As of today I count 137620 domains with correct DANE TLSA records
for SMTP. As expected the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host. The top 10 MX host providers by
domain count are:
60764 domeneshop.no
43961 transip.nl
15734 udmedia.de
3040 bhosted.nl
1493 nederhost.net
904 ec-elements.com
431 core-networks.de
307 uvt.nl
301 bit.nl
287 omc-mail.com
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, in particular .de, .nl and .no.
There are 2449 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed. Alternatively, a similar number is seen in the count
(2613) of distinct MX host server certificates that support the
same ~137000 domains.
A related number is 4172 TLSA RRsets found for MX host TCP port 25.
This includes secondary MX hosts and domains none of whose primary
MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's
email transparency report is now 105 (this is my ad-hoc criterion
for a domain being a large-enough actively used email domain). Of
these, 56 are in recent reports (March 2017).
A different metric is how many of the DANE-enabled domains received
email from at least 10 Gmail senders in a recent 8 day interval.
Back in Dec/2016 I reported that ~2200 out of ~105k domains met
that criterion. This month, the number was ~3900 out of ~137k
domains. So it seems that a non-negligible fraction of the increase
is from real domains that receive email, and not just parked domains.
Of the ~137000 domains, 655 have "partial" TLSA records that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 96 (~30 are recent additions that may be resolved soon,
the remaining ~60 are the for now stable population of broken
domains). This month I'm posting the list of the 44 underlying MX
hosts that serve these domains and whose TLSA records don't match
reality.
The number of domains with bad DNSSEC support is 322. The top 10
DNS providers (by broken domain count) are:
52 axc.nl - Slated to be resolved
38 infracom.nl - Slated to be resolved
18 loopia.se
18 active24.cz
14 jsr-it.nl
12 rdw.nl
9 cas-com.net
8 metaregistrar.nl
6 tiscomhosting.nl
6 thednscompany.com
Around 60 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.
--
Viktor.
[ Sorry about the delay, I was too busy rewriting major chunks
of the underlying code to produce a report. Better late than
never so the below is the status for today, rather than the end
of September. ]
Summary: The number of DANE-enabled domains that have also been sighted
on Google's email transparency report has increased from 115 to
122, while the number of DNS zones with TLSA-enabled primary MX
hosts has increased from 2708 to 2999. The total domain count
is largely unchanged from 172205 to 172120.
A new type of TLSA record mismatch has cropped up, so far on
just two MX hosts. Their RSA certificate chains match their
TLSA records, but their ECDSA certificate chains do not:
https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
As of today I count 172120 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host. The top 10 MX host providers by domain count
are:
68399 domeneshop.no
60915 transip.nl
18354 udmedia.de
6460 bhosted.nl
1787 nederhost.net
1294 yourdomainprovider.net
1009 ec-elements.com
505 core-networks.de
384 omc-mail.com
333 mailbox.org
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.nl/.de.
[ The DANE domain counts for the large providers appear to have
plateaued in the past couple of months. Perhaps, absent new more
comprehensive sources of live domain names, I've finally found
as many domains I can reasonably expect to find for these providers,
and there's not much growth in their "visible" domain portfolios. ]
There are 2999 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so is a measure
of the breadth of adoption in terms of servers deployed. Alternatively,
a similar number is seen in the count (2853) of distinct MX host server
certificates that support the same ~172000 domains.
The number of published MX host TLSA RRsets found is 3932. These
cover 4004 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 122 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 70 are in recent reports (spanning Sep and Oct).
Of the ~172000 domains, 545 have "partial" TLSA records that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 160.
Below is a list of the 100 underlying MX hosts that serve these domains
and whose TLSA records don't match reality.
Some just notified, so I expect this to be a local peak.
After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 175. (The accenture.com domains from the previous
report were all parked). The top 10 name server operators with
problem domains are:
63 jsr-it.nl
17 firstfind.nl
7 active24.cz
5 tse.jus.br
4 glbns.com
3 cas-com.net
2 tiscomhosting.nl
2 sylconia.net
2 psyclonecontacts.net
2 ns01.nl
Only 7 of the DNS-broken domains appear in historical Google Email
transparency reports:
tiviths.com.br
tre-ce.jus.br
trtrj.jus.br
tse.jus.br
idaho.gov
nsysu.edu.tw
The problem DNS queries are:
_25._tcp.mx.tiviths.com.br. IN TLSA ?
_25._tcp.dexter.tse.jus.br. IN TLSA ?
_25._tcp.lalavava.tse.jus.br. IN TLSA ?
_25._tcp.mandark.tse.jus.br. IN TLSA ?
_25._tcp.inbound.idaho.gov. IN TLSA ?
_25._tcp.mx1.trtrj.jus.br. IN TLSA ?
_25._tcp.barracuda.nsysu.edu.tw. IN TLSA ?
[ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>.
Much of the TLSA non-response issue seems to be related to a
"feature" of some firewalls, that enables dropping of DNS requests
for all but the most common RRtypes. Do not make the mistake
of enabling this firewall "feature". ]
The oldest outstanding DNS issue is an SOA signature issue at
truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.
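The classification the report applies to each domain (full, partial, broken, DNS-broken), as an added example that is not part of Viktor's post or of his survey tooling. It checks every chain an MX host may present (the RSA/ECDSA mismatch above), counts a dead host as covered only if its records are well-formed (footnote [1]), and treats a silently dropped TLSA query as the firewall problem described; the certificate object with pre-extracted DER and SPKI bytes is a hypothetical stand-in for an X.509 parser, and all sample data in the checks below is constructed.

```python
import hashlib
from typing import Dict, List, NamedTuple, Optional
class TLSA(NamedTuple):
    usage: int     # 0..3; SMTP DANE uses DANE-TA(2) or DANE-EE(3)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

DIGEST_LEN = {1: 32, 2: 64}
Cert = Dict[str, bytes]  # hypothetical {'der': ..., 'spki': ...}, both extracted by an X.509 parser
def tlsa_for(cert: Cert, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """The record a zone operator would publish for this certificate (default '3 1 1')."""
    raw = cert["der"] if selector == 0 else cert["spki"]
    if mtype == 0:
        return TLSA(usage, selector, 0, raw)
    algo = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return TLSA(usage, selector, mtype, algo(raw).digest())

def well_formed(r: TLSA) -> bool:
    """All a permanently-down MX host needs (footnote [1]): valid fields and a digest of the right length."""
    if r.usage not in range(4) or r.selector not in (0, 1) or r.mtype not in range(3):
        return False
    return r.mtype == 0 or len(r.data) == DIGEST_LEN[r.mtype]
def chain_matches(rrset: List[TLSA], chain: List[Cert]) -> bool:
    """DANE-EE(3) must match the leaf chain[0]; DANE-TA(2) may match any issuer further up."""
    for r in rrset:
        if well_formed(r) and r.usage in (2, 3):
            candidates = chain[:1] if r.usage == 3 else chain[1:]
            if any(tlsa_for(c, r.usage, r.selector, r.mtype) == r for c in candidates):
                return True
    return False
def classify_domain(mx_hosts: List[str], tlsa_answers: Dict[str, Optional[List[TLSA]]],
                    chains: Dict[str, Dict[str, List[Cert]]]) -> str:
    """tlsa_answers: '_25._tcp.<mx>.' -> records ([] = NODATA, None = no response at all).
    chains: mx -> {'rsa': certs, 'ecdsa': certs} per host accepting connections; absent = host down."""
    covered = 0
    for mx in mx_hosts:
        rrset = tlsa_answers.get(f"_25._tcp.{mx}.", [])
        if rrset is None:
            return "dns-broken"  # query dropped, e.g. by a firewall filtering uncommon RRtypes
        if not rrset:
            continue             # this MX host is simply not covered
        if mx in chains:         # every chain the server may present must match the one RRset
            if not chains[mx] or not all(chain_matches(rrset, ch) for ch in chains[mx].values()):
                return "broken"  # mismatch, or connections accepted but no STARTTLS
        elif not all(well_formed(r) for r in rrset):
            return "broken"      # dead host whose records are not even well-formed
        covered += 1
    return "none" if covered == 0 else "full" if covered == len(mx_hosts) else "partial"
```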