From ietf-dane at dukhovni.org Thu Aug 1 07:23:30 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 1 Aug 2019 01:23:30 -0400
Subject: Update on stats 2019-07
Message-ID: <20190801052330.GH84885@straasha.imrryr.org>

Summary:

  The DANE domain count is now 1,191,805

  The number of domains that return DNSSEC-validated replies in response to MX queries is 9,866,733. Thus DANE TLSA is deployed on 12.08% of domains with DNSSEC.

  [ The total number of tracked signed delegations (DS RRsets) is 10,026,848, but not all the corresponding domains are up and running. ]

Credits:

  The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 1,191,805 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1].

As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are:

    713339 one.com
    127741 transip.nl
     98672 domeneshop.no
     36445 active24.com
     32249 vevida.com
     27261 web4u.cz
     24283 udmedia.de
     15760 flexfilter.nl
     13854 zxcs.nl
     13118 onebit.cz
     11226 bhosted.nl
      6026 netzone.ch
      5662 previder.nl
      3704 ips.nl
      3304 interconnect.nl
      2568 provalue.nl
      2261 nederhost.nl
      1706 nmugroup.com
      1586 yourdomainprovider.net
      1295 xcellerate.nl

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    5965 TOTAL
    1879 DE, Germany
    1367 US, United States
     804 NL, Netherlands
     408 FR, France
     278 GB, United Kingdom
     179 CZ, Czechia
     136 CA, Canada
     127 SG, Singapore
      75 CH, Switzerland
      72 SE, Sweden
      57 DK, Denmark
      52 JP, Japan
      46 AT, Austria
      45 IE, Ireland
      43 FI, Finland
      43 AU, Australia
      36 PL, Poland
      36 BR, Brazil
      33 IN, India
      27 RU, Russia

IPv6 is less common than IPv4 for MX hosts (but improved IPv6 connectivity on my end this month finds more IPv6 DANE MTAs), and the top 20 countries by DANE MX host IPv6 GeoIP are:

    2941 TOTAL
    1146 DE, Germany
     528 US, United States
     396 NL, Netherlands
     251 FR, France
     119 CZ, Czechia
     111 GB, United Kingdom
      41 SG, Singapore
      35 CH, Switzerland
      34 SE, Sweden
      30 RU, Russia
      27 CA, Canada
      25 JP, Japan
      24 AT, Austria
      16 IE, Ireland
      14 SI, Slovenia
      14 NO, Norway
      14 AU, Australia
      13 DK, Denmark
      12 ID, Indonesia
      12 BR, Brazil

There are 4576 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 6971. These cover 7425 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of domains that at some point were listed in Gmail's email transparency report is 255 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain).
Of these, 136 are in recent (last 90 days of) reports.

Of the ~1.19 million domains, 2526 have "partial" TLSA records that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 501. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:

    https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1178. The top 10 name server operators with problem domains are:

    489 mijnhostingpartner.nl
     41 metaregistrar.nl
     38 movenext.nl
     34 dotserv.com
     33 tiscomhosting.nl
     31 nrdns.nl
     23 domaincontrol.com
     22 sylconia.net
     14 is.nl
     14 interhand.net

[ Seven of the ten problem providers are Dutch. It would be great if SIDN could apply some carrot and stick to incent .NL hosting providers to have correctly working DNSSEC implementations. ]

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Ten of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br       (Nameservers REFUSE TLSA lookups)
    trt01.gov.br          (Zone mostly unsigned)
    trtrio.gov.br         (Zone mostly unsigned)
    trt1.jus.br           (Zone mostly unsigned)
    trtrj.jus.br          (Zone mostly unsigned)
    bluehosting.host      (NSEC RRs don't cover wildcard)
    rackeo.host           (NSEC RRs don't cover wildcard)
    mobily.com.sa         (firewall blocks TLSA queries)
    sauditelecom.com.sa   (firewall blocks TLSA queries)
    bog.gov.sa            (firewall blocks TLSA queries)

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
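As an added illustration, not part of Viktor's message, of the "well-formed" versus "matches" distinction in footnote [1] and of the TLSA monitoring he recommends: a self-contained Python checker that validates a TLSA record's presentation form (usage, selector, matching type, data length) and compares it against a certificate. The certificate bytes are a constructed X.509-shaped DER skeleton, and the names `der`, `der_tlv`, `spki_from_cert`, `parse_tlsa`, `assoc_data` and `tlsa_matches` are chosen here, not taken from any project.

```python
import hashlib
import re
USAGES, SELECTORS = {0, 1, 2, 3}, {0, 1}   # RFC 6698 usage / selector values
DIGEST_LEN = {0: None, 1: 32, 2: 64}       # matching type -> expected data length

def der(tag, body):                         # tiny DER encoder, only for the sample cert
    return bytes([tag, len(body)]) + body   # short-form length (bodies here are < 128 bytes)

def der_tlv(buf, pos):                      # decode TLV at pos -> (tag, value_start, value_end)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert):                   # SubjectPublicKeyInfo TLV of an X.509 cert (selector 1)
    _, pos, _ = der_tlv(cert, 0)            # Certificate SEQUENCE
    _, pos, _ = der_tlv(cert, pos)          # tbsCertificate SEQUENCE
    if cert[pos] == 0xA0:                   # optional [0] EXPLICIT version
        pos = der_tlv(cert, pos)[2]
    for _ in range(5):                      # serialNumber, signature, issuer, validity, subject
        pos = der_tlv(cert, pos)[2]
    return cert[pos:der_tlv(cert, pos)[2]]

def parse_tlsa(rr):                         # 'usage selector mtype hex' -> fields; ValueError if malformed
    m = re.fullmatch(r"(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)", rr.strip())
    if not m:
        raise ValueError("not a TLSA record")
    usage, sel, mtype = (int(m.group(i)) for i in (1, 2, 3))
    data = bytes.fromhex("".join(m.group(4).split()))
    if usage not in USAGES or sel not in SELECTORS or mtype not in DIGEST_LEN:
        raise ValueError("unknown usage/selector/matching type")
    if DIGEST_LEN[mtype] not in (None, len(data)):
        raise ValueError("association data length does not fit matching type")
    return usage, sel, mtype, data

def assoc_data(sel, mtype, cert):           # what a matching RR's data field must contain
    subject = cert if sel == 0 else spki_from_cert(cert)
    if mtype:                               # 1 = SHA-256, 2 = SHA-512 of the selected data
        subject = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(subject).digest()
    return subject

def tlsa_matches(rr, cert):                 # True if a well-formed RR matches cert
    _, sel, mtype, data = parse_tlsa(rr)
    return assoc_data(sel, mtype, cert) == data

# Constructed X.509-shaped DER with placeholder fields (not a real certificate), just
# enough for spki_from_cert to walk to the SubjectPublicKeyInfo.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b"")) + der(0x03, bytes(65)))
SAMPLE_CERT = der(0x30, der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
                  + der(0x30, b"") * 4 + SAMPLE_SPKI) + der(0x30, b"") + der(0x03, bytes(17)))
```

In a real monitor the certificate comes from the MX host's STARTTLS session and the RRset from a DNSSEC-validating resolver; a malformed RR and a non-matching RR are different failures (the first is what lands a domain on the danefail list even for a dead host, the second is the usual key-rotation mistake).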