From ietf-dane at dukhovni.org Sat Jun 30 00:46:13 2018
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 29 Jun 2018 18:46:13 -0400
Subject: Update on stats 2018-06
Message-ID: <20180629224613.GA96119@straasha.imrryr.org>

Credits: With additional data from Paul Vixie of Farsight Security, the DNSSEC coverage continues to improve.

Summary: The DANE domain count is now 296,990. The number of DNSSEC domains in the survey stands at 8,069,614. Thus DANE TLSA is deployed on 3.68% of domains with DNSSEC.

As of today I count 296,990 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support in bulk for the domains they host. It is starting to get crowded at the top of the list, so I'm now listing the top 15 MX host providers by domain count:

  103783 transip.nl
   96089 domeneshop.no
   34141 active24.com
   23491 udmedia.de
    9646 bhosted.nl
    2270 nederhost.nl
    1940 provalue.nl (new this month)
    1575 yourdomainprovider.net
    1072 hi7.de
     958 xcellerate.nl
     874 surfmailfilter.nl
     652 omc-mail.com
     651 core-networks.de
     588 interconnect.nl (new this month)
     547 mailbox.org

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.cz/.de.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 10 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented):

  4080 TOTAL
  1394 DE, Germany
   900 US, United States
   509 NL, Netherlands
   338 FR, France
   163 GB, United Kingdom
   121 CZ, Czech Republic
    80 CA, Canada
    59 SE, Sweden
    58 CH, Switzerland
    57 SG, Singapore

IPv6 is still comparatively rare for MX hosts, and the top 10 countries by DANE MX host IPv6 GeoIP are (same top 6):
  2043 TOTAL
   768 DE, Germany
   417 US, United States
   282 NL, Netherlands
   187 FR, France
    89 GB, United Kingdom
    68 CZ, Czech Republic
    34 SE, Sweden
    25 SG, Singapore
    23 CH, Switzerland
    14 SI, Slovenia

There are 3402 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 4690. These cover 5012 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of domains that at some point were listed in Gmail's email transparency report is 157 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 87 are in recent reports:

  gmx.at                   fau.de                  deltion.nl
  travelbirdbelgique.be    freenet.de              hierinloggen.nl
  nic.br                   gmx.de                  interconnect.nl
  registro.br              jpberlin.de             ouderportaal.nl
  gmx.ch                   lrz.de                  overheid.nl
  open.ch                  mail.de                 pathe.nl
  anubisnetworks.com       posteo.de               politie.nl
  gmx.com                  ruhr-uni-bochum.de      truetickets.nl
  mail.com                 tum.de                  uvt.nl
  societe.com              uni-erlangen.de         xs4all.nl
  solvinity.com            unitybox.de             domeneshop.no
  t-2.com                  unitymedia.de           webcruitermail.no
  trashmail.com            web.de                  aegee.org
  xfinity.com              egmontpublishing.dk     debian.org
  xfinityhomesecurity.com  netic.dk                freebsd.org
  xfinitymobile.com        tilburguniversity.edu   gentoo.org
  active24.cz              octopuce.fr             ietf.org
  clubcard.cz              comcast.net             isc.org
  cuni.cz                  dd24.net                netbsd.org
  cvc.cz                   dns-oarc.net            openssl.org
  itesco.cz                gmx.net                 samba.org
  klubpevnehozdravi.cz     hr-manager.net          torproject.org
  knizni-magazin.cz        inexio.net              asf.com.pt
  nic.cz                   mpssec.net              handelsbanken.se
  optimail.cz              t-2.net                 iis.se
  smtp.cz                  xs4all.net              minmyndighetspost.se
  bayern.de                bhosted.nl              skatteverket.se
  bund.de                  bit.nl                  t-2.si
  elster.de                boozyshop.nl            govtrack.us

Of the ~297000 domains, 1142 have "partial" TLSA records, that cover only a subset of the MX hosts.
While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 266. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

  https://dane.sys4.de/common_mistakes
  http://imrryr.org/~viktor/ICANN61-viktor.pdf
  http://imrryr.org/~viktor/icann61-viktor.mp3
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

All the new blood in the survey has uncovered some previously unseen DNSSEC denial of existence breakage. After eliminating parked domains that do not accept email of any kind, the number of "real" email domains with bad DNSSEC support stands at 678. The top 20 name server operators with problem domains are:

  127 mijnhostingpartner.nl
   79 webspacecontrol.com / dotroll.com
   56 dotserv.com
   42 metaregistrar.nl
   40 is.nl
   32 tiscomhosting.nl
   29 active24.cz (some broken wildcard cnames)
   27 tse.jus.br
   26 sylconia.net
   14 host-redirect.com
   13 psb1.org
   13 nazwa.pl (some broken wildcard NS RRs)
   12 zeptor.nl
   12 nrdns.nl
   11 blauwblaatje.nl
    8 dnscluster.nl
    7 forpsi.net
    6 pcextreme.nl
    6 glbns.com
    6 domdom.hu

If anyone has good contacts at one of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
The domains all of whose nameservers have broken denial of existence that also appear in historical Google reports are:

  trt1.jus.br
  trtrj.jus.br
  tre-ce.jus.br
  tre-pe.jus.br
  tre-rj.jus.br
  tre-rs.jus.br
  tre-sc.jus.br
  tre-sp.jus.br
  tse.jus.br

The last seven of these should be fixed shortly; the right parties have been informed, and I expect it will be resolved promptly.

-- 
Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
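As an added illustration, not part of Viktor's message or his survey tooling, the Python below classifies a domain's SMTP DANE coverage as full, partial, none or broken in the sense the report uses, and checks that each TLSA record is well-formed (valid usage, selector and matching-type values, and association data of the length the matching type implies), which is all the footnote requires of records on permanently-down MX hosts. DNS answers are replaced by constructed dictionaries for hypothetical zones; whether a record actually matches the MX host's certificate needs a TLS connection and is not checked here.

```python
import re

# Constructed stand-ins for DNS answers (hypothetical zones, not real lookups):
# MX hosts per domain, and TLSA RRsets keyed by their "_25._tcp.<mx>" owner name.
SAMPLE_MX = {
    "full.example": ["mx1.full.example", "mx2.full.example"],
    "partial.example": ["mx1.partial.example", "mx2.partial.example"],
    "dead-mx.example": ["mx.dead-mx.example", "never-up.dead-mx.example"],
    "broken.example": ["mx.broken.example"],
}
SAMPLE_TLSA = {
    "_25._tcp.mx1.full.example": ["3 1 1 " + "ab" * 32],
    "_25._tcp.mx2.full.example": ["2 1 1 " + "cd" * 32],
    "_25._tcp.mx1.partial.example": ["3 1 1 " + "ab" * 32],  # mx2 has no TLSA: partial
    "_25._tcp.mx.dead-mx.example": ["3 1 1 " + "ab" * 32],
    "_25._tcp.never-up.dead-mx.example": ["3 1 1 " + "00" * 32],  # always-down host, well-formed is enough
    "_25._tcp.mx.broken.example": ["3 1 1 " + "ab" * 20],  # SHA-256 digest of the wrong length
}

# Matching type -> expected association data length in octets (0 = full cert/SPKI, any length).
DIGEST_LEN = {0: None, 1: 32, 2: 64}


def tlsa_well_formed(rdata: str) -> bool:
    """Validate one TLSA record in presentation format: '<usage> <selector> <mtype> <hex>'."""
    m = re.fullmatch(r"\s*(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f]+)\s*", rdata)
    if not m:
        return False
    usage, selector, mtype = (int(m.group(i)) for i in (1, 2, 3))
    data = m.group(4)
    if usage > 3 or selector > 1 or mtype > 2 or len(data) % 2:
        return False
    expected = DIGEST_LEN[mtype]
    return expected is None or len(data) // 2 == expected


def dane_coverage(domain: str, mx_lookup=SAMPLE_MX, tlsa_lookup=SAMPLE_TLSA) -> str:
    """Return 'full', 'partial', 'none' or 'broken' for the domain's MX hosts."""
    hosts = mx_lookup.get(domain, [])
    covered = 0
    for host in hosts:
        rrset = tlsa_lookup.get(f"_25._tcp.{host}")
        if not rrset:
            continue  # this MX host is unprotected; active attacks via it remain possible
        if not all(tlsa_well_formed(r) for r in rrset):
            return "broken"  # a malformed record would get the domain listed as failing
        covered += 1
    if covered == 0:
        return "none"
    return "full" if covered == len(hosts) else "partial"
```

Swap the two dictionaries for real MX and TLSA lookups (for example via dnspython with DNSSEC validation) to run the same classification against live zones.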