Update on stats 2018-09

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Sep 30 20:39:04 CEST 2018


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .LI,
	  .NAME, .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

Summary:  The DANE domain count is now 316,920

	  The number of DNSSEC domains in the survey stands at 8,986,410.
	  Thus DANE TLSA is deployed on 3.52% of domains with DNSSEC.

	  This month DNSSEC denial of existence issues were resolved
	  at KPN Internedservices (internedservices.nl or is.nl)
	  and dotroll.com (also known as webspacecontrol.com).  My
	  thanks to both for taking action to significantly reduce
	  the residual barriers to DANE adoption.

As of today I count 316,920 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 15 MX host providers by domain count are:

   114384 transip.nl
    96340 domeneshop.no
    34676 active24.com
    23670 udmedia.de
    10761 bhosted.nl
     3721 interconnect.nl
     2533 provalue.nl
     2451 nederhost.nl
     1521 yourdomainprovider.net
     1299 xcellerate.nl
     1189 hi7.de
     1062 surfmailfilter.nl
      753 omc-mail.com
      622 core-networks.de
      591 mailbox.org

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 10 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):

  4251 TOTAL
  1449 DE, Germany
   910 US, United States
   549 NL, Netherlands
   330 FR, France
   158 GB, United Kingdom
   128 CZ, Czech Republic
   110 CA, Canada
    57 SE, Sweden
    56 SG, Singapore
    55 CH, Switzerland

IPv6 is still comparatively rare for MX hosts, and the top 10
countries by DANE MX host IPv6 GeoIP are (same top 6).

  2126 TOTAL
   816 DE, Germany
   426 US, United States
   317 NL, Netherlands
   191 FR, France
    70 GB, United Kingdom
    70 CZ, Czech Republic
    37 SE, Sweden
    27 SG, Singapore
    19 CH, Switzerland
    17 AT, Austria

There are 3571 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 5087.  These
cover 5449 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 168 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 86 are in recent (last 90 days of) reports:

  gmx.at                   lrz.de                  ouderportaal.nl
  transip.be               mail.de                 overheid.nl
  nic.br                   posteo.de               pathe.nl
  registro.br              ruhr-uni-bochum.de      politie.nl
  gmx.ch                   tum.de                  transip.nl
  open.ch                  uni-erlangen.de         truetickets.nl
  anubisnetworks.com       unitybox.de             uvt.nl
  gmx.com                  unitymedia.de           xs4all.nl
  mail.com                 web.de                  domeneshop.no
  societe.com              dk-hostmaster.dk        handelsbanken.no
  solvinity.com            egmontpublishing.dk     rushtrondheim.no
  t-2.com                  netic.dk                webcruitermail.no
  trashmail.com            tilburguniversity.edu   aegee.org
  xfinity.com              insee.fr                debian.org
  xfinityhomesecurity.com  octopuce.fr             freebsd.org
  xfinitymobile.com        comcast.net             gentoo.org
  active24.cz              gmx.net                 ietf.org
  cuni.cz                  hr-manager.net          isc.org
  destroystores.cz         inexio.net              netbsd.org
  klubpevnehozdravi.cz     mpssec.net              openssl.org
  optimail.cz              t-2.net                 samba.org
  smtp.cz                  transip.net             torproject.org
  bayern.de                xs4all.net              asf.com.pt
  bund.de                  bhosted.nl              handelsbanken.se
  elster.de                boozyshop.nl            minmyndighetspost.se
  fau.de                   deltion.nl              skatteverket.se
  freenet.de               hierinloggen.nl         t-2.si
  gmx.de                   interconnect.nl         govtrack.us
  jpberlin.de              intermax.nl

Of the ~317000 domains, 1390 have "partial" TLSA records, that
cover only a subset of the MX hosts.  While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 258. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

The DNSSEC denial of existence breakage is lower this month, as a
result of a complete resolution of all issues at is.nl and dotroll.com.
After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
531.  The top 20 name server operators with problem domains are:

    51 dotserv.com
    39 tiscomhosting.nl
    35 metaregistrar.nl
    33 sylconia.net
    31 nrdns.nl
    25 active24.cz		(some broken wildcard cnames)
    20 host-redirect.com
    19 nazwa.pl			(some broken wildcard NS RRs)
    12 psb1.org
    11 blauwblaatje.nl
    10 eth-services.de
    10 army.mil
     9 vultr.com
     9 dnscluster.nl
     8 pcextreme.nl
     8 forpsi.net
     7 ovh.net
     6 loopia.se
     6 domdom.hu
     5 1cocomo.com

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

None of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports.  So it is likely
that the DNSSEC denial of existence problems are not felt by most
email senders.

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
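The "partial" TLSA paragraph and footnote [1] above describe the same rule from two sides: a domain is DANE-protected only when every MX host has a usable TLSA RRset, and an always-down MX host is harmless as long as its TLSA records exist and are well-formed. The following is an added example (not code from the post or the survey) that classifies a domain's MX coverage from constructed, inline sample data; the domain and host names, the digests and the helper names are all hypothetical.

```python
import re

# Constructed sample data (not real DNS): MX hosts of a hypothetical domain and
# the TLSA RRsets published at _25._tcp.<mx host>.  Each record is a tuple
# (usage, selector, matching_type, certificate_association_data_hex).
EXAMPLE_MX = ["mx1.example-host.nl", "mx2.example-host.nl", "dead.example.nl"]
EXAMPLE_TLSA = {
    "mx1.example-host.nl": [(3, 1, 1, "ab" * 32)],  # DANE-EE(3), SPKI(1), SHA-256(1)
    "mx2.example-host.nl": [(3, 1, 1, "ab" * 31)],  # digest one byte short: unusable
    "dead.example.nl":     [(2, 0, 1, "cd" * 32)],  # never-up MX host, well-formed TLSA
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
DIGEST_LEN = {1: 32, 2: 64}  # matching type -> digest length in bytes (SHA-256, SHA-512)

def tlsa_well_formed(usage, selector, mtype, data_hex):
    """Field ranges per RFC 6698; PKIX usages 0/1 are not used for SMTP (RFC 7672)."""
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    if not data_hex or not HEX_RE.match(data_hex) or len(data_hex) % 2:
        return False
    # Matching type 0 carries full DER data of any length; 1 and 2 are fixed-size digests.
    if mtype in DIGEST_LEN and len(data_hex) // 2 != DIGEST_LEN[mtype]:
        return False
    return True

def classify_domain(mx_hosts, tlsa_by_host):
    """Return ('dane' | 'partial' | 'none', [MX hosts without a usable TLSA RRset]).

    A host counts as covered when at least one published record is usable; a
    host with no RRset, or only unusable records, leaves the domain exposed to
    the active attacks the post describes for uncovered MX hosts.
    """
    uncovered = [h for h in mx_hosts
                 if not any(tlsa_well_formed(*rr) for rr in tlsa_by_host.get(h, []))]
    if len(uncovered) == len(mx_hosts):
        return "none", uncovered
    return ("partial" if uncovered else "dane"), uncovered

if __name__ == "__main__":
    print(classify_domain(EXAMPLE_MX, EXAMPLE_TLSA))
```

Feeding the same two functions with TLSA RRsets fetched via a DNSSEC-validating resolver (and a check that the MX host actually offers STARTTLS) gives the self-monitoring the post asks operators to put in place.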
