Update on stats 2017-08

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Aug 31 22:40:38 CEST 2017 

Summary:  Mostly the same as last month, but new code made possible more
	  comprehensive coverage of domains with DNS issues.  As a result,
	  the number of reported DNS issues has increased by almost 75%.
	  This is not an actual surge in DNS problems, rather just better
	  reporting of the existing (still improving) landscape.

	  The number of DANE-enabled domains that have also been sighted
	  on Google's email transparency report has increased from 114 to
	  115, while the number of DNS zones with TLSA-enabled primary MX
	  hosts has increased from 2668 to 2708.  The domain count has
	  increased from 171738 to 172205.

	  A new type of TLSA record mismatch is starting to show up, so
	  far on just two MX hosts.  Their RSA certificate chains match
	  their TLSA records, but their ECDSA certificate chains do not:

	  https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html
	  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html

As of today I count 172205 domains with correct DANE TLSA records for
SMTP.  As expected the bulk of the DANE domains are hosted by the handful
of DNS/hosting providers who've enabled DANE support in bulk for the
domains they host.  The top 10 MX host providers by domain count are:

   68968 domeneshop.no
   60617 transip.nl
   18365 udmedia.de
    6576 bhosted.nl
    1809 nederhost.net
    1331 yourdomainprovider.net
    1003 ec-elements.com
     517 core-networks.de
     378 omc-mail.com
     326 bit.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.nl/.de.

There are 2708 unique zones in which the underlying MX hosts are found,
this counts each of the above providers as just one zone, so is a measure
of the breadth of adoption in terms of servers deployed.  Alternatively,
a similar number is seen in the count (2933) of distinct MX host server
certificates that support the same ~172000 domains.

A related number is 3585 matching TLSA RRsets found SMTP MX hosts.  These
cover 3708 distinct MX hosts (some of which clearly employ a shared
certificate).

The number of domains that at some point were listed in Gmail's email
transparency report is 115 (this is my ad-hoc criterion for a domain being
a large-enough actively used email domain).  Of these, 59 are in recent
reports:

  gmx.at                   jpberlin.de              ouderportaal.nl
  travelbirdbelgie.be      lrz.de                   overheid.nl
  nic.br                   mail.de                  pathe.nl
  registro.br              posteo.de                xs4all.nl
  gmx.ch                   ruhr-uni-bochum.de       domeneshop.no
  open.ch                  tum.de                   webcruitermail.no
  switch.ch                uni-erlangen.de          debian.org
  anubisnetworks.com       unitymedia.de            freebsd.org
  gmx.com                  web.de                   gentoo.org
  mail.com                 egmontpublishing.dk      ietf.org
  solvinity.com            enron.email              isc.org
  trashmail.com            octopuce.fr              netbsd.org
  xfinity.com              comcast.net              openssl.org
  xfinityhomesecurity.com  dd24.net                 samba.org
  bayern.de                gmx.net                  torproject.org
  bund.de                  hr-manager.net           asf.com.pt
  elster.de                mpssec.net               minmyndighetspost.se
  fau.de                   t-2.net                  skatteverket.se
  freenet.de               xs4all.net               t-2.si
  gmx.de                   asp4all.nl

Of the ~172000 domains, 811 have "partial" TLSA records, that cover only
a subset of the MX hosts.  While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via
the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 111.
Below is a list of the 69 underlying MX hosts that serve these domains
and whose TLSA records don't match reality:

  Hall of Shame:

  mail.dipietro.id.au          mutt.lsexperts.de     wfbrace.net
  eumembers.stansoft.bg        mail.manima.de        mx2.wfbrace.net
  mail.gna.ch                  mx1.spamsponge.de     mx2.cbrace.nl
  andbraiz.com                 mx.thorko.de          mx3.cbrace.nl
  mail.digitalwebpros.com      mail.0pc.eu           cinnamon.nl
  mail.itsmine.com             webmail.kassoft.eu    smtp1.gblt.nl
  demo.liveconfig.com          mx.quentindavid.fr    mail.initfour.nl
  mx04.mykolab.com             servmail.fr           smtp1.lococensus.nl
  intranet.nctechcenter.com    upc.dircon.hu         mail.myzt.nl
  ny-do.pieterpottie.com       mail.demongeot.info   nuj-netherlands.nl
  ma.qbitnet.com               mail.nonoserver.info  mx2.nuj-netherlands.nl
  diablo.sgt.com               kd2.io                mail.solarisinternetgroep.nl
  tusk.sgt.com                 node2.mxbackup.io     bounder.steelyard.nl
  stmics01.smia-automotive.com mail.laukas.lt        vanderbijlict.nl
  stmics02.smia-automotive.com mx.datenknoten.me     mail.abanto-zierbena.org
  erg.verweg.com               mx.giesen.me          beerstra.org
  mx.bels.cz                   rootbox.me            smtp.copi.org
  gaia.nfx.cz                  lima.ahrain.net       eumembers.datacentrix.org
  mail.seslost.cz              mail.castleturing.net smtp3.amadigi.ovh
  mail.3c7.de                  horse.cherrypet.net   mail.pasion.ro
  mail.afaul.de                mail.efflam.net       mail.familie-sander.rocks
  awesome-mail.de              hs.kuzenkov.net       mail.rostit.se
  mail.denniseffing.de         oostergo.net          protector.rajmax.si

The number of domains with bad DNSSEC support is 649.  Most of the increase
is from accenture.com domains, almost all likely parked, so the actual
impact on email delivery is probably small to none.  The top 10 name server
operators with problem domains are:

 145 accenture.com
  61 jsr-it.nl
  26 tiscomhosting.nl
  26 active24.cz
  21 firstfind.nl
  18 bradesco.com.br
  17 usda.gov
  10 rotterdam.nl
  10 loopia.se
  10 fde.dk

Around 79 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.  Only 5 of the
DNS-broken domains appear in historical Google Email transparency
reports:

  tiviths.com.br
  tre-ce.jus.br
  tre-sp.jus.br
  tse.jus.br
  nsysu.edu.tw

The associated DNS lookup issues are:

  _25._tcp.mailhost.bncr.fi.cr. IN TLSA ? ; ServFail
  _25._tcp.barracuda.nsysu.edu.tw. IN TLSA ? ; ServFail
  _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; timeout
  _25._tcp.mx.tiviths.com.br. IN TLSA ? ; timeout
  _25._tcp.mandark.tse.jus.br. IN TLSA ? ; timeout
  _25._tcp.dexter.tse.jus.br. IN TLSA ? ; timeout

  [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>,
    Much of the TLSA non-response issue seems to be related to a
    "feature" of Arbor Networks firewalls, that enables droping of
    DNS requests for all but the most common RRtypes.  Do not make
    the mistake of enabling this firewall "feature". ]

The oldest outstanding DNS issue is another SOA signature issue
at truman.edu dating back to Nov/2014:

  http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/

I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.

-- 
	Viktor.

More information about the dane-users mailing list