Hi Moritz
First of all - thanks (to all the article authors) for providing research in DANE deployments - it is very much appreciated.
I would, however, really wish that you compared the amount (in %) of mismanaged SMTP servers doing DANE to the general amount (in %) of mismanaged SMTP servers, in order to provide some sort of “baseline”.
My gut feeling is that the amount of mismanaged SMTP servers handling DANE is very, very low compared to the general amount of mismanaged SMTP servers.
I also hope that you have read and taken Viktor's remarks (regarding the initial paper from 2020) into account in the new version:
http://dnssec-stats.ant.isi.edu/~viktor/usenix-security-dane-response.html
Since you mention Antagonist.nl in the report:
Antagonist has been bought by Group.ONE: https://group.one/group-one-acquires-antagonist/
I had hoped that I would have a chance to pull some statistics out of our one.com outbound mailservers, with some real % on errors that we see, and share them, but unfortunately I simply haven't had time. :-(
It looks like USENIX Security ’22 is in August - so that gives me some possibilities to look into that next year before the conference. :-)
Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com
> On 29 Nov 2021, at 10.55, Moritz Müller via mailop <mailop(a)mailop.org> wrote:
>
> Hi all,
>
> A while ago we’ve asked the members of this mailing list to fill in a survey about DANE management.
> First of all: Thanks to everyone who filled in the survey!
>
> We’ve processed the results, which are now part of our paper "Under the Hood of DANE Mismanagement in SMTP", which is going to be published at USENIX Security [1].
>
> Overall, we see that the vast majority of domain names that outsource their SMTP server (which is the majority of all domain names) configure DANE correctly.
> Self-hosted SMTP servers, however, are misconfigured frequently.
> Especially keeping the TLSA records from a name server and certificates from an SMTP server synchronized is not straightforward.
>
> You can read the full abstract and paper here [1].
>
> —
> Moritz
>
> [1] https://www.usenix.org/conference/usenixsecurity22/presentation/lee
>
>
Summary: The DANE domain count is now 2,974,861 (up from 2,912,048 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,638,332 (up from 16,310,355 last
month). Thus DANE TLSA is deployed on ~17.87% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ See the Credits[0] list below my signature. ]
As of today I count ~2.97 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last month
---------- ----------
1219713 one.com 1225237 one.com
270842 hostpoint.ch 211135 hostpoint.ch
154249 transip.nl 153581 transip.nl
152372 infomaniak.ch 151214 argewebhosting.nl
150807 argewebhosting.nl 150461 infomaniak.ch
105814 domeneshop.no 105846 domeneshop.no
98302 webhostingserver.nl 98581 webhostingserver.nl
94851 loopia.se 94743 loopia.se
71517 forpsi.com 71205 forpsi.com
46431 active24.com 46199 active24.com
45675 zxcs.nl 43026 zxcs.nl
42325 webreus.nl 40150 webreus.nl
38150 antagonist.nl 37893 antagonist.nl
36614 pcextreme.nl 36906 pcextreme.nl
27758 vevida.com 28102 vevida.com
27035 webhosting.dk 27607 webhosting.dk
26937 udmedia.de 26882 udmedia.de
26456 web4u.cz 26468 web4u.cz
23884 hosting2go.nl 24184 hosting2go.nl
21623 protonmail.ch 20972 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
9206 TOTAL 9030 TOTAL
2692 DE, Germany 2649 DE, Germany
1768 NL, Netherlands 1723 US, United States
1731 US, United States 1720 NL, Netherlands
699 FR, France 690 FR, France
334 GB, United Kingdom 330 GB, United Kingdom
245 CZ, Czechia 231 CZ, Czechia
208 CA, Canada 205 CA, Canada
203 FI, Finland 196 FI, Finland
127 DK, Denmark 125 DK, Denmark
121 AT, Austria 119 SG, Singapore
120 SG, Singapore 117 AT, Austria
107 CH, Switzerland 109 CH, Switzerland
100 AU, Australia 98 SE, Sweden
98 SE, Sweden 95 AU, Australia
54 PL, Poland 50 PL, Poland
44 RU, Russia 45 RU, Russia
44 NO, Norway 42 NO, Norway
42 IE, Ireland 40 IE, Ireland
41 BR, Brazil 37 IT, Italy
36 JP, Japan 35 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
7202 TOTAL 7116 TOTAL
3389 NL, Netherlands 3368 NL, Netherlands
1889 DE, Germany 1862 DE, Germany
767 US, United States 728 US, United States
290 FR, France 294 FR, France
153 CZ, Czechia 141 CZ, Czechia
136 GB, United Kingdom 136 GB, United Kingdom
78 FI, Finland 76 FI, Finland
61 CA, Canada 63 CA, Canada
42 SG, Singapore 50 CH, Switzerland
42 CH, Switzerland 44 SE, Sweden
41 SE, Sweden 43 SG, Singapore
40 AU, Australia 39 AU, Australia
37 AT, Austria 30 RU, Russia
24 JP, Japan 30 AT, Austria
22 IE, Ireland 23 JP, Japan
20 NO, Norway 21 IE, Ireland
17 DK, Denmark 17 NO, Norway
15 BR, Brazil 17 DK, Denmark
14 RU, Russia 14 BR, Brazil
11 SI, Slovenia 11 PL, Poland
There are 7,410 unique zones (7,308 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 16,101 (15,915 last
month). These cover 16,358 distinct MX hosts (16,170 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 543 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 309
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.97 million DANE domains, 12,735 (12,805 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1802
(1110 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
780 mta1.vaiadigital.net (explains this month's "bump")
71 vps01.marcus.services
41 mx1.redpill.servernetz.biz
16 mail.odissee.net
16 e-vps.hacktheplanet.nl
15 web1.ams.dcg.t-host.net
15 artemis.strebsjig.net
13 entrante.svnt.com
11 smtp.hoggins.fr
9 mail.syngenuity.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1148 (1148 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
553 registrar-servers.com 546 registrar-servers.com
122 axc.nl 119 axc.nl
87 ebola.cz 85 ebola.cz
33 made-easy.ch 35 made-easy.ch
32 mijndomein.nl 29 mijndomein.nl
30 worldnic.com 19 cloudflare.com
17 cloudflare.com 16 worldnic.com
11 openprovider.nl 13 renault.fr
10 vtx.ch 11 openprovider.nl
8 register.com 9 vtx.ch
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Four of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
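Added here as a worked example (not Viktor's survey code): an offline checker over constructed MX and TLSA data that flags the two conditions the report counts, partial coverage across a domain's MX hosts and ill-formed TLSA records, and warns about the "3 0 x" form that the linked Let's Encrypt thread advises against. The domain, host names and RRsets are constructed; a real monitor would feed it the answers of its own DNSSEC-validating resolver.

```python
import re
# Constructed sample zone data for a hypothetical domain (not from the survey):
# three MX hosts, TLSA published for only two of them, one record malformed.
MX_RRSETS = {"example.test": ["mx1.example.test", "mx2.example.test", "mx3.example.test"]}
TLSA_RRSETS = {
    "_25._tcp.mx1.example.test": ["3 1 1 " + "ab" * 32],
    "_25._tcp.mx2.example.test": ["3 0 1 " + "cd" * 32,   # well-formed but fragile
                                  "2 1 1 " + "cd" * 31],  # SHA-256 digest too short
}
DIGEST_HEX_LEN = {0: None, 1: 64, 2: 128}  # hex chars per matching type (0: raw data)

def check_tlsa_record(rdata):
    """Return (errors, warnings) for one TLSA record in presentation format."""
    errors, warnings = [], []
    fields = rdata.split()
    if len(fields) != 4 or not all(f.isdigit() for f in fields[:3]):
        return ["expected: <usage> <selector> <mtype> <hexdata>"], warnings
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = fields[3]
    if usage not in (2, 3):
        errors.append(f"usage {usage} is unusable for SMTP; RFC 7672 allows only 2 (DANE-TA) or 3 (DANE-EE)")
    if selector not in (0, 1):
        errors.append(f"unknown selector {selector}")
    if mtype not in DIGEST_HEX_LEN:
        errors.append(f"unknown matching type {mtype}")
    elif not re.fullmatch(r"[0-9a-fA-F]+", data):
        errors.append("data field is not hexadecimal")
    elif DIGEST_HEX_LEN[mtype] and len(data) != DIGEST_HEX_LEN[mtype]:
        errors.append(f"matching type {mtype} needs {DIGEST_HEX_LEN[mtype]} hex chars, got {len(data)}")
    if usage == 3 and selector == 0:
        warnings.append("3 0 x pins the whole certificate; it breaks at every renewal unless the record is updated in lockstep")
    return errors, warnings

def assess_domain(domain, mx=MX_RRSETS, tlsa=TLSA_RRSETS):
    """Classify TLSA coverage of a domain's MX hosts (full/partial/none) and each host's
    RRset: ok, degraded (ill-formed records are ignored, the rest still work), unusable,
    or missing (mail via that host can only be delivered without DANE authentication)."""
    hosts = {}
    for host in mx.get(domain, []):
        results = [check_tlsa_record(rr) for rr in tlsa.get(f"_25._tcp.{host}", [])]
        usable = sum(1 for errs, _ in results if not errs)
        status = ("missing" if not results else "ok" if usable == len(results)
                  else "degraded" if usable else "unusable")
        hosts[host] = {"status": status,
                       "errors": [e for errs, _ in results for e in errs],
                       "warnings": [w for _, warns in results for w in warns]}
    published = sum(1 for h in hosts.values() if h["status"] != "missing")
    coverage = "none" if not published else "full" if published == len(hosts) else "partial"
    return coverage, hosts
```

For the constructed data the domain comes out as "partial" (mx3 has no TLSA at all), which is exactly the class of domain the report says remains exposed to active attacks via the uncovered MX host.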