From ietf-dane at dukhovni.org Tue Oct 1 04:10:17 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 30 Sep 2019 22:10:17 -0400
Subject: Update on stats 2019-09
Message-ID: <20191001021017.GE70610@straasha.imrryr.org>

Summary:

The DANE domain count is now 1,334,411

A significant portion of this month's domain count increase is a result of new DANE TLSA records at loopia.se, serving just over 88 thousand domains. Thank you loopia.se.

The number of domains that return DNSSEC-validated replies in response to MX queries is 9,997,451. Thus DANE TLSA is deployed on ~13.34% of domains with DNSSEC.

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 1,334,411 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are:

   741311 one.com
   130008 transip.nl
    98598 domeneshop.no
    88127 loopia.se
    36931 active24.com
    31978 vevida.com
    26891 web4u.cz
    24424 udmedia.de
    17089 bhosted.nl
    15705 zxcs.nl
    15680 flexfilter.nl
    13349 onebit.cz
     7394 protonmail.ch
     5978 netzone.ch
     5626 previder.nl
     4678 mailplatform.eu
     3635 ips.nl
     3279 interconnect.nl
     2578 provalue.nl
     2214 nederhost.nl

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  6227 TOTAL
  1964 DE, Germany
  1397 US, United States
   879 NL, Netherlands
   436 FR, France
   284 GB, United Kingdom
   187 CZ, Czechia
   140 CA, Canada
   128 SG, Singapore
    75 SE, Sweden
    73 CH, Switzerland
    58 DK, Denmark
    52 JP, Japan
    51 FI, Finland
    49 IE, Ireland
    45 AT, Austria
    44 AU, Australia
    40 IN, India
    36 PL, Poland
    32 BR, Brazil
    28 RU, Russia

IPv6 is less common than IPv4 for MX hosts (but improved IPv6 connectivity on my end this month finds more IPv6 DANE MTAs), and the top 20 countries by DANE MX host IPv6 GeoIP are:

  3081 TOTAL
  1222 DE, Germany
   562 US, United States
   425 NL, Netherlands
   258 FR, France
   110 GB, United Kingdom
   105 CZ, Czechia
    43 SG, Singapore
    41 SE, Sweden
    32 CH, Switzerland
    30 CA, Canada
    27 JP, Japan
    25 RU, Russia
    25 AT, Austria
    19 IE, Ireland
    15 DK, Denmark
    14 NO, Norway
    14 IN, India
    13 AU, Australia
    12 SI, Slovenia
    12 ID, Indonesia

There are 4738 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 7241. These cover 7766 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of domains that at some point were listed in Gmail's email transparency report is 273 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain).
Of these, 142 are in recent (last 90 days of) reports:

  univie.ac.at            mensa.de              ouderportaal.nl
  gmx.at                  posteo.de             overheid.nl
  nic.br                  ruhr-uni-bochum.de    parlement.nl
  registro.br             tum.de                pathe.nl
  buymyweedonline.ca      uni-erlangen.de       photofacts.nl
  gmx.ch                  unitybox.de           photofactsacademy.nl
  open.ch                 unitymedia.de         politie.nl
  protonmail.ch           web.de                previder.nl
  anubisnetworks.com      egmontpublishing.dk   rijksoverheid.nl
  fmc-na.com              netic.dk              rvo.nl
  gmx.com                 tilburguniversity.edu schuurman-schoenen.nl
  habr.com                web200.eu             ssonet.nl
  hotelsinduitsland.com   zone.eu               transip.nl
  kpn.com                 ac-strasbourg.fr      truetickets.nl
  mail.com                octopuce.fr           tweedekamer.nl
  mammoetmail.com         web200.hu             uitgeverijpica.nl
  metafaq.com             247superhost.net      utwente.nl
  one.com                 comcast.net           uvt.nl
  protonmail.com          dns-oarc.net          xs4all.nl
  societe.com             gmx.net               domeneshop.no
  solvinity.com           habramail.net         handelsbanken.no
  t-2.com                 hr-manager.net        uib.no
  telfort.com             inexio.net            webcruitermail.no
  trashmail.com           mpssec.net            atelkamera.nu
  xfinity.com             procurios.net         debian.org
  xfinityhomesecurity.com riseup.net            freebsd.org
  xfinitymobile.com       t-2.net               gentoo.org
  active24.cz             transip.net           ietf.org
  atlas.cz                transversal.net       isc.org
  centrum.cz              vevida.net            netbsd.org
  cuni.cz                 xs4all.net            openssl.org
  klubpevnehozdravi.cz    belastingdienst.nl    ozlabs.org
  onebit.cz               bhosted.nl            samba.org
  optimail.cz             billybird.nl          torproject.org
  smtp.cz                 bluerail.nl           whatpulse.org
  virusfree.cz            boozyshop.nl          asf.com.pt
  volny.cz                corpoflow.nl          moikrug.ru
  web4u.cz                dictu.nl              boplatssyd-automail.se
  allsecur.de             digid.nl              handelsbanken.se
  bayern.de               digistate.nl          loopia.se
  bund.de                 fontys.nl             minmyndighetspost.se
  elster.de               hr.nl                 personligalmanacka.se
  fau.de                  hro.nl                skatteverket.se
  freenet.de              interconnect.nl       theletter.se
  gmx.de                  intermax.nl           truepos.se
  jpberlin.de             mailplus.nl           govtrack.us
  lrz.de                  minbzk.nl
  mail.de                 mm1.nl

Of the ~1.33 million domains, 2884 have "partial" TLSA records that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 391. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

  https://dane.sys4.de/common_mistakes
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 768. The top 10 name server operators with problem domains are:

  164 mijnhostingpartner.nl
   49 movenext.nl
   41 metaregistrar.nl
   33 tiscomhosting.nl
   31 nrdns.nl
   26 hostnet.nl
   21 sylconia.net
   15 is.nl
   13 interhand.net
   12 dnscluster.nl

[ The above list no longer includes "gransy.com" where all issues were recently resolved. Thanks! Nine of the ten problem providers are Dutch! More progress by .NL DNS providers would be great. ]

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Ten of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  key.com
  keybank.com
  mobily.com.sa
  sauditelecom.com.sa
  bog.gov.sa

--
Viktor.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.
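Three points the post keeps returning to can be checked mechanically before a domain ends up on the danefail list: whether every MX host (dead decoys included, per footnote [1]) has at least a well-formed TLSA record, whether the published records actually match the certificate or key each MX host presents, and whether a planned key change is safe. The following is an added Python example, not Viktor's measurement code and not taken from the resources linked above; it goes a little beyond the post by handling every TLSA selector and matching-type combination. The certificate bytes it works on come from `fake_cert`, a constructed, certificate-shaped DER structure (not a real signed certificate), and all function names (`parse_tlsa`, `spki_from_cert`, `tlsa_matches`, `rotation_safe`, `coverage`) are this example's own. `rotation_safe` encodes the pre-publish rule the linked guidance describes: add the TLSA record for the new key next to the current one, wait out the old RRset's TTL, and only then switch the server.

```python
from __future__ import annotations
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0-3; SMTP DANE uses DANE-TA(2) or DANE-EE(3)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

def parse_tlsa(text: str) -> TLSA:
    """Parse presentation form ('3 1 1 <hex>'); raise ValueError if malformed."""
    fields = text.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, matching type and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))  # the hex may be split over fields
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    if len(data) != {1: 32, 2: 64}.get(mtype, len(data)) or not data:
        raise ValueError(f"bad data length {len(data)} for matching type {mtype}")
    return TLSA(usage, selector, mtype, data)

def is_well_formed(text: str) -> bool:
    """A dead MX host only needs a record that parses; it need not match anything."""
    try:
        return parse_tlsa(text) is not None
    except ValueError:
        return False

def _der(tag: int, content: bytes) -> bytes:
    """Encode one definite-length DER TLV."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _tlvs(buf: bytes) -> list[tuple[int, bytes, bytes]]:
    """Split DER into (tag, content, whole TLV) triples; definite lengths only."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, hdr = buf[pos], buf[pos + 1], 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
            hdr += n
        end = pos + hdr + length
        out.append((tag, buf[pos + hdr:end], buf[pos:end]))
        pos = end
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """SPKI TLV of an X.509 cert: SEQ{tbs=SEQ{[0]ver?, serial, sigalg, issuer, validity, subject, spki..}, ..}."""
    _, cert_content, _ = _tlvs(cert_der)[0]
    _, tbs_content, _ = _tlvs(cert_content)[0]
    fields = _tlvs(tbs_content)
    if fields[0][0] == 0xA0:  # skip the explicit [0] version when present
        fields = fields[1:]
    return fields[5][2]

def tlsa_matches(rec: TLSA, cert_der: bytes) -> bool:
    """Does one record match the certificate the MX host presents in its TLS handshake?"""
    selected = cert_der if rec.selector == 0 else spki_from_cert(cert_der)
    if rec.mtype == 0:
        return selected == rec.data
    digest = hashlib.sha256 if rec.mtype == 1 else hashlib.sha512
    return digest(selected).digest() == rec.data

def rotation_safe(rrset: list[TLSA], current_cert: bytes, next_cert: bytes) -> bool:
    """Pre-publish rule: roll keys only once the RRset matches the new key and still the old."""
    return (any(tlsa_matches(r, current_cert) for r in rrset)
            and any(tlsa_matches(r, next_cert) for r in rrset))

def coverage(mx_rrsets: dict[str, list[str]]) -> str:
    """'full' if every MX host has a well-formed record, 'partial' if only some do."""
    covered = [any(is_well_formed(r) for r in recs) for recs in mx_rrsets.values()]
    if covered and all(covered):
        return "full"
    return "partial" if any(covered) else "none"

def fake_cert(pubkey: bytes) -> bytes:
    """Constructed, certificate-shaped DER; NOT a real or signed X.509 certificate."""
    alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    spki = _der(0x30, alg + _der(0x03, b"\x00" + pubkey))
    empty = _der(0x30, b"")  # stands in for signature, issuer, validity, subject
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))

def tlsa_for(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-form record for a certificate (hashed matching types only)."""
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return f"{usage} {selector} {mtype} {digest(selected).hexdigest()}"

CERT_A = fake_cert(bytes(range(1, 65)))    # constructed sample keys, not real material
CERT_B = fake_cert(bytes(range(65, 129)))
```

Run against a real MX host, `cert_der` would be the leaf certificate captured from the STARTTLS handshake and the RRset would come from a DNSSEC-validating resolver; `rotation_safe(published, current, next)` returning False is the signal to add the new record and wait for TTL expiry rather than switch keys immediately. The `coverage` result "partial" corresponds to the 2884 domains in the post whose secondary MX hosts have no records.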