From ietf-dane at dukhovni.org Fri Apr 1 06:11:24 2022
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 1 Apr 2022 00:11:24 -0400
Subject: Update on stats 2022-03
Message-ID:

Summary: The DANE domain count is now 3,172,531 (cf. 3,171,233 last
month). The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,166,397 (up from 17,945,028 last month).
Thus DANE TLSA is deployed on ~17.46% of domains with DNSSEC.

For more stats, see .

[ See the Credits[0] list below my signature. ]

Milestones:

  - Over 18 million DNSSEC-signed zones
  - .ORG over 4% signed
  - .COM over 3% signed
  - Over 8,000 DANE MX host zones

As of today I count ~3.17 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

       This month                       Last Month
       ----------                       ----------
  1222787 one.com                  1239857 one.com
   276929 hostpoint.ch              276109 hostpoint.ch
   162459 infomaniak.ch             160146 infomaniak.ch
   159841 argewebhosting.nl         157827 transip.nl
   159047 transip.nl                150199 argewebhosting.nl
   107424 domeneshop.no             107297 domeneshop.no
    96804 jouwweb.nl                 97131 webhostingserver.nl
    96629 webhostingserver.nl        95810 loopia.se
    96028 loopia.se                  95176 jouwweb.nl
    75489 forpsi.com                 74648 forpsi.com
    57815 zxcs.nl                    55862 zxcs.nl
    47064 active24.com               47053 active24.com
    41338 webreus.nl                 41756 webreus.nl
    39129 antagonist.nl              39085 antagonist.nl
    35339 pcextreme.nl               35599 pcextreme.nl
    27537 udmedia.de                 27485 udmedia.de
    26871 web4u.cz                   26856 web4u.cz
    26105 webhosting.dk              26320 vevida.com
    26035 vevida.com                 26289 webhosting.dk
    24796 protonmail.ch              24182 protonmail.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

       This month                       Last month
       ----------                       ----------
     9827 TOTAL                      9660 TOTAL
     2919 DE, Germany                2843 DE, Germany
     1827 NL, Netherlands            1828 NL, Netherlands
     1796 US, United States          1766 US, United States
      725 FR, France                  712 FR, France
      331 GB, United Kingdom          337 GB, United Kingdom
      315 CZ, Czechia                 296 CZ, Czechia
      227 FI, Finland                 214 CA, Canada
      212 CA, Canada                  213 FI, Finland
      151 AT, Austria                 150 AT, Austria
      133 DK, Denmark                 135 DK, Denmark
      128 SG, Singapore               128 SG, Singapore
      126 CH, Switzerland             124 CH, Switzerland
      106 SE, Sweden                  109 SE, Sweden
      102 AU, Australia               107 AU, Australia
       59 PL, Poland                   59 PL, Poland
       45 NO, Norway                   45 RU, Russia
       43 RU, Russia                   45 NO, Norway
       43 JP, Japan                    41 JP, Japan
       43 IE, Ireland                  41 IE, Ireland
       39 IT, Italy                    36 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

       This month                       Last month
       ----------                       ----------
     7726 TOTAL                      7636 TOTAL
     3485 NL, Netherlands            3492 NL, Netherlands
     2125 DE, Germany                2105 DE, Germany
      808 US, United States           799 US, United States
      314 FR, France                  299 FR, France
      171 CZ, Czechia                 158 CZ, Czechia
      139 GB, United Kingdom          151 GB, United Kingdom
       83 FI, Finland                  82 FI, Finland
       65 CA, Canada                   63 CA, Canada
       55 CH, Switzerland              57 CH, Switzerland
       47 AU, Australia                49 AU, Australia
       43 SE, Sweden                   45 SE, Sweden
       41 SG, Singapore                42 SG, Singapore
       37 RU, Russia                   33 AT, Austria
       36 IE, Ireland                  32 JP, Japan
       34 AT, Austria                  25 RU, Russia
       31 JP, Japan                    21 IE, Ireland
       20 NO, Norway                   19 NO, Norway
       20 DK, Denmark                  19 DK, Denmark
       15 UA, Ukraine                  14 BR, Brazil
       13 BR, Brazil                   11 SI, Slovenia

There are 8,039 unique zones (7,895 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,131 (16,959 last
month).  These cover 17,403 distinct MX hosts (17,222 last month; some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 607 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 346
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.17 million DANE domains, 12,731 (12,742 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts.  While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1102
(1136 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

    86 beta.itcomputers.eu
    65 arachne.itcomputers.cz
    29 mx.2u2.nu
    20 mail.itcomputers.net
    19 mx1.mdbraber.com
    16 e-vps.hacktheplanet.nl
    15 artemis.strebsjig.net
    14 web1.ams.dcg.t-host.net
    13 dolifarm2.cap-networks.com
    10 mx01.mykolab.com

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.
See:

  https://dane.sys4.de/common_mistakes
  https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
  https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number
of "real" email domains with bad DNSSEC support stands at 1181 (1148
last month).  The top 10 name server operators with problem domains are:

       This Month                       Last month
       ----------                       ----------
      550 registrar-servers.com        569 registrar-servers.com
      149 axc.nl                       152 axc.nl
       80 worldnic.com                  82 ebola.cz
       78 ebola.cz                      56 worldnic.com
       35 mijndomein.nl                 38 mijndomein.nl
       32 openprovider.nl               30 ns01.nl
       31 made-easy.ch                  29 made-easy.ch
       26 ns01.nl                       26 hostline.fr
       25 register.com                  20 register.com
       17 dotroll.com                   18 cloudflare.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    icv-crew.com
    urbtix.hk
    mailazy.net
    kprm.gov.pl
    novathreads.us

-- 
	Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
    ongoing data support from Paul Vixie of Farsight Security.  Credits
    also due to ICANN for gTLD data via CZDS, and to the TLD registries
    for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and
    .SE.  More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist.  I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email).  However, provided
    the dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed), there's no loss of
    security.

[2] DANE domains appearing in last 90 days of Google Email transparency
    reports:
From ralph at ml.seichter.de Fri Apr 8 22:48:38 2022
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Fri, 08 Apr 2022 22:48:38 +0200
Subject: LetsDNS - Manage DANE TLSA records in DNS servers // Testers wanted
Message-ID: <87sfqnl2s9.fsf@ra.horus-it.com>

Hello list members,

I'd like to introduce "LetsDNS", a utility to manage DANE TLSA records
in DNS servers with only a few lines of configuration.  It supports
multiple domains with multiple TLS certificates each.  LetsDNS can be
invoked manually, from cron jobs, or called in hook functions of ACME
clients like "dehydrated" or "certbot".

It currently supports backends via the DNS Update Protocol (RFC 2136),
the Hetzner DNS API, and a generator for "nsupdate" scripts.
Additionally, LetsDNS is designed to be expanded using custom Python
modules which are loaded dynamically during runtime.

LetsDNS has reached a level of maturity at which I feel comfortable to
ask for volunteers who would like to test the software.
For more information, please visit the project's homepage at
https://letsdns.org . I appreciate your feedback.

-Ralph

From ralph at ml.seichter.de Tue Apr 12 15:15:09 2022
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Tue, 12 Apr 2022 15:15:09 +0200
Subject: Announcement: LetsDNS release 1.0 is now available
Message-ID: <87v8veh28y.fsf@ra.horus-it.com>

I'm happy to announce that LetsDNS release 1.0 is now available and
ready for public use.

  Website: https://letsdns.org
  GitHub : https://github.com/LetsDNS/letsdns
  PyPI   : https://pypi.org/project/letsdns/

LetsDNS is a utility to manage DANE TLSA records in DNS servers with
only a few lines of configuration.  It supports multiple domains with
multiple TLS certificates each.  LetsDNS can be invoked manually, from
cron jobs, or called in hook functions of ACME clients like dehydrated
or certbot.

It currently supports backends via the DNS Update Protocol (RFC 2136),
the Hetzner DNS API, and a generator for nsupdate scripts.
Additionally, LetsDNS is designed to be expanded using custom Python
modules which are loaded dynamically during runtime.

I'd appreciate you taking LetsDNS for a leisurely spin, and letting me
know of your experiences.  GitHub discussions/issues are preferred, but
you can also send mail to "author at letsdns dot org".

Enjoy.

-Ralph

From ralph at ml.seichter.de Tue Apr 12 22:03:23 2022
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Tue, 12 Apr 2022 22:03:23 +0200
Subject: LetsDNS working example configuration
In-Reply-To: <87v8veh28y.fsf@ra.horus-it.com>
References: <87v8veh28y.fsf@ra.horus-it.com>
Message-ID: <87bkx65at0.fsf@ra.horus-it.com>

Re Viktor mentioning earlier on the Postfix mailing list that "there's
a need for an example complete config file":

https://letsdns.org/example.html shows a complete and functioning
example, in which I have only changed the domain name to example.com.

Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates
in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook
function.  LD generates DNS records for both the queued and the active
certificate (found in /etc/postfix/tls).  Two days later the queued cert
is copied over the active one.

This ensures a non-breaking certificate roll-over, further backed by the
TLSA records LetsDNS generates for the CA certificate.  Also, as is
mentioned in the docs, LetsDNS deduplicates TLSA records automatically
to avoid superfluous entries if possible.

I hope this sheds a bit more light on what is happening.

-Ralph

From ietf-dane at dukhovni.org Tue Apr 12 22:32:55 2022
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 12 Apr 2022 16:32:55 -0400
Subject: LetsDNS working example configuration
In-Reply-To: <87bkx65at0.fsf@ra.horus-it.com>
References: <87v8veh28y.fsf@ra.horus-it.com> <87bkx65at0.fsf@ra.horus-it.com>
Message-ID:

On Tue, Apr 12, 2022 at 10:03:23PM +0200, Ralph Seichter wrote:

> Re Viktor mentioning earlier on the Postfix mailing list that "there's
> a need for an example complete config file":
>
> https://letsdns.org/example.html shows a complete and functioning
> example, in which I have only changed the domain name to example.com.
>
> Dehydrated stores newly issued (i.e. queued) Let's Encrypt certificates
> in /var/lib/dehydrated/certs/example.com and calls LetsDNS from a hook
> function. LD generates DNS records for both the queued and the active
> certificate (found in /etc/postfix/tls). Two days later the queued cert
> is copied over the active one.
>
> This ensures a non-breaking certificate roll-over, further backed by the
> TLSA records LetsDNS generates for the CA certificate. Also, as is
> mentioned in the docs, LetsDNS deduplicates TLSA records automatically
> to avoid superfluous entries if possible.
>
> I hope this sheds a bit more light on what is happening.
Yes, this is helpful, and I encourage you to write up how the
certificate lifecycle integrates with "letsdns", what custom actions
are supposed to do, ... who's responsible for activating the "queued"
certificate, ...

Presently it is not clear to me how the new tool is to be used.  I hope
you'll have some cycles to document the key use cases.

-- 
	Viktor.

From ralph at ml.seichter.de Wed Apr 13 15:57:54 2022
From: ralph at ml.seichter.de (Ralph Seichter)
Date: Wed, 13 Apr 2022 15:57:54 +0200
Subject: LetsDNS working example configuration
In-Reply-To:
References: <87v8veh28y.fsf@ra.horus-it.com> <87bkx65at0.fsf@ra.horus-it.com>
Message-ID: <87ee216q71.fsf@ra.horus-it.com>

* Viktor Dukhovni:

> Presently it is not clear to me how the new tool is to be used.
> I hope you'll have some cycles to document the key use cases.

I have fleshed out the example use case (Postfix and DANE TLSA).  I hope
to add an example for Webserver use soonish.

-Ralph
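The roll-over Ralph describes in this thread (TLSA records for both the active and the queued server certificate, a further record for the issuing CA, duplicates collapsed once the queued cert has been copied over the active one) as an added Python example; this is not LetsDNS's own code. It builds "3 1 1" records for the server certificates and a "2 1 1" record for the CA (selector 1 digests the SubjectPublicKeyInfo, so a renewal that keeps the key does not change the record), walks the DER with a minimal stdlib-only parser, and uses constructed certificate skeletons rather than real certificates as sample input.

```python
import hashlib

def der_tlv(buf, off):
    """Decode the DER TLV at buf[off]; return (tag, value_start, value_end)."""
    tag, length, hdr = buf[off], buf[off + 1], 2
    if length & 0x80:                         # long-form length: 0x8N then N bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off + 2:off + 2 + n], "big")
        hdr += n
    return tag, off + hdr, off + hdr + length

def spki_der(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, off, _ = der_tlv(cert_der, 0)          # Certificate SEQUENCE
    _, off, _ = der_tlv(cert_der, off)        # TBSCertificate SEQUENCE
    tag, _, end = der_tlv(cert_der, off)
    if tag == 0xA0:                           # optional [0] EXPLICIT version
        off = end
    for _ in range(5):                        # serial, signature, issuer, validity, subject
        _, _, off = der_tlv(cert_der, off)
    _, _, end = der_tlv(cert_der, off)        # subjectPublicKeyInfo
    return cert_der[off:end]

def tlsa_rdata(cert_der, usage, selector=1, mtype=1):
    """Presentation-format TLSA RDATA, e.g. '3 1 1 <sha256 of SPKI>'."""
    data = spki_der(cert_der) if selector == 1 else cert_der
    digest = hashlib.sha256(data).hexdigest() if mtype == 1 else data.hex()
    return f"{usage} {selector} {mtype} {digest}"

def tlsa_rrset(active_der, queued_der, ca_der):
    """Records for the active and queued server certs (DANE-EE) plus the
    issuing CA (DANE-TA), deduplicated so identical certs yield one record."""
    rrset = []
    for cert, usage in ((active_der, 3), (queued_der, 3), (ca_der, 2)):
        rr = tlsa_rdata(cert, usage)
        if rr not in rrset:
            rrset.append(rr)
    return rrset

def der(tag, body):
    """Minimal DER encoder, used only to build the constructed sample certs."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def fake_cert(key_bytes, serial):
    """Constructed X.509 skeleton (placeholder names, unsigned): not a real cert."""
    rsa_oid = der(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = der(0x30, der(0x30, rsa_oid) + der(0x03, b"\x00" + key_bytes))
    tbs = (der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
           + der(0x30, b"") * 4 + spki)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))
```

In a real deployment the DER input would come from the PEM files dehydrated and Postfix keep (e.g. via ssl.PEM_cert_to_DER_cert), and the resulting RRset would be pushed with RFC 2136 or nsupdate as the thread describes.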