June 2017 - dane-users - list.sys4.de

Update on stats
by Viktor Dukhovni 13 Nov '17

13 Nov '17

As of today I count 137620 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are: 60764 domeneshop.no 43961 transip.nl 15734 udmedia.de 3040 bhosted.nl 1493 nederhost.net 904 ec-elements.com 431 core-networks.de 307 uvt.nl 301 bit.nl 287 omc-mail.com The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, in particular .de, .nl and .no. There are 2449 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2613) of distinct MX host server certificates that support the same ~137000 domains. A related number is 4172 TLSA RRsets found for MX host TCP port 25. This includes secondary MX hosts and domains none of whose primary MX hosts have TLSA records. The number of domains that at some point were listed in Gmail's email transparency report is now 105 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 56 are in recent reports (March 2017): gmx.at jpberlin.de overheid.nl nic.br lrz.de pathe.nl registro.br mail.de wooniezie.nl gmx.ch posteo.de xs4all.nl open.ch ruhr-uni-bochum.de domeneshop.no anubisnetworks.com tum.de webcruitermail.no gmx.com uni-erlangen.de debian.org mail.com unitymedia.de domainmail.org piratenexus.com web.de freebsd.org pirateperfection.com enron.email gentoo.org pre-sustainability.com octopuce.fr ietf.org t-2.com comcast.net netbsd.org trashmail.com dd24.net netcoolusers.org xfinity.com gmx.net openssl.org bayern.de hr-manager.net samba.org bund.de t-2.net torproject.org elster.de xs4all.net minmyndighetspost.se fau.de asp4all.nl skatteverket.se gmx.de ouderportaal.nl A different metric is how many of the DANE-enabled domains received email from at least 10 Gmail senders in a recent 8 day interval. Back in Dec/2016 I reported that ~2200 out of ~105k domains met that criterion. This month, the number was ~3900 out of ~137k domains. So it seems that a non-negligible fraction of the increase is from real domains that receive email, and not just parked domains. Of the ~137000 domains, 655 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts. The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 96 (~30 are recent additions that may be resolved soon, the remaining ~60 are the for now stable population of broken domains). This month I'm posting the list of the 44 underlying MX hosts that serve these domains and whose TLSA records don't match reality. Hall of Shame: mail.dipietro.id.au www.mtg.de mail.inu.nl clubeararaquarense.org.br mx1.spamsponge.de mail.jekuiken.nl mail.antiphishing.ch mail.nonoserver.info mail.myzt.nl mail.digitalwebpros.com mx.datenknoten.me bounder.steelyard.nl mail.dnsmadefree.com mx.giesen.me mx.wm.net.nz demo.liveconfig.com mail.castleturing.net baobrien.org ny-do.pieterpottie.com datawebb.dafcorp.net smtp.copi.org diablo.sgt.com anubis.delphij.net eumembers.datacentrix.org tusk.sgt.com dorothy.goldenhairdafo.net smtp2.amadigi.ovh mx.bels.cz hs.kuzenkov.net webmail.headsite.se johniez.cz oostergo.net protector.rajmax.si mail.pksvice.cz ren.warunek.net arch-server.hlfh.space srv01.101host.de mail.e-rave.nl mail.blackcherry-management.co.uk mail.cdbm.de mail.hhsk.nl email.themcintyres.us mail.manima.de box.inpoint-mailt.nl The number of domains with bad DNSSEC support is 322. The top 10 DNS providers (by broken domain count) are: 52 axc.nl - Slated to be resolved 38 infracom.nl - Slated to be resolved 18 loopia.se 18 active24.cz 14 jsr-it.nl 12 rdw.nl 9 cas-com.net 8 metaregistrar.nl 6 tiscomhosting.nl 6 thednscompany.com Around 60 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries. -- Viktor.

1 1

Update on stats 2017-06
by Viktor Dukhovni 30 Jun '17

30 Jun '17

As of today I count 171460 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are: 69368 domeneshop.no 59835 transip.nl 18351 udmedia.de 6665 bhosted.nl 1820 nederhost.net 1007 ec-elements.com 1001 networking4all.net 514 core-networks.de 375 omc-mail.com 364 yourdomainprovider.net The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de. There are 2615 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2707) of distinct MX host server certificates that support the same ~171000 domains. A related number is 3955 TLSA RRsets found for MX host TCP port 25. This includes secondary MX hosts and domains none of whose primary MX hosts have TLSA records. The number of domains that at some point were listed in Gmail's email transparency report is 111 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 54 are in recent reports: anubisnetworks.com gmx.net posteo.de asf.com.pt hr-manager.net registro.br asp4all.nl ietf.org ruhr-uni-bochum.de bayern.de isc.org samba.org bund.de jpberlin.de solvinity.com comcast.net lrz.de t-2.net dd24.net mail.com tilburguniversity.ed debian.org mail.de torproject.org domeneshop.no mpssec.net trashmail.com elster.de netbsd.org tum.de enron.email nic.br uni-erlangen.de fau.de octopuce.fr unitymedia.de freebsd.org open.ch uvt.nl gentoo.org openssl.org web.de gmx.at otvi.nl webcruitermail.no gmx.ch ouderportaal.nl xfinity.com gmx.com overheid.nl xs4all.net gmx.de pathe.nl xs4all.nl Of the ~171000 domains, 835 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts. The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 108. Below is a list of the 53 underlying MX hosts that serve these domains and whose TLSA records don't match reality: Hall of Shame: mail.dipietro.id.au mx1.spamsponge.de dorothy.goldenhairdafo.net eumembers.stansoft.bg smtp2.strotmann.de oostergo.net catabra.com.br mx.thorko.de cinnamon.nl mail.pgp.inf.br smtp.flipmail.es mail.e-rave.nl mail.danmolik.com mail.0pc.eu mail.jekuiken.nl mail.digitalwebpros.com gamepixel.eu mail.myzt.nl demo.liveconfig.com mx.quentindavid.fr bounder.steelyard.nl intranet.nctechcenter.com servmail.fr beerstra.org ny-do.pieterpottie.com mail.nonoserver.info eumembers.datacentrix.org diablo.sgt.com mail.bax.is smtp3.amadigi.ovh tusk.sgt.com mail.lsd.is itaskmanager.ovh mx1.wittsend.com mail.laukas.lt mail.pasion.ro mx.bels.cz mx.datenknoten.me mail.lahl.rocks gaia.nfx.cz mx.giesen.me puggan.se badf00d.de mail.castleturing.net mail.rostit.se mail.denniseffing.de mail.culm.net protector.rajmax.si mail.manima.de datawebb.dafcorp.net email.themcintyres.us www.mtg.de anubis.delphij.net The number of domains with bad DNSSEC support is 423. The top 10 DNS providers with problem domains are: 68 jsr-it.nl 53 infracom.nl - Was slated to be resolved in March, delayed... 25 tiscomhosting.nl 25 active24.cz 15 rdw.nl 15 firstfind.nl 11 loopia.se 10 metaregistrar.nl 9 cas-com.net 8 ovh.net 7 ignum.com Around 50 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries. Only 6 of the DNS-broken domains appear in historical Google Email transparency reports: tiviths.com.br tre-sp.jus.br trt1.jus.br trtrj.jus.br tse.jus.br rzd.ru The associated DNS lookup issues are: _25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/ _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/ _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/ _25._tcp.dexter.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.dexter.tse.jus.br/dnssec/ _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/ _25._tcp.mandark.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mandark.tse.jus.br/dnssec/ _25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/ _25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/ [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>, Much of the TLSA non-response issue seems to be related to a "feature" of Arbor Networks firewalls, that enables droping of DNS requests for all but the most common RRtypes. Do not make the mistake of enabling this firewall "feature". ] The oldest outstanding DNS issue is another SOA signature issue at truman.edu dating back to Nov/2014: http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/ I hope some day soon they'll start missing email they care about and take the time to resolve the problem. -- Viktor.

1 0

Update on stats 2017-05
by Viktor Dukhovni 01 Jun '17

01 Jun '17

As of today I count 169812 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are: 69614 domeneshop.no 59404 transip.nl 18372 udmedia.de 6733 bhosted.nl 1831 nederhost.net 997 ec-elements.com 501 core-networks.de 339 bit.nl 334 omc-mail.com 309 uvt.nl [ The 365 "networking4all.net" domains from last month are gone, because they got bought by metaregistrar.nl and the new MX hosts are not in DNSSEC signed zones. Otherwise, the total would now have been over 170000. ] The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de. There are 2567 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2667) of distinct MX host server certificates that support the same ~169000 domains. A related number is 3818 TLSA RRsets found for MX host TCP port 25. This includes secondary MX hosts and domains none of whose primary MX hosts have TLSA records. The number of domains that at some point were listed in Gmail's email transparency report is 108 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 54 are in recent reports: anubisnetworks.com gmx.de posteo.de asf.com.pt gmx.net registro.br asp4all.nl hr-manager.net ruhr-uni-bochum.de bayern.de ietf.org samba.org bhosted.nl isc.org solvinity.com bund.de jpberlin.de t-2.com comcast.net lrz.de t-2.net dd24.net mail.com t-2.si debian.org mail.de torproject.org domeneshop.no netbsd.org trashmail.com elster.de nic.br tum.de enron.email nic.cz uni-erlangen.de fau.de octopuce.fr unitymedia.de freebsd.org open.ch web.de gentoo.org openssl.org webcruitermail.no gmx.at ouderportaal.nl xfinity.com gmx.ch overheid.nl xs4all.net gmx.com pathe.nl xs4all.nl Of the ~169000 domains, 749 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts. The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 93. The list of the 54 underlying MX hosts that serve these domains and whose TLSA records don't match reality. Hall of Shame: mail.dipietro.id.au mail.enzevalos.de dorothy.goldenhairdafo.ne eumembers.stansoft.bg hmserver.de hs.kuzenkov.net catabra.com.br mail.manima.de oostergo.net server29.prazernavida.com www.mtg.de ren.warunek.net mail.pgp.inf.br mx1.spamsponge.de cinnamon.nl my.mai1.ch mail.0pc.eu mail.e-rave.nl alpaca.attackllama.com gamepixel.eu mail.jekuiken.nl mail.danmolik.com mx.quentindavid.fr mail.myzt.nl mail.digitalwebpros.com servmail.fr bounder.steelyard.nl demo.liveconfig.com mail.nonoserver.info mx.wm.net.nz ny-do.pieterpottie.com mx.datenknoten.me beerstra.org diablo.sgt.com mx.giesen.me smtp.copi.org tusk.sgt.com smtp.aechelon.net eumembers.datacentrix.org mx1.wittsend.com mail.castleturing.net smtp3.amadigi.ovh mx.bels.cz mail.d3fy.net mail.pasion.ro gaia.nfx.cz datawebb.dafcorp.net mail.lahl.rocks badf00d.de anubis.delphij.net protector.rajmax.si mail.denniseffing.de goldenhairdafo.net email.themcintyres.us The number of domains with bad DNSSEC support is 438. The increase is due to a comprehensive scan of all 4.6 million DNSSEC domains in the survey, previously some parts of the survey did not record SERVFAIL results. the top 10 DNS providers with problem domains are: 68 jsr-it.nl 58 infracom.nl - Was slated to be resolved in March, delayed... 27 is.nl 24 active24.cz 23 tiscomhosting.nl 18 metaregistrar.nl 15 rdw.nl 10 firstfind.nl 9 cas-com.net 8 loopia.se Around 50 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries. Only 6 of these DNS-broken domains appear in historical Google Email transparency reports: rzd.ru tse.jus.br tiviths.com.br trt1.jus.br trtrj.jus.br tjce.jus.br The associated DNS lookup issues are: _25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/ _25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/ _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/ _25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/ _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/ _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/ _25._tcp.mx2.tjce.jus.br. IN TLSA ? ; SOA signature failure: http://dnsviz.net/d/_25._tcp.mx2.tjce.jus.br/dnssec/ [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>, Much of the TLSA non-response issue seems to be related to a "feature" of Arbor Networks firewalls, that enables droping of DNS requests for all but the most common RRtypes. Do not make the mistake of enabling this firewall "feature". ] The oldest outstanding DNS issue is another SOA signature issue at truman.edu dating back to Nov/2014: http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/ I hope some day soon they'll start missing email they care about and take the time to resolve the problem. -- Viktor.

1 1