From ietf-dane at dukhovni.org Wed Jul 1 07:13:25 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Wed, 1 Jul 2020 01:13:25 -0400
Subject: Update on stats 2020-06
Message-ID: <20200701051325.GG48007@straasha.imrryr.org>

Summary: The DANE domain count is now 1,929,893

The number of domains that return DNSSEC-validated replies in response
to MX queries is 11,728,469. Thus DANE TLSA is deployed on ~16.45% of
domains with DNSSEC.

DANE as a percentage of DNSSEC domains is dropping recently, because
growth in DNSSEC adoption has started to outpace growth in DANE
adoption. This is a good problem to have; deploy even more DNSSEC,
please! At this rate, I am anticipating ~13 million signed domains by
the end of 2020, but a surprise large-scale deployment would be even
better.

Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits are
also due to ICANN for gTLD data via CZDS, and to the TLD registries for
.CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations are welcome.

As of today I count 1,929,893 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections [1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.

    1038314 one.com
     140578 transip.nl
     101181 domeneshop.no
      89447 loopia.se
      80663 infomaniak.ch
      41035 webreus.nl
      39255 active24.com
      32282 antagonist.nl
      30793 vevida.com
      28642 zxcs.nl
      26840 web4u.cz
      25353 udmedia.de
      17599 bhosted.nl
      15003 flexfilter.nl
      14114 onebit.cz
      11144 protonmail.ch
       6432 zonemx.eu
       5926 soverin.net
       5790 netzone.ch
       5590 previder.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

    6728 TOTAL
    2147 DE, Germany
    1336 US, United States
    1008 NL, Netherlands
     576 FR, France
     283 GB, United Kingdom
     226 CZ, Czechia
     153 CA, Canada
     102 SG, Singapore
      93 CH, Switzerland
      84 FI, Finland
      82 SE, Sweden
      70 DK, Denmark
      51 AU, Australia
      48 AT, Austria
      42 IE, Ireland
      35 BR, Brazil
      32 IN, India
      30 JP, Japan
      28 RU, Russia
      26 PL, Poland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

    3458 TOTAL
    1426 DE, Germany
     565 US, United States
     521 NL, Netherlands
     274 FR, France
     125 CZ, Czechia
     105 GB, United Kingdom
      46 RU, Russia
      42 CH, Switzerland
      40 SG, Singapore
      40 CA, Canada
      36 SE, Sweden
      32 AT, Austria
      20 AU, Australia
      16 JP, Japan
      16 IE, Ireland
      14 NO, Norway
      14 DK, Denmark
      13 ID, Indonesia
      12 FI, Finland
      11 BR, Brazil

There are 5760 unique zones in which the underlying MX hosts are found.
This counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.

The number of published MX host TLSA RRsets found is 8056. These cover
9041 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 353 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).
Of these, 172 are in recent (last 90 days of) reports.
Of the ~1.93 million domains, 5387 have "partial" TLSA records that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 806. Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

  https://dane.sys4.de/common_mistakes
  https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093. The top 16
name server operators with problem domains are:

    379 registrar-servers.com - NameCheap, no ETA... :-(
    366 axc.nl - Usually fixed promptly, not this month
     86 ebola.cz
     71 movenext.nl
     36 cdmon.net
     31 flevohost.nl
     29 tiscomhosting.nl
     28 hostnet.nl
     24 nrdns.nl
     23 eatserver.nl
     22 metaregistrar.nl
     22 infracom.nl
     20 epik.com
     17 vandersalm-it.nl
     15 is.nl
     12 sylconia.net

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt01.gov.br
    trtrio.gov.br
    trt1.jus.br
    trtrj.jus.br
    bncr.fi.cr
    mobily.com.sa
    sauditelecom.com.sa

-- 
    Viktor.

[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email). However, provided
    the dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed), there's no loss of
    security.

From pmenzel+dane-users at molgen.mpg.de Wed Jul 1 08:01:37 2020
From: pmenzel+dane-users at molgen.mpg.de (Paul Menzel)
Date: Wed, 1 Jul 2020 08:01:37 +0200
Subject: Pilot phase for DNSSEC/DANE for DFN with dfnsec.de in August 2020
Message-ID: <45fc78bd-f955-23de-5f35-9daad67f9ecf@molgen.mpg.de>

Dear DANE users,

I would like to inform you that, after several years of waiting, the
Deutsche Forschungsnetz will finally offer a solution for using their
mail support with DNSSEC/DANE [1]. For whatever reason, they do not want
to fiddle/test with dfn.de, and, therefore, are going to introduce the
new domain dfnsec.de first.

The pilot phase is going to be from August 3rd to 31st, and they are
introducing faulty entries on Tuesday and Thursday from 10:00 to 14:00.
Kind regards,

Paul

[1]: https://www.mailsupport.dfn.de/dokumentation/komponenten/dns/dnssec/pilotphase

From ietf-dane at dukhovni.org Wed Jul 1 08:27:36 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Wed, 1 Jul 2020 04:27:36 -0200
Subject: Pilot phase for DNSSEC/DANE for DFN with dfnsec.de in August 2020
In-Reply-To: <45fc78bd-f955-23de-5f35-9daad67f9ecf@molgen.mpg.de>
References: <45fc78bd-f955-23de-5f35-9daad67f9ecf@molgen.mpg.de>
Message-ID: <010AEB9E-FB57-4C7E-8218-D14E0AC5D8B8@dukhovni.org>

> On Jul 1, 2020, at 4:01 AM, Paul Menzel wrote:
>
> I would like to inform you that, after several years of waiting, the
> Deutsche Forschungsnetz will finally offer a solution for using their
> mail support with DNSSEC/DANE [1]. For whatever reason, they do not
> want to fiddle/test with dfn.de, and, therefore, are going to
> introduce the new domain dfnsec.de first.
>
> The pilot phase is going to be from August 3rd to 31st, and they are
> introducing faulty entries on Tuesday and Thursday from 10:00 to
> 14:00.

I take this to mean that dfn.de is planning to have DNSSEC-signed MX
hosts with TLSA RRs under a new dfnsec.de domain. That's good news,
thanks!

In terms of candidate DNSSEC-signed domains currently using dfn.de MX
hosts, that could/should consider switching to dfnsec.de, I currently
find the following 33 in the DNSSEC/DANE survey dataset:

    ainin.de beperfekt.de carissma.eu cmbb-fcmh.de
    fachhochschule-neu-ulm.de fh-ingolstadt.de haw-ingolstadt.de
    hnu.de hs-ab.de ifw-dresden.de ifw-dresden.eu inp-greifswald.de
    ipk-gatersleben.de khu-hessen.de ku.de litdok.de
    magnetoresistance.de magnetwiderstand.de mdc-berlin.de mpg.de
    mythi.de pidconsortium.net profit-hpc.de project-day.de qcnp.org
    robdream.eu spinlogik.de superconductivity.de thi.de th-owl.de
    tu.berlin ugoe.de unigottingen.de

It would be nice to see some of these join the pilot.

-- 
    Viktor.
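An added example in Python, not code from Viktor's survey or from any poster in this thread: it parses TLSA records in presentation format, flags the pitfalls behind the links in the stats post above (PKIX usages, '3 0 x' records under automated renewal), and classifies a domain's MX coverage the way that post counts full, partial and broken domains. The host names and digests in the sample are constructed placeholders.

```python
# Added example (not the survey's own code): classify TLSA RRsets like the survey does; offline, sample data is constructed.
import re
DIGEST_HEX_LEN = {1: 64, 2: 128}   # hex length of a SHA2-256 / SHA2-512 digest

def parse_tlsa(rdata):
    """Parse 'usage selector mtype hexdata' (TLSA presentation format)."""
    parts = rdata.split(None, 3)
    if len(parts) != 4:
        raise ValueError("TLSA record needs four fields: %r" % rdata)
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = re.sub(r"\s+", "", parts[3]).lower()
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown usage/selector/matching type in %r" % rdata)
    if not re.fullmatch(r"[0-9a-f]+", data) or len(data) % 2:
        raise ValueError("association data is not hex: %r" % rdata)
    if mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        raise ValueError("digest length wrong for matching type %d: %r" % (mtype, rdata))
    return usage, selector, mtype, data

def rrset_warnings(rrset):
    """Operational pitfalls for one MX host's parsed RRset (see the links in the stats post)."""
    notes = []
    for usage, selector, mtype, _ in rrset:
        if usage in (0, 1):
            notes.append("usage %d (PKIX-*) is unusable for DANE SMTP; use 2 or 3" % usage)
        if usage == 3 and selector == 0:
            notes.append("'3 0 x' hashes the whole cert and breaks at every automated renewal; prefer '3 1 1' with a stable key")
    return notes

def classify_domain(mx_tlsa):
    """Return (status, notes) for {mx_host: [tlsa rdata]}: 'broken', 'full', 'partial' or 'none'."""
    covered, notes = 0, {}
    for host, records in mx_tlsa.items():
        try:
            parsed = [parse_tlsa(r) for r in records]
        except ValueError as err:
            return "broken", {host: [str(err)]}   # malformed RRset: the survey's "incorrect" bucket
        if parsed:
            covered += 1
            notes[host] = rrset_warnings(parsed)
    status = "none" if not covered else "full" if covered == len(mx_tlsa) else "partial"
    return status, notes

# Constructed sample: hostnames are placeholders and the digests are made-up hex.
SAMPLE = {
    "mx1.example.test": ["3 1 1 " + "ab" * 32, "2 1 1 " + "cd" * 32],  # current key + issuer fallback
    "mx2.example.test": ["3 0 1 " + "ef" * 32],  # fragile under automated renewal
    "mx3.example.test": [],                      # no TLSA RRset at all: "partial" coverage
}
```

Running `classify_domain(SAMPLE)` yields "partial" with a renewal warning on mx2; feeding it a live domain's MX hosts and their TLSA RRsets (looked up with a validating resolver) turns it into the monitoring check the stats post asks operators to run.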
From pmenzel+dane-users at molgen.mpg.de Wed Jul 1 13:16:06 2020
From: pmenzel+dane-users at molgen.mpg.de (Paul Menzel)
Date: Wed, 1 Jul 2020 13:16:06 +0200
Subject: Pilot phase for DNSSEC/DANE for DFN with dfnsec.de in August 2020
In-Reply-To: <010AEB9E-FB57-4C7E-8218-D14E0AC5D8B8@dukhovni.org>
References: <45fc78bd-f955-23de-5f35-9daad67f9ecf@molgen.mpg.de>
 <010AEB9E-FB57-4C7E-8218-D14E0AC5D8B8@dukhovni.org>
Message-ID: <7125968e-17d2-1b42-000d-8733f296babe@molgen.mpg.de>

Dear Viktor,

On 01.07.20 at 08:27, Viktor Dukhovni wrote:

>> On Jul 1, 2020, at 4:01 AM, Paul Menzel wrote:
>>
>> I would like to inform you that, after several years of waiting, the
>> Deutsche Forschungsnetz will finally offer a solution for using their
>> mail support with DNSSEC/DANE [1]. For whatever reason, they do not
>> want to fiddle/test with dfn.de, and, therefore, are going to
>> introduce the new domain dfnsec.de first.
>>
>> The pilot phase is going to be from August 3rd to 31st, and they
>> are introducing faulty entries on Tuesday and Thursday from 10:00
>> to 14:00.
>
> I take this to mean that dfn.de is planning to have DNSSEC-signed MX
> hosts with TLSA RRs under a new dfnsec.de domain. That's good news,
> thanks!

Yes, it is meant as opt-in.

> In terms of candidate DNSSEC-signed domains currently using dfn.de MX
> hosts, that could/should consider switching to dfnsec.de, I currently
> find the following 33 in the DNSSEC/DANE survey dataset:

[...]

A lot of the subdomains of mpg.de use the DFN-MailSupport separately,
and from those, to my knowledge, only us, molgen.mpg.de, have set up
DNSSEC. (The other few DNSSEC users do *not* use the DFN-MailSupport,
for example mpifr-bonn.mpg.de.)

> It would be nice to see some of these join the pilot.

Yes, we will see. At least after the pilot phase, hopefully, the
current DNSSEC users will set up DANE.

Kind regards,

Paul