From ietf-dane at dukhovni.org Fri Nov 1 19:43:13 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 1 Nov 2019 14:43:13 -0400
Subject: Update on stats 2019-10
Message-ID: <20191101184313.GI70610@straasha.imrryr.org>

Summary: The DANE domain count is now 1,496,391

A significant portion of this month's domain count increase is a result
of one.com signing a large number of .DK domains, 120 thousand and
counting.  Thank you one.com.

The number of domains that return DNSSEC-validated replies in response
to MX queries is 10,133,312.  Thus DANE TLSA is deployed on ~14.76% of
domains with DNSSEC.

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data
support from Paul Vixie of Farsight Security.  Credits also due to ICANN
for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK,
.FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data sources of
ccTLD signed delegations welcome.

As of today I count 1,496,391 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are:

    862263 one.com
    131061 transip.nl
     98911 domeneshop.no
     88102 loopia.se
     36969 active24.com
     31854 vevida.com
     26514 web4u.cz
     24392 udmedia.de
     17203 bhosted.nl
     16582 zxcs.nl
     15626 flexfilter.nl
     13333 onebit.cz
      7765 protonmail.ch
      5972 netzone.ch
      5608 previder.nl
      4683 mailplatform.eu
      3623 ips.nl
      3202 interconnect.nl
      2578 provalue.nl
      2321 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

    5760 TOTAL
    1938 DE, Germany
    1159 US, United States
     834 NL, Netherlands
     417 FR, France
     236 GB, United Kingdom
     190 CZ, Czechia
     117 CA, Canada
      96 SG, Singapore
      80 CH, Switzerland
      76 SE, Sweden
      58 FI, Finland
      58 DK, Denmark
      48 AT, Austria
      46 IE, Ireland
      37 PL, Poland
      35 JP, Japan
      33 AU, Australia
      29 RU, Russia
      29 BR, Brazil
      24 IT, Italy

IPv6 is less common than IPv4 for MX hosts (but improved IPv6
connectivity on my end this month finds more IPv6 DANE MTAs), and the
top 20 countries by DANE MX host IPv6 GeoIP are:

    2975 TOTAL
    1220 DE, Germany
     510 US, United States
     422 NL, Netherlands
     244 FR, France
     105 CZ, Czechia
      95 GB, United Kingdom
      41 SE, Sweden
      36 CH, Switzerland
      35 SG, Singapore
      28 CA, Canada
      26 AT, Austria
      25 RU, Russia
      24 JP, Japan
      19 IE, Ireland
      16 DK, Denmark
      14 SI, Slovenia
      13 NO, Norway
      12 FI, Finland
      12 BR, Brazil
      11 ID, Indonesia

There are 4865 unique zones in which the underlying MX hosts are found,
this counts each of the above providers as just one zone, so is a
measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 7418.  These cover
8194 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 275 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these, 142 are in
recent (last 90 days of) reports:

    univie.ac.at gmx.at
    nic.br registro.br
    buymyweedonline.ca
    gmx.ch open.ch protonmail.ch
    anubisnetworks.com fmc-na.com gmx.com habr.com hotelsinduitsland.com
    kpn.com mail.com mammoetmail.com metafaq.com one.com protonmail.com
    solvinity.com t-2.com telfort.com trashmail.com xfinity.com
    xfinityhomesecurity.com xfinitymobile.com
    active24.cz atlas.cz centrum.cz cuni.cz klubpevnehozdravi.cz
    onebit.cz optimail.cz smtp.cz virusfree.cz volny.cz web4u.cz
    allsecur.de bayern.de bund.de elster.de fau.de freenet.de gmx.de
    jpberlin.de lc-srv.de lrz.de mail.de mensa.de posteo.de
    ruhr-uni-bochum.de tum.de uni-erlangen.de uni-muenchen.de
    unitybox.de unitymedia.de web.de
    egmontpublishing.dk netic.dk
    tilburguniversity.edu
    web200.eu zone.eu
    ac-strasbourg.fr octopuce.fr
    web200.hu
    247superhost.net comcast.net dns-oarc.net gmx.net habramail.net
    hr-manager.net inexio.net mpssec.net procurios.net riseup.net
    t-2.net transip.net transversal.net vevida.net xs4all.net
    belastingdienst.nl bhosted.nl billybird.nl bluerail.nl boozyshop.nl
    corpoflow.nl dictu.nl digid.nl digistate.nl ezorg.nl fontys.nl
    hr.nl hro.nl intermax.nl kingsquare.nl mailplus.nl minbzk.nl mm1.nl
    ouderportaal.nl overheid.nl parlement.nl pathe.nl photofacts.nl
    photofactsacademy.nl politie.nl previder.nl rijksoverheid.nl rvo.nl
    schoudercom.nl schuurman-schoenen.nl ssonet.nl truetickets.nl
    tweedekamer.nl uitgeverijpica.nl utwente.nl uvt.nl xs4all.nl
    domeneshop.no handelsbanken.no uib.no webcruitermail.no
    atelkamera.nu
    debian.org freebsd.org gentoo.org ietf.org isc.org netbsd.org
    openssl.org ozlabs.org samba.org torproject.org whatpulse.org
    moikrug.ru
    boplatssyd-automail.se handelsbanken.se loopia.se
    minmyndighetspost.se personligalmanacka.se skatteverket.se
    theletter.se
    govtrack.us

Of the ~1.49 million domains, 3142 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 393.  Some of these have additional MX hosts that don't have
broken TLSA records, so mail can still arrive via the remaining MX
hosts.  A partial list is available at:

    https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 988.  The top 10
name server operators with problem domains are:

    255 mijnhostingpartner.nl
     59 egensajt.se
     48 movenext.nl
     43 metaregistrar.nl
     33 tiscomhosting.nl
     30 nrdns.nl
     29 webscale.co.za
     26 hostnet.nl
     21 sylconia.net
     14 is.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt01.gov.br
    trtrio.gov.br
    trt1.jus.br
    trtrj.jus.br
    mobily.com.sa
    sauditelecom.com.sa
    bog.gov.sa

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

From dennis at baaten.com Fri Nov 22 14:54:56 2019
From: dennis at baaten.com (Dennis Baaten)
Date: Fri, 22 Nov 2019 14:54:56 +0100
Subject: DANE blog and how-to
Message-ID: <000701d5a13c$6c597790$450c66b0$@baaten.com>

Hi all,

For those considering DANE or working on implementing DANE:

* Learn about the advantages of DANE by reading our newest blog post:
  https://blog.apnic.net/2019/11/20/better-mail-security-with-dane-for-smtp/

* Check our how-to for tips and tricks on implementing DANE and other
  mail standards:
  https://github.com/internetstandards/toolbox-wiki/

Thanks,
Dennis

-- 
ir. Dennis Baaten CISSP
Security | Privacy | Ethical Hacking
+31 (0)6 212 56 959
dennis at baaten.com

Baaten ICT Security
https://www.baaten.com
KvK: 62077651
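The two messages above touch on four failure classes that a DANE monitor has to tell apart: TLSA records that are malformed, records that no longer match the presented key (typically after a rotation without pre-publishing the new record), hosts that publish TLSA but never offer STARTTLS, and "partial" deployments where only some MX hosts have records; the footnote adds that a deliberately dead MX host is harmless as long as its records are well-formed. The script below, an added example written for this archive page and not code from the dane-users list or either poster, models exactly those cases offline with the standard library: a minimal DER walker to pull the subjectPublicKeyInfo out of a certificate (what a `3 1 1` record hashes), a TLSA parser that enforces the RFC 6698 field ranges and digest lengths, matching for DANE-EE(3) and DANE-TA(2), and a per-domain classifier that mirrors the survey's ok/partial/broken buckets. All host names, keys and certificates are constructed test data; `fake_cert` builds an unsigned X.509 skeleton, so nothing here verifies signatures, and a real monitor would fetch the TLSA RRset through a DNSSEC-validating resolver and the chain via STARTTLS instead.

```python
"""Offline SMTP DANE check: TLSA well-formedness, matching against a certificate chain,
and per-domain classification. Added example (stdlib only), not code from the list."""
import hashlib


def der(tag, body):
    """One DER TLV with definite length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _hdr(buf, i):
    """(header length, body length) of the DER TLV starting at buf[i]."""
    first = buf[i + 1]
    if first < 0x80:
        return 2, first
    return 2 + (first & 0x7F), int.from_bytes(buf[i + 2:i + 2 + (first & 0x7F)], "big")


def der_children(tlv):
    """Immediate child TLVs of a constructed DER element."""
    hdr, n = _hdr(tlv, 0)
    body, out, i = tlv[hdr:hdr + n], [], 0
    while i < len(body):
        h, ln = _hdr(body, i)
        out.append(body[i:i + h + ln])
        i += h + ln
    return out


def spki_der(cert):
    """subjectPublicKeyInfo of a DER certificate (RFC 5280): what selector 1 hashes."""
    fields = der_children(der_children(cert)[0])   # tbsCertificate
    if fields[0][0] == 0xA0:                       # v2/v3: EXPLICIT [0] version comes first
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, subjectPublicKeyInfo


def fake_cert(subject, key, version3=True):
    """Structurally valid, unsigned X.509 skeleton (constructed test data, not a real cert)."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, subject.encode()))))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))
               + der(0x03, b"\x00" + key))
    validity = der(0x30, der(0x17, b"191101000000Z") + der(0x17, b"201101000000Z"))
    version = [der(0xA0, der(0x02, b"\x02"))] if version3 else []
    tbs = der(0x30, b"".join(version + [der(0x02, b"\x01"), alg, name, validity, name, spki]))
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 33))


DIGEST_LEN = {1: 32, 2: 64}   # matching type -> digest length; type 0 carries the full data

def parse_tlsa(rr):
    """Parse '<usage> <selector> <mtype> <hex>' (RFC 6698); ValueError unless well-formed."""
    parts = rr.split()
    if len(parts) < 4:
        raise ValueError("TLSA needs four fields: " + rr)
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex("".join(parts[3:]))
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter in: " + rr)
    if len(data) != DIGEST_LEN.get(mtype, len(data)):
        raise ValueError("digest length does not fit matching type in: " + rr)
    return usage, selector, mtype, data


def _assoc(cert, selector, mtype):
    """Certificate association data: full cert or SPKI, raw or hashed."""
    blob = cert if selector == 0 else spki_der(cert)
    return {0: blob, 1: hashlib.sha256(blob).digest(), 2: hashlib.sha512(blob).digest()}[mtype]


def tlsa_for(cert, usage=3, selector=1, mtype=1):
    """Presentation-format record to publish; '3 1 1' is the usual SMTP choice."""
    return "%d %d %d %s" % (usage, selector, mtype, _assoc(cert, selector, mtype).hex())


def tlsa_matches(record, chain):
    """Does one parsed record match the chain the server presented (leaf first)?"""
    usage, selector, mtype, data = record
    if usage in (0, 1):     # PKIX-TA / PKIX-EE: RFC 7672 treats them as unusable for SMTP
        return False
    # DANE-EE(3): leaf only. DANE-TA(2): an issuer in the presented chain; a real client
    # must then also verify the chain's signatures up to that trust anchor.
    candidates = chain[:1] if usage == 3 else chain[1:]
    return any(_assoc(c, selector, mtype) == data for c in candidates)


def assess_domain(mx_hosts):
    """'ok', 'partial', 'broken' or 'none' for {host: (TLSA strings or None, chain)}.
    chain None = host never answers (deliberately dead MX); [] = answers without STARTTLS."""
    covered = broken = 0
    for rrs, chain in mx_hosts.values():
        if not rrs:
            continue                     # no TLSA for this host: left unprotected
        try:
            records = [parse_tlsa(rr) for rr in rrs]
        except ValueError:
            broken += 1                  # malformed record
            continue
        if chain is None:                # down: nothing to verify, nothing to downgrade
            covered += 1
        elif chain and any(tlsa_matches(r, chain) for r in records):
            covered += 1
        else:                            # no STARTTLS, or key rotated and record not updated
            broken += 1
    if not covered and not broken:
        return "none"
    return "broken" if broken else "ok" if covered == len(mx_hosts) else "partial"


# Constructed scenarios: not real hosts, keys or records.
KEY_A, KEY_B, KEY_CA = bytes(range(1, 33)), bytes(range(33, 65)), bytes(range(65, 97))
LEAF = fake_cert("mx1.example.net", KEY_A)        # key currently in use
OLD_LEAF = fake_cert("mx1.example.net", KEY_B)    # key before the last rotation
CA = fake_cert("Example Mail CA", KEY_CA)
DOMAIN_OK = {"mx1.example.net": ([tlsa_for(LEAF)], [LEAF, CA]),
             "mx9.example.net": (["3 1 1 " + "00" * 32], None)}     # dead backup, well-formed TLSA
DOMAIN_PARTIAL = {"mx1.example.net": ([tlsa_for(LEAF)], [LEAF, CA]),
                  "mx2.example.net": (None, [OLD_LEAF, CA])}        # secondary without TLSA
DOMAIN_BROKEN = {"mx1.example.net": ([tlsa_for(OLD_LEAF)], [LEAF, CA]),  # stale record after rotation
                 "mx2.example.net": ([tlsa_for(OLD_LEAF)], [])}          # TLSA, but no STARTTLS
DOMAIN_ROTATING = {"mx1.example.net": ([tlsa_for(OLD_LEAF), tlsa_for(LEAF)], [LEAF, CA])}  # both keys
```

`DOMAIN_ROTATING` is the shape RFC 7671 section 8.4 asks for: the record for the next key is published alongside the current one before the server switches, so the domain stays "ok" through the rotation, whereas `DOMAIN_BROKEN` is what ends up on the danefail list. Swap the constructed `LEAF`/`CA` for the DER chain captured from a real MX host and the `tlsa_for` output for its published RRset and the same functions serve as a monitoring check.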