From ietf-dane at dukhovni.org Wed Aug 1 04:29:05 2018
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 31 Jul 2018 22:29:05 -0400
Subject: Update on stats 2018-07
Message-ID: <20180801022904.GA47864@straasha.imrryr.org>

Credits:

The .NL registry (SIDN) has kindly provided a snapshot of the signed .NL
domains. With this, coverage of .NL domains this month is 100% modulo late
changes. Some additional coverage growth is due to ongoing data drops from
Paul Vixie of Farsight Security.

Summary:

The DANE domain count is now 311,725. The number of DNSSEC domains in the
survey stands at 8,702,087. Thus DANE TLSA is deployed on 3.58% of domains
with DNSSEC.

As of today I count 311,725 domains with correct SMTP DANE TLSA records at
every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've
enabled DANE support for the customer domains they host. The top 15 MX host
providers by domain count are:

 111683 transip.nl
  95899 domeneshop.no
  34296 active24.com
  23508 udmedia.de
  10670 bhosted.nl
   3768 interconnect.nl
   2517 provalue.nl
   2435 nederhost.nl
   1681 yourdomainprovider.net
   1300 xcellerate.nl
   1131 hi7.de
   1028 surfmailfilter.nl
    702 omc-mail.com
    629 core-networks.de
    573 mailbox.org

The real numbers are surely larger, because I don't have access to the full
zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts
shows the below top 10 countries (each unique IP address is counted, so
multi-homed MX hosts are perhaps somewhat over-represented):

  4162 TOTAL
  1415 DE, Germany
   904 US, United States
   532 NL, Netherlands
   350 FR, France
   158 GB, United Kingdom
   122 CZ, Czech Republic
    82 CA, Canada
    61 SG, Singapore
    61 SE, Sweden
    57 CH, Switzerland

IPv6 is still comparatively rare for MX hosts, and the top 10 countries by
DANE MX host IPv6 GeoIP are (same top 6):
  2066 TOTAL
   781 DE, Germany
   421 US, United States
   282 NL, Netherlands
   194 FR, France
    90 GB, United Kingdom
    66 CZ, Czech Republic
    35 SE, Sweden
    27 SG, Singapore
    21 CH, Switzerland
    15 FI, Finland

There are 3474 unique zones in which the underlying MX hosts are found; this
counts each of the above providers as just one zone, so it is a measure of
the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 4866. These cover 5216
distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 159 (this is my ad-hoc criterion for a domain being a
large-enough actively used email domain). Of these, 91 are in recent
reports:

gmx.at                  jpberlin.de           interconnect.nl
travelbirdbelgique.be   lrz.de                intermax.nl
nic.br                  mail.de               ouderportaal.nl
registro.br             posteo.de             overheid.nl
gmx.ch                  ruhr-uni-bochum.de    pathe.nl
open.ch                 tum.de                politie.nl
anubisnetworks.com      uni-erlangen.de       truetickets.nl
gmx.com                 unitybox.de           uvt.nl
mail.com                unitymedia.de         xs4all.nl
societe.com             web.de                domeneshop.no
solvinity.com           dk-hostmaster.dk      rushtrondheim.no
t-2.com                 egmontpublishing.dk   webcruitermail.no
trashmail.com           netic.dk              aegee.org
xfinity.com             tilburguniversity.edu debian.org
xfinityhomesecurity.com insee.fr              freebsd.org
xfinitymobile.com       octopuce.fr           gentoo.org
active24.cz             atrivio.net           ietf.org
clubcard.cz             comcast.net           isc.org
cuni.cz                 dd24.net              netbsd.org
itesco.cz               dns-oarc.net          openssl.org
klubpevnehozdravi.cz    gmx.net               samba.org
knizni-magazin.cz       hr-manager.net        torproject.org
nic.cz                  inexio.net            asf.com.pt
optimail.cz             mpssec.net            handelsbanken.se
smtp.cz                 t-2.net               iis.se
bayern.de               xs4all.net            minmyndighetspost.se
bund.de                 bhosted.nl            skatteverket.se
elster.de               bit.nl                t-2.si
fau.de                  boozyshop.nl          govtrack.us
freenet.de              deltion.nl
gmx.de                  hierinloggen.nl

Of the ~312000 domains, 1203 have "partial" TLSA records, which cover only a
subset of the MX hosts.
While this protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 220. Some
of these have additional MX hosts that don't have broken TLSA records, so
mail can still arrive via the remaining MX hosts. A partial list is
available at:

    https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

All the new blood in the survey has uncovered some previously unseen DNSSEC
denial of existence breakage. After eliminating parked domains that do not
accept email of any kind, the number of "real" email domains with bad DNSSEC
support stands at 881. The top 20 name server operators with problem domains
are:

   129 mijnhostingpartner.nl
    99 webspacecontrol.com / dotroll.com
    64 metaregistrar.nl
    64 is.nl
    51 dotserv.com
    41 tiscomhosting.nl
    33 sylconia.net
    29 tse.jus.br
    27 active24.cz (some broken wildcard cnames)
    25 nrdns.nl
    21 host-redirect.com
    16 nazwa.pl (some broken wildcard NS RRs)
    14 zeptor.nl
    13 psb1.org
    11 blauwblaatje.nl
    11 army.mil
     9 dnscluster.nl
     8 pcextreme.nl
     8 glbns.com
     7 forpsi.net

If anyone has good contacts at one of these providers, please encourage them
to remediate not only the broken domains (I can send them a list), but also
the root cause that makes the breakage possible.

The domains all of whose nameservers have broken denial of existence that
also appear in historical Google reports are:

    tre-ce.jus.br
    tre-pe.jus.br
    tre-rj.jus.br
    tre-rs.jus.br
    tre-sc.jus.br
    tre-sp.jus.br
    trt1.jus.br
    trtrj.jus.br
    tse.jus.br

--
    Viktor.
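The coverage classes the survey message above counts (TLSA at every MX host, "partial" coverage of only some MX hosts, incorrect records), the footnote's point that records on dead hosts need only exist and be well-formed, and the RFC 7671 advice to pre-publish records before rotating a key, worked through in an added Python example that is not part of the thread or of the survey's own tooling. The TLSA dataclass, the example.net hostnames and the DER byte strings are constructed stand-ins; only DANE-EE(3) matching is shown, DANE-TA(2) records are checked for form only, and a live check would additionally fetch the RRsets with DNSSEC validation and confirm STARTTLS is offered.

```python
import hashlib
from dataclasses import dataclass
# Expected association-data length per TLSA matching type: Full(0) unhashed, SHA2-256(1), SHA2-512(2).
DIGEST_LEN = {0: None, 1: 32, 2: 64}

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE: the only certificate usages valid for SMTP (RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = Full, 1 = SHA2-256, 2 = SHA2-512
    data: bytes     # certificate association data (raw object or its digest)

def well_formed(rr: TLSA) -> bool:
    """Usable for SMTP DANE: valid usage/selector/mtype and association data of the right length."""
    want = DIGEST_LEN.get(rr.mtype, -1)  # -1 marks an unknown matching type and never equals a length
    return rr.usage in (2, 3) and rr.selector in (0, 1) and (
        len(rr.data) > 0 if want is None else len(rr.data) == want)

def ee_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """DANE-EE(3) match against the leaf certificate (selector 0) or its SPKI (selector 1)."""
    if rr.usage != 3 or not well_formed(rr):
        return False
    obj = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return rr.data == obj
    return rr.data == (hashlib.sha256 if rr.mtype == 1 else hashlib.sha512)(obj).digest()

def rotation_safe(rrset, new_cert_der: bytes, new_spki_der: bytes) -> bool:
    """RFC 7671 pre-publication rule: deploy a new key only once the live RRset already matches it."""
    return any(ee_matches(rr, new_cert_der, new_spki_der) for rr in rrset)

def mx_status(rrset) -> str:
    """'none': no TLSA records; 'ok': at least one well-formed record; 'broken': records but none usable."""
    if not rrset:
        return "none"
    return "ok" if any(well_formed(rr) for rr in rrset) else "broken"

def domain_coverage(mx_hosts, tlsa_by_mx) -> str:
    """'full': all MX ok; 'partial': some ok, rest none; 'broken': an MX has only bad records; 'none'."""
    statuses = [mx_status(tlsa_by_mx.get(mx, ())) for mx in mx_hosts]
    if "broken" in statuses:
        return "broken"
    if all(s == "ok" for s in statuses):
        return "full"
    return "partial" if "ok" in statuses else "none"

# Constructed sample (not real DNS data): a "3 1 1" record published for mx1 only, nothing for mx2.
SPKI = b"constructed-spki-der"
CERT = b"constructed-cert-der-wrapping-" + SPKI
TLSA_BY_MX = {"mx1.example.net": [TLSA(3, 1, 1, hashlib.sha256(SPKI).digest())]}
```

With the sample data, `domain_coverage(["mx1.example.net", "mx2.example.net"], TLSA_BY_MX)` returns "partial", which is the class the survey flags as still exposed via the uncovered MX host.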
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also impose
undue latency on legitimate email). However, provided the dead hosts still
have TLSA records (which don't need to match anything, just need to exist
and be well-formed), there's no loss of security.

From bart.knubben at forumstandaardisatie.nl Fri Aug 17 14:05:10 2018
From: bart.knubben at forumstandaardisatie.nl (Knubben, B.S.J. (Bart) - Forum Standaardisatie)
Date: Fri, 17 Aug 2018 12:05:10 +0000
Subject: Overview of outbound DANE for SMTP support
Message-ID: <6f468eb315b54e368f92aa286432faeb@SV1601472.frd.shsdir.nl>

On Tue, Jul 17, 2018, Knubben, B.S.J. (Bart) - Forum Standaardisatie wrote:
> We made the following overview of products/services with outbound
> DANE support (i.e. DANE verification). Any remarks/additions are
> welcome.
>
> I. Supported:

Upcoming: PowerMTA 5.0 (announcement on
https://twitter.com/Port25Solutions/status/1029770765716123648)

--
Best regards,
Bart Knubben
Dutch Standardisation Forum
https://www.forumstandaardisatie.nl/content/english

This message may contain information that is not intended for you. If you
are not the addressee or if this message was sent to you by mistake, you are
requested to inform the sender and delete the message. The State accepts no
liability for damage of any kind resulting from the risks inherent in the
electronic transmission of messages.
From ietf-dane at dukhovni.org Mon Aug 20 22:01:29 2018
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 20 Aug 2018 16:01:29 -0400
Subject: Overview of outbound DANE for SMTP support
In-Reply-To:
References:
Message-ID: <20180820200129.GL28851@straasha.imrryr.org>

On Tue, Jul 17, 2018 at 08:20:58PM +0000, Knubben, B.S.J. (Bart) - Forum Standaardisatie wrote:

> We made the following overview of products/services with outbound DANE
> support (i.e. DANE verification). Any remarks/additions are welcome.
>
> [...]

Are you keeping this list on a website somewhere?

--
    Viktor.

From bart.knubben at forumstandaardisatie.nl Tue Aug 21 13:56:35 2018
From: bart.knubben at forumstandaardisatie.nl (Knubben, B.S.J. (Bart) - Forum Standaardisatie)
Date: Tue, 21 Aug 2018 11:56:35 +0000
Subject: Overview of outbound DANE for SMTP support
In-Reply-To: <20180820200129.GL28851@straasha.imrryr.org>
References: <20180820200129.GL28851@straasha.imrryr.org>
Message-ID: <360d1eb0ae254e25ae5e79f499186ad6@SV1601472.frd.shsdir.nl>

> > We made the following overview of products/services with outbound DANE
> > support (i.e. DANE verification). Any remarks/additions are welcome.
> >
> > [...]
>
> Are you keeping this list on a website somewhere?

Not yet... feel free to reuse it on your website.

--
Best regards,
Bart Knubben
Dutch Standardisation Forum
https://www.forumstandaardisatie.nl/content/english