[mailop] Results DANE for SMTP Survey

Mon Nov 29 11:52:21 CET 2021

Hi Moritz

First of all - thanks (to all the article authors) for providing research in DANE deployments - it is very much appreciated.

I would however really wish that you compared the amount (in %) of mismanaged SMTP servers doing DANE to the in general amount (in %) of mismanaged SMTP servers. In order to provide some sort of “baseline”.
My gut feeling is that the amount of mismanaged SMTP servers handling DANE is very very low, comared to the in general mismanaged SMTP servers.

I also hope that you have read and taken Viktors remarks (regarding the initial paper from 2020) into account in the new version:
http://dnssec-stats.ant.isi.edu/~viktor/usenix-security-dane-response.html <http://dnssec-stats.ant.isi.edu/~viktor/usenix-security-dane-response.html>

Since you mention Antagonist.nl in the report:
Antagonist has been bought by Group.ONE : https://group.one/group-one-acquires-antagonist/ <https://group.one/group-one-acquires-antagonist/>

I had hoped, that I had a chance to pull some statistics out of our one.com <http://one.com/> outbound mailservers, with some real % on errors that we see, and share, but unfortunately I simply havn’t had time. :-(
It looks like the USENIX Security ’22 is in August - so that gives me some possibilities to look into that next year before the conference. :-)

Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com <http://one.com/>

> On 29 Nov 2021, at 10.55, Moritz Müller via mailop <mailop at mailop.org> wrote:
> 
> Signed PGP part
> Hi all,
> 
> A while ago we’ve asked the members of this mailing list to fill in a survey about DANE management.
> First of all: Thanks to everyone who filled in the survey!
> 
> We’ve processed the results which are now part of our paper "Under the Hood of DANE Mismanagement in SMTP”, which is going to be published at usenix security [1].
> 
> Overall, we see that the vast majority of domain names that outsource their SMTP server (which is the majority of all domain names) configure DANE correctly.
> Self hosted SMTP servers, however, are misconfigured frequently.
> Especially keeping the TLSA records from a name server and certificates from an SMTP server synchronized is not straightforward.
> 
> You can read the full abstract and paper here [1].
> 
> —
> Moritz
> 
> [1] https://www.usenix.org/conference/usenixsecurity22/presentation/lee
> 
> 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mail.sys4.de/pipermail/dane-users/attachments/20211129/4e4825ec/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: Message signed with OpenPGP
URL: <https://mail.sys4.de/pipermail/dane-users/attachments/20211129/4e4825ec/attachment.asc>