Summary: The number of DANE-enabled domains that have also been sighted
on Google's email transparency report has increased from 122 to 125.
The total domain count has increased from 172120 to 173857.
The number of DNSSEC domains in the survey stands at 5015834,
thus DANE TLSA is deployed on 3.4% of domains with DNSSEC.
Many DNSSEC domains use third-party MX hosts that don't
have DNSSEC, so they can't benefit from DANE until their
providers secure the MX hosts. Please ask your provider
to enable DNSSEC and DANE on their MX hosts.
As of today I count 173857 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host. The top 10 MX host providers by domain count
are:
68513 domeneshop.no
61900 transip.nl
18440 udmedia.de
6396 bhosted.nl
1785 nederhost.net
1284 yourdomainprovider.net
1012 ec-elements.com
507 core-networks.de
391 omc-mail.com
349 mailbox.org
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.nl/.de.
There are 2969 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so is a measure
of the breadth of adoption in terms of servers deployed. There are 3672
distinct MX host certificates matched by the server's TLSA RRset.
The number of published MX host TLSA RRsets found is 4409. These
cover 4659 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 125 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 76 are in recent reports:
Of the ~174000 domains, 780 have "partial" TLSA records that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 198.
Below is a list of the 101 underlying MX hosts that serve these domains
and whose TLSA records don't match reality:
Hall of Shame:
Some recently notified, but the number of long-term problem MX
hosts has been slowly creeping up... Please make sure to monitor
the validity of your TLSA records, and implement a reliable key
rotation procedure. Let's Encrypt users in particular tend to
forget that by default Let's Encrypt certificate renewal replaces
both the key and certificate; please read:
http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436…
https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certifi…
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
When updating the certificate chain you need to temporarily
pre-publish multiple TLSA records matching the current and future
certificate:
https://dane.sys4.de/common_mistakes#3
However, with "3 1 1" + "2 1 1", the rollover process can be
substantially simplified:
http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436…
https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 132. The top 6 (the rest have too few domains to include
in a top 10) name server operators with problem domains
are:
22 firstfind.nl
7 active24.cz
5 tse.jus.br
4 ignum.com
4 glbns.com
4 army.mil
Only 7 of the DNS-broken domains appear in historical Google Email
transparency reports:
idaho.gov
nsysu.edu.tw
tse.jus.br
rotterdam.nl
tiviths.com.br
trtrj.jus.br
tre-ce.jus.br
The problem DNS queries are:
_25._tcp.mx.tiviths.com.br
_25._tcp.mx1.trtrj.jus.br
_25._tcp.dexter.tse.jus.br
_25._tcp.lalavava.tse.jus.br
_25._tcp.mandark.tse.jus.br
_25._tcp.inbound.idaho.gov
_25._tcp.mail.rotterdam.nl
_25._tcp.barracuda.nsysu.edu.tw
[ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>,
Much of the TLSA non-response issue seems to be related to a
"feature" of some firewalls that enables dropping of DNS requests
for all but the most common RRtypes. Do not make the mistake
of enabling this firewall "feature". ]
The oldest outstanding DNS issue is an SOA signature issue at
truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.
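The per-domain bookkeeping behind the counts in this report (correct records at every MX host, "partial" coverage of only some MX hosts, incorrect records or no STARTTLS, and footnote [1]'s rule that a dead MX host only needs well-formed records), as an added example that is not Viktor's survey code. MXProbe, the probe values and the hex digests are constructed stand-ins; a real survey would fill them from TLSA lookups and SMTP probes.

```python
"""Domain-level classification in the spirit of the survey figures above
(correct / partial / broken / none).  Added example, not the survey's code;
probe results are constructed stand-ins and MX preference is not modelled."""
from typing import List, NamedTuple, Optional

class MXProbe(NamedTuple):
    host: str
    tlsa: Optional[List[str]]  # _25._tcp.<host> TLSA RRset in presentation form, None if absent
    connects: bool             # TCP port 25 accepted the connection
    starttls: bool             # STARTTLS was advertised
    cert_matches: bool         # the presented chain matched the TLSA RRset

DIGEST_HEX_LEN = {1: 64, 2: 128}  # SHA2-256 / SHA2-512 matching types

def well_formed(rr: str) -> bool:
    """Usage 0-3, selector 0-1, matching type 0-2, non-empty hex data of the right
    length.  Dead MX hosts (footnote [1]) only need records that pass this check."""
    try:
        u, s, m, data = rr.split(None, 3)
        u, s, m = int(u), int(s), int(m)
        raw = bytes.fromhex(data.replace(" ", ""))
    except ValueError:
        return False
    if not (0 <= u <= 3 and 0 <= s <= 1 and 0 <= m <= 2) or not raw:
        return False
    return m == 0 or len(raw) * 2 == DIGEST_HEX_LEN[m]

def classify(probes: List[MXProbe]) -> str:
    with_tlsa = [p for p in probes if p.tlsa]
    if not with_tlsa:
        return "none"
    for p in with_tlsa:
        if not all(well_formed(rr) for rr in p.tlsa):
            return "broken"          # malformed RRset counts as incorrect
        if p.connects and not (p.starttls and p.cert_matches):
            return "broken"          # live host: mismatch or no STARTTLS
    if len(with_tlsa) < len(probes):
        return "partial"             # unprotected MX hosts remain open to active attacks
    return "correct"

# Constructed sample data: the hex digests are placeholders, not real certificate hashes.
GOOD = "3 1 1 " + "ab" * 32
SHORT = "3 1 1 " + "ab" * 16         # 32 hex chars: too short for a SHA2-256 digest
SAMPLE = {
    "correct": [MXProbe("mx1.example", [GOOD], True, True, True),
                MXProbe("mx2.example", [GOOD], False, False, False)],  # dead backup, footnote [1]
    "partial": [MXProbe("mx1.example", [GOOD], True, True, True),
                MXProbe("mx2.example", None, True, True, False)],
    "broken":  [MXProbe("mx1.example", [GOOD], True, False, False)],   # no STARTTLS
    "malformed": [MXProbe("mx1.example", [SHORT], True, True, True)],
}

def survey(samples=SAMPLE) -> dict:
    return {name: classify(probes) for name, probes in samples.items()}

if __name__ == "__main__":
    for name, verdict in survey().items():
        print(f"{name:10s} -> {verdict}")
```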
As of today I count 137620 domains with correct DANE TLSA records
for SMTP. As expected the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host. The top 10 MX host providers by
domain count are:
60764 domeneshop.no
43961 transip.nl
15734 udmedia.de
3040 bhosted.nl
1493 nederhost.net
904 ec-elements.com
431 core-networks.de
307 uvt.nl
301 bit.nl
287 omc-mail.com
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, in particular .de, .nl and .no.
There are 2449 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed. Alternatively, a similar number is seen in the count
(2613) of distinct MX host server certificates that support the
same ~137000 domains.
A related number is 4172 TLSA RRsets found for MX host TCP port 25.
This includes secondary MX hosts and domains none of whose primary
MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's
email transparency report is now 105 (this is my ad-hoc criterion
for a domain being a large-enough actively used email domain). Of
these, 56 are in recent reports (March 2017):
A different metric is how many of the DANE-enabled domains received
email from at least 10 Gmail senders in a recent 8 day interval.
Back in Dec/2016 I reported that ~2200 out of ~105k domains met
that criterion. This month, the number was ~3900 out of ~137k
domains. So it seems that a non-negligible fraction of the increase
is from real domains that receive email, and not just parked domains.
Of the ~137000 domains, 655 have "partial" TLSA records that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 96 (~30 are recent additions that may be resolved soon,
the remaining ~60 are the for now stable population of broken
domains). This month I'm posting the list of the 44 underlying MX
hosts that serve these domains and whose TLSA records don't match
reality.
Hall of Shame:
The number of domains with bad DNSSEC support is 322. The top 10
DNS providers (by broken domain count) are:
52 axc.nl - Slated to be resolved
38 infracom.nl - Slated to be resolved
18 loopia.se
18 active24.cz
14 jsr-it.nl
12 rdw.nl
9 cas-com.net
8 metaregistrar.nl
6 tiscomhosting.nl
6 thednscompany.com
Around 60 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.
--
Viktor.
[ Sorry about the delay, I was too busy rewriting major chunks
of the underlying code to produce a report. Better late than
never so the below is the status for today, rather than the end
of September. ]
Summary: The number of DANE-enabled domains that have also been sighted
on Google's email transparency report has increased from 115 to
122, while the number of DNS zones with TLSA-enabled primary MX
hosts has increased from 2708 to 2999. The total domain count
is largely unchanged from 172205 to 172120.
A new type of TLSA record mismatch has cropped up, so far on
just two MX hosts. Their RSA certificate chains match their
TLSA records, but their ECDSA certificate chains do not:
https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
As of today I count 172120 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host. The top 10 MX host providers by domain count
are:
68399 domeneshop.no
60915 transip.nl
18354 udmedia.de
6460 bhosted.nl
1787 nederhost.net
1294 yourdomainprovider.net
1009 ec-elements.com
505 core-networks.de
384 omc-mail.com
333 mailbox.org
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.nl/.de.
[ The DANE domain counts for the large providers appear to have
plateaued in the past couple of months. Perhaps, absent new more
comprehensive sources of live domain names, I've finally found
as many domains I can reasonably expect to find for these providers,
and there's not much growth in their "visible" domain portfolios. ]
There are 2999 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so is a measure
of the breadth of adoption in terms of servers deployed. Alternatively,
a similar number is seen in the count (2853) of distinct MX host server
certificates that support the same ~172000 domains.
The number of published MX host TLSA RRsets found is 3932. These
cover 4004 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 122 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 70 are in recent reports (spanning Sep and Oct):
Of the ~172000 domains, 545 have "partial" TLSA records that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 160.
Below is a list of the 100 underlying MX hosts that serve these domains
and whose TLSA records don't match reality:
Hall of Shame:
Some just notified, so I expect this to be a local peak.
After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 175. (The accenture.com domains from the previous
report were all parked). The top 10 name server operators with
problem domains are:
63 jsr-it.nl
17 firstfind.nl
7 active24.cz
5 tse.jus.br
4 glbns.com
3 cas-com.net
2 tiscomhosting.nl
2 sylconia.net
2 psyclonecontacts.net
2 ns01.nl
Only 7 of the DNS-broken domains appear in historical Google Email
transparency reports:
tiviths.com.br
tre-ce.jus.br
trtrj.jus.br
tse.jus.br
idaho.gov
nsysu.edu.tw
The problem DNS queries are:
_25._tcp.mx.tiviths.com.br. IN TLSA ?
_25._tcp.dexter.tse.jus.br. IN TLSA ?
_25._tcp.lalavava.tse.jus.br. IN TLSA ?
_25._tcp.mandark.tse.jus.br. IN TLSA ?
_25._tcp.inbound.idaho.gov. IN TLSA ?
_25._tcp.mx1.trtrj.jus.br. IN TLSA ?
_25._tcp.barracuda.nsysu.edu.tw. IN TLSA ?
[ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>,
Much of the TLSA non-response issue seems to be related to a
"feature" of some firewalls that enables dropping of DNS requests
for all but the most common RRtypes. Do not make the mistake
of enabling this firewall "feature". ]
The oldest outstanding DNS issue is an SOA signature issue at
truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.
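One added example covering the matching logic behind "TLSA records don't match reality", the Let's Encrypt key-rotation pitfall and the "3 1 1" + "2 1 1" rollover simplification from the first report, and the new RSA-vs-ECDSA chain mismatch noted in this one. It is not Viktor's survey code: Cert, the byte-string certificate stand-ins and rollover_demo are constructed for illustration, and the chain-signature checks that DANE-TA (usage 2) additionally requires are not modelled.

```python
"""TLSA matching against the chains an MX host presents.  Added example, not the
survey's own code.  Certificates are constructed stand-ins: byte strings for the
DER certificate and its SubjectPublicKeyInfo, so the script runs offline."""
import hashlib
from typing import Dict, List, NamedTuple, Tuple

class Cert(NamedTuple):
    der: bytes   # full certificate, selector 0
    spki: bytes  # SubjectPublicKeyInfo, selector 1

TLSA = Tuple[int, int, int, bytes]  # usage, selector, matching type, association data

def assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data (RFC 6698) for one selector / matching type."""
    blob = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return blob
    if mtype == 1:
        return hashlib.sha256(blob).digest()
    if mtype == 2:
        return hashlib.sha512(blob).digest()
    raise ValueError("unknown matching type")

def record_matches(rr: TLSA, chain: List[Cert]) -> bool:
    """Usage 3 (DANE-EE) pins the leaf; usage 2 (DANE-TA) pins an issuer found in the
    presented chain (its chain-signature checks are not modelled).  PKIX usages 0/1
    are not used for SMTP (RFC 7672) and never match here."""
    usage, selector, mtype, data = rr
    candidates = {3: chain[:1], 2: chain[1:]}.get(usage, [])
    return any(assoc_data(c, selector, mtype) == data for c in candidates)

def rrset_matches(rrset: List[TLSA], chains: Dict[str, List[Cert]]) -> Dict[str, bool]:
    """A host offering several chains (RSA and ECDSA) is only correct if EVERY chain
    matches some record in the RRset; the post above reports hosts failing this."""
    return {name: any(record_matches(rr, chain) for rr in rrset)
            for name, chain in chains.items()}

def tlsa_311(leaf: Cert) -> TLSA: return (3, 1, 1, assoc_data(leaf, 1, 1))
def tlsa_211(issuer: Cert) -> TLSA: return (2, 1, 1, assoc_data(issuer, 1, 1))

# Constructed stand-ins, not real certificates.
CA = Cert(b"der:issuing-ca", b"spki:ca-key")
OLD_RSA = Cert(b"der:rsa-leaf-2017a", b"spki:rsa-key-1")
NEW_RSA = Cert(b"der:rsa-leaf-2017b", b"spki:rsa-key-2")  # renewal that also rotated the key
ECDSA = Cert(b"der:ecdsa-leaf", b"spki:ecdsa-key")

def rollover_demo() -> Dict[str, Dict[str, bool]]:
    before = {"rsa": [OLD_RSA, CA]}
    after = {"rsa": [NEW_RSA, CA]}                    # default Let's Encrypt renewal: new key
    dual = {"rsa": [NEW_RSA, CA], "ecdsa": [ECDSA, CA]}
    return {
        "pinned old key, before renewal": rrset_matches([tlsa_311(OLD_RSA)], before),
        "pinned old key, after renewal": rrset_matches([tlsa_311(OLD_RSA)], after),
        "pre-published both keys": rrset_matches([tlsa_311(OLD_RSA), tlsa_311(NEW_RSA)], after),
        "3 1 1 + 2 1 1": rrset_matches([tlsa_311(OLD_RSA), tlsa_211(CA)], after),
        "rsa-only record, dual chains": rrset_matches([tlsa_311(NEW_RSA)], dual),
    }

if __name__ == "__main__":
    for case, result in rollover_demo().items():
        print(f"{case:32s} {result}")
```

The "3 1 1" + "2 1 1" case passes after renewal only because the issuer key is unchanged; a CA key change still needs pre-publication.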