From ietf-dane at dukhovni.org Sat Jan 1 13:07:59 2022
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sat, 1 Jan 2022 07:07:59 -0500
Subject: Update on stats 2021-12
Message-ID:

Summary: The DANE domain count is now 2,998,143 (cf. 3,005,393 last month
and 2,522,820 this time last year). The number of domains that return
DNSSEC-validated replies in response to MX queries is 17,263,168 (up from
16,982,372 last month and 13,559,686 this time last year). Thus DANE TLSA
is deployed on ~17.36% of domains with DNSSEC. For more stats, see .

[ See the Credits[0] list below my signature. ]

As of today I count ~3.0 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As expected,
the bulk of the DANE domains are hosted by the DNS/email hosting providers
who've enabled DANE support for the customer domains they host. The top 20
MX host providers by domain count are below.

    This month                   Last Month                   Last year
    ----------                   ----------                   ---------
    1214915 one.com              1230165 one.com              1197409 one.com
     273907 hostpoint.ch          272727 hostpoint.ch          146757 transip.nl
     156065 infomaniak.ch         154952 transip.nl            146041 argewebhosting.nl
     155803 transip.nl            154347 infomaniak.ch         103374 domeneshop.no
     150793 argewebhosting.nl     149718 argewebhosting.nl      98861 webhostingserver.nl
     106219 domeneshop.no         106004 domeneshop.no          96166 infomaniak.ch
      97607 webhostingserver.nl    98029 webhostingserver.nl    92051 loopia.se
      95145 loopia.se              95100 loopia.se              66772 forpsi.com
      72612 forpsi.com             71946 forpsi.com             41264 webreus.nl
      50892 zxcs.nl                48270 zxcs.nl                40642 active24.com
      46657 active24.com           46581 active24.com           39895 pcextreme.nl
      41634 webreus.nl             42121 webreus.nl             35523 antagonist.nl
      38388 antagonist.nl          38213 antagonist.nl          31194 zxcs.nl
      36106 pcextreme.nl           36362 pcextreme.nl           30096 vevida.com
      27209 udmedia.de             27450 vevida.com             27456 webhosting.dk
      27073 vevida.com             26984 udmedia.de             26566 web4u.cz
      26765 webhosting.dk          26916 webhosting.dk          25718 udmedia.de
      26430 web4u.cz               26483 web4u.cz               18487 bhosted.nl
      23331 hosting2go.nl          23612 hosting2go.nl          14530 protonmail.ch
      22745 protonmail.ch          22118 protonmail.ch          14434 onebit.cz

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is counted,
so multi-homed MX hosts are perhaps somewhat over-represented).

    This month                  Last month                  Last year
    ----------                  ----------                  ---------
    9262 TOTAL                  9230 TOTAL                  7799 TOTAL
    2704 DE, Germany            2691 DE, Germany            2390 DE, Germany
    1785 NL, Netherlands        1781 NL, Netherlands        1497 US, United States
    1723 US, United States      1710 US, United States      1437 NL, Netherlands
     674 FR, France              697 FR, France              637 FR, France
     338 GB, United Kingdom      325 GB, United Kingdom      279 GB, United Kingdom
     275 CZ, Czechia             264 CZ, Czechia             227 CZ, Czechia
     202 FI, Finland             206 CA, Canada              170 CA, Canada
     199 CA, Canada              204 FI, Finland             123 FI, Finland
     132 DK, Denmark             131 AT, Austria             113 DK, Denmark
     132 AT, Austria             129 DK, Denmark             109 SG, Singapore
     114 SG, Singapore           118 SG, Singapore            99 CH, Switzerland
     113 CH, Switzerland         108 CH, Switzerland          88 SE, Sweden
      99 SE, Sweden               98 SE, Sweden               63 AU, Australia
      99 AU, Australia            93 AU, Australia            62 AT, Austria
      54 PL, Poland               56 PL, Poland               42 IE, Ireland
      46 RU, Russia               44 NO, Norway               40 BR, Brazil
      42 IE, Ireland              43 RU, Russia               38 IN, India
      41 NO, Norway               43 IE, Ireland              34 JP, Japan
      39 JP, Japan                38 JP, Japan                33 PL, Poland
      37 BR, Brazil               38 BR, Brazil               30 RU, Russia

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

    This month                  Last month                  Last year
    ----------                  ----------                  ---------
    7177 TOTAL                  7274 TOTAL                  6378 TOTAL
    3323 NL, Netherlands        3431 NL, Netherlands        3183 NL, Netherlands
    1926 DE, Germany            1903 DE, Germany            1587 DE, Germany
     759 US, United States       757 US, United States       606 US, United States
     288 FR, France              300 FR, France              287 FR, France
     164 CZ, Czechia             156 CZ, Czechia             136 CZ, Czechia
     144 GB, United Kingdom      133 GB, United Kingdom      112 GB, United Kingdom
      82 FI, Finland              80 FI, Finland              48 CA, Canada
      60 CA, Canada               60 CA, Canada               44 CH, Switzerland
      44 CH, Switzerland          45 CH, Switzerland          42 AT, Austria
      43 SE, Sweden               42 SG, Singapore            38 SG, Singapore
      42 AU, Australia            42 SE, Sweden               36 SE, Sweden
      40 SG, Singapore            38 AU, Australia            27 RU, Russia
      32 AT, Austria              31 AT, Austria              22 IE, Ireland
      28 JP, Japan                28 JP, Japan                19 UA, Ukraine
      23 IE, Ireland              26 RU, Russia               19 JP, Japan
      18 NO, Norway               23 IE, Ireland              18 AU, Australia
      16 BR, Brazil               19 NO, Norway               17 NO, Norway
      15 DK, Denmark              18 DK, Denmark              17 FI, Finland
      12 IN, India                15 BR, Brazil               17 DK, Denmark
      11 PL, Poland               13 IN, India                14 BR, Brazil

There are 7,482 unique zones (7,451 last month and 6,291 this time last
year) in which the underlying MX hosts are found. This counts each of the
above providers as just one zone, so it is a measure of the breadth of
adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 16,403 (16,295 last
month and 14,130 this time last year). These cover 16,670 distinct MX
hosts (16,562 last month and 14,328 this time last year; some MX hosts
share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email
transparency report is 575 (this is my ad-hoc criterion for a domain being
a large-enough actively used email domain). Of these, 330 are in recent
(last 90 days of) reports (see [2] below my signature).

Of the ~3.0 million DANE domains, 12,621 (12,750 last month and 13,070
this time last year) have "partial" TLSA records, which cover only a
subset of the (secondary) MX hosts. While this protects traffic to some of
the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1225
(1086 last month and 1155 this time last year). Some of these have
additional MX hosts that don't have broken TLSA records, so mail can still
arrive via the remaining MX hosts. The affected domain counts for the top
10 problem MX hosts are:

    90 beta.itcomputers.eu
    44 smtp.meninadoporto.shop
    32 node1.4spam.nl
    19 mx1.mdbraber.com
    16 mail.odissee.net
    16 e-vps.hacktheplanet.nl
    15 web1.ams.dcg.t-host.net
    15 smtp.meninodoporto.com.pt
    15 artemis.strebsjig.net
    12 mail.bi9.de

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:

    This month                  Last month                  Last year
    ----------                  ----------                  ---------
    579 registrar-servers.com   564 registrar-servers.com   325 registrar-servers.com
    164 axc.nl                  124 axc.nl                  116 movenext.nl
     87 ebola.cz                 88 ebola.cz                 86 ebola.cz
     39 worldnic.com             33 worldnic.com             25 tiscomhosting.nl
     32 mijndomein.nl            30 mijndomein.nl            24 epik.com
     29 ns01.nl                  30 made-easy.ch             23 eatserver.nl
     29 made-easy.ch             16 cloudflare.com           17 infracom.nl
     17 cloudflare.com           11 vtx.ch                   14 ns01.nl
     14 register.com             11 openprovider.nl          12 renault.fr
     11 epik.com                 10 register.com             11 nrdns.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    tjap.jus.br
    icv-crew.com
    bncr.fi.cr
    urbtix.hk
    novathreads.us

-- 
Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits are
also due to ICANN for gTLD data via CZDS, and to the TLD registries for
.CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations are welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also impose
undue latency on legitimate email). However, provided the dead hosts still
have TLSA records (which don't need to match anything, just need to exist
and be well-formed), there's no loss of security.
[2] DANE domains appearing in the last 90 days of Google Email
transparency reports:
From ietf-dane at dukhovni.org Fri Jan 7 03:04:25 2022
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 7 Jan 2022 13:04:25 +1100
Subject: Microsoft's DANE rollout for Exchange Online
Message-ID: <01147A22-EA46-458B-ABFD-ACABE77F086F@dukhovni.org>

Starting this month through May 2022, Microsoft will incrementally roll
out outbound DANE support (*enabled by default*) for all hosted Exchange
Online domains:

    https://m365admin.handsontek.net/upcoming-release-outbound-smtp-dane-and-dnssec-in-microsoft-365-exchange-online/

> As previously announced in the blog post Support of DANE and DNSSEC in
> Office 365 Exchange Online, we will be adding support for SMTP DANE and
> DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the
> state-of-the-art for securing email, and to optimize its effectiveness
> both standards will be enabled by default at the system level for all
> EXO customers.

If your cert rollover practices are sloppy, with transient certificate
chain validation failures after each key/cert rollover, as stale TLSA
records age out from caches or are only updated after problem reports,
then this is a good time to either up your game, or stop publishing TLSA
records. Having stale TLSA records that delay or break email delivery
does neither you nor the people sending you email any good.

Please follow best-practice and pre-publish matching TLSA records for
the upcoming certs a few TTLs before certificate deployment. If that's
too hard, disable DANE until you can implement a more robust rollover
process.

-- 
Viktor.
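To illustrate the pre-publication rule in the message above, here is an added example (not code from the list, from Microsoft, or from any of the linked resources) that checks whether a DANE-EE TLSA RRset already covers a replacement certificate before it is deployed. The certificate and SubjectPublicKeyInfo byte strings are constructed placeholders for the real DER encodings, and the status labels are this example's own.

```python
import hashlib
from typing import Iterable, NamedTuple, Tuple

class TlsaRecord(NamedTuple):
    usage: int          # 3 = DANE-EE (end-entity certificate); the only usage checked here
    selector: int       # 0 = full certificate, 1 = SubjectPublicKeyInfo
    matching_type: int  # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: str           # certificate association data, lower-case hex

def parse_tlsa(rdata: str) -> TlsaRecord:
    """Parse presentation-format rdata such as '3 1 1 <hex digest>'."""
    usage, selector, mtype, data = rdata.split()
    return TlsaRecord(int(usage), int(selector), int(mtype), data.lower())

def tlsa_data(cert_der: bytes, spki_der: bytes, selector: int, matching_type: int) -> str:
    """Association data a record with this selector and matching type must carry."""
    payload = cert_der if selector == 0 else spki_der
    if matching_type == 0:
        return payload.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[matching_type], payload).hexdigest()

def covers(rrset: Iterable[TlsaRecord], cert_der: bytes, spki_der: bytes) -> bool:
    """True if some DANE-EE record in the RRset matches this certificate."""
    return any(r.usage == 3 and r.data == tlsa_data(cert_der, spki_der, r.selector, r.matching_type)
               for r in rrset)

def rollover_status(rrset: Iterable[TlsaRecord], current: Tuple[bytes, bytes],
                    upcoming: Tuple[bytes, bytes]) -> str:
    """Classify the published RRset against the cert in service and its replacement.
    Both must match before the replacement goes live; the old record is removed only
    after deployment, once resolver caches holding the previous RRset have expired."""
    rrset = list(rrset)
    cur_ok, new_ok = covers(rrset, *current), covers(rrset, *upcoming)
    if cur_ok and new_ok:
        return "ready"                 # safe to deploy the replacement
    if cur_ok:
        return "stale-after-rollover"  # deploying the replacement would break delivery
    if new_ok:
        return "current-unmatched"     # DANE-verifying senders are already failing
    return "broken"

# Constructed placeholders for DER-encoded certificates and their SubjectPublicKeyInfo;
# real material is taken from the X.509 certificate and its public key.
CURRENT = (b"cert-der:current", b"spki-der:key-A")
RENEWED_SAME_KEY = (b"cert-der:renewed", b"spki-der:key-A")  # new cert, key reused
RENEWED_NEW_KEY = (b"cert-der:renewed", b"spki-der:key-B")   # new cert, key rotated
RRSET_311 = [parse_tlsa("3 1 1 " + tlsa_data(*CURRENT, 1, 1))]  # SPKI digest
RRSET_301 = [parse_tlsa("3 0 1 " + tlsa_data(*CURRENT, 0, 1))]  # full-cert digest
RRSET_PREPUBLISHED = RRSET_311 + [parse_tlsa("3 1 1 " + tlsa_data(*RENEWED_NEW_KEY, 1, 1))]

if __name__ == "__main__":
    print(rollover_status(RRSET_301, CURRENT, RENEWED_SAME_KEY))      # stale-after-rollover
    print(rollover_status(RRSET_PREPUBLISHED, CURRENT, RENEWED_NEW_KEY))  # ready
```

With real records, replace the placeholders with the DER certificate and its SubjectPublicKeyInfo; a "3 0 1" record goes stale at every renewal even when the key is kept, which is why the selector-0 case above reports stale-after-rollover.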
From bart.knubben at forumstandaardisatie.nl Mon Jan 17 20:53:16 2022
From: bart.knubben at forumstandaardisatie.nl (Knubben, Bart)
Date: Mon, 17 Jan 2022 19:53:16 +0000
Subject: Microsoft's DANE rollout for Exchange Online
In-Reply-To: <01147A22-EA46-458B-ABFD-ACABE77F086F@dukhovni.org>
References: <01147A22-EA46-458B-ABFD-ACABE77F086F@dukhovni.org>
Message-ID: <592d532bda5a423996d6cee78a90f19b@SV1601472.frd.shsdir.nl>

See also today's blog post "Exchange Online Introduces DANE and DNSSEC
for Outbound Email" on https://practical365.com/exchange-online-dnssec-dane/.

> -----Original message-----
> From: dane-users On behalf of Viktor Dukhovni
> Sent: Friday, 7 January 2022 03:04
> To: dane-users at sys4.de
> Subject: Microsoft's DANE rollout for Exchange Online
>
> Starting this month through May 2022, Microsoft will incrementally
> roll out outbound DANE support (*enabled by default*) for all hosted
> Exchange Online domains:
>
> https://m365admin.handsontek.net/upcoming-release-outbound-smtp-dane-and-dnssec-in-microsoft-365-exchange-online/
>
> > As previously announced in the blog post Support of DANE and DNSSEC
> > in Office 365 Exchange Online, we will be adding support for SMTP
> > DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC
> > is the state-of-the-art for securing email, and to optimize its
> > effectiveness both standards will be enabled by default at the
> > system level for all EXO customers.
>
> If your cert rollover practices are sloppy, with transient certificate
> chain validation failures after each key/cert rollover, as stale TLSA
> records age out from caches or are only updated after problem reports,
> then this is a good time to either up your game, or stop publishing TLSA
> records. Having stale TLSA records that delay or break email delivery
> does neither you nor the people sending you email any good.
>
> Please follow best-practice and pre-publish matching TLSA records for
> the upcoming certs a few TTLs before certificate deployment. If that's
> too hard, disable DANE until you can implement a more robust rollover
> process.
>
> -- 
> Viktor.

This message may contain information that is not intended for you. If you
are not the addressee or if this message was sent to you by mistake, you
are requested to inform the sender and delete the message. The State
accepts no liability for damage of any kind resulting from the risks
inherent in the electronic transmission of messages.