From ietf-dane at dukhovni.org Thu Feb 1 05:31:16 2018 From: ietf-dane at dukhovni.org (Viktor Dukhovni) Date: Thu, 1 Feb 2018 04:31:16 +0000 Subject: Update on stats 2018-01 Message-ID: <20180201043116.GO29327@mournblade.imrryr.org> Summary: The total domain count has increased from 176079 to 176941 The number DNSSEC domains in the survey stands at 5188318, thus DANE TLSA is deployed on 3.41% of domains with DNSSEC. Many DNSSEC domains use third-party MX hosts, that don't have DNSSEC, so they can't benefit from DANE until their providers secure the MX hosts. Please ask your provider to enable DNSSEC and DANE on their MX hosts. [ It would be especially significant if "redirect.ovh.net" were to implement DNSSEC+DANE. If someone personally knows the right people to gently nudge at ovh.net, please do. ] As of today I count 176941 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are: 68675 domeneshop.no 63512 transip.nl 18579 udmedia.de 6268 bhosted.nl 1752 nederhost.nl 1248 yourdomainprovider.net 880 ec-elements.com 517 core-networks.de 398 omc-mail.com 392 mailbox.org The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 11 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented): 1282 DE, Germany 802 US, United States 453 NL, Netherlands 326 FR, France 175 GB, United Kingdom 111 CZ, Czech Republic 84 CA, Canada 62 SE, Sweden 60 CH, Switzerland 53 SG, Singapore 53 BR, Brazil IPv6 is still comparatively rare for MX hosts, and the top 10 countries by DANE MX host IPv6 GeoIP are (same top 6): 279 DE, Germany 144 US, United States 119 NL, Netherlands 74 FR, France 35 GB, United Kingdom 27 CZ, Czech Republic 15 SE, Sweden 9 SG, Singapore 9 CH, Switzerland 8 SI, Slovenia There are 3125 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. The number of published MX host TLSA RRsets found is 4856. These cover 4948 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs). The number of domains that at some point were listed in Gmail's email transparency report is 127 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 76 are in recent reports: gmx.at mail.de overheid.nl travelbirdbelgie.be posteo.de pathe.nl travelbirdbelgique.be ruhr-uni-bochum.de uvt.nl nic.br tum.de xs4all.nl registro.br uni-erlangen.de domeneshop.no gmx.ch unitybox.de handelsbanken.no open.ch unitymedia.de webcruitermail.no switch.ch web.de aegee.org anubisnetworks.com dk-hostmaster.dk debian.org gmx.com egmontpublishing.dk freebsd.org isavedialogue.com netic.dk gentoo.org mail.com tilburguniversity.edu ietf.org solvinity.com insee.fr isc.org trashmail.com octopuce.fr netbsd.org xfinity.com comcast.net openssl.org xfinityhomesecurity.com dd24.net samba.org xfinitymobile.com dns-oarc.net torproject.org nic.cz gmx.net asf.com.pt bayern.de hr-manager.net handelsbanken.se bund.de mpssec.net minmyndighetspost.se elster.de t-2.net skatteverket.se fau.de xs4all.net t-2.si freenet.de bhosted.nl mail.co.uk gmx.de boozyshop.nl govtrack.us jpberlin.de hierinloggen.nl lrz.de ouderportaal.nl Of the ~177000 domains, 786 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts. The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 232. This, despite all appearances to the contrary, is an improvement on last month, since other than a recent new batch of 72 little-known domains served by "mail.apteo.com", the overall number of problem MX hosts has declined from 102 to 86. Below is the list of underlying MX hosts that serve these domains and whose TLSA records don't match reality: Hall of Shame: white.agoracon.at mail.absynth.de anubis.delphij.net mail.dipietro.id.au mail.all4.de mail.diejanssens.net eclipse.id.au mx2.mindrun.de mail.efflam.net mx.krb.srv.pique.net.au www.mtg.de smtp.bl.lybre.net zebulon.pique.net.au mx2.pfp.de mail.fscker.nl eufront.stansoft.bg relay.rsxc.de smtp1.lococensus.nl eumembers.stansoft.bg thores-zimmer.de smtp2.lococensus.nl mx0.reich-trade.ch mx10.timotoups.de mail.myzt.nl andbraiz.com mx20.timotoups.de bounder.steelyard.nl mail.apteo.com anotherone.braceyourself.es webmail.vivisol.nl mail.digitalwebpros.com mail.0pc.eu mail.abanto-zierbena.org mail.dnsmadefree.com gamepixel.eu hydra.aufbix.org smtp-1.httrack.com smtp.skolovi.eu hydra-ipv4.aufbix.org mail.i-bible.com mail2.subse.eu eumembers.datacentrix.org demo.liveconfig.com mx.quentindavid.fr genius.konundrum.org miqote.com servmail.fr mx2.maicolepape.org srv2.noneuclideanconcepts.com mx.pushidrosal.id itaskmanager.ovh diablo.sgt.com mail.demongeot.info mail.bacrau.ro tusk.sgt.com mail.nonoserver.info mail.itconnect.ro stmics01.smia-automotive.com mx1.email.youwerehere.info mx.itconnect.ro stmics02.smia-automotive.com mx2.email.youwerehere.info mail.pasion.ro romulus.wittsend.com kd2.io mail.familie-sander.rocks mail.zx.com mail.rapidfuse.io mx1.shevaldin.ru mx2.aquasoft.cz mx.datenknoten.me mail.labbrack.se mx.bels.cz rootbox.me mail.rostit.se mail.davidbodnar.cz backup.heikorichter.name mail.amail.si gaia.nfx.cz www.heikorichter.name mail.xn----ymcadjpj1at5o.xn--wg mail.seslost.cz mail.castleturing.net secdns1.posix.co.za mail.zionbit.cz mail.culm.net Please make sure to monitor the validity of your TLSA records, and implement a reliable key rotation procedure. Let's Encrypt users in particular tend to forget that by default Let's Encrypt certificate renewal replaces both the key and certificate, please read: http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444 https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766 https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/ https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022 http://tools.ietf.org/html/rfc7671#section-8.1 http://tools.ietf.org/html/rfc7671#section-8.4 When updating the certificate chain you need to temporarily pre-publish multiple TLSA records matching the current and future certificate: https://dane.sys4.de/common_mistakes#3 However, with "3 1 1" + "2 1 1", the rollover process can be substantially simplified: http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444 https://www.ietf.org/mail-archive/web/uta/current/msg01498.html After eliminating parked domains that do not accept email of any kind, the number of "real" email domains with bad DNSSEC support stands at 118. The top 7 (the rest have too few domains to include in a top 10) name server operators with problem domains are: 23 firstfind.nl 7 active24.cz 6 tse.jus.br 4 ignum.com 4 glbns.com 4 army.mil 4 1cocomo.com Only 1 DNS-broken domain has no working nameservers and also appears in historical Google Email transparency reports: tiviths.com.br The problem DNS query is: _25._tcp.mx.tiviths.com.br [ See , Much of the TLSA non-response issue seems to be related to a "feature" of some firewalls, that enables droping of DNS requests for all but the most common RRtypes. Do not make the mistake of enabling this firewall "feature". ] The oldest outstanding DNS issue is an SOA signature issue at truman.edu dating back to Nov/2014: http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/ I hope some day soon they'll start missing email they care about and take the time to resolve the problem. -- Viktor. [1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security. From ietf-dane at dukhovni.org Mon Feb 5 17:29:58 2018 From: ietf-dane at dukhovni.org (Viktor Dukhovni) Date: Mon, 5 Feb 2018 11:29:58 -0500 Subject: Upgrade unbound resolver to 1.6.8 if used for DANE Message-ID: If you're using unbound as your local DNSSEC-validating resolver and have enabled DANE, an issue is resolved in unbound 1.6.8 where NSEC records for wildcards could be misused for invalid denial-of-existence proofs. See: https://medium.com/nlnetlabs/the-peculiar-case-of-nsec-processing-using-expanded-wildcard-records-ae8285f236be https://unbound.net/downloads/CVE-2017-15105.txt The first article mentions that the same issue affected PowerDNS and Dnsmasq. So if you're using one of those, you might also need to update. While Google's public DNS was also affected, this is out of scope for DANE, as you get little security from relying on the AD bit from remote resolvers. -- Viktor. From bart.knubben at gmail.com Thu Feb 15 11:52:37 2018 From: bart.knubben at gmail.com (Bart Knubben) Date: Thu, 15 Feb 2018 11:52:37 +0100 Subject: Testing for DANE: MECSA by European Commission, Internet.nl and more Message-ID: Hi, The European Commission lately launched a tool called "My Email Communications Security Assessment (MECSA)". It also checks for DANE records. See: https://mecsa.jrc.ec.europa.eu/ There are others tools as well which are testing for DANE records on receiving mailservers (inbound) like https://internet.nl (an initiative of the Dutch Internet community and government). See for example the following test report: https://en.internet.nl/mail/internet.nl/69612/#control-panel-20 And of course there is https://dane.sys4.de that checks DANE records. For testing DANE validation when sending mail (outbound) you could use https://havedane.net/ -- Best regards, Bart Knubben From ietf-dane at dukhovni.org Fri Feb 16 21:05:20 2018 From: ietf-dane at dukhovni.org (Viktor Dukhovni) Date: Fri, 16 Feb 2018 15:05:20 -0500 Subject: A sensible "3 1 1" + "3 1 1" key rotation approach Message-ID: <67E1F706-4513-4A9D-BDD2-3A3D487DB5F8@dukhovni.org> To avoid (even temporary) mismatches always publish multiple (two are enough) TLSA records. One for matching the current certificate chain, and another matching the *future* certificate chain. You might ask how the *future* certificate chain can be predicted, but the answer is simple enough. While you may not know all the certificate details, you can control the public key that goes into the future certificate. This can be matched with a "3 1 1" record. Therefore, the recommended key rotation approach is: 1. Whenever you *deploy* a certificate chain with a new key, at the same time (that way you won't forget later) generate the next key! And that time update your TLSA records to match both keys. You only need the next public key for this, the next private key could be password protected if you like, but for most sites just rotating the keys often and letting the OS protect the keys from all but the authorized account is enough. _25._tcp.smtp.example.com. IN TLSA 3 1 1 _25._tcp.smtp.example.com. IN TLSA 3 1 1 2. When it is time to obtain a new certificate, generate the CSR from the previously generated *next* key (this may require decryption of the private if stored encrypted initially) and request the certificate, *but* do that only if the corresponding TLSA record is already published! Do the DNS lookup to verify. 3. To deploy the newly obtained certificate go back to step 1. -- Viktor.