From ietf-dane at dukhovni.org Thu Apr 1 03:44:20 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Wed, 31 Mar 2021 21:44:20 -0400
Subject: Update on stats 2021-03
Message-ID:

NOTE: When using NSEC3, please make sure your iteration count is not
needlessly large (above ~25). For details see:

    https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html

Summary:

The DANE domain count is now 2,580,510 (up from 2,568,169 last month).
The number of domains that return DNSSEC-validated replies in response
to MX queries is 14,597,373 (up from 14,288,417 last month). Thus DANE
TLSA is deployed on ~17.67% of domains with DNSSEC.

    https://stats.dnssec-tools.org/

The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has taken place,
and all previously issued X3-issued certificates are now expired. If
you're still publishing the X3 hash in your TLSA RRSet, it is best
removed:

    http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data
support from Paul Vixie of Farsight Security. Credits also due to ICANN
for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK,
.FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of
ccTLD signed delegations welcome.

As of today I count 2,580,510 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
    This month                      Last month
    ----------                      ----------
    1219094 one.com                 1219827 one.com
     149627 transip.nl               148553 transip.nl
     148446 argewebhosting.nl        147435 argewebhosting.nl
     106039 infomaniak.ch            104178 domeneshop.no
     104614 domeneshop.no            102904 infomaniak.ch
      99953 webhostingserver.nl       99738 webhostingserver.nl
      93378 loopia.se                 92884 loopia.se
      68008 forpsi.com                67647 forpsi.com
      41460 active24.com              41221 active24.com
      40278 webreus.nl                40647 webreus.nl
      38710 pcextreme.nl              39035 pcextreme.nl
      36833 antagonist.nl             36298 antagonist.nl
      34505 zxcs.nl                   33417 zxcs.nl
      29520 vevida.com                29790 vevida.com
      27896 webhosting.dk             27967 webhosting.dk
      26473 web4u.cz                  26531 web4u.cz
      25964 udmedia.de                25882 udmedia.de
      18829 bhosted.nl                18695 bhosted.nl
      17072 protonmail.ch             16210 protonmail.ch
      14579 onebit.cz                 14555 onebit.cz

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    This month                      Last month
    ----------                      ----------
    8450 TOTAL                      8200 TOTAL
    2555 DE, Germany                2467 DE, Germany
    1628 US, United States          1591 US, United States
    1628 NL, Netherlands            1567 NL, Netherlands
     624 FR, France                  632 FR, France
     306 GB, United Kingdom          302 GB, United Kingdom
     229 CZ, Czechia                 225 CZ, Czechia
     199 CA, Canada                  190 CA, Canada
     150 FI, Finland                 144 FI, Finland
     121 SG, Singapore               119 DK, Denmark
     121 DK, Denmark                 114 SG, Singapore
      95 SE, Sweden                   94 CH, Switzerland
      93 CH, Switzerland              92 SE, Sweden
      77 AU, Australia                71 AU, Australia
      69 AT, Austria                  63 AT, Austria
      39 RU, Russia                   38 PL, Poland
      39 PL, Poland                   37 JP, Japan
      39 BR, Brazil                   36 RU, Russia
      38 JP, Japan                    36 IE, Ireland
      37 NO, Norway                   36 BR, Brazil
      37 IE, Ireland                  33 NO, Norway

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

    This month                      Last month
    ----------                      ----------
    6706 TOTAL                      6537 TOTAL
    3238 NL, Netherlands            3203 NL, Netherlands
    1747 DE, Germany                1682 DE, Germany
     678 US, United States           641 US, United States
     289 FR, France                  280 FR, France
     144 CZ, Czechia                 145 CZ, Czechia
     132 GB, United Kingdom          123 GB, United Kingdom
      53 CA, Canada                   49 CA, Canada
      44 CH, Switzerland              44 CH, Switzerland
      42 SG, Singapore                42 SE, Sweden
      42 AT, Austria                  42 AT, Austria
      41 SE, Sweden                   39 SG, Singapore
      25 FI, Finland                  26 FI, Finland
      23 AU, Australia                23 AU, Australia
      21 JP, Japan                    21 JP, Japan
      20 RU, Russia                   17 IE, Ireland
      18 DK, Denmark                  17 DK, Denmark
      17 IE, Ireland                  15 NO, Norway
      16 NO, Norway                   14 BR, Brazil
      14 BR, Brazil                   13 RU, Russia
      11 PL, Poland                   10 PL, Poland

There are 6,808 unique zones (6,612 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,010 (14,671 last
month). These cover 15,241 distinct MX hosts (14,882 last month; some MX
hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 465 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 297
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.58 million domains, 12,913 (12,871 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1801
(1028 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.

To avoid email outages, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (940 last
month).
The top 10 name server operators with problem domains are:

    This month                      Last month
    ----------                      ----------
    468 registrar-servers.com       439 registrar-servers.com
    122 movenext.nl                 119 movenext.nl
     93 ebola.cz                     93 ebola.cz
     46 axc.nl                       46 axc.nl
     43 epik.com                     45 made-easy.ch
     31 mijndomein.nl                39 epik.com
     29 made-easy.ch                 34 mijndomein.nl
     25 tiscomhosting.nl             26 tiscomhosting.nl
     18 infracom.nl                  22 eatserver.nl
     16 eatserver.nl                 19 infracom.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

    trt1.jus.br
    bncr.fi.cr
    ofda.gov
    mobily.com.sa
    sauditelecom.com.sa

-- 
    Viktor.

[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email). However, provided
    the dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed), there's no loss
    of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
    reports:

From lutz at donnerhacke.de Thu Apr 1 08:00:53 2021
From: lutz at
donnerhacke.de (Lutz Donnerhacke)
Date: Thu, 1 Apr 2021 08:00:53 +0200
Subject: IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low
In-Reply-To:
References: <3AC8C6BC-6B75-4CBB-8076-1711DDB4616F@sys4.de> <607F46B6-2B13-4B2E-9AB8-D637F95F173D@dukhovni.org>
Message-ID: <20210401060053.GA9116@belenus.iks-jena.de>

On Wed, Mar 31, 2021 at 05:20:25PM -0400, Viktor Dukhovni wrote:
> If your DNS zone is configured to use NSEC3, please:
>
> - Reduce the iteration count to 10 or less.
>
> - Disable opt-out, you're very unlikely to need it.
>
> - Either rotate the salt each time you sign, or skip it entirely. But a
>   short fixed salt is harmless if leaving it alone is easier than
>   changing it.
>
> Of course, if your zone is small enough (just the zone apex and a
> handful of already public or easy to guess names) or in any case has
> nothing to hide, even better is to use just plain NSEC. You get smaller
> negative replies (less exposure to DoS) and more effective negative
> caching at resolvers. So in many cases, it is even simpler to abandon
> NSEC3 entirely. Please also consider the pros/cons of that option.

Thank you. Back to the basics.
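The checklist quoted above (at most 10 iterations, no opt-out), as an added example that is not part of either post: a checker for NSEC3/NSEC3PARAM records in presentation format, plus the RFC 5155 owner-name hash so the cost of every extra iteration is visible as one more SHA-1 round. The records in the main block are constructed; the only real input is the RFC 5155 Appendix A test vector.

```python
import base64
import hashlib

# base32hex (RFC 4648 section 7) differs from base32 only in its alphabet.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical (lowercase) wire-format DNS name, RFC 4034 section 6.2."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> str:
    """RFC 5155 section 5 owner-name hash: SHA-1 runs (iterations + 1) times,
    salt appended before every round; each extra iteration is one more SHA-1
    for signers and for every validating resolver. Returns the base32hex label."""
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX).lower()


def check_nsec3(rr: str, max_iterations: int = 10) -> list:
    """Evaluate one NSEC3 or NSEC3PARAM record (presentation format) against the
    advice above. Returns a list of findings; empty means the record complies."""
    tokens = rr.split()
    idx = next(i for i, t in enumerate(tokens) if t in ("NSEC3", "NSEC3PARAM"))
    alg, flags, iterations, salt = tokens[idx + 1:idx + 5]  # salt unused by the checks
    findings = []
    if int(alg) != 1:
        findings.append(f"unsupported hash algorithm {alg} (only 1 = SHA-1 is defined)")
    if int(iterations) > max_iterations:
        findings.append(f"iteration count {iterations} exceeds {max_iterations}")
    # Opt-out is bit 0 of the Flags field of NSEC3 RRs (RFC 5155 section 3.1.2.1).
    if tokens[idx] == "NSEC3" and int(flags) & 0x01:
        findings.append("opt-out flag is set")
    return findings


if __name__ == "__main__":
    # Constructed records: one ignoring the advice, one following it ("NEXTHASH" is a placeholder).
    print(check_nsec3("x.example. 3600 IN NSEC3 1 1 150 AABBCCDD NEXTHASH A RRSIG"))
    print(check_nsec3("y.example. 3600 IN NSEC3PARAM 1 0 0 -"))
    # RFC 5155 Appendix A vector: apex of "example", salt aabbccdd, 12 iterations.
    print(nsec3_hash("example", "aabbccdd", 12))
```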