Update on stats 2018-01

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Feb 1 05:31:16 CET 2018


Summary:  The total domain count has increased from 176079 to 176941

	  The number DNSSEC domains in the survey stands at 5188318,
	  thus DANE TLSA is deployed on 3.41% of domains with DNSSEC.
	  Many DNSSEC domains use third-party MX hosts, that don't
	  have DNSSEC, so they can't benefit from DANE until their
	  providers secure the MX hosts.  Please ask your provider
	  to enable DNSSEC and DANE on their MX hosts.  [ It would
	  be especially significant if "redirect.ovh.net" were to
	  implement DNSSEC+DANE.  If someone personally knows the
	  right people to gently nudge at ovh.net, please do. ]

As of today I count 176941 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host.  The top 10 MX host providers by domain count
are:

   68675 domeneshop.no
   63512 transip.nl
   18579 udmedia.de
    6268 bhosted.nl
    1752 nederhost.nl
    1248 yourdomainprovider.net
     880 ec-elements.com
     517 core-networks.de
     398 omc-mail.com
     392 mailbox.org

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.de.  Speaking
of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts
shows the below top 11 countries (each unique IP address is counted,
so multi-homed MX hosts are perhaps somewhat over-represented):

   1282 DE, Germany
    802 US, United States
    453 NL, Netherlands
    326 FR, France
    175 GB, United Kingdom
    111 CZ, Czech Republic
     84 CA, Canada
     62 SE, Sweden
     60 CH, Switzerland
     53 SG, Singapore
     53 BR, Brazil

IPv6 is still comparatively rare for MX hosts, and the top 10
countries by DANE MX host IPv6 GeoIP are (same top 6):

    279 DE, Germany
    144 US, United States
    119 NL, Netherlands
     74 FR, France
     35 GB, United Kingdom
     27 CZ, Czech Republic
     15 SE, Sweden
      9 SG, Singapore
      9 CH, Switzerland
      8 SI, Slovenia

There are 3125 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 4856.  These
cover 4948 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 127 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 76 are in recent reports:

   gmx.at                   mail.de                overheid.nl
   travelbirdbelgie.be      posteo.de              pathe.nl
   travelbirdbelgique.be    ruhr-uni-bochum.de     uvt.nl
   nic.br                   tum.de                 xs4all.nl
   registro.br              uni-erlangen.de        domeneshop.no
   gmx.ch                   unitybox.de            handelsbanken.no
   open.ch                  unitymedia.de          webcruitermail.no
   switch.ch                web.de                 aegee.org
   anubisnetworks.com       dk-hostmaster.dk       debian.org
   gmx.com                  egmontpublishing.dk    freebsd.org
   isavedialogue.com        netic.dk               gentoo.org
   mail.com                 tilburguniversity.edu  ietf.org
   solvinity.com            insee.fr               isc.org
   trashmail.com            octopuce.fr            netbsd.org
   xfinity.com              comcast.net            openssl.org
   xfinityhomesecurity.com  dd24.net               samba.org
   xfinitymobile.com        dns-oarc.net           torproject.org
   nic.cz                   gmx.net                asf.com.pt
   bayern.de                hr-manager.net         handelsbanken.se
   bund.de                  mpssec.net             minmyndighetspost.se
   elster.de                t-2.net                skatteverket.se
   fau.de                   xs4all.net             t-2.si
   freenet.de               bhosted.nl             mail.co.uk
   gmx.de                   boozyshop.nl           govtrack.us
   jpberlin.de              hierinloggen.nl
   lrz.de                   ouderportaal.nl

Of the ~177000 domains, 786 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 232. This, despite all appearances to the contrary, is an
improvement on last month, since other than a recent new batch of
72 little-known domains served by "mail.apteo.com", the overall
number of problem MX hosts has declined from 102 to 86.  Below is
the list of underlying MX hosts that serve these domains and whose
TLSA records don't match reality:

   Hall of Shame:

   white.agoracon.at              mail.absynth.de              anubis.delphij.net
   mail.dipietro.id.au            mail.all4.de                 mail.diejanssens.net
   eclipse.id.au                  mx2.mindrun.de               mail.efflam.net
   mx.krb.srv.pique.net.au        www.mtg.de                   smtp.bl.lybre.net
   zebulon.pique.net.au           mx2.pfp.de                   mail.fscker.nl
   eufront.stansoft.bg            relay.rsxc.de                smtp1.lococensus.nl
   eumembers.stansoft.bg          thores-zimmer.de             smtp2.lococensus.nl
   mx0.reich-trade.ch             mx10.timotoups.de            mail.myzt.nl
   andbraiz.com                   mx20.timotoups.de            bounder.steelyard.nl
   mail.apteo.com                 anotherone.braceyourself.es  webmail.vivisol.nl
   mail.digitalwebpros.com        mail.0pc.eu                  mail.abanto-zierbena.org
   mail.dnsmadefree.com           gamepixel.eu                 hydra.aufbix.org
   smtp-1.httrack.com             smtp.skolovi.eu              hydra-ipv4.aufbix.org
   mail.i-bible.com               mail2.subse.eu               eumembers.datacentrix.org
   demo.liveconfig.com            mx.quentindavid.fr           genius.konundrum.org
   miqote.com                     servmail.fr                  mx2.maicolepape.org
   srv2.noneuclideanconcepts.com  mx.pushidrosal.id            itaskmanager.ovh
   diablo.sgt.com                 mail.demongeot.info          mail.bacrau.ro
   tusk.sgt.com                   mail.nonoserver.info         mail.itconnect.ro
   stmics01.smia-automotive.com   mx1.email.youwerehere.info   mx.itconnect.ro
   stmics02.smia-automotive.com   mx2.email.youwerehere.info   mail.pasion.ro
   romulus.wittsend.com           kd2.io                       mail.familie-sander.rocks
   mail.zx.com                    mail.rapidfuse.io            mx1.shevaldin.ru
   mx2.aquasoft.cz                mx.datenknoten.me            mail.labbrack.se
   mx.bels.cz                     rootbox.me                   mail.rostit.se
   mail.davidbodnar.cz            backup.heikorichter.name     mail.amail.si
   gaia.nfx.cz                    www.heikorichter.name        mail.xn----ymcadjpj1at5o.xn--wg
   mail.seslost.cz                mail.castleturing.net        secdns1.posix.co.za
   mail.zionbit.cz                mail.culm.net

Please make sure to monitor the validity of your TLSA records, and
implement a reliable key rotation procedure.  Let's Encrypt users
in particular tend to forget that by default Let's Encrypt certificate
renewal replaces both the key and certificate, please read:

    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
    https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

When updating the certificate chain you need to temporarily
pre-publish multiple TLSA records matching the current and future
certificate:

    https://dane.sys4.de/common_mistakes#3

However, with "3 1 1" + "2 1 1", the rollover process can be
substantially simplified:

    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
    https://www.ietf.org/mail-archive/web/uta/current/msg01498.html

After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 118.  The top 7 (the rest have too few domains to include
in a top 10) name server operators with problem domains
are:

  23 firstfind.nl
   7 active24.cz
   6 tse.jus.br
   4 ignum.com
   4 glbns.com
   4 army.mil
   4 1cocomo.com

Only 1 DNS-broken domain has no working nameservers and also appears
in historical Google Email transparency reports:

   tiviths.com.br

The problem DNS query is:

   _25._tcp.mx.tiviths.com.br

  [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>,
    Much of the TLSA non-response issue seems to be related to a
    "feature" of some firewalls, that enables droping of DNS requests
    for all but the most common RRtypes.  Do not make the mistake
    of enabling this firewall "feature". ]

The oldest outstanding DNS issue is an SOA signature issue at
truman.edu dating back to Nov/2014:

  http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/

I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.


More information about the dane-users mailing list