From ietf-dane at dukhovni.org  Mon Jul  1 07:39:48 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 1 Jul 2019 01:39:48 -0400
Subject: Update on stats 2019-06
Message-ID: <20190701053948.GG84885@straasha.imrryr.org>

Summary:

  The DANE domain count is now 1,185,097

  The number of domains that return DNSSEC-validated replies in response
  to MX queries is 9,810,062. Thus DANE TLSA is deployed on 12.08% of
  domains with DNSSEC.

Credits:

  The coverage of DNSSEC domains continues to improve with ongoing data
  support from Paul Vixie of Farsight Security. Credits also due to ICANN
  for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK,
  .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of
  ccTLD signed delegations welcome.

Appeal:

  A handful of providers still have long-term broken DNSSEC denial of
  existence. It would be really great if (at least):

    mijnhostingpartner.nl  (Much improved, remediation in progress)
    metaregistrar.nl       (Wrong empty non-terminal handling)
    tiscomhosting.nl       (Missing wildcard NSEC for NODATA response)
    dotserv.com            (invalid NSEC chain order)
    movenext.nl            (NSEC replies don't cover wildcard)
    nrdns.nl               (Malformed NSEC3 or ServFail)
    sylconia.nl            (Malformed NSEC3 chain)

  fixed their nameserver and/or zone provisioning code. While the O(10^3)
  affected domains are a small fraction of the O(10^7) signed domains,
  they are a much larger fraction of the signed domains for those
  particular providers.

Appeal:

  The number of domains with neglected outdated TLSA records has grown to
  ~600. PLEASE *monitor* your deployment, and implement a cert/key
  rollover process that does not (even temporarily) disrupt the validity
  of your certificate chain as compared to the published (cached) TLSA
  records:

    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

  If you're willing and able to help reach out to the operators of MX
  hosts with misconfigured TLSA RRsets, please get in touch.
As of today I count 1,185,097 domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the
bulk of the DANE domains are hosted by the DNS/email hosting providers
who've enabled DANE support for the customer domains they host. The top
20 MX host providers by domain count are:

  710477 one.com
  126697 transip.nl
   97776 domeneshop.no
   36407 active24.com
   32344 vevida.com
   27345 web4u.cz
   24153 udmedia.de
   15734 flexfilter.nl
   13127 zxcs.nl
   13003 onebit.cz
   11082 bhosted.nl
    6024 netzone.ch
    5644 previder.nl
    3768 ips.nl
    3393 interconnect.nl
    2574 provalue.nl
    2277 nederhost.nl
    1694 nmugroup.com
    1573 yourdomainprovider.net
    1322 hi7.de

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  5347 TOTAL
  1782 DE, Germany
  1123 US, United States
   745 NL, Netherlands
   382 FR, France
   220 GB, United Kingdom
   173 CZ, Czechia
   122 CA, Canada
    86 SG, Singapore
    73 SE, Sweden
    72 CH, Switzerland
    58 DK, Denmark
    43 AT, Austria
    41 FI, Finland
    40 IE, Ireland
    38 PL, Poland
    37 BR, Brazil
    34 AU, Australia
    29 JP, Japan
    27 RU, Russia
    20 IT, Italy

IPv6 is still comparatively rare for MX hosts, and the top 20 countries
by DANE MX host IPv6 GeoIP are:

  1884 TOTAL
   711 DE, Germany
   314 NL, Netherlands
   217 FR, France
   165 US, United States
   121 CZ, Czechia
    72 GB, United Kingdom
    39 SE, Sweden
    36 RU, Russia
    31 CH, Switzerland
    22 AT, Austria
    19 CA, Canada
    15 IE, Ireland
    13 NO, Norway
    11 SI, Slovenia
    11 AU, Australia
    10 FI, Finland
    10 DK, Denmark
    10 BR, Brazil
     5 LT, Republic of Lithuania
     5 IT, Italy

There are 4505 unique zones in which the underlying MX hosts are found.
This counts each of the above providers as just one zone, so is a
measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 6827. These cover
7282 distinct MX hosts (some MX hosts share the same TLSA records through
CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 255 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).
Of these, 136 are in recent (last 90 days of) reports:

  univie.ac.at             posteo.de              mailplus.nl
  gmx.at                   ruhr-uni-bochum.de     markteffectmail.nl
  transip.be               tum.de                 minbzk.nl
  nic.br                   uni-erlangen.de        mm1.nl
  registro.br              uni-muenchen.de        ouderportaal.nl
  gmx.ch                   unitybox.de            overheid.nl
  open.ch                  unitymedia.de          pathe.nl
  anubisnetworks.com       web.de                 photofacts.nl
  fmc-na.com               egmontpublishing.dk    politie.nl
  gmx.com                  netic.dk               previder.nl
  habr.com                 tilburguniversity.edu  rijksoverheid.nl
  hotelsinduitsland.com    web200.eu              rotterdam.nl
  kpn.com                  zone.eu                rvo.nl
  mail.com                 ac-strasbourg.fr       specsaversrelation.nl
  one.com                  insee.fr               ssonet.nl
  solvinity.com            octopuce.fr            transip.nl
  t-2.com                  web200.hu              truetickets.nl
  telfort.com              247superhost.net       utwente.nl
  trashmail.com            comcast.net            uvt.nl
  xfinity.com              dd24.net               xs4all.nl
  xfinityhomesecurity.com  dns-oarc.net           domeneshop.no
  xfinitymobile.com        gmx.net                handelsbanken.no
  active24.cz              habramail.net          uib.no
  atlas.cz                 hr-manager.net         webcruitermail.no
  centrum.cz               inexio.net             atelkamera.nu
  cuni.cz                  mpssec.net             aegee.org
  itesco.cz                procurios.net          debian.org
  klubpevnehozdravi.cz     riseup.net             freebsd.org
  nic.cz                   t-2.net                gentoo.org
  onebit.cz                transip.net            ietf.org
  server4u.cz              transversal.net        isc.org
  smtp.cz                  vevida.net             netbsd.org
  virusfree.cz             xs4all.net             openssl.org
  volny.cz                 xworks.net             ozlabs.org
  allsecur.de              belastingdienst.nl     samba.org
  bayern.de                bhosted.nl             torproject.org
  bund.de                  bluerail.nl            asf.com.pt
  elster.de                boekwinkeltjes.nl      moikrug.ru
  fau.de                   corpoflow.nl           boplatssyd-automail.se
  freenet.de               denhaag.nl             handelsbanken.se
  gmx.de                   dictu.nl               minmyndighetspost.se
  jpberlin.de              digid.nl               personligalmanacka.se
  kabelmail.de             hierinloggen.nl        skatteverket.se
  lrz.de                   hr.nl                  govtrack.us
  mail.de                  interconnect.nl
  mensa.de                 intermax.nl

Of the ~1.18 million domains, 2533 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 615. Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts. A
partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

  https://dane.sys4.de/common_mistakes
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 759. The top 10
name server operators with problem domains are:

  174 mijnhostingpartner.nl
   40 metaregistrar.nl
   34 tiscomhosting.nl
   34 movenext.nl
   34 dotserv.com
   31 nrdns.nl
   20 sylconia.nl
   14 is.nl
   12 dnscluster.nl
   11 vultr.com

[ Both epik.com and binero.se have resolved all issues since last month.
  And mijnhostingpartner.nl is making great progress; if the root cause
  is resolved this month, this could be the last time they're mentioned
  here in a negative light. Eight of the ten problem providers are Dutch.
  It would be great if SIDN could apply some carrot and stick to incent
  .NL hosting providers to have correctly working DNSSEC
  implementations. ]

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Nine of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  key.com
  keybank.com
  sauditelecom.com.sa
  bog.gov.sa

-- 
  Viktor.

[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email). However, provided the
    dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed), there's no loss of
    security.
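Editor's added example (not code from this message, and not Viktor's survey tooling): the two appeals above (monitor the published TLSA RRset against the chain the MX host actually serves; roll keys without a window in which a cached RRset matches nothing) and footnote [1] (a dead host's records only need to be well-formed and usable) all reduce to the TLSA matching rules of RFC 6698/7671. The Python below pulls SubjectPublicKeyInfo out of a DER certificate with a minimal ASN.1 walker, computes certificate association data for selectors 0/1 and matching types 0/1/2, checks a presented chain against an RRset, applies the SMTP usability rules, and refuses a rollover that would leave either the live chain or the next chain unmatched. The certificates are constructed, unsigned placeholders with just enough structure for the walker; on a real MX host the DER would come from `ssl.PEM_cert_to_DER_cert()` applied to the output of `openssl s_client -starttls smtp -connect mx.example:25 -showcerts`, and the RRset from a DNSSEC-validating resolver.

```python
"""TLSA association data, chain matching and a pre-rollover check (added example)."""
import hashlib
from dataclasses import dataclass
from typing import List, Set

# ---- minimal DER walker: just enough to locate SubjectPublicKeyInfo in a certificate ----

def der_header(blob: bytes, off: int = 0):
    """(tag, header length, content length) of the DER element starting at blob[off]."""
    tag, first = blob[off], blob[off + 1]
    if first < 0x80:                      # short-form length
        return tag, 2, first
    n = first & 0x7F                      # long form: next n bytes hold the length
    return tag, 2 + n, int.from_bytes(blob[off + 2:off + 2 + n], "big")

def der_children(element: bytes) -> List[bytes]:
    """Child elements (full TLV bytes each) of a constructed DER element."""
    _, hlen, clen = der_header(element)
    content, off, out = element[hlen:hlen + clen], 0, []
    while off < len(content):
        _, chlen, cclen = der_header(content, off)
        out.append(content[off:off + chlen + cclen])
        off += chlen + cclen
    return out

def spki_of(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo of an X.509 certificate. RFC 5280 4.1: TBSCertificate is
    [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, SPKI, ..."""
    fields = der_children(der_children(cert_der)[0])
    if fields[0][0] == 0xA0:              # explicit [0] version is present, skip it
        fields = fields[1:]
    return fields[5]

# ---- TLSA records (RFC 6698 / RFC 7671), SMTP profile (RFC 7672) ----

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE; PKIX-TA(0)/PKIX-EE(1) are not usable for SMTP (RFC 7672 3.1)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: str       # certificate association data, lowercase hex

    @classmethod
    def parse(cls, rdata: str) -> "TLSA":
        """Presentation format, e.g. '3 1 1 ab12...'; whitespace inside the hex is allowed."""
        u, s, m, *hexparts = rdata.split()
        return cls(int(u), int(s), int(m), "".join(hexparts).lower())

def usable_for_smtp(rr: TLSA) -> bool:
    """Well-formed and usable by an SMTP client: known usage/selector/matching type and hex
    data of the right length. A deliberately dead MX host only needs records that pass this."""
    if rr.usage not in (2, 3) or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        return False
    try:
        bytes.fromhex(rr.data)            # rejects odd length and non-hex characters
    except ValueError:
        return False
    return {0: len(rr.data) > 0, 1: len(rr.data) == 64, 2: len(rr.data) == 128}[rr.mtype]

def association_data(cert_der: bytes, selector: int, mtype: int) -> str:
    """The hex string a TLSA record must carry to match this certificate."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    obj = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return obj.hex()
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(obj).hexdigest()

def matching_records(chain: List[bytes], rrset: List[TLSA]) -> Set[TLSA]:
    """Records in rrset satisfied by a presented chain (chain[0] is the MX host's own cert).
    DANE-EE(3) must match the end-entity cert; DANE-TA(2) matches a trust-anchor cert that
    appears in the chain (the PKIX path check from the EE up to that TA is omitted here).
    Unusable records are skipped, as an SMTP client skips them."""
    matched = set()
    for rr in rrset:
        if not usable_for_smtp(rr):
            continue
        candidates = chain[:1] if rr.usage == 3 else chain
        if any(association_data(c, rr.selector, rr.mtype) == rr.data for c in candidates):
            matched.add(rr)
    return matched

def rollover_is_safe(published: List[TLSA], live_chain: List[bytes], next_chain: List[bytes]) -> bool:
    """RFC 7671 8.1/8.4 as one predicate: the RRset a remote resolver may still have cached
    must match the chain served now AND the chain about to be installed. Publish the new
    record, wait out the old RRset's TTL, swap the chain, wait another TTL, then drop the old record."""
    return bool(matching_records(live_chain, published)) and bool(matching_records(next_chain, published))

# ---- constructed placeholder certificates (NOT real X.509: unsigned, empty names) ----

def _tlv(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    nbytes = (n.bit_length() + 7) // 8
    return bytes([tag, 0x80 | nbytes]) + n.to_bytes(nbytes, "big") + content

def fake_cert(key_bytes: bytes) -> bytes:
    rsa_oid = _tlv(0x06, bytes.fromhex("2a864886f70d010101"))   # rsaEncryption, 1.2.840.113549.1.1.1
    spki = _tlv(0x30, _tlv(0x30, rsa_oid) + _tlv(0x03, b"\x00" + key_bytes))
    empty = _tlv(0x30, b"")                                      # stand-ins for signature/issuer/validity/subject
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + empty * 4 + spki)
    return _tlv(0x30, tbs + empty + _tlv(0x03, b"\x00"))

OLD_CERT = fake_cert(b"old-key-placeholder-bytes" * 2)   # constructed, not a real key
NEW_CERT = fake_cert(b"new-key-placeholder-bytes" * 2)
OLD_RR = TLSA.parse("3 1 1 " + association_data(OLD_CERT, 1, 1))   # "3 1 1" is the usual SMTP choice
NEW_RR = TLSA.parse("3 1 1 " + association_data(NEW_CERT, 1, 1))

if __name__ == "__main__":
    print("only old record published :", rollover_is_safe([OLD_RR], [OLD_CERT], [NEW_CERT]))          # False
    print("old + new published       :", rollover_is_safe([OLD_RR, NEW_RR], [OLD_CERT], [NEW_CERT]))  # True
    print("dead-host record usable   :", usable_for_smtp(TLSA.parse("3 1 1 " + "00" * 32)))           # True
```

The first `print` is the failure mode that gets a domain onto the danefail list: the new certificate goes live while the RRset (and every cache of it) still carries only the old digest. Running `rollover_is_safe` as a pre-deployment gate, and `matching_records` as a periodic monitor over the chain the MX host really serves, catches both that and the silent drift of "neglected outdated" records.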