From ietf-dane at dukhovni.org Sat May 1 20:49:14 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sat, 1 May 2021 14:49:14 -0400
Subject: Update on stats 2021-04
Message-ID:

NOTE: When using NSEC3, please make sure your iteration count is not needlessly large (above ~25). For details see:

    https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html

Summary: The DANE domain count is now 2,623,358 (up from 2,580,510 last month). The number of domains that return DNSSEC-validated replies in response to MX queries is 14,890,975 (up from 14,597,373 last month). Thus DANE TLSA is deployed on ~17.61% of domains with DNSSEC.

    https://stats.dnssec-tools.org/

The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has taken place, and all previously issued X3-issued certificates are now expired. If you're still publishing the X3 hash in your TLSA RRSet, it is best removed:

    http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 2,623,358 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                    Last month
----------                    ----------
1227082 one.com               1219094 one.com
 150090 transip.nl             149627 transip.nl
 149333 argewebhosting.nl      148446 argewebhosting.nl
 108672 infomaniak.ch          106039 infomaniak.ch
 104762 domeneshop.no          104614 domeneshop.no
  99669 webhostingserver.nl     99953 webhostingserver.nl
  93660 loopia.se               93378 loopia.se
  68752 forpsi.com              68008 forpsi.com
  41710 active24.com            41460 active24.com
  39907 webreus.nl              40278 webreus.nl
  38426 pcextreme.nl            38710 pcextreme.nl
  37231 antagonist.nl           36833 antagonist.nl
  35720 zxcs.nl                 34505 zxcs.nl
  29296 vevida.com              29520 vevida.com
  27736 webhosting.dk           27896 webhosting.dk
  26588 web4u.cz                26473 web4u.cz
  25968 udmedia.de              25964 udmedia.de
  25447 hosting2go.nl           18829 bhosted.nl
  18827 bhosted.nl              17072 protonmail.ch
  17855 protonmail.ch           14579 onebit.cz

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                Last month
----------                ----------
 8579 TOTAL                8450 TOTAL
 2595 DE, Germany          2555 DE, Germany
 1650 US, United States    1628 US, United States
 1648 NL, Netherlands      1628 NL, Netherlands
  631 FR, France            624 FR, France
  313 GB, United Kingdom    306 GB, United Kingdom
  226 CZ, Czechia           229 CZ, Czechia
  197 CA, Canada            199 CA, Canada
  165 FI, Finland           150 FI, Finland
  125 DK, Denmark           121 SG, Singapore
  116 SG, Singapore         121 DK, Denmark
   95 SE, Sweden             95 SE, Sweden
   95 CH, Switzerland        93 CH, Switzerland
   75 AU, Australia          77 AU, Australia
   70 AT, Austria            69 AT, Austria
   45 PL, Poland             39 RU, Russia
   39 NO, Norway             39 PL, Poland
   39 BR, Brazil             39 BR, Brazil
   38 JP, Japan              38 JP, Japan
   37 IE, Ireland            37 NO, Norway
   36 IN, India              37 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

This month                Last month
----------                ----------
 6806 TOTAL                6706 TOTAL
 3268 NL, Netherlands      3238 NL, Netherlands
 1782 DE, Germany          1747 DE, Germany
  659 US, United States     678 US, United States
  299 FR, France            289 FR, France
  147 GB, United Kingdom    144 CZ, Czechia
  134 CZ, Czechia           132 GB, United Kingdom
   52 CA, Canada             53 CA, Canada
   46 SG, Singapore          44 CH, Switzerland
   46 SE, Sweden             42 SG, Singapore
   46 CH, Switzerland        42 AT, Austria
   42 RU, Russia             41 SE, Sweden
   33 FI, Finland            25 FI, Finland
   26 AU, Australia          23 AU, Australia
   26 AT, Austria            21 JP, Japan
   24 JP, Japan              20 RU, Russia
   17 NO, Norway             18 DK, Denmark
   17 DK, Denmark            17 IE, Ireland
   16 IE, Ireland            16 NO, Norway
   14 BR, Brazil             14 BR, Brazil
   10 SI, Slovenia           11 PL, Poland

There are 6,934 unique zones (6,808 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,467 (15,010 last month). These cover 15,701 distinct MX hosts (15,241 last month; some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 478 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 297 are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.62 million domains, 12,852 (12,913 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1999 (1801 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1295 (1298 last month).
The top 10 name server operators with problem domains are:

This month                    Last month
----------                    ----------
  485 registrar-servers.com     468 registrar-servers.com
  119 axc.nl                    122 movenext.nl
   94 ebola.cz                   93 ebola.cz
   48 yourict.net                46 axc.nl
   45 epik.com                   43 epik.com
   29 mijndomein.nl              31 mijndomein.nl
   29 made-easy.ch               29 made-easy.ch
   25 tiscomhosting.nl           25 tiscomhosting.nl
   18 movenext.nl                18 infracom.nl
   17 infracom.nl                16 eatserver.nl

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Five of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

    fed.be
    trt1.jus.br
    bncr.fi.cr
    sauditelecom.com.sa
    kmutt.ac.th

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, they just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:

From bart.knubben at forumstandaardisatie.nl Wed May 26 21:05:40 2021
From: bart.knubben at
 forumstandaardisatie.nl (Knubben, Bart)
Date: Wed, 26 May 2021 19:05:40 +0000
Subject: Overview of outbound DANE for SMTP support
In-Reply-To: <9be9de5e1e114f50be6403972416af98@SV1601472.frd.shsdir.nl>
References: <20180820200129.GL28851@straasha.imrryr.org>
 <360d1eb0ae254e25ae5e79f499186ad6@SV1601472.frd.shsdir.nl>
 <9be9de5e1e114f50be6403972416af98@SV1601472.frd.shsdir.nl>
Message-ID: <269b102d1669460ca9494898efc24b19@SV1601472.frd.shsdir.nl>

Hi,

We recently added some more software products, like Baruwa, Proofpoint ("limited implementation") and Fortimail, to the list with software that supports DANE verification on

    https://github.com/baknu/DANE-for-SMTP/wiki/3.-Software-and-service-support

Additions/remarks are welcome.

-- 
Best regards,

Bart Knubben
Dutch Standardisation Forum
https://www.forumstandaardisatie.nl/content/english

> -----Original message-----
> From: Knubben, B.S.J. (Bart) - Forum Standaardisatie
> Sent: Tuesday, 27 November 2018 17:04
> To: dane-users at sys4.de
> Subject: RE: Overview of outbound DANE for SMTP support
>
> Cisco added support for outbound DANE verification to their Email Security
> Appliance (AsyncOS v12.0):
>
> * https://www.cisco.com/c/dam/en/us/td/docs/security/esa/esa12-0/ESA_12-0_Release_Notes.pdf
> * https://www.cisco.com/c/en/us/td/docs/security/esa/esa12-0/user_guide/b_ESA_Admin_Guide_12_0/b_ESA_Admin_Guide_12_0_chapter_011000.html#id_85605
>
> > Are you keeping this list on a website somewhere?
>
> I put the list with software that supports DANE verification and some other pointers
> to DANE materials/resources on https://github.com/baknu/DANE-for-SMTP/wiki
> Feel free to reuse. Suggestions/remarks are welcome.
>
> --
> Best regards,
>
> Bart Knubben
> Dutch Standardisation Forum
> https://www.forumstandaardisatie.nl/content/english

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
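As an added example (not code from either message in this thread), the following offline check reproduces two of the buckets the stats report above counts from zone data alone: "partial" coverage, where only some of a domain's MX hosts have a TLSA RRset, and hosts whose published records are all unusable for SMTP (PKIX usages, unknown selector or matching type, malformed digest). It does not connect to the MX hosts, so digest mismatches against the live certificate chain are outside its scope; the MX names and records used in testing are constructed.

```python
import re
from dataclasses import dataclass

# Hex length of the association data per TLSA matching type (RFC 6698):
# 1 = SHA2-256, 2 = SHA2-512; type 0 carries the full DER data instead.
DIGEST_HEX_LEN = {1: 64, 2: 128}

@dataclass
class Tlsa:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA2-256, 2 SHA2-512
    data: str      # certificate association data, as hex

def tlsa_problems(rr):
    """Reasons one published TLSA record is unusable for SMTP (RFC 7672 section 3.1)."""
    problems = []
    if rr.usage not in (2, 3):
        problems.append(f"usage {rr.usage}: only DANE-TA(2)/DANE-EE(3) are usable for SMTP")
    if rr.selector not in (0, 1):
        problems.append(f"unknown selector {rr.selector}")
    if rr.mtype not in (0, 1, 2):
        problems.append(f"unknown matching type {rr.mtype}")
    elif not re.fullmatch(r"[0-9A-Fa-f]+", rr.data):
        problems.append("association data is not hex")
    elif rr.mtype and len(rr.data) != DIGEST_HEX_LEN[rr.mtype]:
        problems.append(f"digest is {len(rr.data)} hex chars, expected {DIGEST_HEX_LEN[rr.mtype]}")
    return problems

def classify_domain(mx_hosts, tlsa_rrsets):
    """Bucket a domain as "full", "partial", "unusable" or "none" from its zone data.
    tlsa_rrsets maps the TLSA owner name "_25._tcp.<mx>" to its records; a missing
    key means no RRset is published for that MX host."""
    per_host = {}
    for mx in mx_hosts:
        rrs = tlsa_rrsets.get(f"_25._tcp.{mx}", [])
        if not rrs:
            per_host[mx] = "no TLSA RRset"
        elif all(tlsa_problems(rr) for rr in rrs):
            # No usable record: RFC 7672 still requires TLS to this host, but unauthenticated.
            per_host[mx] = "unusable: " + "; ".join(p for rr in rrs for p in tlsa_problems(rr))
        else:
            per_host[mx] = "ok"  # one usable record suffices; unusable ones are skipped
    if any(v.startswith("unusable") for v in per_host.values()):
        return "unusable", per_host
    covered = sum(v == "ok" for v in per_host.values())
    if covered == len(mx_hosts):
        return "full", per_host
    return ("partial" if covered else "none"), per_host
```

Feed it the MX RRset and the `_25._tcp.<mx>` TLSA RRsets of your own domain as fetched with DNSSEC validation, and alarm on anything other than "full".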