From ietf-dane at dukhovni.org  Thu Oct  1 06:12:56 2020
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 1 Oct 2020 00:12:56 -0400
Subject: Update on stats 2020-09
Message-ID: <20201001041256.GC97113@straasha.imrryr.org>

Summary:

The DANE domain count is now 2,303,613.

Most of the increase from last month can be credited to argewebhosting.nl (~150k domains). Thank you argewebhosting.nl.

On a smaller scale, but also notable, dfn.de enabled DANE SMTP for their own domain and a number of affiliated research institutions (34 domains in all). Thanks also to dfn.de.

The number of domains that return DNSSEC-validated replies in response to MX queries is 12,743,720. Thus DANE TLSA is deployed on ~18.07% of domains with DNSSEC.

Speaking of stats, you can now query the survey's view of your (DNSSEC-signed) domain via the "Explore" button at:

    https://stats.dnssec-tools.org/

The site makes no live queries; it shows the status of a domain during the most recent daily survey run.

Please be mindful of the upcoming Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 and E1/E2. See:

    https://mail.sys4.de/pipermail/dane-users/2020-September/thread.html#578

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 2,303,613 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
    This month                       Last Month
    ----------                       ----------
    1135621 one.com                  1143500 one.com
     148737 argewebhosting.nl         141329 transip.nl
     143441 transip.nl                102015 domeneshop.no
     102226 domeneshop.no              90188 loopia.se
      90725 loopia.se                  85000 infomaniak.ch
      87624 infomaniak.ch              64973 forpsi.com
      65609 forpsi.com                 41646 pcextreme.nl
      42657 webreus.nl                 41210 webreus.nl
      41291 pcextreme.nl               39560 active24.com
      39806 active24.com               32959 antagonist.nl
      33919 antagonist.nl              30569 vevida.com
      30527 vevida.com                 28115 zxcs.nl
      29222 zxcs.nl                    26638 web4u.cz
      26601 web4u.cz                   25610 udmedia.de
      25494 udmedia.de                 18038 bhosted.nl
      18283 bhosted.nl                 14752 flexfilter.nl
      14784 flexfilter.nl              14165 onebit.cz
      14256 onebit.cz                  12197 protonmail.ch
      12646 protonmail.ch               7191 zonemx.eu
       7678 zonemx.eu                   6077 soverin.net

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    This month                       Last Month
    ----------                       ----------
    7177 TOTAL                       6864 TOTAL
    2307 DE, Germany                 2191 DE, Germany
    1435 US, United States           1377 US, United States
    1089 NL, Netherlands             1046 NL, Netherlands
     596 FR, France                   548 FR, France
     292 GB, United Kingdom           287 GB, United Kingdom
     226 CZ, Czechia                  225 CZ, Czechia
     161 CA, Canada                   163 CA, Canada
     107 SG, Singapore                100 SG, Singapore
      97 CH, Switzerland               97 CH, Switzerland
      94 FI, Finland                   90 FI, Finland
      89 SE, Sweden                    84 SE, Sweden
      76 DK, Denmark                   71 DK, Denmark
      59 AU, Australia                 49 AU, Australia
      51 AT, Austria                   47 AT, Austria
      45 IE, Ireland                   43 IE, Ireland
      37 RU, Russia                    36 BR, Brazil
      36 BR, Brazil                    33 PL, Poland
      34 PL, Poland                    32 RU, Russia
      34 JP, Japan                     31 JP, Japan
      34 IN, India                     30 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

    This Month                       Last month
    ----------                       ----------
    3659 TOTAL                       3593 TOTAL
    1520 DE, Germany                 1472 DE, Germany
     631 US, United States            614 US, United States
     574 NL, Netherlands              591 NL, Netherlands
     264 FR, France                   258 FR, France
     135 CZ, Czechia                  146 CZ, Czechia
     111 GB, United Kingdom           105 GB, United Kingdom
      46 CH, Switzerland               48 CH, Switzerland
      39 SG, Singapore                 40 SG, Singapore
      39 CA, Canada                    37 CA, Canada
      37 SE, Sweden                    34 SE, Sweden
      36 AT, Austria                   26 AT, Austria
      20 AU, Australia                 21 RU, Russia
      19 RU, Russia                    19 AU, Australia
      19 JP, Japan                     17 JP, Japan
      16 FI, Finland                   15 FI, Finland
      15 NO, Norway                    14 NO, Norway
      15 DK, Denmark                   14 IE, Ireland
      12 IE, Ireland                   13 DK, Denmark
      12 BR, Brazil                    12 ID, Indonesia
      10 PL, Poland                    11 BR, Brazil

There are 6220 unique zones in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 9296. These cover 10309 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 395 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 193 are in recent (last 90 days of) reports.

Of the ~2.3 million domains, 13780 have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 706. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1331. The top 15 name server operators with problem domains are:

    This Month                       Last month
    ----------                       ----------
    372 axc.nl                       374 axc.nl
    361 registrar-servers.com        344 registrar-servers.com
    100 movenext.nl                   86 ebola.cz
     85 ebola.cz                      66 movenext.nl
     25 tiscomhosting.nl              27 tiscomhosting.nl
     25 eatserver.nl                  22 eatserver.nl
     24 metaregistrar.nl              20 metaregistrar.nl
     18 infracom.nl                   20 infracom.nl
     15 cloudflare.com                15 nrdns.nl
     12 nrdns.nl                      15 cloudflare.com
     11 iterik.nu                     11 sylconia.net
     11 epik.com                      11 iterik.nu
     10 sylconia.net                  11 is.nl
     10 mobi-net.ch                   10 openprovider.nl
      9 openprovider.nl               10 mobi-net.ch

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Seven of the domains, all of whose nameservers have broken denial of existence, appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    trt1.jus.br
    trtrj.jus.br
    accenturealumni.com
    bncr.fi.cr
    ofda.gov
    mobily.com.sa

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
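The "full" / "partial" / "none" buckets the survey reports above can be reproduced offline from a snapshot of MX and TLSA data, as in this added example (it is not code from the post or from the survey itself; the domains, MX hosts and digests are constructed). It only checks that each MX host publishes a syntactically well-formed TLSA RRset, which is all a dead MX host needs per footnote [1]; the survey's "incorrect TLSA records" bucket additionally requires a live STARTTLS connection to match the records against the presented certificate chain, which is out of scope here.

```python
import hashlib
import re

# Matching type -> expected hex digits of the certificate association data
# (RFC 6698: 0 = full data, 1 = SHA-256, 2 = SHA-512).
TLSA_HEX_LEN = {0: None, 1: 64, 2: 128}


def tlsa_well_formed(rr: str) -> bool:
    """True if 'usage selector mtype hexdata' is a syntactically valid TLSA record."""
    parts = rr.split()
    if len(parts) != 4:
        return False
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
    except ValueError:
        return False
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    data = parts[3]
    if not re.fullmatch(r"[0-9A-Fa-f]+", data) or len(data) % 2:
        return False
    expected = TLSA_HEX_LEN[mtype]
    return expected is None or len(data) == expected


def fragile_records(rrset):
    """Flag '3 0 x' records (full-certificate hash): the digest changes at every
    renewal, so with short-lived CA certificates it must be rotated in lockstep."""
    return [rr for rr in rrset if tlsa_well_formed(rr) and rr.split()[:2] == ["3", "0"]]


def classify_domain(mx_hosts, tlsa_by_host):
    """'full' if every MX host has at least one well-formed TLSA record, 'partial'
    if only some do, 'none' otherwise.  A host that is down still counts as
    covered as long as its TLSA RRset exists and is well-formed."""
    covered = [h for h in mx_hosts if any(tlsa_well_formed(rr) for rr in tlsa_by_host.get(h, []))]
    if not covered:
        return "none"
    return "full" if len(covered) == len(mx_hosts) else "partial"


def survey(mx_by_domain, tlsa_by_host):
    """Bucket every domain in the snapshot."""
    return {d: classify_domain(hosts, tlsa_by_host) for d, hosts in mx_by_domain.items()}


# Constructed snapshot: stand-in digests with the right length, not real key hashes.
SPKI = hashlib.sha256(b"constructed SubjectPublicKeyInfo").hexdigest()
SAMPLE_MX = {
    "full.example": ["mx1.full.example", "mx2.full.example"],
    "partial.example": ["mx1.partial.example", "mx2.partial.example"],
    "broken.example": ["mx.broken.example"],
}
SAMPLE_TLSA = {
    "mx1.full.example": ["3 1 1 " + SPKI],
    "mx2.full.example": ["3 1 1 " + SPKI, "2 1 1 " + SPKI],
    "mx1.partial.example": ["3 1 1 " + SPKI],  # mx2.partial.example publishes nothing
    "mx.broken.example": ["3 1 1 " + SPKI[:40]],  # truncated digest: malformed
}
```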