From ietf-dane at dukhovni.org Mon Nov 1 06:05:29 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 1 Nov 2021 01:05:29 -0400
Subject: Update on stats 2021-10

Summary: The DANE domain count is now 2,974,861 (up from 2,912,048 last
month). The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,638,332 (up from 16,310,355 last month).
Thus DANE TLSA is deployed on ~17.87% of domains with DNSSEC.

See https://stats.dnssec-tools.org/ for more stats.

[ See the Credits[0] list below my signature. ]

As of today I count ~2.97 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].

As expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.

This month                        Last month
----------                        ----------
1219713 one.com                  1225237 one.com
 270842 hostpoint.ch              211135 hostpoint.ch
 154249 transip.nl                153581 transip.nl
 152372 infomaniak.ch             151214 argewebhosting.nl
 150807 argewebhosting.nl         150461 infomaniak.ch
 105814 domeneshop.no             105846 domeneshop.no
  98302 webhostingserver.nl        98581 webhostingserver.nl
  94851 loopia.se                  94743 loopia.se
  71517 forpsi.com                 71205 forpsi.com
  46431 active24.com               46199 active24.com
  45675 zxcs.nl                    43026 zxcs.nl
  42325 webreus.nl                 40150 webreus.nl
  38150 antagonist.nl              37893 antagonist.nl
  36614 pcextreme.nl               36906 pcextreme.nl
  27758 vevida.com                 28102 vevida.com
  27035 webhosting.dk              27607 webhosting.dk
  26937 udmedia.de                 26882 udmedia.de
  26456 web4u.cz                   26468 web4u.cz
  23884 hosting2go.nl              24184 hosting2go.nl
  21623 protonmail.ch              20972 protonmail.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

This month                  Last month
----------                  ----------
9206 TOTAL                  9030 TOTAL
2692 DE, Germany            2649 DE, Germany
1768 NL, Netherlands        1723 US, United States
1731 US, United States      1720 NL, Netherlands
 699 FR, France              690 FR, France
 334 GB, United Kingdom      330 GB, United Kingdom
 245 CZ, Czechia             231 CZ, Czechia
 208 CA, Canada              205 CA, Canada
 203 FI, Finland             196 FI, Finland
 127 DK, Denmark             125 DK, Denmark
 121 AT, Austria             119 SG, Singapore
 120 SG, Singapore           117 AT, Austria
 107 CH, Switzerland         109 CH, Switzerland
 100 AU, Australia            98 SE, Sweden
  98 SE, Sweden               95 AU, Australia
  54 PL, Poland               50 PL, Poland
  44 RU, Russia               45 RU, Russia
  44 NO, Norway               42 NO, Norway
  42 IE, Ireland              40 IE, Ireland
  41 BR, Brazil               37 IT, Italy
  36 JP, Japan                35 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

This month                  Last month
----------                  ----------
7202 TOTAL                  7116 TOTAL
3389 NL, Netherlands        3368 NL, Netherlands
1889 DE, Germany            1862 DE, Germany
 767 US, United States       728 US, United States
 290 FR, France              294 FR, France
 153 CZ, Czechia             141 CZ, Czechia
 136 GB, United Kingdom      136 GB, United Kingdom
  78 FI, Finland              76 FI, Finland
  61 CA, Canada               63 CA, Canada
  42 SG, Singapore            50 CH, Switzerland
  42 CH, Switzerland          44 SE, Sweden
  41 SE, Sweden               43 SG, Singapore
  40 AU, Australia            39 AU, Australia
  37 AT, Austria              30 RU, Russia
  24 JP, Japan                30 AT, Austria
  22 IE, Ireland              23 JP, Japan
  20 NO, Norway               21 IE, Ireland
  17 DK, Denmark              17 NO, Norway
  15 BR, Brazil               17 DK, Denmark
  14 RU, Russia               14 BR, Brazil
  11 SI, Slovenia             11 PL, Poland

There are 7,410 unique zones (7,308 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 16,101 (15,915
last month). These cover 16,358 distinct MX hosts (16,170 last month,
some MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 543 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 309
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.97 million DANE domains, 12,735 (12,805 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1802
(1110 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:

  780 mta1.vaiadigital.net (explains this month's "bump")
   71 vps01.marcus.services
   41 mx1.redpill.servernetz.biz
   16 mail.odissee.net
   16 e-vps.hacktheplanet.nl
   15 web1.ams.dcg.t-host.net
   15 artemis.strebsjig.net
   13 entrante.svnt.com
   11 smtp.hoggins.fr
    9 mail.syngenuity.com

To avoid email outages, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

  https://dane.sys4.de/common_mistakes
  https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
  https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number
of "real" email domains with bad DNSSEC support stands at 1148 (1148
last month). The top 10 name server operators with problem domains are:

This month                 Last month
----------                 ----------
553 registrar-servers.com  546 registrar-servers.com
122 axc.nl                 119 axc.nl
 87 ebola.cz                85 ebola.cz
 33 made-easy.ch            35 made-easy.ch
 32 mijndomein.nl           29 mijndomein.nl
 30 worldnic.com            19 cloudflare.com
 17 cloudflare.com          16 worldnic.com
 11 openprovider.nl         13 renault.fr
 10 vtx.ch                  11 openprovider.nl
  8 register.com             9 vtx.ch

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage possible.

Four of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  kprm.gov.pl
  novathreads.us

-- 
  Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
    ongoing data support from Paul Vixie of Farsight Security. Credits
    also due to ICANN for gTLD data via CZDS, and to the TLD registries
    for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.
    More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email). However, provided
    the dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed), there's no loss
    of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
    reports:

univie.ac.at  fau.de  digid.nl
gmx.at  followerpilot.de  duo.nl
pictolezen.be  freenet.de  edenhotels.nl
triodos.be  gmx.de  ezorg.nl
tbibank.bg  jpberlin.de  healthcheckcenter.nl
cetelemnegocie.com.br  lrz.de  herinneringenoplinnen.nl
e-negociacao.com.br  mail.de  hetamsterdamsverbond.nl
e-renegocie.com.br  mensa.de  huizenzoeker.nl
nic.br  mpg.de  interconnect.nl
registro.br  mvnet.de  interim-netwerk.nl
ehefueralle.ch  neutraler-versand.de  luxiez.nl
gmx.ch  posteo.de  mailplus.nl
hostpoint.ch  ruhr-uni-bochum.de  mailshover.nl
infomaniak.ch  tum.de  markteffectmail.nl
linsenkontakt.ch  tutanota.de  mijnuvt.nl
open.ch  uni-erlangen.de  minbuza.nl
protonmail.ch  uni-muenchen.de  minbzk.nl
switch.ch  unitymedia.de  mindef.nl
travailler-en-suisse.ch  web.de  mm1.nl
wog.ch  westlotto.de  mulderretail.nl
simplelogin.co  actie.deals  nieuwsservice-rvo.nl
altospam.com  dk-hostmaster.dk  ns.nl
bornomail.com  fibianet.dk  orangebag.nl
cm.com  handelsbanken.dk  overheid.nl
connectsb.com  netic.dk  partijvoordedieren.nl
dailyplaylists.com  nota.dk  paypro.nl
datev.com  peterhald.dk  podiumcadeaukaart.nl
flaneurhomme.com  powerhosting.dk  politie.nl
gmx.com  shapeit.dk  pp-prd.nl
habr.com  shellcard.dk  previder.nl
hotelsinduitsland.com  webhosting.dk  purdey.nl
imcnig.com  tilburguniversity.edu  rijksoverheid.nl
infomaniak.com  just.ee  rotterdam.nl
ingthink.com  envie.email  sans-mail.nl
intakt.com  spike.email  schoudercom.nl
joomlapolis.com  spotler.email  schuurman-schoenen.nl
jula.com  rediris.es  sportrusten.nl
kpn.com  triodos.es  ssonet.nl
leszexpertsfle.com  uv.es  telefoonglaasje.nl
mail.com  egu.eu  triodos.nl
mailfence.com  qard.eu  truetickets.nl
mammoetmail.com  zone.eu  uitgeverijpica.nl
matilhadobemadestramento.com  zonevs.eu  utwente.nl
mx-relay.com  handelsbanken.fi  uvt.nl
nanolearning.com  tarjousrinki.fi  uwv.nl
nine-pine.com  ac-strasbourg.fr  veilinghuispeerdeman.nl
one.com  compagnie-des-sens.fr  voorpositiviteit.nl
outsystems.com  edtm-actu.fr  vu.nl
protonmail.com  oo2.fr  waternet.nl
protonvpn.com  srci.fr  werkenbijaldautomotive.nl
renworkshops.com  excelsior.hu  xs4all.nl
sankakucomplex.com  fidesz.hu  zorgmail.nl
schizinfo.com  gardrobom.hu  annabellstefanussen.no
societe.com  obiserver.hu  audi.no
solvinity.com  otthonplus.hu  derute.no
spareklubbnorge.com  popfilm.hu  domeneshop.no
stellarequipment.com  pandi.id  handelsbanken.no
t-2.com  bluebiz.info  idrettenonline.no
thalesgroup.com  interestexplorer.io  leadmail.no
thepcw.com  neolink.link  norskgrammatikk.no
thepcwholesale.com  pm.me  uib.no
triodos.com  army.mil  viphuset.no
tutanota.com  dla.mil  atelkamera.nu
veganallsorts.com  jten.mil  goget.nu
vitstore.com  mail.mil  debian.org
vivaldi.com  militaryonesource.mil  exim.org
webcruiter.com  navy.mil  freebsd.org
webmailph.com  nga.mil  gentoo.org
xfinity.com  osd.mil  ietf.org
xfinityhomesecurity.com  socom.mil  isc.org
xfinitymobile.com  uscg.mil  mailbox.org
30tidennivyzva.cz  usmc.mil  mailop.org
akce-incomputer.cz  comcast.net  netbsd.org
cuni.cz  fivem.net  openssl.org
ekokoza.cz  gmx.net  ozlabs.org
gigalekarna.cz  habramail.net  samba.org
itesco.cz  hr-manager.net  torproject.org
klenotyaurum.cz  inexio.net  whatpulse.org
klubpevnehozdravi.cz  mijngezondheid.net  psgaz.pl
manymail.cz  mpssec.net  asf.com.pt
mkluzkoviny.cz  procurios.net  mobily.com.sa
nic.cz  prolocation.net  alterskjaer.se
omvnovinky.cz  ripe.net  bilprovningen.se
onebit.cz  riseup.net  boplatssyd-automail.se
optimail.cz  s-qrc.net  ecster.se
poptavej.cz  t-2.net  handelsbanken.se
scrptd.cz  transip.net  loopia.se
server4u.cz  xs4all.net  loopiahosting.se
smtp.cz  123watches.nl  minmyndighetspost.se
sparkys.cz  amsterdam.nl  parkerat.se
stoklasa.cz  argeweb.nl  skatteverket.se
vas-server.cz  artsenzorg.nl  teknikdelar.se
virusfree.cz  awcloud.nl  theletter.se
zdravestravovani.cz  belastingdienst.nl  websupport.se
bayern.de  bhosted.nl  flagranti.sk
brandenburg.de  bluerail.nl  mklozkoviny.sk
bund.de  boekwinkeltjes.nl  najlacnejsisport.sk
bundesregierung.de  boozyshop.nl  rondogo.sk
datev.de  burgernet.nl  toptop.sk
dfn.de  cbr.nl  triodos.co.uk
dvz-mv.de  cbs.nl  govtrack.us
ekom21.de  corpoflow.nl  quantum-services.us
elster.de  derooijfotografie.nl  ru.ac.za

From moritz.muller at sidn.nl Mon Nov 29 10:56:16 2021
From: moritz.muller at sidn.nl (Moritz Müller)
Date: Mon, 29 Nov 2021 10:56:16 +0100
Subject: Results DANE for SMTP Survey
Message-ID: <4AB4E9A7-4A8E-494D-B240-F5AC1DF335BB@sidn.nl>

Hi all,

A while ago we've asked the members of this mailing list to fill in a
survey about DANE management.
First of all: Thanks to everyone who filled in the survey!

We've processed the results which are now part of our paper "Under the
Hood of DANE Mismanagement in SMTP", which is going to be published at
usenix security [1].

Overall, we see that the vast majority of domain names that outsource
their SMTP server (which is the majority of all domain names) configure
DANE correctly.
Self hosted SMTP servers, however, are misconfigured frequently.
Especially keeping the TLSA records from a name server and certificates
from an SMTP server synchronized is not straightforward.

You can read the full abstract and paper here [1].

-- 
Moritz

[1] https://www.usenix.org/conference/usenixsecurity22/presentation/lee
From sje at one.com Mon Nov 29 11:52:21 2021
From: sje at one.com (Sidsel Jensen)
Date: Mon, 29 Nov 2021 11:52:21 +0100
Subject: [mailop] Results DANE for SMTP Survey

Hi Moritz

First of all - thanks (to all the article authors) for providing
research in DANE deployments - it is very much appreciated.

I would however really wish that you compared the amount (in %) of
mismanaged SMTP servers doing DANE to the in general amount (in %) of
mismanaged SMTP servers, in order to provide some sort of "baseline".
My gut feeling is that the amount of mismanaged SMTP servers handling
DANE is very very low, compared to the in general mismanaged SMTP
servers.

I also hope that you have read and taken Viktor's remarks (regarding
the initial paper from 2020) into account in the new version:
http://dnssec-stats.ant.isi.edu/~viktor/usenix-security-dane-response.html

Since you mention Antagonist.nl in the report: Antagonist has been
bought by Group.ONE: https://group.one/group-one-acquires-antagonist/

I had hoped that I had a chance to pull some statistics out of our
one.com outbound mailservers, with some real % on errors that we see,
and share, but unfortunately I simply haven't had time. :-(
It looks like the USENIX Security '22 is in August - so that gives me
some possibilities to look into that next year before the conference.
:-)

Kind Regards,
  Sidsel Jensen
  Team manager Mail & Abuse, Systems Engineer @ One.com

> On 29 Nov 2021, at 10.55, Moritz Müller via mailop wrote:
>
> Hi all,
>
> A while ago we've asked the members of this mailing list to fill in a
> survey about DANE management.
> First of all: Thanks to everyone who filled in the survey!
>
> We've processed the results which are now part of our paper "Under the
> Hood of DANE Mismanagement in SMTP", which is going to be published at
> usenix security [1].
>
> Overall, we see that the vast majority of domain names that outsource
> their SMTP server (which is the majority of all domain names)
> configure DANE correctly.
> Self hosted SMTP servers, however, are misconfigured frequently.
> Especially keeping the TLSA records from a name server and
> certificates from an SMTP server synchronized is not straightforward.
>
> You can read the full abstract and paper here [1].
>
> --
> Moritz
>
> [1] https://www.usenix.org/conference/usenixsecurity22/presentation/lee
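Viktor's stats post above asks operators to monitor the validity of their own TLSA records and to rotate keys reliably, and Moritz's survey result names the same failure mode from the other side: TLSA records in DNS drifting out of sync with the certificate the SMTP server actually serves, plus the "partial" case where only some of a domain's MX hosts carry records. The Python below is an added example of such a monitor's core logic; it is not code from either post, from the paper, or from any project named in the thread. It assumes the caller has already fetched the DER-encoded certificate chain from the MX host (for instance from `openssl s_client -starttls smtp -showcerts`) and the TLSA RRset from a validating resolver; the byte strings, host names and records in the demo are constructed placeholders, not real DER or real DNS data. As a simplification, DANE-TA(2) records are matched only against issuer certificates present in the served chain.

```python
"""Offline TLSA sanity checks for an SMTP host (added example; not from the
list posts).  Inputs are the DER encodings a monitor would fetch itself:

  openssl s_client -starttls smtp -connect mx.example.net:25 -showcerts
  openssl x509 -outform DER                                        # certificate
  openssl x509 -pubkey -noout | openssl pkey -pubin -outform DER   # SPKI

The byte strings in the demo below are constructed placeholders, not real DER.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA2-256, 2 SHA2-512
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>' (hex may be split by spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()  # ValueError if too few fields
    rr = TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))
    if rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        raise ValueError(f"unsupported selector/matching type in {rdata!r}")
    return rr


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """The bytes a TLSA record must carry for this certificate under selector/mtype."""
    obj = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {mtype}")


def make_tlsa_rdata(cert_der: bytes, spki_der: bytes, usage: int = 3,
                    selector: int = 1, mtype: int = 1) -> str:
    """Record to publish for this certificate; '3 1 1' is the usual SMTP choice."""
    return f"{usage} {selector} {mtype} " + association_data(cert_der, spki_der, selector, mtype).hex()


def check_host(rrset, leaf, chain):
    """Does at least one usable record match what the host serves?

    leaf and each chain entry are (cert_der, spki_der) tuples as presented in
    the TLS handshake.  Returns (ok, notes); notes explain every record that
    did not contribute, which is what a monitor should report.
    """
    ok, notes = False, []
    for rdata in rrset:
        try:
            rr = parse_tlsa(rdata)
        except ValueError as err:
            notes.append(f"malformed record {rdata!r}: {err}")
            continue
        if rr.usage in (0, 1):
            # PKIX-TA/PKIX-EE are unusable for SMTP (RFC 7672, section 3.1.3)
            notes.append(f"usage {rr.usage} record is unusable for SMTP")
            continue
        if rr.usage == 3:
            candidates = [leaf]
        elif rr.usage == 2:
            candidates = list(chain)  # simplification: TA must be in the served chain
        else:
            notes.append(f"unknown usage {rr.usage}")
            continue
        if any(association_data(c, s, rr.selector, rr.mtype) == rr.data for c, s in candidates):
            ok = True
        else:
            notes.append(f"no match for '{rdata[:5]}...': stale record or rotated key?")
    if not rrset:
        notes.append("no TLSA records: host is not DANE-protected")
    return ok, notes


def mx_coverage(tlsa_by_mx):
    """Classify a domain from {mx host: [TLSA rdata, ...]}; [] means none published."""
    uncovered = sorted(host for host, rrs in tlsa_by_mx.items() if not rrs)
    if not uncovered:
        status = "full"
    elif len(uncovered) == len(tlsa_by_mx):
        status = "none"
    else:
        status = "partial"  # the uncovered hosts still get only unauthenticated TLS
    return {"status": status, "uncovered": uncovered}


# Constructed placeholders standing in for DER certificate / SPKI bytes.
LEAF = (b"constructed-leaf-cert-der", b"constructed-leaf-spki-der")
NEXT_LEAF = (b"constructed-next-cert-der", b"constructed-next-spki-der")
ISSUER = (b"constructed-issuer-cert-der", b"constructed-issuer-spki-der")


def demo():
    current = make_tlsa_rdata(*LEAF)       # matches the key in service
    staged = make_tlsa_rdata(*NEXT_LEAF)   # next key, published ahead of rotation
    return {
        "rotation in progress": check_host([current, staged], LEAF, [ISSUER]),
        "forgot DNS after rotation": check_host([current], NEXT_LEAF, [ISSUER]),
        "DANE-TA on issuer": check_host(
            [make_tlsa_rdata(*ISSUER, usage=2, selector=0, mtype=2)], LEAF, [ISSUER]),
        "coverage": mx_coverage({"mx1.example.net": [current], "mx2.example.net": []}),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The check passes as long as one usable record matches, so a record for the next key can be published before the switch ("rotation in progress") without raising an alert, while the "forgot DNS after rotation" case is exactly the outage Viktor warns about: the server already presents the new key but DNS still only vouches for the old one. The `notes` list is the useful alert payload; a record that never matches anything is either stale or a typo, and `mx_coverage` flags the "partial" domains from the stats post, where an uncovered MX host leaves a path that an active attacker can still downgrade.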