From ietf-dane at dukhovni.org Wed May 1 23:54:54 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Wed, 1 May 2019 17:54:54 -0400
Subject: Update on stats 2019-04
Message-ID: <20190501215453.GA67459@straasha.imrryr.org>

Summary:

The DANE domain count is now 1,122,806

The number of domains that return DNSSEC-validated replies in response
to MX queries is 9,596,909. Thus DANE TLSA is deployed on 11.69% of
domains with DNSSEC.

Appeal:

The number of domains with neglected outdated TLSA records has grown
to ~500. PLEASE *monitor* your deployment, and implement a cert/key
rollover process that does not (even temporarily) disrupt the validity
of your certificate chain as compared to the published (cached) TLSA
records:

  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

If you're willing and able to help reach out to the operators of MX
hosts with misconfigured TLSA RRsets, please get in touch.

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data
support from Paul Vixie of Farsight Security. Credits also due to ICANN
for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK,
.FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of
ccTLD signed delegations welcome.

As of today I count 1,122,806 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.
The top 20 MX host providers by domain count are:

  684247 one.com
  124234 transip.nl
   96829 domeneshop.no
   36048 active24.com
   32637 vevida.com
   24093 udmedia.de
   15998 flexfilter.nl
   13011 onebit.cz
   11310 zxcs.nl
   10924 bhosted.nl
    5995 netzone.ch
    5642 previder.nl
    3876 ips.nl
    3434 interconnect.nl
    2487 provalue.nl
    2331 nederhost.nl
    1630 nmugroup.com
    1431 yourdomainprovider.net
    1323 hi7.de
    1311 xcellerate.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  5123 TOTAL
  1710 DE, Germany
  1055 US, United States
   689 NL, Netherlands
   393 FR, France
   218 GB, United Kingdom
   177 CZ, Czechia
   111 CA, Canada
    84 SG, Singapore
    71 CH, Switzerland
    70 SE, Sweden
    55 DK, Denmark
    46 IE, Ireland
    39 AU, Australia
    39 AT, Austria
    37 FI, Finland
    37 BR, Brazil
    30 PL, Poland
    26 RU, Russia
    24 JP, Japan
    20 NO, Norway

IPv6 is still comparatively rare for MX hosts, and the top 20 countries
by DANE MX host IPv6 GeoIP are:

  1897 TOTAL
   721 DE, Germany
   315 NL, Netherlands
   226 FR, France
   140 US, United States
   115 CZ, Czechia
    81 GB, United Kingdom
    44 SE, Sweden
    30 CH, Switzerland
    27 CA, Canada
    24 RU, Russia
    20 AT, Austria
    16 IE, Ireland
    14 NO, Norway
    12 SI, Slovenia
    11 AU, Australia
    10 FI, Finland
     9 UA, Ukraine
     9 DK, Denmark
     7 PL, Poland
     7 BE, Belgium

There are 4334 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so is a
measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 6402. These cover
6840 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).
The number of domains that at some point were listed in Gmail's email
transparency report is 234 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain). Of these, 122 are in
recent (last 90 days of) reports.

Of the ~1.12 million domains, 2494 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 567. Some of these have additional MX hosts that don't have
broken TLSA records, so mail can still arrive via the remaining MX
hosts. A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

  https://dane.sys4.de/common_mistakes
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number
of "real" email domains with bad DNSSEC support stands at 729. The top
10 name server operators with problem domains are:

  194 mijnhostingpartner.nl
   38 metaregistrar.nl
   34 tiscomhosting.nl
   33 dotserv.com
   32 binero.se
   31 nrdns.nl
   29 movenext.nl
   26 sylconia.net
   26 active24.cz
   16 nazwa.pl

[ All issues at last month's #2 epik.com are now resolved. Their prompt
  attention and action is appreciated.

  Around half of the mijnhostingpartner.nl domains err only in having
  an extraneous 512-bit RSA ZSK for algorithm 7 which is not used to
  sign the zone, but leaves the door open to attacks. It also violates
  a requirement for each algorithm in the DNSKEY RRset to have at least
  one active key. Violation of the algorithm agility requirement is
  unlikely to cause interoperability problems in this particular case,
  but given the needlessly weak keys, I've decided to continue to track
  these until all the extraneous keys are gone. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage possible.
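As an added example (not code from the original post), the following standard-library Python audit applies the two checks from the bracketed note above to a DNSKEY RRset: every algorithm present in the RRset must have at least one key that actually signs the zone, and RSA keys below 1024 bits are flagged as weak. The DNSKEY values and the (key tag, algorithm) pairs taken from the zone's RRSIGs are constructed sample data, not records from any named operator.

```python
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class DNSKEY:
    flags: int        # 256 = ZSK, 257 = KSK (SEP bit set)
    protocol: int     # always 3 for DNSSEC
    algorithm: int    # e.g. 7 = RSASHA1-NSEC3-SHA1, 8 = RSASHA256
    pubkey: bytes     # public key field of the RDATA; RFC 3110 encoding for RSA


RSA_ALGORITHMS = {5, 7, 8, 10}


def key_tag(key: DNSKEY) -> int:
    """Key tag over the DNSKEY RDATA, as in RFC 4034 Appendix B."""
    rdata = struct.pack("!HBB", key.flags, key.protocol, key.algorithm) + key.pubkey
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def rsa_modulus_bits(pubkey: bytes) -> int:
    """Modulus size of an RFC 3110 RSA key (1-byte or 3-byte exponent length prefix)."""
    if pubkey[0] == 0:
        exp_len, offset = struct.unpack("!H", pubkey[1:3])[0], 3
    else:
        exp_len, offset = pubkey[0], 1
    return int.from_bytes(pubkey[offset + exp_len:], "big").bit_length()


def audit_dnskeys(dnskeys, signing_keys, min_rsa_bits=1024):
    """signing_keys: set of (key_tag, algorithm) pairs observed in the zone's RRSIGs."""
    findings = []
    for alg in sorted({k.algorithm for k in dnskeys}):
        if not any(a == alg for _, a in signing_keys):
            findings.append(f"algorithm {alg}: present in DNSKEY RRset but no RRSIG uses it")
    for k in dnskeys:
        if k.algorithm in RSA_ALGORITHMS and rsa_modulus_bits(k.pubkey) < min_rsa_bits:
            findings.append(f"key tag {key_tag(k)} (alg {k.algorithm}): "
                            f"RSA modulus only {rsa_modulus_bits(k.pubkey)} bits")
    return findings


# Constructed sample data: exponent 65537; moduli are filler bytes with the top bit set.
EXP = b"\x03\x01\x00\x01"
ZSK_2048 = DNSKEY(256, 3, 8, EXP + b"\x80" + b"\x5a" * 255)   # the key that signs the zone
ZSK_512 = DNSKEY(256, 3, 7, EXP + b"\x80" + b"\x5a" * 63)     # extraneous weak alg-7 key
SAMPLE_RRSET = [ZSK_2048, ZSK_512]
SAMPLE_SIGNERS = {(key_tag(ZSK_2048), 8)}                     # only the alg-8 key appears in RRSIGs

if __name__ == "__main__":
    for line in audit_dnskeys(SAMPLE_RRSET, SAMPLE_SIGNERS):
        print(line)
```

On the sample RRset the audit reports both the unused algorithm 7 and the 512-bit modulus; once an RRSIG made with the algorithm-7 key is added to the signer set, only the weak-key finding remains.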
Seven of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:

  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  accenturealumni.com
  rackeo.host
  sauditelecom.com.sa

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real
MTAs might persist. I am not a fan of this type of defence (it can
also impose undue latency on legitimate email). However, provided the
dead hosts still have TLSA records (which don't need to match anything,
just need to exist and be well-formed), there's no loss of security.