From ietf-dane at dukhovni.org Wed Sep 1 06:25:40 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Wed, 1 Sep 2021 00:25:40 -0400
Subject: Update on stats 2021-08
Message-ID:

Summary:

The DANE domain count is now 2,779,500 (up from 2,653,718 last month). The number of domains that return DNSSEC-validated replies in response to MX queries is 16,107,719 (up from 15,663,538 last month). Thus DANE TLSA is deployed on ~17.26% of domains with DNSSEC. See https://stats.dnssec-tools.org/ for more stats.

[ A major part of the increase in both DNSSEC and DANE domains is a result of a significant expansion of use of DNSSEC among .CH domains, particularly at hostpoint.ch and infomaniak.ch. Congratulations and thanks to both and also switch.ch. The .CH TLD is now the 9th largest by count of signed delegations in the survey dataset, just behind .NO, perhaps not for long, if the present growth rate holds up. ]

Credits:

The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 2,779,500 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                     Last month
----------                     ----------
1225124 one.com                1227184 one.com
 152779 transip.nl              151493 transip.nl
 150719 argewebhosting.nl       150376 argewebhosting.nl
 148426 infomaniak.ch           114457 infomaniak.ch
 105493 domeneshop.no           105236 domeneshop.no
  98765 webhostingserver.nl      98871 webhostingserver.nl
  94403 loopia.se                94187 loopia.se
  86961 hostpoint.ch             70345 forpsi.com
  70606 forpsi.com               42190 active24.com
  46019 active24.com             39057 zxcs.nl
  40474 zxcs.nl                  38973 webreus.nl
  40396 webreus.nl               37753 antagonist.nl
  37911 antagonist.nl            37509 pcextreme.nl
  37226 pcextreme.nl             28712 vevida.com
  28411 vevida.com               27550 webhosting.dk
  27416 webhosting.dk            26580 web4u.cz
  26691 udmedia.de               26555 udmedia.de
  26509 web4u.cz                 24671 hosting2go.nl
  24443 hosting2go.nl            19910 protonmail.ch
  20574 protonmail.ch            18975 bhosted.nl

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                  Last month
----------                  ----------
8890 TOTAL                  8815 TOTAL
2655 DE, Germany            2631 DE, Germany
1715 US, United States      1693 US, United States
1686 NL, Netherlands        1676 NL, Netherlands
 654 FR, France              662 FR, France
 330 GB, United Kingdom      313 GB, United Kingdom
 226 CZ, Czechia             226 CZ, Czechia
 202 CA, Canada              206 CA, Canada
 185 FI, Finland             174 FI, Finland
 125 DK, Denmark             124 DK, Denmark
 114 SG, Singapore           122 SG, Singapore
 107 CH, Switzerland         106 CH, Switzerland
  99 SE, Sweden              102 SE, Sweden
  88 AU, Australia            84 AU, Australia
  84 AT, Austria              76 AT, Austria
  44 PL, Poland               41 RU, Russia
  43 IE, Ireland              41 PL, Poland
  40 RU, Russia               41 IE, Ireland
  40 BR, Brazil               40 NO, Norway
  39 NO, Norway               40 BR, Brazil
  35 IT, Italy                38 JP, Japan

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

This month                  Last month
----------                  ----------
7009 TOTAL                  6948 TOTAL
3336 NL, Netherlands        3301 NL, Netherlands
1826 DE, Germany            1810 DE, Germany
 714 US, United States       710 US, United States
 290 FR, France              297 FR, France
 145 CZ, Czechia             154 CZ, Czechia
 136 GB, United Kingdom      137 GB, United Kingdom
  74 FI, Finland              71 FI, Finland
  59 CA, Canada               61 CA, Canada
  47 CH, Switzerland          44 SG, Singapore
  44 SE, Sweden               43 SE, Sweden
  42 SG, Singapore            42 CH, Switzerland
  30 AU, Australia            32 AU, Australia
  29 AT, Austria              29 AT, Austria
  26 RU, Russia               27 JP, Japan
  23 JP, Japan                20 IE, Ireland
  21 IE, Ireland              17 RU, Russia
  17 DK, Denmark              17 DK, Denmark
  16 NO, Norway               16 NO, Norway
  14 BR, Brazil               14 BR, Brazil
  11 SI, Slovenia             12 IN, India

There are 7,242 unique zones (7,168 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,791 (15,673 last month). These cover 16,039 distinct MX hosts (15,908 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 517 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 301 are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.78 million DANE domains, 12,794 (12,719 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1298 (1187 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

  https://dane.sys4.de/common_mistakes
  https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1298 (1329 last month).
The top 10 name server operators with problem domains are:

This month                      Last month
----------                      ----------
542 registrar-servers.com       548 registrar-servers.com
119 axc.nl                      119 axc.nl
 89 ebola.cz                     88 ebola.cz
 59 westgatehosting.com          48 epik.com
 49 netcup.net                   28 made-easy.ch
 46 epik.com                     27 mijndomein.nl
 30 made-easy.ch                 26 3zy.de
 27 mijndomein.nl                24 tiscomhosting.nl
 19 cloudflare.com               22 netcup.net
 15 worldnic.com                 20 cloudflare.com

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Five of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  bncr.fi.cr
  pedulilindungi.id
  novathreads.us

--
Viktor.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
From ietf-dane at dukhovni.org Thu Sep 30 17:30:26 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 30 Sep 2021 11:30:26 -0400
Subject: Please drop TLSA records matching retired Let's Encrypt CAs
Message-ID:

The DANE survey continues to observe a "long tail" of MX hosts with TLSA records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs. If you're publishing TLSA records with Let's Encrypt issuer CA hashes, the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters. For details see:

  http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

The MX host counts for the various LE CAs are:

    # | CA
------+----
  538 | X3
  248 | X4
 1133 | R3
  436 | R4
  483 | E1
  396 | E2

* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3, R4, E1 and E2.

--
Viktor.

From me at junc.eu Thu Sep 30 17:49:24 2021
From: me at junc.eu (Benny Pedersen)
Date: Thu, 30 Sep 2021 17:49:24 +0200
Subject: Please drop TLSA records matching retired Let's Encrypt CAs
In-Reply-To:
References:
Message-ID:

On 2021-09-30 17:30, Viktor Dukhovni wrote:
> The DANE survey continues to observe a "long tail" of MX hosts with
> TLSA
> records that match the retired "X3" and/or "X4" Let's Encrypt issuer
> CAs.

X-Spamd-Bar: /
Authentication-Results: mail.sys4.de;
    none
X-Rspamd-Server: echo
X-Rspamd-Queue-Id: 4HKxyj0s1fz1fv9
X-Spamd-Result: default: False [0.00 / 6.00];
    TAGGED_RCPT(0.00)[dane-users,lists,dane-sys4,ml.dane-users]
X-Spam: Yes

Why would that header not be removed when the recipient is not local?
:) hope rspamd developers can fix this

From johnpc at xs4all.net Thu Sep 30 20:20:35 2021
From: johnpc at xs4all.net (Jan-Pieter Cornet)
Date: Thu, 30 Sep 2021 20:20:35 +0200
Subject: Please drop TLSA records matching retired Let's Encrypt CAs
In-Reply-To:
References:
Message-ID: <1ce2e57d-7cc2-046e-52af-c500a6b9e36f@xs4all.net>

On 30-9-21 17:49, Benny Pedersen wrote:
> On 2021-09-30 17:30, Viktor Dukhovni wrote:
>> The DANE survey continues to observe a "long tail" of MX hosts with TLSA
>> records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.
>
> X-Spamd-Bar: /
> Authentication-Results: mail.sys4.de;
>     none
> X-Rspamd-Server: echo
> X-Rspamd-Queue-Id: 4HKxyj0s1fz1fv9
> X-Spamd-Result: default: False [0.00 / 6.00];
>     TAGGED_RCPT(0.00)[dane-users,lists,dane-sys4,ml.dane-users]

These headers are in my copy of Viktor's message too, but are either standard or shouldn't make a difference.

> X-Spam: Yes

Not in the message I saw. I'm guessing your anti-spam solution inserted that one itself.

> why would it not be removed that header when recipient is not local ? :)

Maybe Rspamd is in front of the mailinglist? It shouldn't matter to you.

--
Jan-Pieter Cornet
Systeembeheer XS4ALL Internet bv
www.xs4all.nl

From me at junc.eu Thu Sep 30 20:42:30 2021
From: me at junc.eu (Benny Pedersen)
Date: Thu, 30 Sep 2021 20:42:30 +0200
Subject: Please drop TLSA records matching retired Let's Encrypt CAs
In-Reply-To: <1ce2e57d-7cc2-046e-52af-c500a6b9e36f@xs4all.net>
References: <1ce2e57d-7cc2-046e-52af-c500a6b9e36f@xs4all.net>
Message-ID: <1dd2e7cfc2bc65197c1e97d7217cb2b0@junc.eu>

On 2021-09-30 20:20, Jan-Pieter Cornet wrote:
> Maybe Rspamd is in front of the mailinglist? It shouldn't matter to
> you.
hope it's solved on Mondays

X-Spam-Status: No, score=-0.9 required=5.0 tests=CLEAR_TEXT_SASL_AUTH,
    DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,NICE_REPLY_A,
    SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no
X-Spam-Level:
X-Spam-Checker-Version: SpamAssassin 3.4.5 (2021-03-20) on localhost.junc.eu
X-Spam-Relay-Country: NL **
X-Spam-Uri-Domains-Ham: xs4all.net xs4all.nl
X-Spam-ASN: AS3265 2001:888::/32 2001:888::/29 2001:888::/30
X-Fuglu-Incomingport: 10025
X-Fuglu-Suspect: ff686095d81742b9977e70b6b8c76614

as you see I don't use rspamd
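The TLSA matching behind the advice in the two Dukhovni posts above (monitor your own TLSA records; prefer "2 1 1" over "2 0 1"/"2 0 2"; drop records that still match retired issuers such as X3/X4), as an added Python example that is not part of the original messages. The certificate and SPKI bytes are constructed stand-ins, and the DANE-TA match is simplified to the issuer certificates of the presented chain.

```python
import hashlib

# TLSA parameters (RFC 6698 / RFC 7671): usage 2 = DANE-TA, 3 = DANE-EE;
# selector 0 = full certificate, 1 = SubjectPublicKeyInfo;
# matching type 0 = exact, 1 = SHA-256, 2 = SHA-512.
def tlsa_data(selector, mtype, cert):
    """Association data a TLSA record with these parameters carries for cert."""
    raw = cert["der"] if selector == 0 else cert["spki"]
    if mtype == 0:
        return raw
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], raw).digest()

def audit_tlsa(rrset, chain):
    """rrset: list of (usage, selector, mtype, hexdata); chain[0] is the MX host's
    end-entity cert, chain[1:] its issuers. Returns (authenticated, warnings)."""
    matched, warnings = False, []
    for usage, selector, mtype, hexdata in rrset:
        tag = f"{usage} {selector} {mtype} {hexdata[:8]}..."
        if usage not in (2, 3):  # PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP (RFC 7672)
            warnings.append(f"{tag}: PKIX usage, ignored by SMTP clients")
            continue
        targets = [chain[0]] if usage == 3 else chain[1:]  # DANE-EE vs DANE-TA
        hit = any(tlsa_data(selector, mtype, c) == bytes.fromhex(hexdata) for c in targets)
        matched = matched or hit
        if not hit:
            warnings.append(f"{tag}: matches nothing in the presented chain (retired issuer?)")
        if usage == 2 and selector == 0:
            warnings.append(f"{tag}: full-cert hash of an issuer; use '2 1 1' so a "
                            "re-issued intermediate with the same key still matches")
    return matched, warnings

def sha256_hex(b):
    return hashlib.sha256(b).hexdigest()

# Constructed stand-ins for DER certificates and their SPKI fields (not real
# certificates; only bytes so the digests can be computed offline).
LEAF = {"der": b"constructed leaf cert", "spki": b"constructed leaf key"}
R3_V1 = {"der": b"constructed R3 cert v1", "spki": b"constructed R3 key"}
R3_V2 = {"der": b"constructed R3 cert v2", "spki": b"constructed R3 key"}  # re-issued, same key
X3 = {"der": b"constructed retired X3 cert", "spki": b"constructed retired X3 key"}

# Constructed RRset: sound "2 1 1" for R3; fragile "2 0 1" pinned to the old R3 cert; stale X3.
RRSET = [(2, 1, 1, sha256_hex(R3_V1["spki"])),
         (2, 0, 1, sha256_hex(R3_V1["der"])),
         (2, 1, 1, sha256_hex(X3["spki"]))]

if __name__ == "__main__":
    ok, warns = audit_tlsa(RRSET, [LEAF, R3_V2])  # chain after the CA re-issued R3
    print("authenticated:", ok, *warns, sep="\n")
```

Run against the re-issued chain, the RRset still authenticates through the "2 1 1" record, while the "2 0 1" and X3 records are reported as dead weight that a rotation procedure should have retired.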