From ietf-dane at dukhovni.org  Mon May  1 00:07:53 2023
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Sun, 30 Apr 2023 18:07:53 -0400
Subject: Update on stats 2023-04
Message-ID:

Summary: The DANE domain count is now 3,764,298 (cf. 3,757,347 last
month). The number of domains that return DNSSEC-validated replies in
response to MX queries is 21,920,074 (up from 21,668,375 last month).
Thus DANE TLSA is deployed on ~17.17% of domains with DNSSEC.

For more stats, see .

[ See the Credits[0] list below my signature. ]

As of today, I count ~3.76 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].

As expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.

    This month                        Last month
    ----------                        ----------
    1214014 one.com                   1216468 one.com
     293253 hostpoint.ch               291651 hostpoint.ch
     199295 infomaniak.ch              198402 infomaniak.ch
     170621 mijndomein.nl              171386 mijndomein.nl
     169316 transip.nl                 168662 transip.nl
     149043 argewebhosting.nl          150632 argewebhosting.nl
     136880 simply.com                 132031 simply.com
     135485 jouwweb.nl                 131058 jouwweb.nl
     111153 hostnet.nl                 111481 hostnet.nl
     109739 domeneshop.no              109384 domeneshop.no
     105386 loopia.se                  105514 loopia.se
      92908 webhostingserver.nl         93365 webhostingserver.nl
      82361 forpsi.com                  81969 forpsi.com
      71933 zxcs.nl                     70541 zxcs.nl
      41575 active24.com                42507 active24.com
      40197 antagonist.nl               40146 antagonist.nl
      39401 protonmail.ch               38632 webreus.nl
      38308 webreus.nl                  38462 protonmail.ch
      31629 pcextreme.nl                31898 pcextreme.nl
      28965 xel.nl                      29021 xel.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

    This month                        Last month
    ----------                        ----------
    11001 TOTAL                       10944 TOTAL
     3398 DE, Germany                  3373 DE, Germany
     1908 NL, Netherlands              1893 NL, Netherlands
     1835 US, United States            1881 US, United States
      776 FR, France                    795 FR, France
      431 CZ, Czechia                   423 CZ, Czechia
      364 GB, United Kingdom            360 GB, United Kingdom
      245 FI, Finland                   248 FI, Finland
      214 CA, Canada                    210 CA, Canada
      193 AT, Austria                   183 AT, Austria
      149 SE, Sweden                    143 CH, Switzerland
      138 DK, Denmark                   142 SE, Sweden
      138 CH, Switzerland               136 DK, Denmark
      136 AU, Australia                 133 AU, Australia
      118 SG, Singapore                 117 SG, Singapore
       86 PL, Poland                     84 PL, Poland
       76 RU, Russia                     60 RU, Russia
       59 JP, Japan                      59 JP, Japan
       51 NO, Norway                     51 NO, Norway
       45 BR, Brazil                     42 IT, Italy
       42 IT, Italy                      41 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

    This month                        Last month
    ----------                        ----------
     8613 TOTAL                        8576 TOTAL
     3736 NL, Netherlands              3700 NL, Netherlands
     2472 DE, Germany                  2466 DE, Germany
      855 US, United States             887 US, United States
      364 FR, France                    374 FR, France
      186 CZ, Czechia                   173 CZ, Czechia
      175 GB, United Kingdom            170 GB, United Kingdom
      106 FI, Finland                   107 FI, Finland
       78 CA, Canada                     80 CA, Canada
       72 AU, Australia                  71 AU, Australia
       66 SE, Sweden                     65 CH, Switzerland
       59 CH, Switzerland                59 SE, Sweden
       52 AT, Austria                    59 AT, Austria
       42 SG, Singapore                  43 SG, Singapore
       37 JP, Japan                      36 JP, Japan
       25 NO, Norway                     25 DK, Denmark
       23 DK, Denmark                    24 NO, Norway
       22 RO, Romania                    21 RO, Romania
       21 RU, Russia                     19 IE, Ireland
       20 IE, Ireland                    17 UA, Ukraine
       18 UA, Ukraine                    15 BR, Brazil

There are 9,124 unique zones (9,085 last month) in which the underlying
MX hosts are found.
This counts each of the above providers as just one zone, so is a measure
of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 19,650 (19,555 last
month). These cover 19,940 distinct MX hosts (19,853 last month; some MX
hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 926 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 561
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.76 million DANE domains, 12,942 (12,979 last month) have
"partial" TLSA records that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such domains
are still vulnerable to the usual active attacks via the remaining MX
hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 3,354
(3,139 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:

    144 mx1.dotxs.net
    141 mx2.solutive.nl
    109 mail.blueconsulting.cz
    100 mx01.kdmails.de
     37 mx1.mdbraber.com
     30 mx1.synetcon.net
     23 fsn1-c04.xemo-net.de
     18 web2.sys.ccs-baumann.de
     18 semark.dk
     18 mx1.traxion.com

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,137 (2,998 last
month). The top 10 name server operators with problem domains are:

    This Month                        Last month
    ----------                        ----------
    1633 neostrada.nl                 1868 neostrada.nl
     101 worldnic.com                  117 worldnic.com
      82 epik.com                       83 epik.com
      71 ebola.cz                       79 dnssrv.nl
      52 dnssrv.nl                      71 ebola.cz
      43 openprovider.nl                46 openprovider.nl
      17 register.com                   17 register.com
      16 sectigoweb.com                 16 sectigoweb.com
      11 ispapi.net                     12 ispapi.net
      10 axc.nl                         10 axc.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Just one of the domains whose nameservers have broken denial of existence
appears in the last 120 days of Google transparency reports:

    mailazy.net

-- 
    Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
    ongoing data support from Paul Vixie of Farsight Security. Credits
    also due to ICANN for gTLD data via CZDS, and to the TLD registries
    for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and
    .SE. More data sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist.
    I am not a fan of this type of defence (it can also impose undue
    latency on legitimate email). However, provided the dead hosts still
    have TLSA records (which don't need to match anything, just need to
    exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
    reports:

    univie.ac.at  australian-bodycare.dk  mailmore.nl
    gmx.at  avabeauty.dk  mailon.nl
    boozyshop.be  barons.dk  mailplus.nl
    digsys.bg  bog.dk  managementboek.nl
    cetelemnegocie.com.br  borgerforslag.dk  markteffectmail.nl
    e-negociacao.com.br  byravn.dk  marktnet.nl
    e-renegocie.com.br  camillakroeyer.dk  mcmta.nl
    nic.br  computerworld.dk  messen.nl
    registro.br  damask.dk  mijndomein.nl
    20km.ch  danielspengetips.dk  minbzk.nl
    activfitness-news.ch  densidsteflaske.dk  mindef.nl
    blackout-bonusclub.ch  dfi.dk  mm1.nl
    cbd420.ch  digst.dk  nederweert.nl
    coronavirusensuisse.ch  dk-hostmaster.dk  nieuwsservice-rvo.nl
    gmx.ch  ens.dk  ns.nl
    hostpoint.ch  fibianet.dk  nubeterengels.nl
    infomaniak.ch  foraeldresparring.dk  nuudcare.nl
    msochrono.ch  fvst.dk  orangebag.nl
    open.ch  gastrotools.dk  otys.nl
    protonmail.ch  gibbu.dk  ouderenfonds.nl
    sms-gagnant.ch  globestudios.dk  ouderportaal.nl
    switch.ch  idelig.dk  overheid.nl
    santeglobale.club  incover.dk  oxilion.nl
    simplelogin.co  kfst.dk  oxilionhosted.nl
    albourne.com  kodbilen.dk  parlement.nl
    altospam.com  konkurspriser.dk  partijvoordedieren.nl
    anonaddy.com  kystfisken.dk  partnermail.nl
    ansigtsyogaonline.com  labelking.dk  paypro.nl
    aotax.com  lacabra.dk  petsonline.nl
    appliedgo.com  localfitness.dk  ploegendienst-festival.nl
    beaconx.com  mobilcovers.dk  podiumcadeaukaart.nl
    cm.com  musclehouse.dk  politie.nl
    colourfulrebel.com  netic.dk  pp-prd.nl
    connectsb.com  nimara.dk  previder.nl
    cryptowallet.com  nordd.dk  prorun-mail.nl
    datev.com  nota.dk  pvv.nl
    denhaag.com  opdagverden.dk  quicknet.nl
    exegy.com  rmc.dk  rdw.nl
    fabfilter.com  seniornews.dk  rijksoverheid.nl
    farmergracy.com  shapeit.dk  rivm.nl
    fastware-hosting.com  skjold-burne.dk  rvo.nl
    financialafrik.com  smoon.dk
    sans-mail.nl
    flaneurhomme.com  sneakerzone.dk  schoudercom.nl
    gmx.com  soelvstein.dk  schuurman-schoenen.nl
    groed.com  stil.dk  shampoobars.nl
    habr.com  sundhedspolitisktidsskrift.dk  shapeit.nl
    highcharts.com  themeatclub.dk  shoesme.nl
    infomaniak.com  thenap.dk  sizzthebrand.nl
    ingthink.com  thesneakerstore.dk  smartwatchbanden.nl
    intakt.com  tricommerce.dk  soclever.nl
    johnbeerens.com  trueliving.dk  spamservice.nl
    joomlapolis.com  uni-c.dk  sportrusten.nl
    jula.com  uvm.dk  ssonet.nl
    kabayarefashion.com  venderbys.dk  stater.nl
    leszexpertsfle.com  yuaiahaircare.dk  surfspot.nl
    librti.com  tilburguniversity.edu  svb.nl
    mactabeauty.com  just.ee  technishow.nl
    mail.com  mkm.ee  telefoonglaasje.nl
    mplbeauty.com  turunduslabor.ee  thealphamen.nl
    nanolearning.com  envie.email  transip.nl
    nine-pine.com  myownconference.email  triodos.nl
    offshorecorptalk.com  spam-filter.email  truetickets.nl
    one.com  spike.email  tudelft.nl
    orsys.com  spotler.email  tweedekamer.nl
    pieter-pot.com  talentech.email  uitgeverijpica.nl
    pompomlondon.com  nuudcare.es  upcmail.nl
    ppcpcv.com  triodos.es  uvt.nl
    protonmail.com  egu.eu  uwv.nl
    protonvpn.com  litebit.eu  valys.nl
    renworkshops.com  qard.eu  venauto.nl
    run-motion.com  tbibank.eu  vimexx.nl
    sankakucomplex.com  zonevs.eu  vlissingen.nl
    schizinfo.com  fsol.fi  vogeldagboek.nl
    scorecloud.com  handelsbanken.fi  voorschoten.nl
    serverclienti.com  metaburn.fi  vunzigedeuntjes.nl
    solvinity.com  tarjousrinki.fi  wassenaar.nl
    speciale-offre.com  traficom.fi  watchbandjes-shop.nl
    stasdock.com  ac-strasbourg.fr  waternet.nl
    stater.com  braceletsmartwatch.fr  webreus.nl
    stellarequipment.com  chiens-guides-idf.fr  wierden.nl
    t-2.com  compagnie-des-sens.fr  xel.nl
    tcs.com  edtm-actu.fr  ziggo.nl
    teamfdm.com  nuudcare.fr  zorgmail.nl
    thalesgroup.com  oo2.fr  akt.no
    theintercept.com  privea.fr  annabellstefanussen.no
    thepcw.com  fidesz.hu  babybanden.no
    thepcwholesale.com  italiamail.hu  bergengokart.no
    thesmmacademy.com  mszp.hu  bull-ski-kajakk.no
    triodos.com  eurocontrol.int  chillout.no
    tutanota.com  rootnet.io  domeneshop.no
    up2staff.com
    nuudcare.it  guttelus.no
    veganallsorts.com  neolink.link  handelsbanken.no
    veka.com  education.lu  hoppin.no
    vendiblelabs.com  anonaddy.me  hyttefeber.no
    vivaldi.com  pm.me  idrettenonline.no
    webcruiter.com  proton.me  kashmina.no
    webmailph.com  army.mil  lagerpriser.no
    win-rar.com  dla.mil  marikrogshus.no
    xfinity.com  health.mil  mystuff.no
    xfinityhomesecurity.com  jten.mil  nordicprint.no
    xfinitymobile.com  mail.mil  norskgrammatikk.no
    bncr.fi.cr  navy.mil  raskebriller.no
    airbank.cz  nga.mil  rushtrampoline.no
    akce-incomputer.cz  osd.mil  sillysanta.no
    avatech.cz  socom.mil  spillfabrikken.no
    balikovna.cz  uscg.mil  storytravel.no
    bewooden.cz  usmc.mil  uib.no
    cokoladovnajanek.cz  apnic.net  webcruitermail.no
    cpost.cz  benjaminfulford.net  atelkamera.nu
    csob.cz  bleucitron.net  goget.nu
    cuni.cz  comcast.net  lenhud.nu
    dashofer.cz  ewetel.net  aegee.org
    dedra.cz  ficbook.net  agirpourlenvironnement.org
    e-kondomy.cz  fivem.net  debian.org
    fio.cz  gmx.net  freebsd.org
    fnusa.cz  graphistepro.net  gentoo.org
    gov.cz  habramail.net  ietf.org
    hypotecnibanka.cz  hr-manager.net  irtf.org
    itesco.cz  masterinter.net  isc.org
    jcu.cz  mijngezondheid.net  mailbox.org
    kb.cz  mpssec.net  mailop.org
    klenotyaurum.cz  procurios.net  netbsd.org
    klubpevnehozdravi.cz  ripe.net  openssl.org
    ksporting.cz  riseup.net  ozlabs.org
    manymail.cz  soverin.net  postfix.org
    mbank.cz  t-2.net  samba.org
    mfcr.cz  transip.net  torproject.org
    mkluzkoviny.cz  webreus.net  biotechnologia.com.pl
    mojedatovaschranka.cz  yourdomainprovider.net  brebank.com.pl
    mrakyhracek.cz  4ps.nl  holandiajobs.pl
    muni.cz  amsterdam.nl  anacom.pt
    nic.cz  aquastorexl.nl  cm-portimao.pt
    o2.cz  artsenzorg.nl  loopia.rs
    optimail.cz  bankhoesdiscounter.nl  mobily.com.sa
    outlet-alpine.cz  belastingdienst.nl  advania.se
    p-info.cz  beterinbeleggen.nl  arbetsformedlingen.se
    poptavej.cz  beterspellen.nl  bearplayshop.se
    pre.cz  bewustpuur.nl  bilprovningen.se
    predplatit.cz  bhosted.nl  crtzoo.se
    scrptd.cz  blushfashionstore.nl  ecster.se
    server4u.cz  bobo.nl  ellevio.se
    shopex.cz  body-supplies.nl  enkoping.se
    smtp.cz
    boekwinkeltjes.nl  fashion-copenhagen.se
    stoklasa.cz  boksen.nl  halmstad.se
    tiscali.cz  bolerolimonadewinkel.nl  handelsbanken.se
    vas-server.cz  boozyshop.nl  hellomantle.se
    virusfree.cz  box.nl  huskvarnafolketspark.se
    vshosting.cz  bronckhorst.nl  jul-troja.se
    web4u.cz  bruut.nl  klasspengar.se
    zafido.cz  burgernet.nl  lnu.se
    zdravestravovani.cz  camperexpo.nl  lomervarde.se
    zlate-mince.cz  caracamilla.nl  loopia.se
    zonky.cz  casema.nl  merchsweden.se
    bayern.de  cbr.nl  minmyndighetspost.se
    brandenburg.de  chello.nl  nordicprint.se
    bund.de  clubplanner.nl  polisen.se
    bundesregierung.de  degros.nl  refitness.se
    datev.de  deonlinetandarts.nl  sillysanta.se
    dfn.de  derooijfotografie.nl  silverdotter.se
    elster.de  desan.nl  skatteverket.se
    ewetel.de  dictu.nl  skolverket.se
    fau.de  digibtw.nl  soleplus.se
    fn.de  digid.nl  spelfabrik.se
    freenet.de  digitaleverkiezing.nl  sunet.se
    gmx.de  dimehouse.nl  teknikdelar.se
    huellen-shop.de  domain-registry.nl  theletter.se
    jpberlin.de  duo.nl  vaccinova.se
    lmu.de  eabstest.nl  websupport.se
    lrz.de  efactuurdirect.nl  fio.sk
    mail.de  esuals.nl  kadernickyservis.sk
    mensa.de  expeditionfestival.nl  mklozkoviny.sk
    mpg.de  extinctionrebellion.nl  pneusvet.sk
    posteo.de  ezorg.nl  rondogo.sk
    ruhr-uni-bochum.de  fivecityspa.nl  satro.sk
    smartwatcharmbaender.de  hilversum.nl  toptop.sk
    sys4.de  hobbygigant.nl  zapardrobnych.sk
    tum.de  home.nl  afinepairofshoes.co.uk
    tutanota.de  hostingpeople.nl  clientnews3.co.uk
    uni-augsburg.de  hostnet.nl  clientnews4.co.uk
    uni-bielefeld.de  huurexpert.nl  handelsbanken.co.uk
    uni-erlangen.de  interim-netwerk.nl  nuudcare.co.uk
    uni-muenchen.de  kaagenbraassem.nl  sanjaya-courirs.co.uk
    vicinityclo.de  kiesrijk.nl  triodos.co.uk
    web.de  kralingsebosfestival.nl  nuudcare.us
    westlotto.de  ledlichtstunter.nl  quantum-services.us
    allbuy.dk  ledstripxl.nl  ru.ac.za
    annes-atelier.dk  lico.nl  stargaze.zone


From p at sys4.de  Wed May 31 11:23:06 2023
From: p at sys4.de (Patrick Ben Koetter)
Date: Wed, 31 May 2023 11:23:06 +0200
Subject: ANN: New mailing list address dane-users@list.sys4.de /
 termination of old list address dane-users@sys4.de
Message-ID: <9aa574fe-2844-d3d1-a010-6e27440a8283@sys4.de>

Greetings,

please update your address book. The new address for this list is
dane-users at list.sys4.de and the old address will be discontinued
immediately in order to avoid misunderstandings where communication
should take place.

We will migrate the existing mailing list archive within the next weeks.

If you want to configure settings concerning your list membership, turn
to the list's homepage, register an account, verify the mail address
you're currently using for this list and then start changing settings.

*Email Authentication*

All messages from the new address will carry a DKIM signature for
list.sys4.de *and* an ARC signature in case your own message had been
DKIM signed when you sent it to dane-users at list.sys4.de.

Messages from list.sys4.de have a dedicated SPF record:

$ dig +short TXT list.sys4.de
"v=spf1 include:_spf.list.sys4.de -all"
$ dig +short TXT _spf.list.sys4.de
"v=spf1 ip4:188.68.34.52 ip6:2a03:4000:10:51d:b8ce:63ff:feca:a5a0 -all"

And they have their own DMARC policy:

$ dig +short TXT _dmarc.list.sys4.de
"v=DMARC1; p=quarantine; rua=mailto:sys4.de@dmarc.reports.sys4.de,mailto:10ewslq7@ag.eu.dmarcian.com;"

*TLS / DANE*

Of course list.sys4.de supports DANE in- and outbound as well as
traditional TLS.

Regards,

p at rick

-- 
[*] sys4 AG

https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG, 80333 München

Registered office: München, Amtsgericht München: HRB 199263
Management board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the supervisory board: Florian Kirstein
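The monthly report above sorts each domain into one of three buckets: "DANE" when every MX host that accepts connections has a correct TLSA record, "partial" when only some MX hosts have TLSA records, and "broken" when TLSA records are published but do not match the presented certificate or the host offers no STARTTLS; footnote [1] adds that a dead MX host is harmless as long as its TLSA records exist and are well-formed, and the Let's Encrypt link warns against "3 0 1"/"3 0 2" records because the certificate changes on every renewal. The script below is an added example, not code from either message and not Viktor's survey tooling. It takes TLSA RRsets and presented certificate chains as inputs (it does no DNS or SMTP), matches them per RFC 6698 selector and matching-type semantics, and applies the bucketing described above. The hostnames mx1/mx2/mx3.example, the TLSA records and the DER "certificates" are constructed sample data; the fake certificate only reproduces the field layout needed to locate SubjectPublicKeyInfo and is not a valid signed certificate. It is stdlib only.

```python
"""Bucket a domain's MX hosts the way the survey does: 'dane', 'partial' or 'broken',
by matching TLSA records against presented certificates. Stdlib only, no DNS/SMTP."""
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes

def well_formed(r):
    """Known parameter values and, for hashed types, a digest of the right length."""
    ok = r.usage in (0, 1, 2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)
    return ok and (len(r.data) > 0 if r.mtype == 0 else len(r.data) == 32 * r.mtype)

# Minimal DER walker, enough to locate SubjectPublicKeyInfo inside a certificate.
def _tlv(buf, pos):
    """(tag, value_start, value_end) of the TLV at pos; short and long length forms."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln

def _children(buf, start, end):
    """(tag, tlv_start, tlv_end) for each element of a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = _tlv(buf, pos)
        out.append((tag, pos, ve))
        pos = ve
    return out

def spki_from_cert(der):
    """tbsCertificate is the first element of Certificate; after the optional [0]
    version come serialNumber, signature, issuer, validity, subject, then SPKI."""
    _, vs, _ = _tlv(der, 0)       # into the outer Certificate SEQUENCE
    _, tvs, tve = _tlv(der, vs)   # into tbsCertificate
    fields = _children(der, tvs, tve)
    if fields[0][0] == 0xA0:      # explicit [0] version present
        fields = fields[1:]
    _, s, e = fields[5]
    return der[s:e]               # whole SPKI TLV, as RFC 6698 selector 1 requires

def association_data(r, cert_der):
    obj = cert_der if r.selector == 0 else spki_from_cert(cert_der)
    return obj if r.mtype == 0 else (hashlib.sha256 if r.mtype == 1 else hashlib.sha512)(obj).digest()

def tlsa_record(usage, selector, mtype, cert_der):
    """The record to publish for cert_der with the given parameters."""
    return TLSA(usage, selector, mtype, association_data(TLSA(usage, selector, mtype, b""), cert_der))

def matches(r, chain):
    """chain[0] is the end-entity cert, the rest the presented issuer certs. PKIX-* usages are
    unusable for SMTP (RFC 7672); DANE-TA(2) is matched against presented issuer certs only."""
    if not well_formed(r):
        return False
    candidates = chain[:1] if r.usage == 3 else chain[1:] if r.usage == 2 else []
    return any(association_data(r, c) == r.data for c in candidates)

def classify(mx_hosts, tlsa_by_host, chain_by_host):
    """tlsa_by_host: host -> [TLSA] (absent = no RRset). chain_by_host: host -> [DER]
    (absent = host does not accept connections, [] = connects but offers no STARTTLS)."""
    states = {}
    for h in mx_hosts:
        rrset = [r for r in tlsa_by_host.get(h, []) if well_formed(r)]
        if not rrset:
            states[h] = "no-tlsa"
        elif h not in chain_by_host:
            states[h] = "down"          # dead host with well-formed TLSA: no loss of security
        elif not chain_by_host[h]:
            states[h] = "no-starttls"   # TLSA published but TLS not offered
        else:
            states[h] = "ok" if any(matches(r, chain_by_host[h]) for r in rrset) else "mismatch"
    seen = set(states.values())
    verdict = "broken" if seen & {"mismatch", "no-starttls"} else "partial" if "no-tlsa" in seen else "dane"
    return verdict, states

# Constructed sample data: DER with a certificate's layout, not a real signed certificate.
def _der(tag, payload):           # short-form lengths only; the sample data is < 128 bytes
    return bytes([tag, len(payload)]) + payload

RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # AlgorithmIdentifier rsaEncryption
SPKI_A = _der(0x30, RSA_ALG + _der(0x03, b"\x00key-A"))   # hypothetical key bits, not a real key

def fake_cert(spki, serial):
    empty = _der(0x30, b"")       # stands in for signature alg, issuer, validity, subject
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, bytes([serial])) + empty * 4 + spki)
    return _der(0x30, tbs + empty + _der(0x03, b"\x00"))

CERT_V1, CERT_V2 = fake_cert(SPKI_A, 1), fake_cert(SPKI_A, 2)   # renewal: new serial, same key

def demo():
    """One key re-certified: '3 1 1' survives renewal, '3 0 1' breaks; mx3 has no TLSA."""
    mx = ["mx1.example", "mx2.example", "mx3.example"]
    tlsa = {"mx1.example": [tlsa_record(3, 1, 1, CERT_V1)],
            "mx2.example": [tlsa_record(3, 0, 1, CERT_V1)]}
    chains = {"mx1.example": [CERT_V2], "mx2.example": [CERT_V2]}   # both renewed; mx3 is down
    return classify(mx, tlsa, chains)
```

Running `demo()` yields `('broken', {'mx1.example': 'ok', 'mx2.example': 'mismatch', 'mx3.example': 'no-tlsa'})`: the "3 1 1" record on mx1 still matches after the certificate was reissued for the same key, the "3 0 1" record on mx2 is the renewal outage the Let's Encrypt thread warns about, and mx3 is what makes a domain "partial" rather than fully protected. A monitor built on this logic should fetch the TLSA RRset with DNSSEC validation and the chain from a real STARTTLS session, and for DANE-TA(2) should additionally build and validate the path to the trust anchor, which this example deliberately omits.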