From ietf-dane at dukhovni.org Sun Nov 1 03:36:58 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sat, 31 Oct 2020 22:36:58 -0400
Subject: Update on stats 2020-10
Message-ID: <20201101023658.GH1459@straasha.imrryr.org>

Summary:

The DANE domain count is now 2,312,209. The number of domains that return
DNSSEC-validated replies in response to MX queries is 12,951,015. Thus DANE
TLSA is deployed on ~17.85% of domains with DNSSEC.

Please be mindful of the upcoming Let's Encrypt Issuer CA switch from X3/X4
to R3/R4 and E1/E2. See:

    http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data
support from Paul Vixie of Farsight Security. Credits also due to ICANN
for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK,
.FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.

As of today I count 2,312,209 domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the
bulk of the DANE domains are hosted by the DNS/email hosting providers
who've enabled DANE support for the customer domains they host. The top
20 MX host providers by domain count are below.
        This month                          Last Month
        ----------                          ----------
     1,135,322 one.com                   1,135,621 one.com
       147,497 argewebhosting.nl           148,737 argewebhosting.nl
       144,505 transip.nl                  143,441 transip.nl
       102,517 domeneshop.no               102,226 domeneshop.no
        91,246 loopia.se                    90,725 loopia.se
        90,381 infomaniak.ch                87,624 infomaniak.ch
        65,843 forpsi.com                   65,609 forpsi.com
        41,983 webreus.nl                   42,657 webreus.nl
        40,816 pcextreme.nl                 41,291 pcextreme.nl
        40,094 active24.com                 39,806 active24.com
        34,527 antagonist.nl                33,919 antagonist.nl
        30,427 vevida.com                   30,527 vevida.com
        29,638 zxcs.nl                      29,222 zxcs.nl
        26,515 web4u.cz                     26,601 web4u.cz
        25,522 udmedia.de                   25,494 udmedia.de
        18,409 bhosted.nl                   18,283 bhosted.nl
        14,660 flexfilter.nl                14,784 flexfilter.nl
        14,272 onebit.cz                    14,256 onebit.cz
        13,133 protonmail.ch                12,646 protonmail.ch
         8,151 zonemx.eu                     7,678 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
        This month                          Last Month
        ----------                          ----------
        7347 TOTAL                          7177 TOTAL
        2332 DE, Germany                    2307 DE, Germany
        1439 US, United States              1435 US, United States
        1175 NL, Netherlands                1089 NL, Netherlands
         602 FR, France                      596 FR, France
         289 GB, United Kingdom              292 GB, United Kingdom
         233 CZ, Czechia                     226 CZ, Czechia
         170 CA, Canada                      161 CA, Canada
         112 FI, Finland                     107 SG, Singapore
         108 SG, Singapore                    97 CH, Switzerland
         102 CH, Switzerland                  94 FI, Finland
          90 SE, Sweden                       89 SE, Sweden
          76 DK, Denmark                      76 DK, Denmark
          56 AU, Australia                    59 AU, Australia
          50 AT, Austria                      51 AT, Austria
          46 IE, Ireland                      45 IE, Ireland
          39 IN, India                        37 RU, Russia
          37 JP, Japan                        36 BR, Brazil
          36 BR, Brazil                       34 PL, Poland
          35 RU, Russia                       34 JP, Japan
          34 PL, Poland                       34 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

        This Month                          Last month
        ----------                          ----------
        3786 TOTAL                          3659 TOTAL
        1549 DE, Germany                    1520 DE, Germany
         628 NL, Netherlands                 631 US, United States
         595 US, United States               574 NL, Netherlands
         280 FR, France                      264 FR, France
         139 CZ, Czechia                     135 CZ, Czechia
         113 GB, United Kingdom              111 GB, United Kingdom
          49 RU, Russia                       46 CH, Switzerland
          49 CH, Switzerland                  39 SG, Singapore
          43 CA, Canada                       39 CA, Canada
          38 SG, Singapore                    37 SE, Sweden
          36 SE, Sweden                       36 AT, Austria
          32 AT, Austria                      20 AU, Australia
          21 IE, Ireland                      19 RU, Russia
          20 JP, Japan                        19 JP, Japan
          16 NO, Norway                       16 FI, Finland
          16 FI, Finland                      15 NO, Norway
          16 DK, Denmark                      15 DK, Denmark
          16 AU, Australia                    12 IE, Ireland
          14 LV, Latvia                       12 BR, Brazil
          14 BR, Brazil                       10 PL, Poland

There are 6457 (6220 last month) unique zones in which the underlying MX
hosts are found; this counts each of the above providers as just one
zone, so it is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 9618 (9296 last
month). These cover 10622 (10309 last month) distinct MX hosts (some MX
hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 389 (395 last month; this is my ad-hoc
criterion for a domain being a large-enough, actively used email
domain). Of these, 190 (193 last month) are in recent (last 90 days of)
reports:

    univie.ac.at               gmx.de                     mailplus.nl
    gmx.at                     jpberlin.de                markteffectmail.nl
    tjek.be                    lrz.de                     minbuza.nl
    triodos.be                 mail.de                    minbzk.nl
    clubedohardware.com.br     mailserver4.de             mindef.nl
    nic.br                     mensa.de                   mkbbelangen.nl
    registro.br                mpg.de                     mm1.nl
    gmx.ch                     posteo.de                  ns.nl
    hostpoint.ch               ruhr-uni-bochum.de         ouderportaal.nl
    infomaniak.ch              tum.de                     overheid.nl
    open.ch                    uni-erlangen.de            parlement.nl
    protonmail.ch              uni-muenchen.de            pathe.nl
    switch.ch                  unitybox.de                politie.nl
    altospam.com               unitymedia.de              previder.nl
    clubedominante.com         web.de                     rijksoverheid.nl
    coosto.com                 westlotto.de               ru.nl
    fmc-na.com                 dk-hostmaster.dk           rvo.nl
    gmx.com                    egmontpublishing.dk        sans-mail.nl
    habr.com                   netic.dk                   schoudercom.nl
    hotelsinduitsland.com      powerhosting.dk            schuurman-schoenen.nl
    infomaniak.com             star.dk                    sportfondsen.nl
    ingthink.com               tilburguniversity.edu      sportrusten.nl
    kpn.com                    just.ee                    ssonet.nl
    leszexpertsfle.com         rediris.es                 triodos.nl
    mail.com                   triodos.es                 truetickets.nl
    mammoetmail.com            uv.es                      tweedekamer.nl
    one.com                    inetadmin.eu               uitgeverijpica.nl
    orverkiezing.com           zone.eu                    utwente.nl
    ppcpcv.com                 zonevs.eu                  uvt.nl
    protonmail.com             ac-strasbourg.fr           vu.nl
    protonvpn.com              compagnie-des-sens.fr      wise-guys.nl
    solvinity.com              kangouroukids.fr           xs4all.nl
    t-2.com                    fidesz.hu                  zorgmail.nl
    telfort.com                mszp.hu                    domeneshop.no
    thalesgroup.com            comcast.net                handelsbanken.no
    triodos.com                gmx.net                    uib.no
    vitstore.com               habramail.net              atelkamera.nu
    xfinity.com                hr-manager.net             goget.nu
    xfinityhomesecurity.com    inexio.net                 debian.org
    xfinitymobile.com          mpssec.net                 freebsd.org
    active24.cz                procurios.net              gentoo.org
    akce-incomputer.cz         ripe.net                   ietf.org
    amenit.cz                  riseup.net                 isc.org
    atlas.cz                   t-2.net                    mailbox.org
    centrum.cz                 transip.net                mailop.org
    cuni.cz                    xs4all.net                 netbsd.org
    itesco.cz                  amsterdam.nl               openssl.org
    klenotyaurum.cz            awcloud.nl                 ozlabs.org
    klubpevnehozdravi.cz       belastingdienst.nl         samba.org
    krypton.cz                 bhosted.nl                 torproject.org
    onebit.cz                  bluerail.nl                whatpulse.org
    optimail.cz                boekwinkeltjes.nl          asf.com.pt
    poptavej.cz                boozyshop.nl               boplatssyd-automail.se
    reserved.cz                burgernet.nl               handelsbanken.se
    smtp.cz                    corpoflow.nl               loopia.se
    vas-server.cz              dictu.nl                   minmyndighetspost.se
    virusfree.cz               digid.nl                   personligalmanacka.se
    volny.cz                   duo.nl                     skatteverket.se
    bayern.de                  ezorg.nl                   theletter.se
    bund.de                    gerryweber.nl              kadernickyservis.sk
    dfn.de                     hr.nl                      triodos.co.uk
    elster.de                  hro.nl                     govtrack.us
    fau.de                     interim-netwerk.nl         ru.ac.za
    freenet.de

Of the ~2.3 million domains, 13253 (13780 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 771 (706 last month). Some of these have additional MX hosts that
don't have broken TLSA records, so mail can still arrive via the
remaining MX hosts. To avoid email outages, please make sure to monitor
the validity of your own TLSA records, and implement a reliable key
rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1431 (1331 last
month). The top 15 name server operators with problem domains are:

        This Month                          Last month
        ----------                          ----------
         412 registrar-servers.com           372 axc.nl
         385 axc.nl                          361 registrar-servers.com
         107 movenext.nl                     100 movenext.nl
          85 ebola.cz                         85 ebola.cz
          25 tiscomhosting.nl                 25 tiscomhosting.nl
          25 eatserver.nl                     25 eatserver.nl
          20 epik.com                         24 metaregistrar.nl
          18 metaregistrar.nl                 18 infracom.nl
          18 infracom.nl                      15 cloudflare.com
          14 cloudflare.com                   12 nrdns.nl
          12 ns01.nl                          11 iterik.nu
          12 nrdns.nl                         11 epik.com
          11 sylconia.net                     10 sylconia.net
          11 iterik.nu                        10 mobi-net.ch
          10 mobi-net.ch                       9 openprovider.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Seven of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt1.jus.br
    trtrj.jus.br
    accenturealumni.com
    bncr.fi.cr
    ofda.gov
    mobily.com.sa
    sauditelecom.com.sa

--
    Viktor.

[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email).
    However, provided the dead hosts still have TLSA records (which
    don't need to match anything, just need to exist and be well-formed)
    there's no loss of security.

From km at krot.org Wed Nov 25 12:52:01 2020
From: km at krot.org (Kirill Miazine)
Date: Wed, 25 Nov 2020 12:52:01 +0100
Subject: DANE-TA TLSA records for LE and Buypass Go
Message-ID:

Hi, dane-users

I'd like to share that a couple of months ago I set up tlsa.is to host
always up-to-date TLSA records for Let's Encrypt and Buypass Go. The
records are generated automatically. At the time of writing they look as
follows:

    ; Let's Encrypt (https://letsencrypt.org/certificates/)
    _letsencrypt    TLSA 2 1 1 60b87575447dcba2a36b7d11ac09fb24a9db406fee12d2cc90180517616e8a18
                    TLSA 2 1 1 8d02536c887482bc34ff54e41d2ba659bf85b341a0a20afadb5813dcfbcf286d
                    TLSA 2 1 1 276fe8a8c4ec7611565bf9fce6dcace9be320c1b5bea27596b2204071ed04f10
                    TLSA 2 1 1 b111dd8a1c2091a89bd4fd60c57f0716cce50feeff8137cdbee0326e02cf362b
                    TLSA 2 1 1 e5545e211347241891c554a03934cde9b749664a59d26d615fe58f77990f2d03
                    TLSA 2 1 1 bd936e72b212ef6f773102c6b77d38f94297322efc25396bc3279422e0c89270
    *._letsencrypt  CNAME _letsencrypt

    ; Buypass (https://www.buypass.com/security/buypass-root-certificates)
    _buypass-go     TLSA 2 1 1 42519999c31433a6bcf82c4bd9399301fa180a6f9f5c0a2e033cca602c46a2cb
    *._buypass-go   CNAME _buypass-go

Using the records is easy:

    ; Using CNAME for a single service
    _25._tcp.mail   IN CNAME _letsencrypt.tlsa.is.

    ; Using DNAME for all services
    _tcp.mail6      IN DNAME _letsencrypt.tlsa.is.

More details -- and the code behind this for local deployments -- are all
available at https://tlsa.is/.

I've set up automatic monitoring of the web pages where signing details
are published and intend to keep this running, but any use is at your
own risk.

Please let me know if you have discovered an error, or if some TLSA
records for the supported authorities should be added, deleted or
updated.

Best
Kirill

--
Kirill Miazine
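Neither message carries code for the two checks they rely on: computing the association data that goes into a TLSA record, and matching a server's certificate chain against a published RRset. The block below is an added example written for this page; it is not code from either post, from tlsa.is, or from any MTA. It builds the data for the record forms used above ("2 1 1" for an issuer, as in the tlsa.is zone; "3 1 1" for an MX host's own key) and runs the matching step over a presented chain. To stay offline and dependency-free it contains a tiny DER encoder/decoder and constructs its own X.509 skeletons (the RSA/SHA-256 OIDs are the real ones, the key bits, serial numbers and signature bytes are filler); `demo`, the scenario names and the owner name `_25._tcp.mail` are assumptions of this example. It shows the two points the thread makes: a "3 1 1" record keeps matching across a renewal that reuses the key while a "3 0 1" record over the full certificate stops matching (the reason the linked Let's Encrypt thread warns against 3 0 x with short-lived certificates), and a DANE-TA digest record only matches when the server actually sends the issuer certificate in its chain.

```python
import hashlib

# Minimal DER helpers: just enough ASN.1 to locate subjectPublicKeyInfo.
def _read_tlv(buf, pos):
    """Parse the DER TLV at buf[pos]; return (tag, tlv_start, value_start, value_end)."""
    tag, length, vstart = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, vstart = int.from_bytes(buf[vstart:vstart + n], "big"), vstart + n
    return tag, pos, vstart, vstart + length

def _children(buf, vstart, vend):
    """Yield the TLVs directly inside a constructed element."""
    pos = vstart
    while pos < vend:
        tlv = _read_tlv(buf, pos)
        yield tlv
        pos = tlv[3]

def _der(tag, *parts):
    """Encode one DER TLV (used only to build the constructed sample certs)."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lenbytes = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lenbytes)]) + lenbytes + body

def spki_der(cert_der):
    """DER of the certificate's subjectPublicKeyInfo (RFC 5280 tbsCertificate:
    serial, sigalg, issuer, validity, subject, SPKI, after the optional [0] version)."""
    _, _, cert_vstart, _ = _read_tlv(cert_der, 0)                   # Certificate
    _, _, tbs_vstart, tbs_vend = _read_tlv(cert_der, cert_vstart)   # tbsCertificate
    fields = list(_children(cert_der, tbs_vstart, tbs_vend))
    if fields[0][0] == 0xA0:                                        # [0] EXPLICIT version
        fields = fields[1:]
    tag, tlv_start, _, vend = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[tlv_start:vend]

# TLSA association data and matching (RFC 6698 / RFC 7671 / RFC 7672).
def tlsa_data(cert_der, selector, mtype):
    """selector 0 = full cert, 1 = SPKI; mtype 0 = exact, 1 = SHA2-256, 2 = SHA2-512."""
    data = cert_der if selector == 0 else spki_der(cert_der)
    if mtype == 0:
        return data.hex()
    if mtype in (1, 2):
        return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).hexdigest()
    raise ValueError("unknown matching type")

def tlsa_record(cert_der, usage, selector, mtype):
    """The (usage, selector, mtype, data) tuple an operator publishes."""
    return (usage, selector, mtype, tlsa_data(cert_der, selector, mtype))

def chain_matches(rrset, chain):
    """True if the presented chain (chain[0] is the leaf) satisfies some record.
    Only the TLSA matching step is done: a real MTA also verifies, for DANE-TA(2),
    that the leaf chains by signature to the matched anchor (needs a crypto
    library, out of scope here).  PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP
    (RFC 7672) and are skipped."""
    for usage, selector, mtype, data in rrset:
        if usage == 3:                 # DANE-EE: only the leaf counts
            candidates = chain[:1]
        elif usage == 2:               # DANE-TA: an issuer cert the server sent;
            candidates = chain[1:]     # RFC 7671 s5.2.2: digest records need the TA in the chain
        else:
            continue
        if any(tlsa_data(c, selector, mtype) == data for c in candidates):
            return True
    return False

# Constructed sample data: structurally valid X.509 skeletons, not real keys/signatures.
_RSA_OID = _der(0x06, bytes.fromhex("2a864886f70d010101"))      # rsaEncryption
_SHA256_RSA = _der(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSAEncryption

def fake_spki(key_bytes):
    return _der(0x30, _der(0x30, _RSA_OID, _der(0x05)), _der(0x03, b"\x00" + key_bytes))

def fake_cert(serial, spki):
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")),                    # [0] version v3
               _der(0x02, serial), _der(0x30, _SHA256_RSA), _der(0x30),  # serial, sigalg, issuer
               _der(0x30, _der(0x17, b"201101000000Z"), _der(0x17, b"210131000000Z")),
               _der(0x30), spki)                                         # subject, SPKI
    return _der(0x30, tbs, _der(0x30, _SHA256_RSA), _der(0x03, b"\x00" + bytes(32)))

ISSUER_SPKI = fake_spki(bytes(range(0x10, 0x30)))
ISSUER = fake_cert(b"\x01", ISSUER_SPKI)
LEAF_SPKI = fake_spki(bytes(range(0x40, 0x60)))
LEAF_OLD = fake_cert(b"\x10", LEAF_SPKI)      # MX host cert before renewal
LEAF_NEW = fake_cert(b"\x11", LEAF_SPKI)      # renewed: new serial, same key pair

# What an operator publishes: a shared "2 1 1" for the issuer (tlsa.is style)
# plus a "3 1 1" for the MX host's own key.
RRSET = [tlsa_record(ISSUER, 2, 1, 1), tlsa_record(LEAF_OLD, 3, 1, 1)]

def demo():
    """Outcome of each scenario discussed in the thread."""
    return {
        "published": [f"_25._tcp.mail IN TLSA {u} {s} {m} {d}" for u, s, m, d in RRSET],
        "spki_extracted": spki_der(LEAF_OLD) == LEAF_SPKI,
        "ee_before_renewal": chain_matches(RRSET[1:], [LEAF_OLD, ISSUER]),
        "ee_after_renewal_same_key": chain_matches(RRSET[1:], [LEAF_NEW, ISSUER]),
        "ta_after_renewal": chain_matches(RRSET[:1], [LEAF_NEW, ISSUER]),
        "ta_but_server_omits_issuer": chain_matches(RRSET[:1], [LEAF_NEW]),
        "full_cert_3_0_1_after_renewal":
            chain_matches([tlsa_record(LEAF_OLD, 3, 0, 1)], [LEAF_NEW, ISSUER]),
    }

if __name__ == "__main__":
    print(*(f"{k}: {v}" for k, v in demo().items()), sep="\n")
```

Two things the scenarios make concrete for anyone monitoring their own records, as the first message asks: a "3 1 1" record is only rotation-safe if the renewal actually reuses the key (otherwise it is just as brittle as "3 0 1", which is why the RFC 7671 section 8 links above recommend publishing the next key's record before switching), and a "2 1 1" record delegates correctness to the server sending the matching issuer certificate, so a chain with the intermediate missing fails even though the published data is right.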