From ietf-dane at dukhovni.org Sat Feb 1 09:33:21 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sat, 1 Feb 2020 03:33:21 -0500
Subject: Update on stats 2020-01
Message-ID: <20200201083321.GO11496@straasha.imrryr.org>

Summary: The DANE domain count is now 1,815,489. The number of domains
that return DNSSEC-validated replies in response to MX queries is
10,778,108. Thus DANE TLSA is deployed on ~16.84% of domains with DNSSEC.

This month I'd like to welcome infomaniak.ch to the list of top 20 DANE
SMTP hosting providers. They're now in 5th place with >66k domains.
Also, domeneshop.no, one of the earliest entries on the list, have
crossed 100k entries for the first time this month.

Credits: The coverage of DNSSEC domains continues to improve with ongoing
data support from Paul Vixie of Farsight Security. Credits also due to
ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM,
.DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of
ccTLD signed delegations welcome.

As of today I count 1,815,489 domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the
bulk of the DANE domains are hosted by the DNS/email hosting providers
who've enabled DANE support for the customer domains they host. The top
20 MX host providers by domain count are below.

  1021399 one.com
   134322 transip.nl
   100062 domeneshop.no
    88088 loopia.se
    66415 infomaniak.ch
    37617 active24.com
    31413 vevida.com
    30081 antagonist.nl
    26687 web4u.cz
    24682 udmedia.de
    19815 zxcs.nl
    17317 bhosted.nl
    15387 flexfilter.nl
    13560 onebit.cz
     9169 protonmail.ch
     5854 netzone.ch
     5583 previder.nl
     4860 soverin.net
     4741 mailplatform.eu
     3771 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6099 TOTAL
  2042 DE, Germany
  1218 US, United States
   910 NL, Netherlands
   486 FR, France
   238 GB, United Kingdom
   202 CZ, Czechia
   128 CA, Canada
    82 CH, Switzerland
    76 SE, Sweden
    72 SG, Singapore
    67 DK, Denmark
    51 FI, Finland
    46 AT, Austria
    45 IE, Ireland
    42 JP, Japan
    40 AU, Australia
    34 PL, Poland
    28 BR, Brazil
    27 RU, Russia
    22 NO, Norway

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3133 TOTAL
  1287 DE, Germany
   534 US, United States
   470 NL, Netherlands
   266 FR, France
   106 CZ, Czechia
    99 GB, United Kingdom
    45 SE, Sweden
    33 AT, Austria
    31 SG, Singapore
    31 CA, Canada
    30 JP, Japan
    29 CH, Switzerland
    18 RU, Russia
    16 IE, Ireland
    16 DK, Denmark
    14 SI, Slovenia
    13 NO, Norway
    13 AU, Australia
    12 BR, Brazil
     9 FI, Finland

There are 5122 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.

The number of published MX host TLSA RRsets found is 7866. These cover
8799 distinct MX hosts (some MX hosts share the same TLSA records through
CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 310 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).
Of these, 155 are in recent (last 90 days of) reports:

  univie.ac.at             jpberlin.de            jasperalblas.nl
  gmx.at                   lrz.de                 mailplus.nl
  register.bg              mail.de                minbzk.nl
  nic.br                   posteo.de              mindef.nl
  registro.br              ruhr-uni-bochum.de     mm1.nl
  buymyweedonline.ca       tum.de                 ouderportaal.nl
  gmx.ch                   uni-erlangen.de        overheid.nl
  open.ch                  uni-muenchen.de        pathe.nl
  protonmail.ch            unitybox.de            photofacts.nl
  anubisnetworks.com       unitymedia.de          photofactsacademy.nl
  clubedominante.com       web.de                 politie.nl
  gmx.com                  egmontpublishing.dk    previder.nl
  habr.com                 netic.dk               rijksoverheid.nl
  hotelsinduitsland.com    star.dk                ru.nl
  ingthink.com             tilburguniversity.edu  rvo.nl
  kpn.com                  rediris.es             schoudercom.nl
  mail.com                 uv.es                  schuurman-schoenen.nl
  mammoetmail.com          komfortkasse.eu        ssonet.nl
  one.com                  web200.eu              truetickets.nl
  primexbt.com             zone.eu                uvt.nl
  protonmail.com           ac-strasbourg.fr       xs4all.nl
  societe.com              kangouroukids.fr       domeneshop.no
  solvinity.com            octopuce.fr            handelsbanken.no
  t-2.com                  web200.hu              uib.no
  telfort.com              comcast.net            webcruitermail.no
  trashmail.com            dns-oarc.net           atelkamera.nu
  xfinity.com              gmx.net                debian.org
  xfinityhomesecurity.com  habramail.net          freebsd.org
  xfinitymobile.com        hr-manager.net         gentoo.org
  active24.cz              inexio.net             ietf.org
  atlas.cz                 mpssec.net             isc.org
  centrum.cz               procurios.net          lazarus-ide.org
  cuni.cz                  riseup.net             mailbox.org
  itesco.cz                t-2.net                netbsd.org
  klubpevnehozdravi.cz     transip.net            openssl.org
  krypton.cz               vevida.net             ozlabs.org
  onebit.cz                xs4all.net             samba.org
  optimail.cz              belastingdienst.nl     torproject.org
  server4u.cz              bhosted.nl             whatpulse.org
  smtp.cz                  billybird.nl           moikrug.ru
  virusfree.cz             bluerail.nl            boplatssyd-automail.se
  volny.cz                 boozyshop.nl           handelsbanken.se
  web4u.cz                 corpoflow.nl           loopia.se
  bayern.de                denhaag.nl             minmyndighetspost.se
  bund.de                  dictu.nl               personligalmanacka.se
  elster.de                digid.nl               skatteverket.se
  fau.de                   ezorg.nl               theletter.se
  freenet.de               fontys.nl              govtrack.us
  gmx.de                   intermax.nl            ru.ac.za

Of the ~1.82 million domains, 4167 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 414.
Some of these have additional MX hosts that don't have broken TLSA
records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

  https://dane.sys4.de/common_mistakes
  https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1642. The top 13
name server operators with problem domains are:

  425 registrar-servers.com
  304 mijnhostingpartner.nl (varies between 200 and 500+)
   96 egensajt.se
   66 eurodns.com
   64 2is.nl
   63 movenext.nl
   50 ebola.cz
   45 metaregistrar.nl
   31 tiscomhosting.nl
   27 hostnet.nl
   25 infracom.nl
   22 cdmon.net
   20 sylconia.net

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Eight of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:

  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  flytoyourheart.com
  topdecorationworld.com
  mobily.com.sa
  sauditelecom.com.sa
  threadteaching.co.uk

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
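The "partial" and "incorrect TLSA records / no STARTTLS" counts above, and the well-formedness point in footnote [1], all come down to one per-MX-host check that a domain owner can run against their own records. The following is an added example, not code from the list post or its author: it builds TLSA association data from (constructed, stand-in) DER blobs, checks each RR for field-level well-formedness, matches it against what a host presents, and rolls the per-host verdicts up into the domain-level categories used in the post. Hostnames, certificate bytes and the chain/selector dictionary layout are all assumptions of this example; it does not query DNS or speak SMTP, and the PKIX validation that usages 0 and 1 additionally require is deliberately out of scope.

```python
# Added example (not from the list post): classify SMTP DANE TLSA coverage of a
# domain's MX hosts and check every TLSA RR for well-formedness and a match.
# All hostnames and "DER" byte strings below are constructed sample data.
import hashlib
from dataclasses import dataclass

# Digest length in bytes per TLSA matching type (RFC 6698 section 2.1.3);
# matching type 0 carries the full DER object, so no fixed length applies.
DIGEST_LEN = {0: None, 1: 32, 2: 64}
VALID_USAGES = {0, 1, 2, 3}      # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
VALID_SELECTORS = {0, 1}         # full certificate, SubjectPublicKeyInfo


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def association_data(mtype, der):
    """Certificate association data for a DER object under a matching type."""
    if mtype == 0:
        return der
    if mtype == 1:
        return hashlib.sha256(der).digest()
    if mtype == 2:
        return hashlib.sha512(der).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_for(usage, selector, mtype, chain_element):
    """The TLSA RR that publishes chain_element ({selector: DER bytes})."""
    return TLSA(usage, selector, mtype, association_data(mtype, chain_element[selector]))


def presentation(owner, rr):
    """Zone-file form of a TLSA RR, handy for diffing against what DNS serves."""
    return "%s. IN TLSA %d %d %d %s" % (owner, rr.usage, rr.selector, rr.mtype, rr.data.hex())


def well_formed(rr):
    """Field-level sanity: known usage, selector and matching type, and data of
    the length the matching type implies. A dead MX host's records (footnote
    [1]) need to satisfy only this."""
    if rr.usage not in VALID_USAGES or rr.selector not in VALID_SELECTORS:
        return False
    if rr.mtype not in DIGEST_LEN:
        return False
    expected = DIGEST_LEN[rr.mtype]
    return len(rr.data) > 0 if expected is None else len(rr.data) == expected


def matches(rr, chain):
    """Does rr match the presented chain (list of {selector: DER}, index 0 = the
    end-entity certificate)? Usages 1 and 3 must match the end-entity; usages
    0 and 2 may match any certificate in the chain (PKIX checks omitted)."""
    candidates = chain[:1] if rr.usage in (1, 3) else chain
    return any(association_data(rr.mtype, c[rr.selector]) == rr.data for c in candidates)


def classify_host(rrs, chain):
    """One MX host. chain is None when the host does not accept connections and
    [] when it accepts connections but does not advertise STARTTLS."""
    if not rrs:
        return "unprotected"                           # no TLSA: opportunistic TLS at best
    usable = [rr for rr in rrs if well_formed(rr)]
    if chain is None:
        return "covered" if usable else "broken"       # dead host: records need only exist
    if not chain:
        return "broken"                                # TLSA published, no STARTTLS offered
    return "covered" if any(matches(rr, chain) for rr in usable) else "broken"


def classify_domain(mx_hosts, tlsa_by_host, chain_by_host):
    """'full' when every MX host is covered, 'partial' when only some are,
    'broken' when any host publishes TLSA records that cannot be matched."""
    verdicts = [classify_host(tlsa_by_host.get(h, []), chain_by_host.get(h)) for h in mx_hosts]
    if "broken" in verdicts:
        return "broken"
    covered = verdicts.count("covered")
    if covered == len(mx_hosts):
        return "full"
    return "partial" if covered else "none"


# Constructed stand-ins for DER-encoded certificates and their SPKIs.
EE = {0: b"constructed EE certificate DER", 1: b"constructed EE SPKI DER"}
CA = {0: b"constructed issuer CA certificate DER", 1: b"constructed issuer CA SPKI DER"}
OLD_EE = {0: b"constructed expired EE certificate DER", 1: b"constructed expired EE SPKI DER"}

GOOD_RRS = [tlsa_for(3, 1, 1, EE), tlsa_for(2, 0, 1, CA)]   # "3 1 1" plus a "2 0 1" fallback
STALE_RRS = [tlsa_for(3, 1, 1, OLD_EE)]                     # key rotated, record never updated
MALFORMED = [TLSA(3, 1, 1, b"\x00" * 16)]                   # SHA-256 digest of the wrong length


def demo():
    hosts = ["mx1.example.net", "mx2.example.net", "mx-dead.example.net"]
    chains = {hosts[0]: [EE, CA], hosts[1]: [EE, CA], hosts[2]: None}
    return {
        "full": classify_domain(hosts, {h: GOOD_RRS for h in hosts}, chains),
        "partial": classify_domain(hosts, {hosts[0]: GOOD_RRS}, chains),
        "stale": classify_domain(hosts, {hosts[0]: STALE_RRS, hosts[1]: GOOD_RRS}, chains),
        "dead_malformed": classify_domain(hosts, {hosts[0]: GOOD_RRS, hosts[1]: GOOD_RRS, hosts[2]: MALFORMED}, chains),
        "no_starttls": classify_domain(hosts[:1], {hosts[0]: GOOD_RRS}, {hosts[0]: []}),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-15s %s" % (name, verdict))
    print(presentation("_25._tcp.mx1.example.net", GOOD_RRS[0]))
```

The "stale" case is the outage mode the post warns about: a rotated key with an un-updated "3 1 1" record leaves the host unmatchable, which a DANE-aware sender treats as a hard failure rather than falling back to cleartext, and publishing a "2 0 1" issuer record alongside it only helps if that issuer actually signs the new certificate. Feeding real data into this check means extracting the end-entity certificate and SPKI DER from the server's STARTTLS handshake and the RRset from a DNSSEC-validating resolver, neither of which this example does.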