From ietf-dane at dukhovni.org Thu Oct 11 17:25:15 2018
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 11 Oct 2018 11:25:15 -0400
Subject: Reminder DNSSEC Root KSK roll today
Message-ID: <20181011152515.GG3589@straasha.imrryr.org>

In case you've not seen this many other places, just a friendly
reminder that ICANN is rolling the DNSSEC root KSK today. Make
sure your resolver (if it is validating) is ready. If you're
forwarding queries to an upstream resolver, you might also check
that the upstream is ready.

-- 
	Viktor.


From ietf-dane at dukhovni.org Thu Oct 11 18:41:52 2018
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 11 Oct 2018 12:41:52 -0400
Subject: Reminder DNSSEC Root KSK roll today
In-Reply-To: <20181011152515.GG3589@straasha.imrryr.org>
References: <20181011152515.GG3589@straasha.imrryr.org>
Message-ID: <20181011164152.GI3589@straasha.imrryr.org>

On Thu, Oct 11, 2018 at 11:25:15AM -0400, Viktor Dukhovni wrote:

> In case you've not seen this many other places, just a friendly
> reminder that ICANN is rolling the DNSSEC root KSK today. Make
> sure your resolver (if it is validating) is ready. If you're
> forwarding queries to an upstream resolver, you might also check
> that the upstream is ready.

The new root zone is now live, with the DNSKEY RRset signed with
KSK2017 (id 20326), rather than KSK2010 (id 19036):

  Before: http://dnsviz.net/d/root/W79zYQ/dnssec/
  During: http://dnsviz.net/d/root/W79zmg/dnssec/
  After:  http://dnsviz.net/d/root/W790GQ/dnssec/

As cached data expires, this should make its way into all working
caches over the next day or two.

-- 
	Viktor.


From ietf-dane at dukhovni.org Wed Oct 31 05:13:42 2018
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Wed, 31 Oct 2018 00:13:42 -0400
Subject: Update on stats 2018-10
Message-ID: <20181031041341.GA991@straasha.imrryr.org>

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data
support from Paul Vixie of Farsight Security.

Credits also due to ICANN for gTLD data via CZDS, and to the TLD
registries for .CH, .COM, .DK, .FR, .INFO, .LI, .NAME, .NL, .NU, .ORG
and .SE. More data sources of ccTLD signed delegations welcome.

Summary:

The DANE domain count is now 336,682
The number of domains with DNSSEC MX records is 9,015,211.
Thus DANE TLSA is deployed on 3.73% of domains with DNSSEC.

As of today I count 336,682 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].

As expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are:

  115370 transip.nl
   96024 domeneshop.no
   34882 active24.com
   23683 udmedia.de
   10797 bhosted.nl
   10599 wido.info
    5664 previder.nl
    3665 interconnect.nl
    2531 provalue.nl
    2443 nederhost.nl
    1505 yourdomainprovider.net
    1290 xcellerate.nl
    1210 hi7.de
    1075 surfmailfilter.nl
     998 soverin.net
     765 omc-mail.com
     688 sciver.net
     647 core-networks.de
     612 mailbox.org
     537 secure-gw.de

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 12 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented):

  5323 TOTAL
  1789 DE, Germany
   984 NL, Netherlands
   957 US, United States
   382 FR, France
   172 GB, United Kingdom
   172 CZ, Czech Republic
   107 CA, Canada
    86 CH, Switzerland
    65 SE, Sweden
    56 SG, Singapore
    54 BR, Brazil
    47 NO, Norway

IPv6 is still comparatively rare for MX hosts, and the top 10 countries
by DANE MX host IPv6 GeoIP are (same top 6):

  2633 TOTAL
  1042 DE, Germany
   441 US, United States
   441 NL, Netherlands
   218 FR, France
   103 CZ, Czech Republic
    80 GB, United Kingdom
    44 NO, Norway
    42 SE, Sweden
    31 SG, Singapore
    28 CH, Switzerland
    21 AT, Austria
    19 FI, Finland

There are 3669 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 5242. These cover
5628 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 176 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain). Of these, 95 are in
recent (last 90 days of) reports:

  gmx.at                   lrz.de                   intermax.nl
  transip.be               mail.de                  markteffectmail.nl
  nic.br                   posteo.de                ouderportaal.nl
  registro.br              ruhr-uni-bochum.de       overheid.nl
  gmx.ch                   tum.de                   pathe.nl
  open.ch                  uni-erlangen.de          politie.nl
  anubisnetworks.com       unitybox.de              rotterdam.nl
  gmx.com                  unitymedia.de            transip.nl
  habr.com                 web.de                   truetickets.nl
  mail.com                 egmontpublishing.dk      uvt.nl
  mylocalbuddy.com         netic.dk                 xs4all.nl
  societe.com              tilburguniversity.edu    domeneshop.no
  solvinity.com            octopuce.fr              handelsbanken.no
  t-2.com                  comcast.net              webcruitermail.no
  trashmail.com            dd24.net                 aegee.org
  xfinity.com              gmx.net                  debian.org
  xfinityhomesecurity.com  habramail.net            freebsd.org
  xfinitymobile.com        hr-manager.net           gentoo.org
  active24.cz              inexio.net               ietf.org
  cuni.cz                  mpssec.net               isc.org
  destroystores.cz         mylobu.net               lazarus-ide.org
  klubpevnehozdravi.cz     t-2.net                  netbsd.org
  optimail.cz              transip.net              openssl.org
  smtp.cz                  xs4all.net               samba.org
  bayern.de                xworks.net               torproject.org
  bund.de                  ardanta.nl               asf.com.pt
  elster.de                bhosted.nl               handelsbanken.se
  fau.de                   boozyshop.nl             minmyndighetspost.se
  freenet.de               hierinloggen.nl          skatteverket.se
  gmx.de                   hr.nl                    t-2.si
  jpberlin.de              hro.nl                   govtrack.us
  kabelmail.de             interconnect.nl

Of the ~336000 domains, 1954 have "partial" TLSA records, that cover
only a subset of the MX hosts. While this protects traffic to some of
the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 222. Some of these have additional MX hosts that don't have
broken TLSA records, so mail can still arrive via the remaining MX
hosts. A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

  https://dane.sys4.de/common_mistakes
  http://imrryr.org/~viktor/ICANN61-viktor.pdf
  http://imrryr.org/~viktor/icann61-viktor.mp3
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number
of "real" email domains with bad DNSSEC support stands at 509. The top
10 name server operators with problem domains are:

  50 dotserv.com
  38 tiscomhosting.nl
  38 metaregistrar.nl
  34 sylconia.net
  31 nrdns.nl
  25 active24.cz (customer zones with broken wildcard cnames)
  20 nazwa.pl (customer zones with broken wildcard NS RRs)
  19 host-redirect.com
  10 blauwblaatje.nl
  10 army.mil

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage possible.

None of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports. So it is likely that the
DNSSEC denial of existence problems are not felt by most email senders.

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real
MTAs might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
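The first two messages ask operators to confirm that a validating resolver is ready for the roll, i.e. that its trust anchor set contains KSK-2017 (key tag 20326) and not only KSK-2010 (key tag 19036). The check below is an added example written for this archive page, not code from Viktor or from the list: it computes DNSKEY key tags per RFC 4034 Appendix B from records in presentation form, so you can feed it the output of `dig . DNSKEY +short` or the resolver's own trust-anchor file (the `/var/lib/unbound/root.key` path in the usage comment is a typical Unbound location and is an assumption). The DNSKEY `AQIDBA==` used in the comments and tests is a constructed four-byte stand-in, not a real key.

```python
import base64
import struct
import sys

# Root KSK key tags as quoted in the thread above.
KSK_2017_TAG = 20326
KSK_2010_TAG = 19036


def dnskey_rdata(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> bytes:
    """Wire-format RDATA of a DNSKEY RR (RFC 4034, section 2.1)."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata: bytes) -> int:
    """Key tag of a DNSKEY RR (RFC 4034, Appendix B).

    This is the form used for every algorithm except 1 (RSA/MD5), which is
    long obsolete and is not used by the root zone.
    """
    ac = 0
    for i, octet in enumerate(rdata):
        ac += (octet << 8) if i % 2 == 0 else octet
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_dnskey(line: str) -> dict:
    """Parse one DNSKEY RR in presentation form.

    Accepts either the bare RDATA as printed by `dig . DNSKEY +short`
    ("257 3 8 AwEAA...") or a full RR line (". 172800 IN DNSKEY 257 3 8 ...").
    The base64 key may be split over several whitespace-separated tokens.
    """
    fields = line.split()
    if "DNSKEY" in fields:
        fields = fields[fields.index("DNSKEY") + 1:]
    if len(fields) < 4:
        raise ValueError("not a DNSKEY record: %r" % line)
    flags, protocol, algorithm = (int(f) for f in fields[:3])
    pubkey = base64.b64decode("".join(fields[3:]))
    return {
        "flags": flags,
        "algorithm": algorithm,
        # A KSK has both the ZONE (0x0100) and SEP (0x0001) flag bits set (257).
        "is_ksk": (flags & 0x0101) == 0x0101,
        "key_tag": key_tag(dnskey_rdata(flags, protocol, algorithm, pubkey)),
    }


def root_ksk_status(dnskey_lines) -> dict:
    """Summarise which root KSKs (by key tag) appear in a set of DNSKEY records."""
    tags = set()
    for line in dnskey_lines:
        line = line.strip()
        if not line or line.startswith(";"):
            continue  # skip blank lines and dig/unbound-anchor comment lines
        rec = parse_dnskey(line)
        if rec["is_ksk"]:
            tags.add(rec["key_tag"])
    return {
        "ksk_tags": sorted(tags),
        "has_ksk_2017": KSK_2017_TAG in tags,
        "has_ksk_2010": KSK_2010_TAG in tags,
    }


if __name__ == "__main__":
    # Usage: dig . DNSKEY +short | python3 ksk_check.py
    # or:    python3 ksk_check.py < /var/lib/unbound/root.key   (assumed path)
    # Constructed example: "257 3 8 AQIDBA==" parses to key tag 2063.
    status = root_ksk_status(sys.stdin)
    print(status)
    if not status["has_ksk_2017"]:
        print("WARNING: KSK-2017 (key tag 20326) is missing; the root DNSKEY "
              "RRset is now signed only by that key, so validation will fail")
```

Running it against what the resolver actually trusts (rather than against the live root DNSKEY RRset, which any resolver can fetch) is the meaningful check: a forwarding resolver that passes the first test can still sit behind an upstream that has not picked up the new key, which is the second message's point.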
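The stats message distinguishes domains with "partial" TLSA coverage (only some MX hosts have records) from domains with incorrect TLSA records, and the footnote notes that even a deliberately dead MX host needs TLSA records that exist and are well-formed. The following is an added example, not part of the original post and not Viktor's survey code: it checks a TLSA record's presentation form for well-formedness (field ranges from RFC 6698, the SMTP restriction on PKIX usages from RFC 7672, digest lengths for the matching types) and classifies a domain's MX set into none/partial/broken/full coverage. The `example.net` MX hosts and their TLSA data are constructed sample input; CNAME chasing is assumed to have been done by the caller.

```python
import re

# Field values from RFC 6698; RFC 7672 (DANE for SMTP) restricts which are usable.
USAGES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}
SELECTORS = {0: "Cert", 1: "SPKI"}
MATCHING_TYPES = {0: "Full", 1: "SHA2-256", 2: "SHA2-512"}
DIGEST_OCTETS = {1: 32, 2: 64}


def check_tlsa(rdata_text: str) -> list:
    """Well-formedness problems of one TLSA record in presentation form
    ("3 1 1 <hex>"). An empty list means the record is well-formed and of a
    kind an SMTP client can use."""
    fields = rdata_text.split()
    if len(fields) < 4:
        return ["expected usage, selector, matching type and association data"]
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
    except ValueError:
        return ["usage, selector and matching type must be integers"]
    data_hex = "".join(fields[3:])  # presentation form may wrap the hex
    problems = []
    if usage not in USAGES:
        problems.append("unknown certificate usage %d" % usage)
    elif usage in (0, 1):
        problems.append("%s is not usable for SMTP (RFC 7672)" % USAGES[usage])
    if selector not in SELECTORS:
        problems.append("unknown selector %d" % selector)
    if mtype not in MATCHING_TYPES:
        problems.append("unknown matching type %d" % mtype)
    if not data_hex or len(data_hex) % 2 or not re.fullmatch(r"[0-9A-Fa-f]*", data_hex):
        problems.append("association data is not a non-empty hex string")
    elif mtype in DIGEST_OCTETS and len(data_hex) // 2 != DIGEST_OCTETS[mtype]:
        problems.append("%s digest must be %d octets, got %d"
                        % (MATCHING_TYPES[mtype], DIGEST_OCTETS[mtype], len(data_hex) // 2))
    return problems


def classify_domain(mx_hosts, tlsa_rrsets) -> dict:
    """Classify a domain's DANE coverage along the lines of the report above.

    mx_hosts:    the MX hostnames of the domain.
    tlsa_rrsets: mapping from "_25._tcp.<mx host>" to the list of TLSA records
                 (presentation form) published there.
    A host with any malformed record is flagged as broken; this is stricter
    than an SMTP client (which ignores unusable records if another matches)
    but is what you want from monitoring.
    """
    covered, missing, broken = [], [], {}
    for mx in mx_hosts:
        rrs = tlsa_rrsets.get("_25._tcp." + mx, [])
        if not rrs:
            missing.append(mx)
            continue
        bad = {}
        for rr in rrs:
            problems = check_tlsa(rr)
            if problems:
                bad[rr] = problems
        if bad:
            broken[mx] = bad
        else:
            covered.append(mx)
    if broken:
        status = "broken"
    elif not covered:
        status = "none"
    elif missing:
        status = "partial"
    else:
        status = "dane"
    return {"status": status, "covered": covered, "missing": missing, "broken": broken}


# Constructed sample data (not real zones): example.net with three MX hosts,
# the third of which publishes no TLSA records at all.
SAMPLE_MX = ["mx1.example.net", "mx2.example.net", "mx3.example.net"]
SAMPLE_TLSA = {
    "_25._tcp.mx1.example.net": ["3 1 1 " + "ab" * 32],
    "_25._tcp.mx2.example.net": ["3 1 1 " + "cd" * 32, "2 1 1 " + "ef" * 32],
}

if __name__ == "__main__":
    print(classify_domain(SAMPLE_MX, SAMPLE_TLSA))  # status: partial
```

Well-formedness is only the first half of the monitoring the post asks for: the second half, that at least one record per host actually matches the certificate the host presents, needs a live STARTTLS connection and is what the key-rotation advice in RFC 7671 section 8 is about. The dead-host case in the footnote is exactly the situation where only this first half applies.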