From ietf-dane at dukhovni.org Fri Mar 1 08:04:58 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 1 Mar 2019 02:04:58 -0500
Subject: Update on stats 2019-02
Message-ID: <20190301070458.GK911@straasha.imrryr.org>

Summary:

    The DANE domain count is now 1,076,237

    The number of domains that return DNSSEC-validated replies in
    response to MX queries is 9,397,166.

    Thus DANE TLSA is deployed on 11.45% of domains with DNSSEC.

Credits:

    The coverage of DNSSEC domains continues to improve with ongoing
    data support from Paul Vixie of Farsight Security. Credits are
    also due to ICANN for gTLD data via CZDS, and to the TLD registries
    for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.
    More data sources of ccTLD signed delegations welcome.

As of today I count 1,076,237 domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections [1]. As expected, the
bulk of the DANE domains are hosted by the DNS/email hosting providers
who've enabled DANE support for the customer domains they host. The top
20 MX host providers by domain count are:

    679515 one.com
    121564 transip.nl
     96967 domeneshop.no
     35708 active24.com
     32613 vevida.com
     24067 udmedia.de
     12902 onebit.cz
     10954 bhosted.nl
      5628 previder.nl
      3591 interconnect.nl
      2499 provalue.nl
      2361 nederhost.nl
      1653 nmugroup.com
      1460 yourdomainprovider.net
      1330 hi7.de
      1316 prolocation.net
      1285 xcellerate.nl
      1261 surfmailfilter.nl
      1101 soverin.net
       827 mailbox.org

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    4801 TOTAL
    1629 DE, Germany
    1001 US, United States
     658 NL, Netherlands
     356 FR, France
     188 GB, United Kingdom
     161 CZ, Czechia
      97 CA, Canada
      78 SG, Singapore
      68 CH, Switzerland
      64 SE, Sweden
      47 DK, Denmark
      43 IE, Ireland
      42 BR, Brazil
      38 AT, Austria
      36 AU, Australia
      30 FI, Finland
      26 PL, Poland
      26 JP, Japan
      24 RU, Russia
      18 NO, Norway

IPv6 is still comparatively rare for MX hosts, and the top 20 countries
by DANE MX host IPv6 GeoIP are:

    1834 TOTAL
     664 DE, Germany
     320 NL, Netherlands
     207 FR, France
     162 US, United States
     117 CZ, Czechia
      82 GB, United Kingdom
      35 SE, Sweden
      32 RU, Russia
      30 CH, Switzerland
      23 CA, Canada
      20 AT, Austria
      13 IE, Ireland
      12 DK, Denmark
      11 NO, Norway
      11 AU, Australia
       9 SI, Slovenia
       9 FI, Finland
       8 UA, Ukraine
       6 IT, Italy
       5 SK, Slovakia

There are 4032 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 5941. These cover
6373 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 225 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).
Of these, 113 are in recent (last 90 days of) reports:

    univie.ac.at             posteo.de                ouderportaal.nl
    gmx.at                   ruhr-uni-bochum.de       overheid.nl
    nic.br                   tu-darmstadt.de          pathe.nl
    registro.br              tum.de                   photofacts.nl
    gmx.ch                   uni-erlangen.de          photofactsacademy.nl
    open.ch                  unitybox.de              politie.nl
    anubisnetworks.com       unitymedia.de            rijksoverheid.nl
    fmc-na.com               web.de                   ssonet.nl
    gmx.com                  dk-hostmaster.dk         transip.nl
    habr.com                 egmontpublishing.dk      truetickets.nl
    hotelsinduitsland.com    netic.dk                 utwente.nl
    kpn.com                  tilburguniversity.edu    uvt.nl
    mail.com                 dovecot.fi               xs4all.nl
    one.com                  insee.fr                 domeneshop.no
    solvinity.com            octopuce.fr              handelsbanken.no
    t-2.com                  web200.hu                webcruitermail.no
    telfort.com              comcast.net              atelkamera.nu
    trashmail.com            dd24.net                 aegee.org
    xfinity.com              gmx.net                  debian.org
    xfinityhomesecurity.com  habramail.net            freebsd.org
    xfinitymobile.com        hr-manager.net           gentoo.org
    active24.cz              inexio.net               ietf.org
    cuni.cz                  mpssec.net               isc.org
    itesco.cz                procurios.net            mailbox.org
    klubpevnehozdravi.cz     riseup.net               netbsd.org
    onebit.cz                t-2.net                  openssl.org
    smtp.cz                  transip.net              ozlabs.org
    virusfree.cz             vevida.net               samba.org
    allsecur.de              xs4all.net               torproject.org
    bayern.de                ardanta.nl               asf.com.pt
    bund.de                  atletiekunie.nl          handelsbanken.se
    elster.de                bhosted.nl               iis.se
    fau.de                   boozyshop.nl             minmyndighetspost.se
    freenet.de               hierinloggen.nl          personligalmanacka.se
    gmx.de                   interconnect.nl          skatteverket.se
    jpberlin.de              intermax.nl              t-2.si
    lrz.de                   mailplus.nl              govtrack.us
    mail.de                  minbzk.nl

Of the DANE email domains, 2014 are listed in the Alexa top 1 million
(web site) list.

Of the ~1.08 million domains, 2324 have "partial" TLSA records, that
cover only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 259.
Some of these have additional MX hosts that don't have broken TLSA
records, so mail can still arrive via the remaining MX hosts. A partial
list is available at:

    https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number
of "real" email domains with bad DNSSEC support stands at 525. The top
10 name server operators with problem domains are:

    35 dotserv.com
    34 tiscomhosting.nl
    31 schefczyk.net
    31 nrdns.nl
    30 sylconia.net
    25 metaregistrar.nl
    24 active24.cz (customer zones with broken wildcard cnames)
    21 nazwa.pl (customer zones with broken wildcard NS RRs)
    19 movenext.nl
    12 is.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Seven of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:

    trt01.gov.br
    trtrio.gov.br
    trt1.jus.br
    trtrj.jus.br
    accenturealumni.com
    rackeo.host
    sauditelecom.com.sa

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real
MTAs might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything,
just need to exist and be well-formed) there's no loss of security.
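The post's "partial" coverage count, the advice to monitor the validity of your own TLSA records, and the footnote's point that a dead MX host only needs well-formed TLSA records all reduce to two checks per MX host: is every record in the host's TLSA RRset well-formed (RFC 6698 field ranges, digest length consistent with the matching type), and does at least one record match the certificate the host actually presents. The following Python is an added example written for this page, not Viktor's survey code and not anything from the list or the linked resources. The MX hostnames under example.invalid, the key bytes and the TLSA records are constructed inline, and the "certificate" is a hand-built DER skeleton with the X.509 field order rather than a signed certificate, so the whole thing runs offline. Matching is implemented for DANE-EE(3) against the leaf; for DANE-TA(2) the same comparison is made against the issuing CA certificate in the server's chain, which the code notes but does not exercise.

```python
"""Offline SMTP DANE TLSA coverage check for one domain (added example)."""
import hashlib

DIGEST_LEN = {1: 32, 2: 64}  # matching type 1 = SHA2-256, 2 = SHA2-512; 0 = full data


def der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_seq(*parts):
    return der(0x30, b"".join(parts))


def tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, end); handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        n = first & 0x7F
        length, hdr = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), 2 + n
    start = pos + hdr
    return tag, buf[start:start + length], start + length


RSA_OID = der(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
SHA256_RSA_OID = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption


def toy_spki(pubkey_bits):
    """subjectPublicKeyInfo { algorithm, BIT STRING } around constructed key bytes."""
    return der_seq(der_seq(RSA_OID, der(0x05, b"")), der(0x03, b"\x00" + pubkey_bits))


def toy_cert(pubkey_bits):
    """Constructed, unsigned X.509 skeleton: real field order, dummy signature."""
    tbs = der_seq(
        der(0xA0, der(0x02, b"\x02")),                                 # [0] version v3
        der(0x02, b"\x01"),                                             # serialNumber
        der_seq(SHA256_RSA_OID, der(0x05, b"")),                        # signature
        der_seq(),                                                      # issuer (empty)
        der_seq(der(0x17, b"190101000000Z"), der(0x17, b"290101000000Z")),  # validity
        der_seq(),                                                      # subject (empty)
        toy_spki(pubkey_bits),                                          # subjectPublicKeyInfo
    )
    return der_seq(tbs, der_seq(SHA256_RSA_OID, der(0x05, b"")), der(0x03, b"\x00" * 9))


def extract_spki(cert_der):
    """Return the full DER encoding (tag+length+value) of the cert's SPKI, as selector 1 hashes it."""
    _, cert, _ = tlv(cert_der, 0)
    _, tbs, _ = tlv(cert, 0)
    fields, pos = [], 0
    while pos < len(tbs):
        start = pos
        tag, _, pos = tlv(tbs, start)
        fields.append((tag, tbs[start:pos]))
    # With the optional [0] version present the SPKI is the 7th TBS field, else the 6th.
    return fields[6 if fields[0][0] == 0xA0 else 5][1]


def parse_tlsa(rr):
    """Parse 'usage selector mtype hexdata'; ValueError if the record is not well-formed."""
    parts = rr.split()
    if len(parts) != 4:
        raise ValueError("TLSA needs 4 fields: %r" % rr)
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex(parts[3])
    if usage > 3 or selector > 1 or mtype > 2 or min(usage, selector, mtype) < 0:
        raise ValueError("field out of range: %r" % rr)
    if mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("digest length %d wrong for matching type %d" % (len(data), mtype))
    return usage, selector, mtype, data


def tlsa_matches(rr, cert_der):
    """DANE-EE(3) match of one record against the leaf certificate.
    For DANE-TA(2) the same comparison is made against the issuing CA cert in the chain."""
    usage, selector, mtype, data = parse_tlsa(rr)
    if usage != 3:
        raise NotImplementedError("only DANE-EE(3) is matched in this example")
    subject = cert_der if selector == 0 else extract_spki(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[mtype]
    return digest(subject) == data


def make_311(cert_der):
    """The '3 1 1' record to publish for a certificate (SPKI, SHA2-256)."""
    return "3 1 1 " + hashlib.sha256(extract_spki(cert_der)).hexdigest()


def coverage(mx_hosts, tlsa_by_host):
    """'full' if every MX host has >= 1 well-formed TLSA RR, 'partial' if only some,
    'none' otherwise; also returns the malformed (host, rr) pairs found."""
    ok, bad = [], []
    for host in mx_hosts:
        good = 0
        for rr in tlsa_by_host.get(host, []):
            try:
                parse_tlsa(rr)
                good += 1
            except ValueError:
                bad.append((host, rr))
        if good:
            ok.append(host)
    status = "full" if len(ok) == len(mx_hosts) else ("partial" if ok else "none")
    return status, ok, bad


if __name__ == "__main__":
    # Constructed data: three hypothetical MX hosts for example.invalid.
    cert_mx1, old_cert = toy_cert(b"\x01" * 32), toy_cert(b"\x02" * 32)
    mx = ["mx1.example.invalid", "mx2.example.invalid", "mx3.example.invalid"]
    tlsa = {"mx1.example.invalid": [make_311(cert_mx1), make_311(old_cert)],  # current + pre-rotation key
            "mx2.example.invalid": ["3 1 1 deadbeef"]}                         # wrong digest length
    # mx3 has no TLSA RRset at all, so the domain counts as "partial".
    print(coverage(mx, tlsa))
    print(tlsa_matches(make_311(cert_mx1), cert_mx1), tlsa_matches(make_311(old_cert), cert_mx1))
```

To run this against a real domain, replace the constructed inputs with the MX RRset, each host's TLSA RRset (from a validating resolver, with the AD bit checked) and the DER leaf certificate obtained after STARTTLS; the parsing and matching logic is unchanged. Note that a host whose records are all well-formed but none of which match the presented certificate is exactly the "incorrect TLSA records" case the post counts, and that keeping the old key's record published alongside the new one during rotation, as mx1 does above, is what lets a rollover pass this check at every step.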