From ietf-dane at dukhovni.org Tue Sep 3 00:12:28 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 2 Sep 2019 18:12:28 -0400
Subject: Update on stats 2019-08
Message-ID: <20190902221228.GA70610@straasha.imrryr.org>

Summary:

    The DANE domain count is now 1,227,756. The number of domains that
    return DNSSEC-validated replies in response to MX queries is
    9,878,661. Thus DANE TLSA is deployed on ~12.42% of domains with
    DNSSEC.

Credits:

    The coverage of DNSSEC domains continues to improve with ongoing
    data support from Paul Vixie of Farsight Security. Credits also due
    to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
    .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
    sources of ccTLD signed delegations welcome.

As of today I count 1,227,756 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are:

    734903 one.com
    127486 transip.nl
     98404 domeneshop.no
     36596 active24.com
     32070 vevida.com
     26968 web4u.cz
     24317 udmedia.de
     16392 bhosted.nl
     15667 flexfilter.nl
     13799 zxcs.nl
     13156 onebit.cz
      7109 protonmail.ch
      6010 netzone.ch
      5620 previder.nl
      3664 ips.nl
      3298 interconnect.nl
      2572 provalue.nl
      2225 nederhost.nl
      1913 spamcluster.nl
      1701 nmugroup.com

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    6089 TOTAL
    1917 DE, Germany
    1385 US, United States
     839 NL, Netherlands
     414 FR, France
     274 GB, United Kingdom
     181 CZ, Czechia
     143 CA, Canada
     128 SG, Singapore
      78 CH, Switzerland
      71 SE, Sweden
      59 DK, Denmark
      51 JP, Japan
      49 AT, Austria
      48 FI, Finland
      45 IE, Ireland
      43 AU, Australia
      39 PL, Poland
      38 IN, India
      32 BR, Brazil
      28 RU, Russia

IPv6 is less common than IPv4 for MX hosts (but improved IPv6
connectivity on my end this month finds more IPv6 DANE MTAs), and the
top 20 countries by DANE MX host IPv6 GeoIP are:

    3002 TOTAL
    1172 DE, Germany
     523 US, United States
     410 NL, Netherlands
     254 FR, France
     116 CZ, Czechia
     110 GB, United Kingdom
      43 SG, Singapore
      41 RU, Russia
      35 CH, Switzerland
      34 SE, Sweden
      34 CA, Canada
      26 JP, Japan
      24 AT, Austria
      18 IE, Ireland
      15 IN, India
      15 DK, Denmark
      14 SI, Slovenia
      14 AU, Australia
      13 NO, Norway
      12 ID, Indonesia

There are 4654 unique zones in which the underlying MX hosts are found.
This counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 7097. These cover
7555 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 263 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).
Of these, 134 are in recent (last 90 days of) reports:

    univie.ac.at            kabelmail.de            intermax.nl
    gmx.at                  lrz.de                  mailplus.nl
    nic.br                  mail.de                 markteffectmail.nl
    registro.br             mensa.de                mm1.nl
    gmx.ch                  posteo.de               ouderportaal.nl
    open.ch                 ruhr-uni-bochum.de      overheid.nl
    protonmail.ch           tum.de                  parlement.nl
    anubisnetworks.com      uni-erlangen.de         pathe.nl
    fmc-na.com              unitybox.de             photofacts.nl
    gmx.com                 unitymedia.de           politie.nl
    habr.com                web.de                  previder.nl
    hotelsinduitsland.com   egmontpublishing.dk     rvo.nl
    kpn.com                 netic.dk                transip.nl
    mail.com                tilburguniversity.edu   truetickets.nl
    mammoetmail.com         web200.eu               tweedekamer.nl
    metafaq.com             zone.eu                 uitgeverijpica.nl
    one.com                 ac-strasbourg.fr        utwente.nl
    protonmail.com          octopuce.fr             uvt.nl
    societe.com             web200.hu               xs4all.nl
    solvinity.com           247superhost.net        domeneshop.no
    t-2.com                 comcast.net             handelsbanken.no
    telfort.com             dns-oarc.net            uib.no
    trashmail.com           gmx.net                 webcruitermail.no
    xfinity.com             habramail.net           atelkamera.nu
    xfinityhomesecurity.com hr-manager.net          aegee.org
    xfinitymobile.com       inexio.net              debian.org
    active24.cz             mpssec.net              freebsd.org
    atlas.cz                procurios.net           gentoo.org
    centrum.cz              riseup.net              ietf.org
    cuni.cz                 t-2.net                 isc.org
    itesco.cz               transip.net             netbsd.org
    klubpevnehozdravi.cz    transversal.net         openssl.org
    nic.cz                  vevida.net              ozlabs.org
    onebit.cz               xs4all.net              samba.org
    smtp.cz                 xworks.net              torproject.org
    virusfree.cz            belastingdienst.nl      whatpulse.org
    volny.cz                bhosted.nl              asf.com.pt
    allsecur.de             billybird.nl            moikrug.ru
    bayern.de               bluerail.nl             boplatssyd-automail.se
    bund.de                 boozyshop.nl            handelsbanken.se
    elster.de               corpoflow.nl            minmyndighetspost.se
    fau.de                  dictu.nl                personligalmanacka.se
    freenet.de              digid.nl                skatteverket.se
    gmx.de                  hr.nl                   govtrack.us
    jpberlin.de             interconnect.nl

Of the ~1.23 million domains, 2868 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 537. Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts. A
partial list is available at:

    https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number
of "real" email domains with bad DNSSEC support stands at 1278. The top
10 name server operators with problem domains are:

    526 mijnhostingpartner.nl
     44 movenext.nl
     39 metaregistrar.nl
     38 gransy.com
     33 tiscomhosting.nl
     31 nrdns.nl
     26 hostnet.nl
     21 sylconia.net
     16 serv-ict.net
     16 axc.nl

[ The above list no longer includes "dotserv.com" where all issues
  were recently resolved. Thanks!

  Nine of the ten problem providers are Dutch! It would be great if
  SIDN could apply some carrot and stick to incent .NL hosting
  providers to have correctly working DNSSEC implementations. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt01.gov.br
    trtrio.gov.br
    trt1.jus.br
    trtrj.jus.br
    mobily.com.sa
    sauditelecom.com.sa
    bog.gov.sa

-- 
	Viktor.
[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email). However, provided
    the dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed), there's no loss of
    security.
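The post sorts domains into buckets (DANE at every MX host, "partial" coverage of only some MX hosts, broken TLSA records or missing STARTTLS, and the footnote's deliberately dead hosts whose records merely need to exist and be well-formed). The following is an added example, not Viktor's survey code, that applies the same classification to constructed data: the TLSA field checks follow RFC 6698/7671, the DANE-TA(2) match is simplified to "matches some certificate in the presented chain", PKIX usages 0 and 1 are treated as unusable for SMTP as RFC 7672 recommends, and all hosts, certificates and records are made-up stand-ins rather than real DER or real zone data.

```python
"""Classify a domain's DANE-for-SMTP posture from MX/TLSA data (constructed example)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0..3; only DANE-TA(2) and DANE-EE(3) are usable for SMTP (RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Cert:
    der: bytes      # stand-in for the DER-encoded certificate (constructed, not real X.509)
    spki: bytes     # stand-in for its SubjectPublicKeyInfo


@dataclass
class Session:
    starttls: bool     # did the MX host advertise STARTTLS?
    chain: List[Cert]  # presented chain, leaf first


def tlsa_well_formed(r: TLSA) -> bool:
    """Field ranges per RFC 6698; digest length must match the matching type."""
    if r.usage not in range(4) or r.selector not in range(2) or r.mtype not in range(3):
        return False
    expected = {1: 32, 2: 64}.get(r.mtype)
    return len(r.data) == expected if expected else len(r.data) > 0


def tlsa_matches(r: TLSA, cert: Cert) -> bool:
    """RFC 7671 matching: pick cert or SPKI, then compare raw bytes or a digest."""
    obj = cert.der if r.selector == 0 else cert.spki
    if r.mtype == 0:
        return obj == r.data
    digest = hashlib.sha256 if r.mtype == 1 else hashlib.sha512
    return digest(obj).digest() == r.data


def host_ok(records: List[TLSA], session: Optional[Session]) -> bool:
    """One MX host passes when a usable record matches what it presents.

    A host that never accepts connections (session is None) only needs
    well-formed records to exist, as footnote [1] of the post explains.
    """
    usable = [r for r in records if tlsa_well_formed(r)]
    if not usable:
        return False
    if session is None:
        return True
    if not session.starttls:          # TLSA published but no STARTTLS: counted as broken
        return False
    for r in usable:
        if r.usage == 3 and tlsa_matches(r, session.chain[0]):
            return True
        # DANE-TA(2), simplified: the TA matches some certificate in the chain
        if r.usage == 2 and any(tlsa_matches(r, c) for c in session.chain):
            return True
    return False                      # usages 0/1, or nothing matched


def classify_domain(mx_hosts: List[str], tlsa: Dict[str, List[TLSA]],
                    sessions: Dict[str, Optional[Session]]) -> str:
    """'none' | 'partial' | 'full' | 'broken', mirroring the survey's buckets."""
    covered = [h for h in mx_hosts if tlsa.get(h)]
    if not covered:
        return "none"
    if any(not host_ok(tlsa[h], sessions.get(h)) for h in covered):
        return "broken"
    return "full" if len(covered) == len(mx_hosts) else "partial"


# Constructed sample data (hypothetical hosts, not real zones or certificates).
GOOD_LEAF = Cert(der=b"constructed-leaf-cert", spki=b"constructed-leaf-spki")
REC_OK = TLSA(3, 1, 1, hashlib.sha256(GOOD_LEAF.spki).digest())
REC_STALE = TLSA(3, 1, 1, hashlib.sha256(b"previous-key-spki").digest())  # key rotated, TLSA not
REC_MALFORMED = TLSA(3, 1, 1, b"\x00" * 16)  # 16 bytes cannot be a SHA-256 digest

UP = Session(starttls=True, chain=[GOOD_LEAF])
NO_TLS = Session(starttls=False, chain=[])

EXAMPLES = {
    # both MX hosts covered; mx2 is a deliberately dead host with well-formed records
    "full.example": (["mx1", "mx2"], {"mx1": [REC_OK], "mx2": [REC_OK]}, {"mx1": UP, "mx2": None}),
    # secondary MX host has no TLSA records at all
    "partial.example": (["mx1", "mx2"], {"mx1": [REC_OK]}, {"mx1": UP, "mx2": UP}),
    # TLSA published but no longer matches the key after a rotation
    "stale.example": (["mx1"], {"mx1": [REC_STALE]}, {"mx1": UP}),
    # TLSA published but the host does not advertise STARTTLS
    "nostarttls.example": (["mx1"], {"mx1": [REC_OK]}, {"mx1": NO_TLS}),
    "none.example": (["mx1"], {}, {"mx1": UP}),
}


def classify_examples() -> Dict[str, str]:
    return {d: classify_domain(*args) for d, args in EXAMPLES.items()}


if __name__ == "__main__":
    for domain, verdict in classify_examples().items():
        print(f"{domain:20} {verdict}")
```

The "stale.example" case is the one the post's key-rotation advice is about: a record that was correct when published fails to match after the key changes, which is why TLSA validity has to be monitored rather than set once. Note that the dead-host case only passes because its records are well-formed; the `REC_MALFORMED` constant would move such a host into the broken bucket.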