From ietf-dane at dukhovni.org Sun Aug 2 02:34:58 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sat, 1 Aug 2020 20:34:58 -0400
Subject: Update on stats 2020-07
Message-ID: <20200802003458.GN48007@straasha.imrryr.org>

Summary: The DANE domain count is now 1,974,938

Much of the increase from last month is due to ~42k domains hosted by pcextreme.nl. Thank you PCextreme.

The number of domains that return DNSSEC-validated replies in response to MX queries is 12,108,902. Thus DANE TLSA is deployed on ~16.30% of domains with DNSSEC.

DANE as a percentage of DNSSEC domains is dropping recently, because growth in DNSSEC adoption has started to outpace growth in DANE adoption. This is a good problem to have; deploy even more DNSSEC, please! At this rate, I am anticipating ~13 million signed domains by the end of 2020, but a surprise large-scale deployment would be even better.

Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 1,974,938 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
    1034619 one.com
     141535 transip.nl
     101743 domeneshop.no
      89837 loopia.se
      83032 infomaniak.ch
      42021 pcextreme.nl
      41648 webreus.nl
      39437 active24.com
      32936 antagonist.nl
      30714 vevida.com
      28703 zxcs.nl
      26693 web4u.cz
      25440 udmedia.de
      17613 bhosted.nl
      14851 flexfilter.nl
      14114 onebit.cz
      11688 protonmail.ch
       6829 zonemx.eu
       6035 soverin.net
       5773 netzone.ch

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).

    6864 TOTAL
    2191 DE, Germany
    1377 US, United States
    1046 NL, Netherlands
     548 FR, France
     287 GB, United Kingdom
     225 CZ, Czechia
     163 CA, Canada
     100 SG, Singapore
      97 CH, Switzerland
      90 FI, Finland
      84 SE, Sweden
      71 DK, Denmark
      49 AU, Australia
      47 AT, Austria
      43 IE, Ireland
      36 BR, Brazil
      33 PL, Poland
      32 RU, Russia
      31 JP, Japan
      30 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

    3555 TOTAL
    1459 DE, Germany
     580 NL, Netherlands
     572 US, United States
     263 FR, France
     127 CZ, Czechia
     111 GB, United Kingdom
      49 CH, Switzerland
      41 RU, Russia
      41 CA, Canada
      40 SE, Sweden
      37 SG, Singapore
      25 AT, Austria
      19 AU, Australia
      16 JP, Japan
      16 IE, Ireland
      15 DK, Denmark
      14 NO, Norway
      14 FI, Finland
      13 ID, Indonesia
      11 BR, Brazil

There are 5893 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 8284. These cover 9276 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 356 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 174 are in recent (last 90 days of) reports:

    ac-strasbourg.fr          interim-netwerk.nl          ru.ac.za
    active24.cz               isc.org                     ru.nl
    aegee.org                 itesco.cz                   ruhr-uni-bochum.de
    atelkamera.nu             jpberlin.de                 rvo.nl
    atlas.cz                  kabelmail.de                samba.org
    bayern.de                 kadernickyservis.sk         schoudercom.nl
    belastingdienst.nl        keessmit.nl                 schuurman-schoenen.nl
    bhosted.nl                klubpevnehozdravi.cz        skatteverket.se
    bluerail.nl               kpn.com                     smtp.cz
    boekwinkeltjes.nl         krypton.cz                  societe.com
    boozyshop.nl              leszexpertsfle.com          solvinity.com
    boplatssyd-automail.se    loopia.se                   sportfondsen.nl
    bund.de                   lrz.de                      ssonet.nl
    centrum.cz                lugeja.ee                   star.dk
    clubedohardware.com.br    mail.com                    stil.dk
    clubedominante.com        mail.de                     switch.ch
    comcast.net               mailbox.org                 t-2.com
    compagnie-des-sens.fr     mailplus.nl                 t-2.net
    corpoflow.nl              mailserver4.de              telfort.com
    cuni.cz                   mailzerver.com              thalesgroup.com
    debian.org                mammoetmail.com             theletter.se
    dictu.nl                  markteffectmail.nl          tilburguniversity.edu
    digid.nl                  maximum.nl                  torproject.org
    domeneshop.no             minbzk.nl                   transip.net
    duo.nl                    mindef.nl                   triodos.be
    egmontpublishing.dk       minmyndighetspost.se        triodos.co.uk
    elster.de                 mkbbelangen.nl              triodos.com
    emta.ee                   mm1.nl                      triodos.es
    ezorg.nl                  mpssec.net                  triodos.nl
    fau.de                    mx-relay.com                truetickets.nl
    fidesz.hu                 netbsd.org                  tum.de
    fmc-na.com                netic.dk                    uib.no
    freebsd.org               nic.br                      uitgeverijpica.nl
    freenet.de                nic.cz                      uni-c.dk
    gentoo.org                one.com                     uni-erlangen.de
    gerryweber.nl             onebit.cz                   uni-muenchen.de
    gmx.at                    open.ch                     unitybox.de
    gmx.ch                    openssl.org                 unitymedia.de
    gmx.com                   optimail.cz                 univie.ac.at
    gmx.de                    ouderportaal.nl             utwente.nl
    gmx.net                   overheid.nl                 uv.es
    goget.nu                  ozlabs.org                  uvt.nl
    govtrack.us               pathe.nl                    virusfree.cz
    habr.com                  personligalmanacka.se       volny.cz
    habramail.net             politie.nl                  web.de
    handelsbanken.no          posteo.de                   webcruitermail.no
    handelsbanken.se          pre-sustainability.com      westlotto.de
    herinneringenoplinnen.nl  previder.nl                 whatpulse.org
    hostpoint.ch              procurios.net               xfinity.com
    hotelsinduitsland.com     professioneelbegeleiden.nl  xfinityhomesecurity.com
    hr-manager.net            protonmail.ch               xfinitymobile.com
    hr.nl                     protonmail.com              xs4all.net
    ietf.org                  rediris.es                  xs4all.nl
    inexio.net                registro.br                 xworks.net
    infomaniak.ch             rijksoverheid.nl            zaantheater.nl
    infomaniak.com            riseup.net                  zone.eu
    ingthink.com              rmit.ee                     zonevs.eu
    interconnect.nl           rotterdam.nl                zorgmail.nl

Of the ~1.97 million domains, 13448 have "partial" TLSA records that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 602. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1093.
The top 15 name server operators with problem domains are:

    367 axc.nl
    350 registrar-servers.com
     86 ebola.cz
     64 movenext.nl
     34 epik.com
     28 tiscomhosting.nl
     24 metaregistrar.nl
     22 nrdns.nl
     22 infracom.nl
     22 eatserver.nl
     11 sylconia.net
     11 iterik.nu
     11 icosnethosting.com
     10 openprovider.nl
     10 is.nl

[ The situation with epik.com is more worrisome than it looks: while only 34 domains have SMTP servers affected by incorrect TLSA record denial of existence, in fact well over 100k domains exhibit the same symptoms, but presently don't receive email. Given the pervasive failure to provision complete NSEC chains for domains with zone-apex wildcard records, I expect this will get worse before it gets better. My correspondence with Epik support has not yet reached someone who is able to understand and solve the problem.

Essentially the same issue of missing NSEC for the zone-apex wildcard is plaguing axc.nl. Perhaps it is too easy for PowerDNS users to get this wrong. Don't know what can be done to help them correct their provisioning practices. ]

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Six of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt1.jus.br
    trtrj.jus.br
    bncr.fi.cr
    mobily.com.sa
    sauditelecom.com.sa

-- 
    Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
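The posting above counts a domain as DANE-protected only when every MX host that accepts connections has correct TLSA records, counts "partial" domains whose secondary MX hosts lack TLSA, counts "broken" domains whose published TLSA records do not match or whose hosts do not offer STARTTLS, and notes in footnote [1] that an always-down MX host is harmless as long as its TLSA records exist and are well-formed. The following is an added example written for this page, not code from Viktor's posting or from his survey tooling: it parses and sanity-checks TLSA records, matches them against a presented certificate (DANE-EE against the leaf, DANE-TA against an issuer in the chain), and classifies a domain's MX set with those verdicts. The host names, the "certificate" and "SPKI" byte strings and the three-host example domain are constructed stand-ins for real DER data, and chain signature verification for DANE-TA is assumed to have happened elsewhere.

```python
"""Added example, not code from the posting or from any survey tooling: parse and
sanity-check SMTP DANE TLSA records, match them against the certificate a server
presents, and classify a domain's MX coverage the way the report counts it
("full", "partial", "broken", "none").  Certificate and SPKI byte strings are
constructed placeholders, not real DER."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field

# RFC 7672: SMTP clients use only DANE-TA(2) and DANE-EE(3); PKIX-TA(0) and
# PKIX-EE(1) records are unusable for SMTP.
SMTP_USAGES = {2, 3}
DIGEST_LEN = {0: None, 1: 32, 2: 64}     # matching type -> association data length


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(text: str) -> TLSA:
    """Parse presentation form "3 1 1 <hex>", rejecting malformed records."""
    fields = text.split()
    if len(fields) != 4:
        raise ValueError(f"expected 4 fields: {text!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex(fields[3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError(f"field out of range: {text!r}")
    want = DIGEST_LEN[mtype]
    if (want is None and not data) or (want is not None and len(data) != want):
        raise ValueError(f"bad association data length for matching type {mtype}")
    return TLSA(usage, selector, mtype, data)


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """Value a verifier derives from a presented certificate: Cert(0) or SPKI(1),
    then Full(0), SHA2-256(1) or SHA2-512(2)."""
    obj = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return obj
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(obj).digest()


def rr_for(cert: tuple[bytes, bytes], usage: int, selector: int, mtype: int) -> str:
    """Presentation-form record an operator would publish for `cert`."""
    return f"{usage} {selector} {mtype} {association_data(*cert, selector, mtype).hex()}"


def tlsa_matches(rr: TLSA, leaf: tuple[bytes, bytes], issuers: list[tuple[bytes, bytes]]) -> bool:
    """DANE-EE(3) must match the leaf; DANE-TA(2) must match an issuer certificate
    in the presented chain (assumed to have been signature-checked elsewhere)."""
    if rr.usage not in SMTP_USAGES:
        return False
    candidates = [leaf] if rr.usage == 3 else list(issuers)
    return any(association_data(c, s, rr.selector, rr.mtype) == rr.data for c, s in candidates)


@dataclass
class MXHost:
    name: str
    tlsa: list[str]                     # records published at _25._tcp.<name>
    reachable: bool                     # accepts connections at all
    starttls: bool = False              # advertises STARTTLS when reachable
    leaf: tuple[bytes, bytes] | None = None
    issuers: list[tuple[bytes, bytes]] = field(default_factory=list)


def mx_verdict(mx: MXHost) -> str:
    """One MX host: "secure", "dead" (always-down host with well-formed TLSA, the
    footnote [1] case), "none" (no usable TLSA) or "broken" (TLSA published but
    malformed, mismatched, or no STARTTLS offered)."""
    if not mx.tlsa:
        return "none"
    try:
        records = [parse_tlsa(t) for t in mx.tlsa]
    except ValueError:
        return "broken"
    if not mx.reachable:
        return "dead"                   # records need only exist and be well-formed
    if not any(r.usage in SMTP_USAGES for r in records):
        return "none"                   # PKIX-only RRset: unauthenticated TLS, no DANE
    if not mx.starttls or mx.leaf is None:
        return "broken"                 # TLSA published but no TLS offered: mail is deferred
    return "secure" if any(tlsa_matches(r, mx.leaf, mx.issuers) for r in records) else "broken"


def domain_verdict(hosts: list[MXHost]) -> str:
    """Survey-style verdict over all MX hosts of a domain."""
    verdicts = [mx_verdict(h) for h in hosts]
    if "broken" in verdicts:
        return "broken"
    if "secure" in verdicts and all(v in ("secure", "dead") for v in verdicts):
        return "full"
    return "partial" if "secure" in verdicts else "none"


# Constructed stand-ins for DER certificate / SubjectPublicKeyInfo bytes.
LEAF = (b"cert:mx1.example.nl:2020-07", b"spki:mx1.example.nl")
RENEWED_LEAF = (b"cert:mx1.example.nl:2020-08", b"spki:mx1.example.nl")   # same key, new cert
ISSUER = (b"cert:Example Issuing CA", b"spki:Example Issuing CA")

EXAMPLE_DOMAIN = [
    MXHost("mx1.example.nl", [rr_for(LEAF, 3, 1, 1), rr_for(ISSUER, 2, 1, 1)], True, True, LEAF, [ISSUER]),
    MXHost("mx2.example.nl", [], True, True, LEAF, [ISSUER]),          # secondary without TLSA
    MXHost("sinkhole.example.nl", [rr_for(LEAF, 3, 1, 1)], False),     # deliberately dead host
]
```

Run as a script or import it: `domain_verdict(EXAMPLE_DOMAIN)` is "partial" because mx2 has no TLSA, and publishing a record for mx2 turns it into "full" while the dead sinkhole host stays harmless. The "3 0 1 versus 3 1 1" advice linked above shows up directly: a host that presents RENEWED_LEAF (reissued certificate, same key) still matches a `3 1 1` record computed from LEAF but no longer matches a `3 0 1` record, which is exactly the Let's Encrypt renewal outage mode.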
From ietf-dane at dukhovni.org Mon Aug 31 08:20:53 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 31 Aug 2020 02:20:53 -0400
Subject: Update on stats 2020-08
Message-ID: <20200831062053.GD37422@straasha.imrryr.org>

Summary: The DANE domain count is now 2,151,862

Most of the increase from last month can be credited to forpsi.com (~65k domains) and one.com (~109k new domains). Thank you forpsi.com and one.com.

Though it is but one domain, it is nice this month to see ripe.net added to the list of domains with DANE TLSA records for their MX hosts.

I'm also happy to report that epik.com have resolved all outstanding DNSSEC denial of existence issues, not only for the O(50) domains that had SMTP servers, but also for over 100k domains that did not yet, but might some day. It would be great to see more of the long-term resident DoE "sinners" make amends.

The number of domains that return DNSSEC-validated replies in response to MX queries is 12,443,641. Thus DANE TLSA is deployed on ~17.29% of domains with DNSSEC. It might have been higher than 12.5 million, but for a delay in the .NL data feed this month, which is expected instead in early September.

Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 2,151,862 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
    1143500 one.com
     141329 transip.nl
     102015 domeneshop.no
      90188 loopia.se
      85000 infomaniak.ch
      64973 forpsi.com
      41646 pcextreme.nl
      41210 webreus.nl
      39560 active24.com
      32959 antagonist.nl
      30569 vevida.com
      28115 zxcs.nl
      26638 web4u.cz
      25610 udmedia.de
      18038 bhosted.nl
      14752 flexfilter.nl
      14165 onebit.cz
      12197 protonmail.ch
       7191 zonemx.eu
       6077 soverin.net

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).

    6864 TOTAL
    2191 DE, Germany
    1377 US, United States
    1046 NL, Netherlands
     548 FR, France
     287 GB, United Kingdom
     225 CZ, Czechia
     163 CA, Canada
     100 SG, Singapore
      97 CH, Switzerland
      90 FI, Finland
      84 SE, Sweden
      71 DK, Denmark
      49 AU, Australia
      47 AT, Austria
      43 IE, Ireland
      36 BR, Brazil
      33 PL, Poland
      32 RU, Russia
      31 JP, Japan
      30 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

    3593 TOTAL
    1472 DE, Germany
     614 US, United States
     591 NL, Netherlands
     258 FR, France
     146 CZ, Czechia
     105 GB, United Kingdom
      48 CH, Switzerland
      40 SG, Singapore
      37 CA, Canada
      34 SE, Sweden
      26 AT, Austria
      21 RU, Russia
      19 AU, Australia
      17 JP, Japan
      15 FI, Finland
      14 NO, Norway
      14 IE, Ireland
      13 DK, Denmark
      12 ID, Indonesia
      11 BR, Brazil

There are 6056 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 9058. These cover 10054 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 372 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 183 are in recent (last 90 days of) reports:

    univie.ac.at               freenet.de                  keessmit.nl
    gmx.at                     gmx.de                      mailplus.nl
    triodos.be                 jpberlin.de                 markteffectmail.nl
    clubedohardware.com.br     kabelmail.de                minbzk.nl
    nic.br                     lrz.de                      mindef.nl
    registro.br                mail.de                     mkbbelangen.nl
    gmx.ch                     mailserver4.de              mm1.nl
    hostpoint.ch               posteo.de                   ouderportaal.nl
    infomaniak.ch              ruhr-uni-bochum.de          overheid.nl
    open.ch                    tum.de                      parlement.nl
    protonmail.ch              uni-erlangen.de             pathe.nl
    switch.ch                  uni-muenchen.de             politie.nl
    clubedominante.com         unitybox.de                 previder.nl
    coosto.com                 unitymedia.de               professioneelbegeleiden.nl
    fmc-na.com                 web.de                      rijksoverheid.nl
    gmx.com                    westlotto.de                rotterdam.nl
    habr.com                   egmontpublishing.dk         ru.nl
    hotelsinduitsland.com      netic.dk                    rvo.nl
    infomaniak.com             star.dk                     schoudercom.nl
    ingthink.com               stil.dk                     schuurman-schoenen.nl
    kpn.com                    uni-c.dk                    ssonet.nl
    leszexpertsfle.com         tilburguniversity.edu       triodos.nl
    mail.com                   emta.ee                     truetickets.nl
    mailzerver.com             rmit.ee                     tweedekamer.nl
    mammoetmail.com            rediris.es                  uitgeverijpica.nl
    mx-relay.com               triodos.es                  utwente.nl
    one.com                    uv.es                       uvt.nl
    pre-sustainability.com     zone.eu                     wise-guys.nl
    protonmail.com             zonevs.eu                   xs4all.nl
    protonvpn.com              ac-strasbourg.fr            zorgmail.nl
    societe.com                compagnie-des-sens.fr       domeneshop.no
    solvinity.com              fidesz.hu                   handelsbanken.no
    t-2.com                    idrinks.hu                  uib.no
    telfort.com                mszp.hu                     webcruitermail.no
    thalesgroup.com            comcast.net                 atelkamera.nu
    triodos.com                gmx.net                     goget.nu
    vitstore.com               habramail.net               aegee.org
    xfinity.com                hr-manager.net              debian.org
    xfinityhomesecurity.com    inexio.net                  freebsd.org
    xfinitymobile.com          mpssec.net                  gentoo.org
    active24.cz                procurios.net               ietf.org
    akce-incomputer.cz         ripe.net                    isc.org
    atlas.cz                   riseup.net                  mailbox.org
    centrum.cz                 t-2.net                     netbsd.org
    cuni.cz                    transip.net                 openssl.org
    itesco.cz                  xs4all.net                  ozlabs.org
    klenotyaurum.cz            xworks.net                  samba.org
    klubpevnehozdravi.cz       belastingdienst.nl          torproject.org
    krypton.cz                 bhosted.nl                  whatpulse.org
    nic.cz                     bluerail.nl                 asf.com.pt
    onebit.cz                  boozyshop.nl                boplatssyd-automail.se
    optimail.cz                corpoflow.nl                handelsbanken.se
    poptavej.cz                dictu.nl                    loopia.se
    reserved.cz                digid.nl                    minmyndighetspost.se
    smtp.cz                    duo.nl                      personligalmanacka.se
    virusfree.cz               ezorg.nl                    skatteverket.se
    volny.cz                   gerryweber.nl               theletter.se
    bayern.de                  herinneringenoplinnen.nl    kadernickyservis.sk
    bund.de                    hr.nl                       triodos.co.uk
    elster.de                  interconnect.nl             govtrack.us
    fau.de                     interim-netwerk.nl          ru.ac.za

Of the ~2.15 million domains, 13702 have "partial" TLSA records that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 650. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1093.
The top 15 name server operators with problem domains are:

    374 axc.nl
    344 registrar-servers.com
     86 ebola.cz
     66 movenext.nl
     27 tiscomhosting.nl
     22 eatserver.nl
     20 metaregistrar.nl
     20 infracom.nl
     15 nrdns.nl
     15 cloudflare.com
     11 sylconia.net
     11 iterik.nu
     11 is.nl
     10 openprovider.nl
     10 mobi-net.ch

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt1.jus.br
    trtrj.jus.br
    bncr.fi.cr
    ofda.gov
    amsterdam.nl
    mobily.com.sa
    sauditelecom.com.sa [2]

-- 
    Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.

[2] https://dnsviz.net/d/sauditelecom.com.sa/X0yQQA/dnssec/
    Today the entire sauditelecom.com.sa zone is down, the DS records don't match any zone apex DNSKEY RRs...
    https://twitter.com/VDukhovni/status/1300313582945669120
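Both postings above attribute the epik.com and axc.nl breakage to zones that carry a zone-apex wildcard but whose signers never emitted an NSEC record for that wildcard, so that a TLSA query for a wildcard-synthesised MX host name cannot be securely denied. The following is an added example written for this page, not code from Viktor's postings or from any DNS software: it models the NSEC proofs a validating resolver requires for a TLSA query (RFC 4034 canonical ordering, the covering NSEC, the closest encloser and the wildcard check), and shows that with a complete chain the answer is a securely proven "no TLSA" (the MTA falls back to unauthenticated TLS), whereas with the wildcard's NSEC missing the same query cannot be proven and comes back bogus (SERVFAIL, so a DANE-aware MTA defers the mail). The zone example.nl, its names and both NSEC chains are constructed assumptions; empty non-terminals and delegations are deliberately not modelled.

```python
"""Added example, not code from the postings: model the NSEC denial-of-existence
proof a validating resolver needs for a TLSA query, and why a signed zone with an
apex wildcard but no NSEC record for that wildcard produces a bogus answer instead
of a proven "no TLSA".  Zone contents and names (example.nl) are constructed."""
from __future__ import annotations


def labels(name: str) -> list[str]:
    return [lbl.lower() for lbl in name.rstrip(".").split(".")]


def norm(name: str) -> str:
    return ".".join(labels(name))


def canonical_key(name: str) -> list[bytes]:
    """RFC 4034 section 6.1 canonical order: labels compared right to left as
    case-folded octet strings; a name that is a proper prefix sorts first."""
    return [lbl.encode() for lbl in reversed(labels(name))]


def is_below(apex: str, name: str) -> bool:
    a, n = labels(apex), labels(name)
    return n[len(n) - len(a):] == a


def nsec_covers(owner: str, nxt: str, apex: str, name: str) -> bool:
    """Does the gap (owner, next) prove that `name` does not exist?  The last NSEC
    of a chain points back to the apex and so covers everything after its owner."""
    k, o = canonical_key(name), canonical_key(owner)
    if not is_below(apex, name) or k <= o:
        return False
    return labels(nxt) == labels(apex) or k < canonical_key(nxt)


def common_ancestor(a: str, b: str) -> str:
    la, lb = labels(a), labels(b)
    common: list[str] = []
    while la and lb and la[-1] == lb[-1]:
        common.insert(0, la.pop())
        lb.pop()
    return ".".join(common)


def closest_encloser(qname: str, owner: str, nxt: str) -> str:
    """Longest existing ancestor of qname, derived from the covering NSEC the way
    validators do: the longer common ancestor with its owner or with its next name."""
    c1, c2 = common_ancestor(qname, owner), common_ancestor(qname, nxt)
    return c1 if len(labels(c1)) >= len(labels(c2)) else c2


def tlsa_lookup(zone_names: set[str], chain: list, apex: str, qname: str) -> str:
    """Outcome of a TLSA query against a signed zone whose authoritative names
    (wildcards included) are `zone_names` but whose published NSEC chain is `chain`,
    each entry being (owner, next owner, set of RR types at owner).
    "nodata", "wildcard-nodata" and "nxdomain" are securely proven absences (the MTA
    falls back to unauthenticated TLS); "tlsa" means records exist; "bogus" means the
    proof cannot be built (SERVFAIL, and the MTA defers the message)."""
    names = {norm(n) for n in zone_names}
    by_owner = {norm(o): (o, n, types) for o, n, types in chain}
    q = norm(qname)
    if q in names:                               # exact match: NSEC at qname proves NODATA
        rr = by_owner.get(q)
        return "bogus" if rr is None else ("tlsa" if "TLSA" in rr[2] else "nodata")
    covering = [rr for rr in chain if nsec_covers(rr[0], rr[1], apex, qname)]
    if not covering:
        return "bogus"
    owner, nxt, _ = covering[0]
    wildcard = "*." + closest_encloser(qname, owner, nxt)
    if wildcard in names:                        # server synthesises from the wildcard ...
        rr = by_owner.get(wildcard)              # ... and the proof needs the wildcard's own NSEC
        return "bogus" if rr is None else ("tlsa" if "TLSA" in rr[2] else "wildcard-nodata")
    if any(nsec_covers(o, n, apex, wildcard) for o, n, _ in chain):
        return "nxdomain"                        # neither the name nor a wildcard exists
    return "bogus"


# Constructed zone: MX 10 mail.example.nl, but mail.example.nl is only synthesised
# from the apex wildcard *.example.nl (A record); www.example.nl is explicit.
APEX = "example.nl"
NAMES = {"example.nl", "*.example.nl", "www.example.nl"}
COMPLETE_CHAIN = [
    ("example.nl", "*.example.nl", {"SOA", "NS", "MX", "DNSKEY"}),
    ("*.example.nl", "www.example.nl", {"A"}),
    ("www.example.nl", "example.nl", {"A"}),
]
BROKEN_CHAIN = [                                 # misprovisioned signer: no NSEC for the wildcard
    ("example.nl", "www.example.nl", {"SOA", "NS", "MX", "DNSKEY"}),
    ("www.example.nl", "example.nl", {"A"}),
]
QNAME = "_25._tcp.mail.example.nl"               # what a DANE-aware MTA asks for
```

With COMPLETE_CHAIN the query for `_25._tcp.mail.example.nl` yields "wildcard-nodata", which a DANE client treats as "no TLSA, use opportunistic TLS"; with BROKEN_CHAIN the same query yields "bogus", which Postfix and other DANE-aware MTAs treat as a temporary lookup failure, and the message sits in the queue. A zone operator can catch this before mail is affected by checking that every name carrying data in the signed zone, the wildcard included, is the owner of exactly one NSEC record and that the chain closes back at the apex.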