From ietf-dane at dukhovni.org Mon Jun 1 04:57:27 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sun, 31 May 2020 22:57:27 -0400
Subject: Update on stats 2020-05
Message-ID: <20200601025727.GE48007@straasha.imrryr.org>

Summary: The DANE domain count is now 1,915,922. The number of domains that
return DNSSEC-validated replies in response to MX queries is 11,527,814.
Thus DANE TLSA is deployed on ~16.61% of domains with DNSSEC.

Credits: The coverage of DNSSEC domains continues to improve with ongoing
data support from Paul Vixie of Farsight Security. Credits also due to
ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM,
.DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of
ccTLD signed delegations welcome.

As of today I count 1,915,922 domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the
bulk of the DANE domains are hosted by the DNS/email hosting providers
who've enabled DANE support for the customer domains they host. The top
20 MX host providers by domain count are below.

  1037280 one.com
   139399 transip.nl
   100897 domeneshop.no
    89161 loopia.se
    78214 infomaniak.ch
    38950 active24.com
    35233 webreus.nl
    31605 antagonist.nl
    30879 vevida.com
    28311 zxcs.nl
    26922 web4u.cz
    25215 udmedia.de
    17576 bhosted.nl
    14932 flexfilter.nl
    14026 onebit.cz
    10759 protonmail.ch
     6048 zonemx.eu
     5785 netzone.ch
     5780 soverin.net
     5580 previder.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
   6637 TOTAL
   2140 DE, Germany
   1312 US, United States
    991 NL, Netherlands
    563 FR, France
    273 GB, United Kingdom
    225 CZ, Czechia
    156 CA, Canada
     96 SG, Singapore
     88 CH, Switzerland
     80 SE, Sweden
     77 FI, Finland
     68 DK, Denmark
     54 AU, Australia
     46 AT, Austria
     45 IE, Ireland
     35 BR, Brazil
     34 IN, India
     30 RU, Russia
     30 PL, Poland
     27 JP, Japan

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

   3386 TOTAL
   1407 DE, Germany
    545 US, United States
    518 NL, Netherlands
    263 FR, France
    120 CZ, Czechia
    108 GB, United Kingdom
     42 CA, Canada
     41 CH, Switzerland
     39 SG, Singapore
     35 SE, Sweden
     31 RU, Russia
     31 AT, Austria
     19 IE, Ireland
     19 AU, Australia
     16 JP, Japan
     15 DK, Denmark
     12 NO, Norway
     12 ID, Indonesia
     12 FI, Finland
     11 BR, Brazil

There are 5649 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.

The number of published MX host TLSA RRsets found is 7879. These cover
8848 distinct MX hosts (some MX hosts share the same TLSA records through
CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 353 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).
Of these, 184 are in recent (last 90 days of) reports.

Of the ~1.92 million domains, 5001 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 528. Some of these have additional MX hosts that don't have
broken TLSA records, so mail can still arrive via the remaining MX
hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

  https://dane.sys4.de/common_mistakes
  https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093.
The top 13 name server operators with problem domains are:

    344 registrar-servers.com
     81 ebola.cz
     72 movenext.nl
     38 cdmon.net
     33 flevohost.nl
     30 tiscomhosting.nl
     28 hostnet.nl
     23 nrdns.nl
     22 infracom.nl
     19 metaregistrar.nl
     18 eatserver.nl
     17 epik.com
     16 is.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  bncr.fi.cr
  mobily.com.sa
  sauditelecom.com.sa

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email). However, provided the
    dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed) there's no loss of
    security.


From andreas.schulze at datev.de Wed Jun 24 11:14:06 2020
From: andreas.schulze at datev.de (A. Schulze)
Date: Wed, 24 Jun 2020 11:14:06 +0200
Subject: dane.sys4.de
Message-ID: <381a8d3e-bdf2-ec2b-af69-ec7a150eda9e@datev.de>

Hello,

first, thanks for the service!
second my question: is there an API that allows me easier integration in
automated monitoring?

Andreas


From p at sys4.de Wed Jun 24 11:39:24 2020
From: p at sys4.de (Patrick Ben Koetter)
Date: Wed, 24 Jun 2020 11:39:24 +0200
Subject: dane.sys4.de
In-Reply-To: <381a8d3e-bdf2-ec2b-af69-ec7a150eda9e@datev.de>
References: <381a8d3e-bdf2-ec2b-af69-ec7a150eda9e@datev.de>
Message-ID: <20200624093924.pvgjf2ingqnl2reh@sys4.de>

Hi Andreas,

* A. Schulze :
> Hello,
>
> first, thanks for the service!
> second my question: is there an API that allows me easier integration in
> automated monitoring?
I'm glad you mention this, because this is something I've been thinking
about many times when I thought about $THINGS we can do to improve
dane.sys4.de. Besides some obvious improvements on the web interface etc.
a "monitoring and alarming service" has been on the roadmap and Viktor
and I discussed this a few times.

I can come up with some service features and processes, but given the
fact that you, and hopefully others too, are interested in such a service
I'd rather listen to your needs and see if we can fit them into "a yet to
be built" service.

So please feel free to let us know what you think the service should
deliver to you. What makes it useful?

p at rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Board of directors: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
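Viktor's advice above to monitor the validity of your own TLSA records, and Andreas's question about automated monitoring, come down to the same core check. The following is an added example, not code from this thread or from dane.sys4.de: it builds and verifies TLSA association data, lints the parameter choices the linked references warn about, and sorts a domain into the full/partial/broken categories used in the stats report. The DER certificate and SPKI bytes it is fed are constructed placeholders; a real checker takes them from the MX host's STARTTLS handshake and reads the TLSA RRset through a DNSSEC-validating resolver.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact data, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 <hex>'; the hex may be split by spaces."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def _assoc_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """Apply selector and matching type to a certificate (DER) and its SPKI (DER)."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](selected).digest()

def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation form to publish for this certificate (what a rotation script emits)."""
    return "%d %d %d %s" % (usage, selector, mtype, _assoc_data(selector, mtype, cert_der, spki_der).hex())

def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """True if the record matches the given certificate: the leaf for usage 3, or, for
    usage 2, each issuer certificate in the chain presented by the MX host in turn."""
    return rr.data == _assoc_data(rr.selector, rr.mtype, cert_der, spki_der)

def lint_tlsa(rr: TLSA) -> list:
    """Flag parameter choices the references linked in the thread advise against."""
    problems = []
    if rr.usage in (0, 1):
        problems.append("usage %d (PKIX-TA/PKIX-EE) is not used for SMTP; publish 3 or 2" % rr.usage)
    if rr.mtype == 0:
        problems.append("matching type 0 (full data) is discouraged; publish a SHA-256 digest")
    if rr.usage == 3 and rr.selector == 0:
        problems.append("'3 0 x' changes at every certificate renewal; prefer '3 1 1'")
    return problems

def classify_domain(per_mx: dict) -> str:
    """per_mx: MX host -> None (no TLSA RRset), True (verified), False (published but failing)."""
    states = set(per_mx.values())
    if False in states:
        return "broken"   # among the 528 domains with incorrect TLSA records
    if states == {True}:
        return "full"
    return "partial" if True in states else "none"
```

Feed `tlsa_matches` the certificate actually offered on port 25 after STARTTLS, not one read from disk, so that a deployed-but-unrotated record shows up as "broken" the way it would in the report.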