Update on stats 2018-07

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Aug 1 04:29:05 CEST 2018


Credits:  The .NL registry (SIDN) have kindly provided a snapshot
          of the signed .NL domains.  With this month's snapshot,
          coverage of .NL domains is 100% modulo late changes.  Some
          additional coverage growth is due to ongoing data drops from
          Paul Vixie of Farsight Security.

Summary:  The DANE domain count is now 311,725.

          The number of DNSSEC domains in the survey stands at 8,702,087.
          Thus DANE TLSA is deployed on 3.58% of domains with DNSSEC.

As of today I count 311,725 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 15 MX host providers by domain count are:

   111683 transip.nl
    95899 domeneshop.no
    34296 active24.com
    23508 udmedia.de
    10670 bhosted.nl
     3768 interconnect.nl
     2517 provalue.nl
     2435 nederhost.nl
     1681 yourdomainprovider.net
     1300 xcellerate.nl
     1131 hi7.de
     1028 surfmailfilter.nl
      702 omc-mail.com
      629 core-networks.de
      573 mailbox.org

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 10 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):

  4162     TOTAL
  1415 DE, Germany
   904 US, United States
   532 NL, Netherlands
   350 FR, France
   158 GB, United Kingdom
   122 CZ, Czech Republic
    82 CA, Canada
    61 SG, Singapore
    61 SE, Sweden
    57 CH, Switzerland

IPv6 is still comparatively rare for MX hosts, and the top 10
countries by DANE MX host IPv6 GeoIP are (same top 6).

  2066     TOTAL
   781 DE, Germany
   421 US, United States
   282 NL, Netherlands
   194 FR, France
    90 GB, United Kingdom
    66 CZ, Czech Republic
    35 SE, Sweden
    27 SG, Singapore
    21 CH, Switzerland
    15 FI, Finland

There are 3474 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 4866.  These
cover 5216 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 159 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 91 are in recent reports:

  gmx.at                   jpberlin.de            interconnect.nl
  travelbirdbelgique.be    lrz.de                 intermax.nl
  nic.br                   mail.de                ouderportaal.nl
  registro.br              posteo.de              overheid.nl
  gmx.ch                   ruhr-uni-bochum.de     pathe.nl
  open.ch                  tum.de                 politie.nl
  anubisnetworks.com       uni-erlangen.de        truetickets.nl
  gmx.com                  unitybox.de            uvt.nl
  mail.com                 unitymedia.de          xs4all.nl
  societe.com              web.de                 domeneshop.no
  solvinity.com            dk-hostmaster.dk       rushtrondheim.no
  t-2.com                  egmontpublishing.dk    webcruitermail.no
  trashmail.com            netic.dk               aegee.org
  xfinity.com              tilburguniversity.edu  debian.org
  xfinityhomesecurity.com  insee.fr               freebsd.org
  xfinitymobile.com        octopuce.fr            gentoo.org
  active24.cz              atrivio.net            ietf.org
  clubcard.cz              comcast.net            isc.org
  cuni.cz                  dd24.net               netbsd.org
  itesco.cz                dns-oarc.net           openssl.org
  klubpevnehozdravi.cz     gmx.net                samba.org
  knizni-magazin.cz        hr-manager.net         torproject.org
  nic.cz                   inexio.net             asf.com.pt
  optimail.cz              mpssec.net             handelsbanken.se
  smtp.cz                  t-2.net                iis.se
  bayern.de                xs4all.net             minmyndighetspost.se
  bund.de                  bhosted.nl             skatteverket.se
  elster.de                bit.nl                 t-2.si
  fau.de                   boozyshop.nl           govtrack.us
  freenet.de               deltion.nl
  gmx.de                   hierinloggen.nl

Of the ~312000 domains, 1203 have "partial" TLSA records, that
cover only a subset of the MX hosts.  While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 220. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

All the new blood in the survey has uncovered some previously unseen
DNSSEC denial of existence breakage.  After eliminating parked
domains that do not accept email of any kind, the number of "real"
email domains with bad DNSSEC support stands at 881.  The top 20
name server operators with problem domains are:

   129 mijnhostingpartner.nl
    99 webspacecontrol.com / dotroll.com
    64 metaregistrar.nl
    64 is.nl
    51 dotserv.com
    41 tiscomhosting.nl
    33 sylconia.net
    29 tse.jus.br
    27 active24.cz              (some broken wildcard cnames)
    25 nrdns.nl
    21 host-redirect.com
    16 nazwa.pl                 (some broken wildcard NS RRs)
    14 zeptor.nl
    13 psb1.org
    11 blauwblaatje.nl
    11 army.mil
     9 dnscluster.nl
     8 pcextreme.nl
     8 glbns.com
     7 forpsi.net

If anyone has good contacts at one of these providers, please encourage
them to remediate not only the broken domains (I can send them a
list), but also the root cause that makes the breakage possible.

The domains all of whose nameservers have broken denial of existence
that also appear in historical Google reports are:

  tre-ce.jus.br
  tre-pe.jus.br
  tre-rj.jus.br
  tre-rs.jus.br
  tre-sc.jus.br
  tre-sp.jus.br
  trt1.jus.br
  trtrj.jus.br
  tse.jus.br

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.
