Belated update on stats 2017-09/2017-10
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Oct 26 08:31:42 CEST 2017
[ Sorry about the delay, I was too busy rewriting major chunks
of the underlying code to produce a report. Better late than
never so the below is the status for today, rather than the end
of September. ]
Summary: The number of DANE-enabled domains that have also been sighted
on Google's email transparency report has increased from 115 to
122, while the number of DNS zones with TLSA-enabled primary MX
hosts has increased from 2708 to 2999. The total domain count
is largely unchanged from 172205 to 172120.
A new type of TLSA record mismatch has cropped up, so far on
just two MX hosts. Their RSA certificate chains match their
TLSA records, but their ECDSA certificate chains do not:
https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
As of today I count 172120 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host. The top 10 MX host providers by domain count
are:
68399 domeneshop.no
60915 transip.nl
18354 udmedia.de
6460 bhosted.nl
1787 nederhost.net
1294 yourdomainprovider.net
1009 ec-elements.com
505 core-networks.de
384 omc-mail.com
333 mailbox.org
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.nl/.de.
[ The DANE domain counts for the large providers appear to have
plateaued in the past couple of months. Perhaps, absent new more
comprehensive sources of live domain names, I've finally found
as many domains as I can reasonably expect to find for these providers,
and there's not much growth in their "visible" domain portfolios. ]
There are 2999 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a measure
of the breadth of adoption in terms of servers deployed. Alternatively,
a similar number is seen in the count (2853) of distinct MX host server
certificates that support the same ~172000 domains.
The number of published MX host TLSA RRsets found is 3932. These
cover 4004 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 122 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 70 are in recent reports (spanning Sep and Oct):
gmx.at posteo.de overheid.nl
travelbirdbelgie.be ruhr-uni-bochum.de pathe.nl
nic.br tum.de uvt.nl
registro.br uni-erlangen.de xs4all.nl
gmx.ch unitybox.de domeneshop.no
open.ch unitymedia.de webcruitermail.no
anubisnetworks.com web.de debian.org
gmx.com egmontpublishing.dk freebsd.org
mail.com tilburguniversity.edu gentoo.org
solvinity.com enron.email ietf.org
t-2.com octopuce.fr isc.org
trashmail.com comcast.net lazarus-ide.org
xfinity.com dd24.net netbsd.org
xfinityhomesecurity.com gmx.net openssl.org
xfinitymobile.com hr-manager.net samba.org
nic.cz t-2.net torproject.org
bayern.de xs4all.net asf.com.pt
bund.de asp4all.nl minmyndighetspost.se
fau.de bhosted.nl skatteverket.se
freenet.de bit.nl t-2.si
gmx.de boozyshop.nl mail.co.uk
jpberlin.de hierinloggen.nl govtrack.us
lrz.de otvi.nl
mail.de ouderportaal.nl
Of the ~172000 domains, 545 have "partial" TLSA records that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 160.
Below is a list of the 100 underlying MX hosts that serve these domains
and whose TLSA records don't match reality:
Hall of Shame:
white.agoracon.at mail.manima.de mx2.wfbrace.net
mail.dipietro.id.au mail.ocmenzel.de mx3.wfbrace.net
asp-mxa.belnet.be supersahnetorten.de wfbrace.net
asp-mxb.belnet.be mx.thorko.de mx2.cbrace.nl
asp-mxtest.belnet.be mail.0pc.eu mx3.cbrace.nl
eufront.stansoft.bg relay.antoineducret.eu mail.lajetee.nl
eumembers.stansoft.bg mail2.cesidianroot.eu smtp1.lococensus.nl
fazendeiro.ifba.edu.br gamepixel.eu smtp2.lococensus.nl
mail.gna.ch webmail.kassoft.eu mail.myzt.nl
andbraiz.com smtp.skolovi.eu mx2.nuj-netherlands.nl
mx1.cloudfiltering.com mail2.subse.eu nuj-netherlands.nl
mx2.cloudfiltering.com smtp.vdlaken.eu mail.solarisinternetgroep.nl
mail.digitalwebpros.com mx.quentindavid.fr bounder.steelyard.nl
mail.itsmine.com servmail.fr mail.abanto-zierbena.org
demo.liveconfig.com mail.demongeot.info freebox.crans.org
mx04.mykolab.com mail.nonoserver.info soyouz.crans.org
intranet.nctechcenter.com node1.mxbackup.io eumembers.datacentrix.org
mta1-em1.orleans.occnc.com mail.rapidfuse.io genius.konundrum.org
mta3-em1.somerville.occnc.com mail.lsd.is smtp2.amadigi.ovh
lon-do.pieterpottie.com mail.laukas.lt smtp3.amadigi.ovh
ny-do.pieterpottie.com mx.datenknoten.me itaskmanager.ovh
ma.qbitnet.com mx.giesen.me mail.bacrau.ro
stmics01.smia-automotive.com rootbox.me club3d.ro
stmics02.smia-automotive.com lima.ahrain.net mail.itconnect.ro
mail.zx.com avarty.net mx.itconnect.ro
mx.bels.cz mail.castleturing.net mail.pasion.ro
mail.davidbodnar.cz mail.d3fy.net mail.familie-sander.rocks
gaia.nfx.cz mail.efflam.net mx1.shevaldin.ru
petg.cz mail.luyckx.net mail.labbrack.se
mail.seslost.cz mail.misbegotten.net mail2.puggan.se
mail.zionbit.cz mx2.oostergo.net mail.rostit.se
mail.jo8.de oostergo.net mail.muthai.in.th
mail.lanasoft.de mail.qusign.net
mutt.lsexperts.de mail.roeller.net
Some were just notified, so I expect this to be a local peak.
After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 175. (The accenture.com domains from the previous
report were all parked). The top 10 name server operators with
problem domains are:
63 jsr-it.nl
17 firstfind.nl
7 active24.cz
5 tse.jus.br
4 glbns.com
3 cas-com.net
2 tiscomhosting.nl
2 sylconia.net
2 psyclonecontacts.net
2 ns01.nl
Only 7 of the DNS-broken domains appear in historical Google Email
transparency reports:
tiviths.com.br
tre-ce.jus.br
trtrj.jus.br
tse.jus.br
idaho.gov
nsysu.edu.tw
The problem DNS queries are:
_25._tcp.mx.tiviths.com.br. IN TLSA ?
_25._tcp.dexter.tse.jus.br. IN TLSA ?
_25._tcp.lalavava.tse.jus.br. IN TLSA ?
_25._tcp.mandark.tse.jus.br. IN TLSA ?
_25._tcp.inbound.idaho.gov. IN TLSA ?
_25._tcp.mx1.trtrj.jus.br. IN TLSA ?
_25._tcp.barracuda.nsysu.edu.tw. IN TLSA ?
[ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>.
Much of the TLSA non-response issue seems to be related to a
"feature" of some firewalls that enables dropping of DNS requests
for all but the most common RRtypes. Do not make the mistake
of enabling this firewall "feature". ]
The oldest outstanding DNS issue is an SOA signature issue at
truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.
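As an added illustration, not part of Viktor's post nor of the survey code behind it, the following Python models two of the checks the report relies on: matching an MX host's RSA and ECDSA certificate chains separately against one TLSA RRset (the new mismatch pattern described above, where only the RSA chain matches), and classifying a domain's MX coverage as full, partial, broken or absent, treating always-down hosts with well-formed TLSA records the way footnote [1] describes. The certificate bytes, the TLSA data and all function names are constructed for this example; the DANE-TA(2) handling is simplified to "some issuer certificate in the presented chain matches".

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass(frozen=True)
class Tlsa:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE (RFC 6698)
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact data, 1 SHA-256, 2 SHA-512
    data: bytes


def parse_tlsa(rdata: str) -> Tlsa:
    """Parse presentation-format TLSA rdata such as '3 1 1 <hex>'.

    Unknown parameter values and digests of the wrong length are rejected;
    a record that passes is 'well-formed' in the sense of the post's footnote.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA rdata needs usage, selector, mtype and data: " + rdata)
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter in: " + rdata)
    want = {0: None, 1: 32, 2: 64}[mtype]
    if want is not None and len(data) != want:
        raise ValueError("TLSA digest has the wrong length in: " + rdata)
    return Tlsa(usage, selector, mtype, data)


def is_well_formed(rdata: str) -> bool:
    try:
        parse_tlsa(rdata)
        return True
    except ValueError:
        return False


@dataclass(frozen=True)
class Cert:
    der: bytes   # the full DER certificate (constructed bytes in this example)
    spki: bytes  # its SubjectPublicKeyInfo (constructed bytes in this example)


def _assoc_data(cert: Cert, t: Tlsa) -> bytes:
    """Compute the association data the record would carry for this certificate."""
    raw = cert.der if t.selector == 0 else cert.spki
    if t.mtype == 0:
        return raw
    if t.mtype == 1:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def chain_matches(chain: Sequence[Cert], records: Sequence[Tlsa]) -> bool:
    """True if a usable record matches the chain. chain[0] is the end-entity cert.

    Only DANE-EE(3) and DANE-TA(2) are usable for SMTP (RFC 7672); PKIX usages
    are ignored here. DANE-TA is simplified to matching any issuer in the chain.
    """
    for t in records:
        if t.usage == 3 and _assoc_data(chain[0], t) == t.data:
            return True
        if t.usage == 2 and any(_assoc_data(c, t) == t.data for c in chain[1:]):
            return True
    return False


def check_mx_host(chains_by_keytype: Dict[str, List[Cert]],
                  records: Sequence[Tlsa]) -> Dict[str, bool]:
    """Verdict per key type for an MX host that serves several chains (RSA, ECDSA)."""
    return {kt: chain_matches(chain, records) for kt, chain in chains_by_keytype.items()}


def classify_domain(host_status: Dict[str, str]) -> str:
    """Classify a domain from per-MX-host results.

    Status values: 'ok' (TLSA matches), 'mismatch', 'no-tlsa', or 'dead' (a host
    that never accepts connections but publishes well-formed TLSA records; as the
    post's footnote notes, such hosts cost no security and are left out).
    """
    live = {h: s for h, s in host_status.items() if s != "dead"}
    if any(s == "mismatch" for s in live.values()):
        return "broken"
    if live and all(s == "ok" for s in live.values()):
        return "dane"
    if any(s == "ok" for s in live.values()):
        return "partial"
    return "none"


# Constructed stand-ins for the two chains one MX host presents; a real check
# would take the bytes from the TLS handshake for each key type.
RSA_CHAIN = [Cert(b"constructed RSA leaf", b"constructed RSA SPKI"),
             Cert(b"constructed RSA issuer", b"constructed RSA issuer SPKI")]
ECDSA_CHAIN = [Cert(b"constructed ECDSA leaf", b"constructed ECDSA SPKI"),
               Cert(b"constructed ECDSA issuer", b"constructed ECDSA issuer SPKI")]

# Constructed RRset with a single "3 1 1" record computed over the RSA key only,
# which reproduces the RSA-matches/ECDSA-does-not pattern from the post.
MX_RRSET = [parse_tlsa("3 1 1 " + hashlib.sha256(RSA_CHAIN[0].spki).hexdigest())]


def verdict_for_example() -> Dict[str, bool]:
    return check_mx_host({"rsa": RSA_CHAIN, "ecdsa": ECDSA_CHAIN}, MX_RRSET)


if __name__ == "__main__":
    print(verdict_for_example())
    print(classify_domain({"mx1": "ok", "mx2": "no-tlsa", "mx9": "dead"}))
```

The per-key-type verdict is the point: a host that only publishes digests of its RSA key verifies for clients that negotiate RSA and fails for those that negotiate ECDSA, so a checker that tests one handshake type would miss it.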