From ietf-dane at dukhovni.org Tue Dec 1 03:24:32 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 30 Nov 2020 21:24:32 -0500
Subject: Update on stats 2020-11
Message-ID: <20201201022432.GK1459@straasha.imrryr.org>

Summary:

The DANE domain count is now 2,351,764 (up from 2,312,209 last month). The number of domains that return DNSSEC-validated replies in response to MX queries is 13,221,772 (up from 12,951,015 last month). Thus DANE TLSA is deployed on ~17.78% of domains with DNSSEC.

Please be mindful of the upcoming Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 and E1/E2. See:

    http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits are also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations are welcome.

As of today I count 2,351,764 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
    This month                       Last month
    ----------                       ----------
    1,131,984 one.com                1,135,322 one.com
      145,526 transip.nl               147,497 argewebhosting.nl
      145,371 argewebhosting.nl        144,505 transip.nl
      103,043 domeneshop.no            102,517 domeneshop.no
       93,223 infomaniak.ch             91,246 loopia.se
       91,856 loopia.se                 90,381 infomaniak.ch
       66,281 forpsi.com                65,843 forpsi.com
       41,628 webreus.nl                41,983 webreus.nl
       40,442 active24.com              40,816 pcextreme.nl
       40,363 pcextreme.nl              40,094 active24.com
       34,985 antagonist.nl             34,527 antagonist.nl
       30,298 zxcs.nl                   30,427 vevida.com
       30,200 vevida.com                29,638 zxcs.nl
       29,937 webhostingserver.nl       26,515 web4u.cz
       26,412 web4u.cz                  25,522 udmedia.de
       25,722 udmedia.de                18,409 bhosted.nl
       18,438 bhosted.nl                14,660 flexfilter.nl
       14,501 flexfilter.nl             14,272 onebit.cz
       14,340 onebit.cz                 13,133 protonmail.ch
       13,807 protonmail.ch              8,151 zonemx.eu

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    This month                     Last month
    ----------                     ----------
    7,559 TOTAL                    7,347 TOTAL
    2,386 DE, Germany              2,332 DE, Germany
    1,465 US, United States        1,439 US, United States
    1,261 NL, Netherlands          1,175 NL, Netherlands
      624 FR, France                 602 FR, France
      293 GB, United Kingdom         289 GB, United Kingdom
      236 CZ, Czechia                233 CZ, Czechia
      166 CA, Canada                 170 CA, Canada
      113 FI, Finland                112 FI, Finland
      111 SG, Singapore              108 SG, Singapore
       99 CH, Switzerland            102 CH, Switzerland
       90 SE, Sweden                  90 SE, Sweden
       79 DK, Denmark                 76 DK, Denmark
       60 AU, Australia               56 AU, Australia
       51 AT, Austria                 50 AT, Austria
       45 IE, Ireland                 46 IE, Ireland
       39 IN, India                   39 IN, India
       39 BR, Brazil                  37 JP, Japan
       37 RU, Russia                  36 BR, Brazil
       37 PL, Poland                  35 RU, Russia
       35 JP, Japan                   34 PL, Poland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

    This month                     Last month
    ----------                     ----------
    4,384 TOTAL                    3,786 TOTAL
    1,577 DE, Germany              1,549 DE, Germany
    1,215 NL, Netherlands            628 NL, Netherlands
      598 US, United States          595 US, United States
      289 FR, France                 280 FR, France
      133 CZ, Czechia                139 CZ, Czechia
      113 GB, United Kingdom         113 GB, United Kingdom
       45 SE, Sweden                  49 RU, Russia
       45 CH, Switzerland             49 CH, Switzerland
       45 CA, Canada                  43 CA, Canada
       39 SG, Singapore               38 SG, Singapore
       36 AT, Austria                 36 SE, Sweden
       22 RU, Russia                  32 AT, Austria
       22 IE, Ireland                 21 IE, Ireland
       19 JP, Japan                   20 JP, Japan
       18 FI, Finland                 16 NO, Norway
       16 NO, Norway                  16 FI, Finland
       15 BR, Brazil                  16 DK, Denmark
       15 AU, Australia               16 AU, Australia
       14 DK, Denmark                 14 LV, Latvia
       10 UA, Ukraine                 14 BR, Brazil

There are 6,721 (6,457 last month) unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 11,089 (9,296 last month). These cover 11,288 (10,622 last month) distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 409 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 257 are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.35 million domains, 13,189 (13,253 last month) have "partial" TLSA records that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 817 (771 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1491 (1431 last month).
The top 15 name server operators with problem domains are:

    This month                     Last month
    ----------                     ----------
    425 registrar-servers.com      412 registrar-servers.com
    406 axc.nl                     385 axc.nl
    107 movenext.nl                107 movenext.nl
     89 ebola.cz                    85 ebola.cz
     25 tiscomhosting.nl            25 tiscomhosting.nl
     25 mijndomein.nl               25 eatserver.nl
     24 eatserver.nl                20 epik.com
     22 epik.com                    18 metaregistrar.nl
     17 infracom.nl                 18 infracom.nl
     15 cloudflare.com              14 cloudflare.com
     13 ns01.nl                     12 ns01.nl
     11 nrdns.nl                    12 nrdns.nl
     11 iterik.nu                   11 sylconia.net
     11 accenture.com               11 iterik.nu
     10 sylconia.net                10 mobi-net.ch

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Seven of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt1.jus.br
    trtrj.jus.br
    accenturealumni.com
    bncr.fi.cr
    ofda.gov
    sauditelecom.com.sa

--
Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in the last 90 days of Google Email transparency reports:

    univie.ac.at gmx.at boozyshop.be tjek.be
    triodos.be clubedohardware.com.br corridaeaventura.com.br nic.br
    registro.br abuse.ch gmx.ch hostpoint.ch
    infomaniak.ch open.ch protonmail.ch switch.ch
    altospam.com connectsb.com datev.com ecstase.com
    fmc-na.com gmx.com habr.com horagames.com
    hotelsinduitsland.com imcnig.com infomaniak.com ingthink.com
    intakt.com joomlapolis.com kpn.com leszexpertsfle.com
    mail.com mammoetmail.com matilhadobemadestramento.com one.com
    orverkiezing.com protonmail.com protonvpn.com solvinity.com
    stater.com stellarequipment.com t-2.com telfort.com
    thalesgroup.com thepcw.com triodos.com ugritone.com
    veganallsorts.com vitstore.com xfinity.com xfinityhomesecurity.com
    xfinitymobile.com active24.cz akce-incomputer.cz amenit.cz
    atlas.cz blueconsulting.cz centrum.cz cuni.cz
    isetos.cz isportsystem.cz itesco.cz klenotyaurum.cz
    klubpevnehozdravi.cz krypton.cz omvnovinky.cz onebit.cz
    optimail.cz poptavej.cz reserved.cz smtp.cz
    vas-server.cz vcelka.cz virusfree.cz volny.cz
    zdravestravovani.cz bayern.de brandenburg.de bund.de
    bundesregierung.de datev.de dfn.de elster.de
    fau.de freenet.de gmx.de jpberlin.de
    lrz.de mail.de mailserver4.de mensa.de
    mpg.de posteo.de ruhr-uni-bochum.de tum.de
    uni-erlangen.de uni-muenchen.de unitybox.de unitymedia.de
    web.de westlotto.de dfi.dk dk-hostmaster.dk
    egmontpublishing.dk hormonterapeut.dk netic.dk nota.dk
    powerhosting.dk star.dk tilburguniversity.edu just.ee
    spam-filter.email spike.email spotler.email rediris.es
    triodos.es uv.es inetadmin.eu zone.eu
    zonevs.eu ac-strasbourg.fr bloctel.fr compagnie-des-sens.fr
    kangouroukids.fr orsys.fr srci.fr fidesz.hu
    mszp.hu interestexplorer.io pm.me comcast.net
    gmx.net habramail.net hr-manager.net inexio.net
    mijngezondheid.net mpssec.net nedport.net procurios.net
    ripe.net riseup.net t-2.net transip.net
    triodos.net xs4all.net 123watches.nl amsterdam.nl
    awcloud.nl belastingdienst.nl bhosted.nl bhsupport.nl
    bluerail.nl boekwinkeltjes.nl bolerolimonadewinkel.nl boozyshop.nl
    burgernet.nl buzaservices.nl cbr.nl chipbizz.nl
    corpoflow.nl derooijfotografie.nl dictu.nl digid.nl
    duo.nl efactuurdirect.nl ezorg.nl gerryweber.nl
    hostingpeople.nl hr.nl hro.nl interim-netwerk.nl
    mailplus.nl markteffectmail.nl mijnuvt.nl minbuza.nl
    minbzk.nl mindef.nl mkbbelangen.nl mm1.nl
    nieuwsservice-rvo.nl ns.nl ouderportaal.nl overheid.nl
    parlement.nl partijvoordedieren.nl pathe.nl politie.nl
    powerslim.nl pp-prd.nl previder.nl rijksoverheid.nl
    rotterdam.nl ru.nl rvo.nl sans-mail.nl
    schoudercom.nl schuurman-schoenen.nl sportrusten.nl ssonet.nl
    stater.nl telefoonglaasje.nl ticketapp.nl triodos.nl
    truetickets.nl tweedekamer.nl uitgeverijpica.nl utwente.nl
    uvt.nl vu.nl xs4all.nl zorgmail.nl
    annabellstefanussen.no derute.no domeneshop.no handelsbanken.no
    idrettenonline.no nordicprint.no norskgrammatikk.no rushtrampoline.no
    uib.no viphuset.no atelkamera.nu goget.nu
    lenhud.nu debian.org freebsd.org gentoo.org
    ietf.org isc.org mailbox.org mailop.org
    netbsd.org openssl.org ozlabs.org samba.org
    torproject.org whatpulse.org asf.com.pt boplatssyd-automail.se
    digitaltolk.se ecster.se ekokul.se handelsbanken.se
    loopia.se minmyndighetspost.se nordicprint.se personligalmanacka.se
    skatteverket.se teknikdelar.se theletter.se websupport.se
    kadernickyservis.sk triodos.co.uk govtrack.us quantum-services.us
    ru.ac.za


From ietf-dane at dukhovni.org Sun Dec 6 04:02:04 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sun, 6 Dec 2020 01:02:04 -0200
Subject: PLEASE NOTE: Upcoming changes in Let's Encrypt issuer certificates
In-Reply-To:
References:
Message-ID: <06554E84-72B7-4A68-A249-39498FB33488@dukhovni.org>

> On Sep 21, 2020, at 4:22 AM, Viktor Dukhovni wrote:
>
> Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be
> phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA
> "2 1 1" records matching "X3" will not match "R3" or "E1".

This has now happened.
New Let's Encrypt certificates are being issued via "R3" and "X3" has been retired:

    http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
    https://letsencrypt.org/certificates/#intermediate-certificates

Over the next 60-90 days the remaining not yet expired or renewed certificate chains issued by "X3" will still age out, at which point no one will need to include the "X3" or "X4" hashes in their TLSA records. If your TLSA records still include only "X3", the current renewal cycle is your last opportunity to add the hashes "R3", "R4", "E1" and "E2" to your TLSA RRset. The extant "X3" hash can be removed once a new certificate issued by one of the new CAs is deployed.

Over the last few days the DANE survey has started reporting a handful of new failures each day that resulted from a new "R3" certificate for an MX host whose TLSA RRset included only the "X3" hash. Please save yourself and me the trouble of dealing with this only after an initial outage.

Also, as explained in:

    http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

please avoid issuer TLSA records with selector Cert(0), i.e. "2 0 1" and "2 0 2". These are much more fragile, and worse, "R3" and "R4" are cross-signed by two different issuers, so there are two different full cert hashes for R3 and R4, but just one underlying public key and corresponding "2 1 1" hash. DO NOT use "2 0 1" or "2 0 2" records. The best choice is "2 1 1".

--
Viktor.
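The cross-signing point in the message above ("two different full cert hashes for R3 and R4, but just one underlying public key") comes down to which bytes each TLSA selector digests. The following Python script is an added example and is not code from the survey, from Let's Encrypt or from this list. It hand-builds two minimal X.509 certificates that carry the same SubjectPublicKeyInfo under different issuer names with dummy signatures (constructed data; the key material is made up and is not a valid curve point, it is only hashed), walks the DER to pull out the SPKI, and emits the "2 0 1" and "2 1 1" forms of each. The issuer names "Example Root A"/"Example Root B" and all helper names are assumptions of the example. Given PEM files as arguments it prints both forms for real certificates instead, which is how one would check an actual issuer chain.

```python
"""TLSA selector demo: Cert(0) versus SPKI(1) on two cross-signed copies of one key.

Added example; not code from the survey or from Let's Encrypt.  Two minimal
X.509 structures are CONSTRUCTED inline with the same public key but different
issuer names and dummy signatures, standing in for an intermediate (like "R3")
that two roots have cross-signed.  Run with PEM file paths as arguments to
print the "2 0 1" and "2 1 1" forms of real certificates instead.
"""
import hashlib
import re
import ssl
import sys


def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + payload


def der_read(buf: bytes, pos: int):
    """Decode the TLV at buf[pos] -> (tag, value bytes, offset just past the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, start = first, pos + 2
    else:
        k = first & 0x7F
        n, start = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[start:start + n], start + n


def spki_of(cert_der: bytes) -> bytes:
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert, _ = der_read(cert_der, 0)
    assert tag == 0x30, "Certificate is not a SEQUENCE"
    tag, tbs, _ = der_read(cert, 0)
    assert tag == 0x30, "TBSCertificate is not a SEQUENCE"
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:             # EXPLICIT [0] version is present (v2/v3 certificates)
        pos = nxt
    for _ in range(5):          # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    _, _, end = der_read(tbs, pos)
    return tbs[pos:end]         # the whole SubjectPublicKeyInfo TLV, the selector-1 digest input


def tlsa_rdata(cert_der: bytes, usage: int = 2, selector: int = 1, mtype: int = 1) -> str:
    """Presentation-format TLSA RDATA.  Selector 0 digests the full certificate (issuer
    name and signature included); selector 1 digests only the SPKI.  mtype 1 is
    SHA2-256, mtype 2 is SHA2-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    digest = hashlib.sha256(data) if mtype == 1 else hashlib.sha512(data)
    return f"{usage} {selector} {mtype} {digest.hexdigest()}"


def ec_p256_spki(point: bytes) -> bytes:
    """SubjectPublicKeyInfo for ecPublicKey on prime256v1 (the two OIDs are the real ones)."""
    alg = der(0x30, bytes.fromhex("06072a8648ce3d0201") + bytes.fromhex("06082a8648ce3d030107"))
    return der(0x30, alg + der(0x03, b"\x00" + point))


def fake_cert(issuer_cn: str, subject_cn: str, spki: bytes, sig: bytes) -> bytes:
    """Structurally valid v3 Certificate with a DUMMY signature: constructed test data only."""
    def name(cn: str) -> bytes:  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue (commonName)
        return der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x0C, cn.encode()))))
    sig_alg = der(0x30, bytes.fromhex("06082a8648ce3d040302"))      # ecdsa-with-SHA256
    validity = der(0x30, der(0x17, b"201201000000Z") + der(0x17, b"251201000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig_alg
              + name(issuer_cn) + validity + name(subject_cn) + spki)
    return der(0x30, tbs + sig_alg + der(0x03, b"\x00" + sig))


# Constructed sample: one (made-up, not an actual curve point) key, two issuers.
SAMPLE_SPKI = ec_p256_spki(b"\x04" + bytes(range(1, 65)))
CERT_BY_ROOT_A = fake_cert("Example Root A", "Example Intermediate", SAMPLE_SPKI, b"\x11" * 70)
CERT_BY_ROOT_B = fake_cert("Example Root B", "Example Intermediate", SAMPLE_SPKI, b"\x22" * 70)


def compare_selectors(a: bytes, b: bytes) -> dict:
    """Which TLSA selector forms are shared by two certificates that carry the same key?"""
    return {sel: tlsa_rdata(a, selector=sel) == tlsa_rdata(b, selector=sel) for sel in (0, 1)}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        pem_re = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
        for path in sys.argv[1:]:
            with open(path) as f:
                for pem in pem_re.findall(f.read()):
                    cert = ssl.PEM_cert_to_DER_cert(pem)
                    print(path, tlsa_rdata(cert, selector=0), tlsa_rdata(cert, selector=1), sep="\n  ")
    else:
        for sel in (0, 1):
            print(f"selector {sel}: root A -> {tlsa_rdata(CERT_BY_ROOT_A, selector=sel)}")
            print(f"selector {sel}: root B -> {tlsa_rdata(CERT_BY_ROOT_B, selector=sel)}")
        print("identical across issuers:", compare_selectors(CERT_BY_ROOT_A, CERT_BY_ROOT_B))
```

With no arguments the two "2 0 1" lines differ while the two "2 1 1" lines are identical, which is the whole argument for publishing "2 1 1": the issuer name and signature that a cross-signing root changes are outside the SPKI. The bytes that spki_of() returns are the same ones the usual command line produces for a real issuer certificate, `openssl x509 -in issuer.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256`, so the script can be used to cross-check a record generated that way.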
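The classification used in the stats post earlier on this page (correct TLSA records at every MX host, "partial" coverage of only a subset of the MX hosts, broken records that cause outages, and dead MX hosts that still need well-formed records) can be applied to one's own domain before the survey reports it as broken. The following Python linter is an added example, not the survey's own code. The MX hosts under example.test, the digest values and the DNSSEC-validation flags are constructed inputs standing in for what a validating resolver would return for `_25._tcp.<mx host>`; the record checks follow RFC 6698 field syntax and the RFC 7672 rule that PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP, and selector Cert(0) issuer records are flagged as fragile per the Let's Encrypt message above.

```python
"""Lint a domain's DANE SMTP coverage the way the survey above classifies it.

Added example; not the survey's own code.  Input is CONSTRUCTED inline: an
MX RRset plus the TLSA RRset returned for _25._tcp.<mx host> and whether that
answer was DNSSEC-validated.  Each record is checked for well-formedness and
SMTP usability, and the domain is classified as full / partial / none coverage.
"""
from dataclasses import dataclass, field

HEX = set("0123456789abcdefABCDEF")
DIGEST_HEX_LEN = {1: 64, 2: 128}   # SHA2-256 / SHA2-512 digests, in hex characters


@dataclass
class TlsaCheck:
    usable: bool
    problems: list = field(default_factory=list)   # record must not be relied on
    warnings: list = field(default_factory=list)   # usable, but operationally risky


def check_tlsa(rdata: str) -> TlsaCheck:
    """Check one TLSA record in presentation form ('usage selector mtype hexdata')."""
    parts = rdata.split()
    if len(parts) != 4 or not all(p.isdigit() for p in parts[:3]):
        return TlsaCheck(False, ["malformed RDATA, expected 'usage selector mtype data'"])
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = parts[3]
    chk = TlsaCheck(True)
    if usage not in (2, 3):
        chk.problems.append(f"usage {usage} is not usable for SMTP; publish DANE-TA(2) or DANE-EE(3)")
    if selector not in (0, 1):
        chk.problems.append(f"unknown selector {selector}")
    if mtype not in DIGEST_HEX_LEN:
        chk.problems.append(f"matching type {mtype} is not SHA2-256(1) or SHA2-512(2)")
    elif len(data) != DIGEST_HEX_LEN[mtype] or not set(data) <= HEX:
        chk.problems.append(f"matching type {mtype} needs {DIGEST_HEX_LEN[mtype]} hex chars, got {len(data)}")
    if usage == 2 and selector == 0:
        chk.warnings.append("issuer record with selector Cert(0) breaks on any re-issue or "
                            "cross-sign of the CA certificate; use '2 1 1'")
    chk.usable = not chk.problems
    return chk


@dataclass
class MxHost:
    name: str
    tlsa: list              # TLSA records answered for _25._tcp.<name>
    secure: bool = True     # that answer was DNSSEC-validated (AD bit set)


def classify_domain(mx_hosts: list) -> tuple:
    """Return (coverage, findings); coverage is 'full', 'partial' or 'none'.

    A host counts as covered only if it has at least one usable record from a
    validated answer.  Hosts that never accept connections are checked the same
    way: their records still have to exist and be well-formed.
    """
    findings, covered = [], 0
    for host in mx_hosts:
        usable = 0
        for rec in host.tlsa:
            chk = check_tlsa(rec)
            findings += [f"{host.name}: {rec[:12]}...: {m}" for m in chk.problems + chk.warnings]
            usable += chk.usable
        if host.tlsa and not host.secure:
            findings.append(f"{host.name}: TLSA RRset is not DNSSEC-validated, so it is ignored")
            usable = 0
        if usable:
            covered += 1
        else:
            findings.append(f"{host.name}: no usable TLSA records; an active attacker can target this MX")
    coverage = "full" if covered == len(mx_hosts) else "partial" if covered else "none"
    return coverage, findings


# Constructed sample data for example.test: three MX hosts, none of them real.
SAMPLE_DIGEST = "ab" * 32
SAMPLE_MX = [
    MxHost("mx1.example.test", [f"2 1 1 {SAMPLE_DIGEST}", f"3 1 1 {SAMPLE_DIGEST}"]),
    MxHost("mx2.example.test", [f"2 0 1 {SAMPLE_DIGEST}"]),                      # usable but fragile
    MxHost("mx3.example.test", [f"1 1 1 {SAMPLE_DIGEST}", "3 1 1 deadbeef"]),    # PKIX-EE + short digest
]


if __name__ == "__main__":
    coverage, findings = classify_domain(SAMPLE_MX)
    print("coverage:", coverage)
    for line in findings:
        print(" -", line)
```

On the sample data the domain comes out as "partial": mx1 and mx2 are covered, mx3 is not, and mx2 draws the Cert(0) warning. In a real check the `MxHost` inputs would be filled from the MX lookup and per-host TLSA lookups of a validating resolver, with `secure` taken from the AD bit; a record that is syntactically fine but does not match the certificate the host actually presents is the other failure mode the survey counts, and needs the TLS handshake, which is outside this lint.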