
Date: Fri, 16 Sep 2016 13:36:27 +0200
Subject: howto generate TLSA 0 0 0
Message-ID: 

Hello,

I'd like to publish a PKIX-TA, which means I publish a whole certificate, the whole blob...

I found https://www.huque.com/bin/gen_tlsa but some commandline voodoo using openssl or ldns-dane would be cool.
Any suggestions?

Thanks & nice weekend
Andreas

-- 
A. Schulze
DATEV eG

From cs at sys4.de Fri Sep 16 13:39:16 2016
From: cs at sys4.de (Carsten Strotmann (sys4))
Date: Fri, 16 Sep 2016 13:39:16 +0200
Subject: howto generate TLSA 0 0 0
In-Reply-To: 
References: 
Message-ID: 

Hi Andreas,

On 16/09/2016 13:36 PM, Andreas Schulze wrote:
> Hello,
>
> I'd like to publish a PKIX-TA, which means I publish a whole certificate, the whole blob...
>
> I found https://www.huque.com/bin/gen_tlsa but some commandline voodoo using openssl or ldns-dane would be cool.
> Any suggestions?

Viktor has posted his "tlsagen" script here on the list, that works fine
(I've used it to generate a 0 0 0 for testing purposes last week).

-- 
CS
From ietf-dane at dukhovni.org Fri Sep 16 19:24:52 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 16 Sep 2016 17:24:52 +0000
Subject: howto generate TLSA 0 0 0
In-Reply-To: 
References: 
Message-ID: <20160916172452.GK4670@mournblade.imrryr.org>

On Fri, Sep 16, 2016 at 01:39:16PM +0200, Carsten Strotmann (sys4) wrote:

> On 16/09/2016 13:36 PM, Andreas Schulze wrote:
> > Hello,
> >
> > I'd like to publish a PKIX-TA, which means I publish a whole certificate, the whole blob...

In almost all cases this is a bad idea, a SHA2-256 digest is quite
secure enough, and is much less bloated.

> > I found https://www.huque.com/bin/gen_tlsa but some commandline voodoo using openssl or ldns-dane would be cool.
> > Any suggestions?
>
> Viktor has posted his "tlsagen" script here on the list, that works fine
> (I've used it to generate a 0 0 0 for testing purposes last week).

Attaching "tlsagen" and "chaingen". Note, the latter does not verify
the integrity of the chain, garbage-in = garbage-out.

-- 
	Viktor.
-------------- next part --------------
#! /usr/bin/env bash
# Bash needed for PIPESTATUS array
#
# tlsagen: print one TLSA RR for a single PEM certificate.
#   usage:    0 = PKIX-TA, 1 = PKIX-EE, 2 = DANE-TA, 3 = DANE-EE
#   selector: 0 = full certificate, 1 = SubjectPublicKeyInfo
#   mtype:    0 = raw DER, 1 = SHA2-256, 2 = SHA2-512

# Selector ($4): DER of the whole certificate (0) or of its public key (1)
extract() {
    case "$4" in
    0) openssl x509 -in "$1" -outform DER;;
    1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
    esac
}

# Matching type ($5): pass the DER through unchanged (0) or digest it (1, 2)
digest() {
    case "$5" in
    0) cat;;
    1) openssl dgst -sha256 -binary;;
    2) openssl dgst -sha512 -binary;;
    esac
}

# Hex-encode stdin and wrap it in the RR presentation form
encode() {
    local cert=$1; shift
    local hostport=$1; shift
    local u=$1; shift
    local s=$1; shift
    local m=$1; shift
    local host=$hostport
    local port=25

    # Split an optional "host:port"; port defaults to 25 (SMTP)
    OIFS="$IFS"; IFS=":"; set -- $hostport; IFS="$OIFS"
    if [ $# -eq 2 ]; then host=$1; port=$2; fi

    printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n" \
        "$port" "$host" "$u" "$s" "$m" \
        "$(od -vAn -tx1 | tr -d ' \012')"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 cert.pem host[:port] usage selector mtype"; }

if [ $# -ne 5 ]; then usage; fi

# Accept the numeric values or their RFC 7671 mnemonics, case-insensitively
case "$(echo $3 | tr '[A-Z]' '[a-z]')" in
0|pkix-[ct]a) usage=0;;
1|pkix-ee) usage=1;;
2|dane-[ct]a) usage=2;;
3|dane-ee) usage=3;;
*) error "Invalid certificate usage: $3";;
esac

case "$(echo $4 | tr '[A-Z]' '[a-z]')" in
0|cert) selector=0;;
1|spki|pkey) selector=1;;
*) error "Invalid selector: $4";;
esac

case "$(echo $5 | tr '[A-Z]' '[a-z]')" in
0|full) mtype=0;;
1|sha2-256|sha256|sha-256) mtype=1;;
2|sha2-512|sha512|sha-512) mtype=2;;
*) error "Invalid matching type: $5";;
esac

set -- "$1" "$2" "$usage" "$selector" "$mtype"

# Run the pipeline in a subshell so a failure in any stage is reported
rr=$(
    extract "$@" | digest "$@" | encode "$@"
    exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} | ${PIPESTATUS[2]} ))
)
status=$?
if [ $status -ne 0 ]; then
    exit $status
fi
echo "$rr"
-------------- next part --------------
#! /usr/bin/env bash
# Bash needed for PIPESTATUS array
#
# chaingen: print candidate TLSA RRs for every certificate in a PEM chain.
# The first (leaf) certificate gets usage 3 (DANE-EE), all later ones
# usage 2 (DANE-TA); each is emitted with selector 0 and 1 and with
# SHA2-256 and SHA2-512 digests.  The chain itself is NOT verified.

extract() {
    case "$4" in
    0) openssl x509 -in "$1" -outform DER;;
    1) openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER;;
    esac
}

digest() {
    case "$5" in
    0) cat;;
    1) openssl dgst -sha256 -binary;;
    2) openssl dgst -sha512 -binary;;
    esac
}

encode() {
    local cert=$1; shift
    local hostport=$1; shift
    local u=$1; shift
    local s=$1; shift
    local m=$1; shift
    local host=$hostport
    local port=25

    OIFS="$IFS"; IFS=":"; set -- $hostport; IFS="$OIFS"
    if [ $# -eq 2 ]; then host=$1; port=$2; fi

    printf "_%d._tcp.%s. IN TLSA %d %d %d %s\n" \
        "$port" "$host" "$u" "$s" "$m" \
        "$(od -vAn -tx1 | tr -d ' \012')"
}

# genrr cert.pem host[:port] usage selector mtype
genrr() {
    rr=$(
        extract "$@" | digest "$@" | encode "$@"
        exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} | ${PIPESTATUS[2]} ))
    )
    status=$?; if [ $status -ne 0 ]; then exit $status; fi
    echo "$rr"
}

error() { echo "$1" 1>&2; exit 1; }
usage() { error "Usage: $0 chain.pem host[:port]"; }

if [ $# -ne 2 ]; then usage; fi

# Validate and normalize the chain: re-emit each certificate as PEM,
# preceded by its subject/issuer and followed by a blank line
#
certfile=$1; shift
chain="$(
    openssl crl2pkcs7 -nocrl -certfile "$certfile" | openssl pkcs7 -print_certs
    exit $(( ${PIPESTATUS[0]} | ${PIPESTATUS[1]} ))
)"
status=$?; if [ $status -ne 0 ]; then exit $status; fi

hostport=$1; shift
usage=3
cert=
printf "%s\n\n" "$chain" |
while read -r line
do
    # Skip the subject/issuer preamble until a PEM block starts
    if [[ -z "$cert" && ! "$line" =~ ^-----BEGIN ]]; then
        continue
    fi
    cert=$(printf "%s\n%s" "$cert" "$line")
    # A blank line after the PEM block ends one certificate
    if [ -z "$line" -a ! -z "$cert" ]; then
        echo "$cert" | openssl x509 -noout -subject -issuer -dates | sed -e 's/^/;; /'
        echo ";;"
        genrr <(echo "$cert") "$hostport" $usage 0 1
        genrr <(echo "$cert") "$hostport" $usage 1 1
        genrr <(echo "$cert") "$hostport" $usage 0 2
        genrr <(echo "$cert") "$hostport" $usage 1 2
        echo
        cert=""
        usage=2
    fi
done
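As an added illustration (not from the list posts and not Viktor's scripts), the same selector/matching-type pipeline as tlsagen in pure Python, including the DER walk that selector 1 implies, so the size difference between a "0 0 0" record and a "3 1 1" record can be seen without openssl. The certificate it runs on is constructed inline and is not a real or signed certificate.

```python
import hashlib

def _tlv(tag, content):
    # DER TLV encoder, used only to build the constructed sample certificate below.
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_tlv(data, pos=0):
    """Decode the DER header at pos; returns (tag, value_start, value_length)."""
    tag, ln, hdr = data[pos], data[pos + 1], 2
    if ln & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n = ln & 0x7F
        ln, hdr = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
    return tag, pos + hdr, ln

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo (what selector 1 covers) by walking
    Certificate -> tbsCertificate -> [0] version?, serial, sigAlg, issuer, validity, subject, SPKI."""
    _, pos, _ = der_tlv(der)                 # step into Certificate SEQUENCE
    _, pos, tbs_len = der_tlv(der, pos)      # step into tbsCertificate SEQUENCE
    tbs_end = pos + tbs_len
    tag, vstart, vlen = der_tlv(der, pos)
    if tag == 0xA0:                          # optional EXPLICIT [0] version
        pos = vstart + vlen
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, vstart, vlen = der_tlv(der, pos)
        pos = vstart + vlen
    _, vstart, vlen = der_tlv(der, pos)      # subjectPublicKeyInfo, whole TLV
    assert vstart + vlen <= tbs_end, "malformed tbsCertificate"
    return der[pos:vstart + vlen]

def tlsa_rr(cert_der, host, port=25, usage=3, selector=1, mtype=1):
    """Same pipeline as tlsagen: select cert/SPKI, then raw, SHA2-256 or SHA2-512, hex."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    if mtype == 1:
        data = hashlib.sha256(data).digest()
    elif mtype == 2:
        data = hashlib.sha512(data).digest()
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {data.hex()}"

# Constructed sample (assumption): structurally valid X.509 DER with filler key/signature bytes.
_RSA, _SHA256RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01", b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
SAMPLE_SPKI = _tlv(0x30, _tlv(0x30, _tlv(0x06, _RSA) + _tlv(0x05, b"")) + _tlv(0x03, b"\x00" + b"\xab" * 200))
_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _tlv(0x30, _tlv(0x06, _SHA256RSA))
            + _tlv(0x30, b"") + _tlv(0x30, _tlv(0x17, b"160913000000Z") * 2) + _tlv(0x30, b"") + SAMPLE_SPKI)
SAMPLE_CERT_DER = _tlv(0x30, _TBS + _tlv(0x30, _tlv(0x06, _SHA256RSA)) + _tlv(0x03, b"\x00" * 17))
```

Calling tlsa_rr(SAMPLE_CERT_DER, "mx.example.com", usage=0, selector=0, mtype=0) yields an RDATA of the entire certificate in hex, whereas the default "3 1 1" form is always 64 hex digits, which is the bloat Viktor refers to.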