From ietf-dane at dukhovni.org Wed Dec 1 05:42:44 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 30 Nov 2021 23:42:44 -0500
Subject: Update on stats 2021-11
Message-ID:

Summary: The DANE domain count is now 3,005,393 (up from 2,974,861 last month). The number of domains that return DNSSEC-validated replies in response to MX queries is 16,982,372 (up from 16,638,332 last month). Thus DANE TLSA is deployed on ~17.69% of domains with DNSSEC. See https://stats.dnssec-tools.org/ for more stats.

[ See the Credits[0] list below my signature. ]

As of today I count ~3.0 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.

    This month                        Last month
    ----------                        ----------
    1230165 one.com                   1219713 one.com
     272727 hostpoint.ch               270842 hostpoint.ch
     154952 transip.nl                 154249 transip.nl
     154347 infomaniak.ch              152372 infomaniak.ch
     149718 argewebhosting.nl          150807 argewebhosting.nl
     106004 domeneshop.no              105814 domeneshop.no
      98029 webhostingserver.nl         98302 webhostingserver.nl
      95100 loopia.se                   94851 loopia.se
      71946 forpsi.com                  71517 forpsi.com
      48270 zxcs.nl                     46431 active24.com
      46581 active24.com                45675 zxcs.nl
      42121 webreus.nl                  42325 webreus.nl
      38213 antagonist.nl               38150 antagonist.nl
      36362 pcextreme.nl                36614 pcextreme.nl
      27450 vevida.com                  27758 vevida.com
      26984 udmedia.de                  27035 webhosting.dk
      26916 webhosting.dk               26937 udmedia.de
      26483 web4u.cz                    26456 web4u.cz
      23612 hosting2go.nl               23884 hosting2go.nl
      22118 protonmail.ch               21623 protonmail.ch

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).

    This month                        Last month
    ----------                        ----------
    9230 TOTAL                        9206 TOTAL
    2691 DE, Germany                  2692 DE, Germany
    1781 NL, Netherlands              1768 NL, Netherlands
    1710 US, United States            1731 US, United States
     697 FR, France                    699 FR, France
     325 GB, United Kingdom            334 GB, United Kingdom
     264 CZ, Czechia                   245 CZ, Czechia
     206 CA, Canada                    208 CA, Canada
     204 FI, Finland                   203 FI, Finland
     131 AT, Austria                   127 DK, Denmark
     129 DK, Denmark                   121 AT, Austria
     118 SG, Singapore                 120 SG, Singapore
     108 CH, Switzerland               107 CH, Switzerland
      98 SE, Sweden                    100 AU, Australia
      93 AU, Australia                  98 SE, Sweden
      56 PL, Poland                     54 PL, Poland
      44 NO, Norway                     44 RU, Russia
      43 RU, Russia                     44 NO, Norway
      43 IE, Ireland                    42 IE, Ireland
      38 JP, Japan                      41 BR, Brazil
      38 BR, Brazil                     36 JP, Japan

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

    This month                        Last month
    ----------                        ----------
    7274 TOTAL                        7202 TOTAL
    3431 NL, Netherlands              3389 NL, Netherlands
    1903 DE, Germany                  1889 DE, Germany
     757 US, United States             767 US, United States
     300 FR, France                    290 FR, France
     156 CZ, Czechia                   153 CZ, Czechia
     133 GB, United Kingdom            136 GB, United Kingdom
      80 FI, Finland                    78 FI, Finland
      60 CA, Canada                     61 CA, Canada
      45 CH, Switzerland                42 SG, Singapore
      42 SG, Singapore                  42 CH, Switzerland
      42 SE, Sweden                     41 SE, Sweden
      38 AU, Australia                  40 AU, Australia
      31 AT, Austria                    37 AT, Austria
      28 JP, Japan                      24 JP, Japan
      26 RU, Russia                     22 IE, Ireland
      23 IE, Ireland                    20 NO, Norway
      19 NO, Norway                     17 DK, Denmark
      18 DK, Denmark                    15 BR, Brazil
      15 BR, Brazil                     14 RU, Russia
      13 IN, India                      11 SI, Slovenia

There are 7,451 unique zones (7,410 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 16,295 (16,101 last month). These cover 16,562 distinct MX hosts (16,358 last month; some MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email transparency report is 557 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 331 are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.0 million DANE domains, 12,750 (12,735 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1086 (1802 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:

    90 beta.itcomputers.eu
    44 fsn1-c04.xemo-net.de
    19 mx1.mdbraber.com
    16 mail.odissee.net
    16 e-vps.hacktheplanet.nl
    15 web1.ams.dcg.t-host.net
    15 artemis.strebsjig.net
    13 entrante.svnt.com
    12 mail.bi9.de
     8 postmark.flame.org

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1181 (1148 last month). The top 10 name server operators with problem domains are:

    This month                        Last month
    ----------                        ----------
    564 registrar-servers.com         553 registrar-servers.com
    124 axc.nl                        122 axc.nl
     88 ebola.cz                       87 ebola.cz
     33 worldnic.com                   33 made-easy.ch
     30 mijndomein.nl                  32 mijndomein.nl
     30 made-easy.ch                   30 worldnic.com
     16 cloudflare.com                 17 cloudflare.com
     11 vtx.ch                         11 openprovider.nl
     11 openprovider.nl                10 vtx.ch
     10 register.com                    8 register.com

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Six of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    icv-crew.com
    tdnewissues.com
    urbtix.hk
    kprm.gov.pl
    novathreads.us

--
Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency reports:

    univie.ac.at
    gmx.at
    tip.net.au
    pcug.org.au
    pictolezen.be
    triodos.be
    tbibank.bg
    cetelemnegocie.com.br
    e-renegocie.com.br
    nic.br
    registro.br
    ehefueralle.ch
    gmx.ch
    hostpoint.ch
    infomaniak.ch
    linsenkontakt.ch
    open.ch
    protonmail.ch
    switch.ch
    travailler-en-suisse.ch
    simplelogin.co
    altospam.com
    ansigtsyogaonline.com
    boekenwereld.com
    bornomail.com
    cm.com
    connectsb.com
    dailyplaylists.com
    datev.com
    exegy.com
    flaneurhomme.com
    gmx.com
    habr.com
    hotelsinduitsland.com
    imcnig.com
    infomaniak.com
    ingthink.com
    intakt.com
    joomlapolis.com
    jula.com
    kpn.com
    leszexpertsfle.com
    mail.com
    mailfence.com
    mammoetmail.com
    mantapsurvey.com
    matilhadobemadestramento.com
    mx-relay.com
    nanolearning.com
    nine-pine.com
    one.com
    outsystems.com
    protonmail.com
    protonvpn.com
    renworkshops.com
    sankakucomplex.com
    schizinfo.com
    serverclienti.com
    societe.com
    solvinity.com
    spareklubbnorge.com
    stellarequipment.com
    t-2.com
    thalesgroup.com
    thepcw.com
    thepcwholesale.com
    triodos.com
    tutanota.com
    veganallsorts.com
    vitstore.com
    vivaldi.com
    webcruiter.com
    webmailph.com
    xfinity.com
    xfinityhomesecurity.com
    xfinitymobile.com
    30tidennivyzva.cz
    akce-incomputer.cz
    cesnet.cz
    csob.cz
    cuni.cz
    cvut.cz
    ekokoza.cz
    gigalekarna.cz
    itesco.cz
    klenotyaurum.cz
    klubpevnehozdravi.cz
    manymail.cz
    mkluzkoviny.cz
    muni.cz
    nic.cz
    omvnovinky.cz
    onebit.cz
    optimail.cz
    poptavej.cz
    scrptd.cz
    server4u.cz
    smtp.cz
    sparkys.cz
    stoklasa.cz
    vas-server.cz
    virusfree.cz
    zdravestravovani.cz
    bayern.de
    brandenburg.de
    bund.de
    bundesregierung.de
    datev.de
    dfn.de
    dvz-mv.de
    elster.de
    fau.de
    freenet.de
    gmx.de
    jpberlin.de
    lrz.de
    mail.de
    mpg.de
    mvnet.de
    neutraler-versand.de
    posteo.de
    ruhr-uni-bochum.de
    tum.de
    tutanota.de
    uni-erlangen.de
    uni-muenchen.de
    unitymedia.de
    web.de
    westlotto.de
    actie.deals
    dk-hostmaster.dk
    fibianet.dk
    handelsbanken.dk
    netic.dk
    nota.dk
    nst.dk
    powerhosting.dk
    shapeit.dk
    shellcard.dk
    uvm.dk
    wavell.dk
    webhosting.dk
    tilburguniversity.edu
    just.ee
    envie.email
    spike.email
    spotler.email
    talentech.email
    rediris.es
    triodos.es
    uv.es
    egu.eu
    glowliving.eu
    zone.eu
    zonevs.eu
    handelsbanken.fi
    tarjousrinki.fi
    traficom.fi
    ac-strasbourg.fr
    compagnie-des-sens.fr
    edtm-actu.fr
    oo2.fr
    srci.fr
    excelsior.hu
    fidesz.hu
    gardrobom.hu
    mszp.hu
    obiserver.hu
    otthonplus.hu
    bluebiz.info
    interestexplorer.io
    neolink.link
    pm.me
    army.mil
    dla.mil
    jten.mil
    mail.mil
    militaryonesource.mil
    navy.mil
    osd.mil
    socom.mil
    uscg.mil
    usmc.mil
    comcast.net
    fivem.net
    gmx.net
    habramail.net
    hr-manager.net
    inexio.net
    mijngezondheid.net
    mpssec.net
    procurios.net
    prolocation.net
    ripe.net
    riseup.net
    t-2.net
    transip.net
    xs4all.net
    123watches.nl
    amsterdam.nl
    argeweb.nl
    artsenzorg.nl
    awcloud.nl
    belastingdienst.nl
    bhosted.nl
    bhsupport.nl
    bluerail.nl
    boekwinkeltjes.nl
    bolerolimonadewinkel.nl
    boozyshop.nl
    burgernet.nl
    cbr.nl
    cbs.nl
    corpoflow.nl
    derooijfotografie.nl
    digid.nl
    duo.nl
    edenhotels.nl
    ezorg.nl
    healthcheckcenter.nl
    heilbron.nl
    herinneringenoplinnen.nl
    hetamsterdamsverbond.nl
    huizenzoeker.nl
    interconnect.nl
    interim-netwerk.nl
    justis.nl
    luxiez.nl
    mailplus.nl
    mailshover.nl
    markteffectmail.nl
    mijnuvt.nl
    minbuza.nl
    minbzk.nl
    mindef.nl
    minvenj.nl
    mm1.nl
    mulderretail.nl
    nieuwsservice-rvo.nl
    ns.nl
    orangebag.nl
    ouderenfonds.nl
    overheid.nl
    parlement.nl
    partijvoordedieren.nl
    paypro.nl
    podiumcadeaukaart.nl
    politie.nl
    pp-prd.nl
    previder.nl
    purdey.nl
    rdw.nl
    rijksoverheid.nl
    rivm.nl
    rotterdam.nl
    sans-mail.nl
    schoudercom.nl
    schuurman-schoenen.nl
    smartwatchbanden.nl
    sportrusten.nl
    ssonet.nl
    telefoonglaasje.nl
    triodos.nl
    truetickets.nl
    tweedekamer.nl
    uitgeverijpica.nl
    utwente.nl
    uvt.nl
    uwv.nl
    veilinghuispeerdeman.nl
    voorpositiviteit.nl
    vu.nl
    waternet.nl
    werkenbijaldautomotive.nl
    zorgmail.nl
    annabellstefanussen.no
    audi.no
    derute.no
    domeneshop.no
    forbrukslaan.no
    handelsbanken.no
    idrettenonline.no
    kapitalkontroll.no
    leadmail.no
    mystuff.no
    norskgrammatikk.no
    plukkselv.no
    uib.no
    viphuset.no
    atelkamera.nu
    goget.nu
    debian.org
    exim.org
    freebsd.org
    gentoo.org
    ietf.org
    isc.org
    mailbox.org
    mailop.org
    netbsd.org
    openssl.org
    ozlabs.org
    samba.org
    torproject.org
    whatpulse.org
    psgaz.pl
    asf.com.pt
    mobily.com.sa
    alterskjaer.se
    axmarin.se
    bilprovningen.se
    boplatssyd-automail.se
    ecster.se
    handelsbanken.se
    loopia.se
    loopiahosting.se
    minmyndighetspost.se
    racketspecialisten.se
    skatteverket.se
    teknikdelar.se
    theletter.se
    websupport.se
    kadernickyservis.sk
    mklozkoviny.sk
    najlacnejsisport.sk
    rondogo.sk
    toptop.sk
    triodos.co.uk
    govtrack.us
    quantum-services.us
    ru.ac.za


From johnpc at xs4all.net Fri Dec 17 09:28:37 2021
From: johnpc at xs4all.net (Jan-Pieter Cornet)
Date: Fri, 17 Dec 2021 09:28:37 +0100
Subject: XS4ALL stopped using DANE
Message-ID: <97299187-cc49-1cb9-29fb-b5581d3589ad@xs4all.net>

I regret to inform you that XS4ALL stopped using DANE, both inbound for xs4all.nl and outbound.

The reason is that the XS4ALL systems are being dismantled, and the customers are moving to KPN, who do not use nor publish DANE records.

If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I saw a bounce from one.com indicating that possibly one of their systems still expects DANE records for xs4all.nl.

--
Jan-Pieter Cornet
Systems administration, XS4ALL Internet bv
www.xs4all.nl
From ietf-dane at dukhovni.org Fri Dec 17 09:34:22 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 17 Dec 2021 03:34:22 -0500
Subject: XS4ALL stopped using DANE
In-Reply-To: <97299187-cc49-1cb9-29fb-b5581d3589ad@xs4all.net>
References: <97299187-cc49-1cb9-29fb-b5581d3589ad@xs4all.net>
Message-ID: <9C3F254D-7437-42B8-8745-5006797DD1C4@dukhovni.org>

> On 17 Dec 2021, at 3:28 am, Jan-Pieter Cornet wrote:
>
> I regret to inform you that XS4ALL stopped using DANE, both inbound for xs4all.nl and outbound.
>
> The reason is that the XS4ALL systems are being dismantled, and the customers are moving to KPN, who do not use nor publish DANE records.

Oh well, perhaps one of these days we can convince KPN to pick up the mantle...

> If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I saw a bounce from one.com indicating that possibly one of their systems still expects DANE records for xs4all.nl.

This is odd, because the whole point of DANE is that one generally does not need to pin local DANE policy; it is enforced when the TLSA records are published for the MX hosts, and not otherwise.

I can't rule out local policy enforcing DANE, but this should only happen by prior coordination with and consent of the receiving systems. Otherwise, ... expect breakage.

Survey says, ... you're no longer doing DANE:

    https://stats.dnssec-tools.org/explore/?xs4all.nl

--
Viktor.
From sje at one.com Fri Dec 17 10:32:42 2021
From: sje at one.com (Sidsel Jensen)
Date: Fri, 17 Dec 2021 10:32:42 +0100
Subject: XS4ALL stopped using DANE
In-Reply-To: <9C3F254D-7437-42B8-8745-5006797DD1C4@dukhovni.org>
References: <97299187-cc49-1cb9-29fb-b5581d3589ad@xs4all.net> <9C3F254D-7437-42B8-8745-5006797DD1C4@dukhovni.org>
Message-ID: <3F566233-728F-41A8-B42D-0852FB45B748@one.com>

Hi Guys

> On 17 Dec 2021, at 09.34, Viktor Dukhovni wrote:
>
>> On 17 Dec 2021, at 3:28 am, Jan-Pieter Cornet wrote:
>>
>> I regret to inform you that XS4ALL stopped using DANE, both inbound for xs4all.nl and outbound.
>>
>> The reason is that the XS4ALL systems are being dismantled, and the customers are moving to KPN, who do not use nor publish DANE records.
>
> :-(
> Oh well, perhaps one of these days we can convince KPN to pick up the mantle...

KPN are using Halons as far as I recall, so it should be possible. Time for a little Viktor nudging?

>> If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I saw a bounce from one.com indicating that possibly one of their systems still expects DANE records for xs4all.nl.
>
> This is odd, because the whole of DANE is one generally does not
> need to pin local DANE policy, it is enforced when the TLSA records
> are published for the MX hosts, and not otherwise.

We do not have any such local strict dane list - I suspect it might be a case of DNS TTLs, when the TLSA records were removed, but I asked Jan-Pieter for a log snippet off-list in order to investigate.

> I can't rule out local policy enforcing DANE, but this should only
> happen by prior coordination with and consent of the receiving
> systems. Otherwise, ... expect breakage.
>
> Survey says, ... you're no longer doing DANE:
>
> https://stats.dnssec-tools.org/explore/?xs4all.nl
>
> --
> Viktor.

Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com
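The stats post above counts a domain as DANE-enabled only when every MX host that accepts connections has a well-formed TLSA RRset, counts a subset as "partial", notes in [1] that a dead MX host is harmless as long as its records exist and are well-formed, and asks operators to monitor their own records and rotate keys reliably. The following is an added example, not the survey's code nor anything posted in the thread, that implements those checks in a form an operator can run over their own MX list and published records. The domain names, MX hosts and TLSA data in it are constructed for illustration; the "fragile" check reflects the linked Let's Encrypt advice to avoid "3 0 x" records, whose full-certificate digest changes at every renewal.

```python
"""
Survey-style checks for SMTP DANE TLSA records (added example, not the
survey's own code).  All sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# TLSA field values (RFC 6698).  For SMTP (RFC 7672) only DANE-TA(2) and
# DANE-EE(3) are usable; PKIX-TA(0)/PKIX-EE(1) records are ignored by MTAs.
USABLE_USAGES = {2, 3}
SELECTORS = {0, 1}            # 0 = full certificate, 1 = SubjectPublicKeyInfo
DIGEST_LEN = {1: 32, 2: 64}   # matching type 1 = SHA-256, 2 = SHA-512 (0 = full data)


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format '<usage> <selector> <mtype> <hex>'; ValueError if malformed."""
    parts = rdata.split(None, 3)
    if len(parts) != 4:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex(re.sub(r"\s+", "", parts[3])))


def usable(rr: TLSA) -> bool:
    """Structural check only, no certificate needed: this is why a dead MX host
    with well-formed records still counts as covered (footnote [1] above)."""
    if rr.usage not in USABLE_USAGES or rr.selector not in SELECTORS:
        return False
    if rr.mtype == 0:
        return len(rr.data) > 0
    return DIGEST_LEN.get(rr.mtype) == len(rr.data)


def rrset_usable(rdatas: Iterable[str]) -> bool:
    """An RRset is usable when at least one record parses and is usable."""
    for rdata in rdatas:
        try:
            if usable(parse_tlsa(rdata)):
                return True
        except ValueError:
            continue
    return False


def classify(mx_hosts: List[str], tlsa: Dict[str, Optional[List[str]]]) -> str:
    """
    tlsa maps each MX host to its TLSA rdata list ([] for a DNSSEC-validated
    NODATA/NXDOMAIN) or None when the TLSA lookup was not DNSSEC-secure.
    Returns 'dane' (every MX host covered), 'partial' (a subset) or 'none'.
    """
    covered = [h for h in mx_hosts if tlsa.get(h) is not None and rrset_usable(tlsa[h])]
    if not covered:
        return "none"
    return "dane" if len(covered) == len(mx_hosts) else "partial"


def fragile_records(rdatas: Iterable[str]) -> List[str]:
    """DANE-EE records with selector 0 pin the whole certificate and so break at
    every automated renewal; prefer '3 1 1' on a key kept across renewals."""
    bad = []
    for rdata in rdatas:
        try:
            rr = parse_tlsa(rdata)
        except ValueError:
            continue
        if rr.usage == 3 and rr.selector == 0:
            bad.append(rdata)
    return bad


def rotation_ready(published: Iterable[str], next_key_rdata: str) -> bool:
    """Only switch the MX host to a new key once its record is already in the
    published RRset (and has been there longer than the old RRset's TTL)."""
    want = parse_tlsa(next_key_rdata)
    for rdata in published:
        try:
            if parse_tlsa(rdata) == want:
                return True
        except ValueError:
            continue
    return False


# Constructed sample, not survey data: a two-MX domain whose secondary MX
# carries a fragile '3 0 1' record and a PKIX usage record MTAs ignore.
SAMPLE_MX = ["mx1.example.net", "mx2.example.net"]
SAMPLE_TLSA = {
    "mx1.example.net": ["3 1 1 " + "ab" * 32],
    "mx2.example.net": ["3 0 1 " + "cd" * 32, "1 1 1 " + "ef" * 32],
}

if __name__ == "__main__":
    print(classify(SAMPLE_MX, SAMPLE_TLSA))
    print(fragile_records(SAMPLE_TLSA["mx2.example.net"]))
```

In practice the `tlsa` map is filled from a validating resolver: a host whose TLSA lookup is not DNSSEC-secure must be passed as `None`, since an unsigned or bogus answer gives no DANE protection at all, whereas a signed NODATA is `[]`. The `rotation_ready` check is the pre-condition for the "publish the new record, wait out the old TTL, then switch keys, then drop the old record" procedure the stats post asks for.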