Hi,
Some of you might have seen our invitation to fill out our survey on DANE and SMTP usage before.
In case you've already taken the time to fill in the survey: thanks a lot!
For the others that wonder what this is all about:
Together with researchers from Seoul National University, Virginia Tech and the University of Twente, we would like to understand which challenges operators face when deploying DANE for SMTP.
Also, we would like to understand how operators deploy DANE successfully.
Finally, we want to develop solutions to simplify DANE deployment for SMTP.
Filling out the survey should take between 10 and 20 minutes.
We would highly appreciate your participation.
https://forms.gle/AAEsdAGRQNjrqpNY7
Don’t hesitate to drop me a mail if you have questions or remarks.
We’ll share the results with the list after evaluation.
— Moritz
—
Moritz Müller | Research Engineer
SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 00
moritz.muller(a)sidn.nl | www.sidn.nl
NOTE: When using NSEC3 to sign your domain, please make sure your iteration
count is not needlessly large (above ~25). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
Summary: The DANE domain count is now 2,638,525 (up from 2,623,358 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 15,118,039 (up from 14,890,975 last
month). Thus DANE TLSA is deployed on ~17.45% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,638,525 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1228949 one.com 1227082 one.com
150486 transip.nl 150090 transip.nl
150288 argewebhosting.nl 149333 argewebhosting.nl
110793 infomaniak.ch 108672 infomaniak.ch
104816 domeneshop.no 104762 domeneshop.no
99494 webhostingserver.nl 99669 webhostingserver.nl
93948 loopia.se 93660 loopia.se
69464 forpsi.com 68752 forpsi.com
41882 active24.com 41710 active24.com
39617 webreus.nl 39907 webreus.nl
38179 pcextreme.nl 38426 pcextreme.nl
37449 antagonist.nl 37231 antagonist.nl
37023 zxcs.nl 35720 zxcs.nl
29200 vevida.com 29296 vevida.com
27706 webhosting.dk 27736 webhosting.dk
26564 web4u.cz 26588 web4u.cz
26255 udmedia.de 25968 udmedia.de
25168 hosting2go.nl 25447 hosting2go.nl
18914 bhosted.nl 18827 bhosted.nl
18594 protonmail.ch 17855 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8677 TOTAL 8579 TOTAL
2631 DE, Germany 2595 DE, Germany
1664 US, United States 1650 US, United States
1644 NL, Netherlands 1648 NL, Netherlands
636 FR, France 631 FR, France
328 GB, United Kingdom 313 GB, United Kingdom
224 CZ, Czechia 226 CZ, Czechia
201 CA, Canada 197 CA, Canada
167 FI, Finland 165 FI, Finland
124 DK, Denmark 125 DK, Denmark
120 SG, Singapore 116 SG, Singapore
100 SE, Sweden 95 SE, Sweden
98 CH, Switzerland 95 CH, Switzerland
79 AU, Australia 75 AU, Australia
73 AT, Austria 70 AT, Austria
44 PL, Poland 45 PL, Poland
41 IE, Ireland 39 NO, Norway
39 NO, Norway 39 BR, Brazil
37 BR, Brazil 38 JP, Japan
36 JP, Japan 37 IE, Ireland
35 RU, Russia 36 IN, India
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6851 TOTAL 6806 TOTAL
3253 NL, Netherlands 3268 NL, Netherlands
1802 DE, Germany 1782 DE, Germany
664 US, United States 659 US, United States
296 FR, France 299 FR, France
145 CZ, Czechia 147 GB, United Kingdom
142 GB, United Kingdom 134 CZ, Czechia
76 FI, Finland 52 CA, Canada
58 CA, Canada 46 SG, Singapore
45 SG, Singapore 46 SE, Sweden
44 CH, Switzerland 46 CH, Switzerland
43 SE, Sweden 42 RU, Russia
29 AT, Austria 33 FI, Finland
28 AU, Australia 26 AU, Australia
27 RU, Russia 26 AT, Austria
26 JP, Japan 24 JP, Japan
17 NO, Norway 17 NO, Norway
17 IE, Ireland 17 DK, Denmark
17 DK, Denmark 16 IE, Ireland
14 BR, Brazil 14 BR, Brazil
12 PL, Poland 10 SI, Slovenia
There are 7,053 unique zones (6,934 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,479 (15,467 last
month). These cover 15,711 distinct MX hosts (15,701 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 475 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 291
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.64 million domains, 12,757 (12,852 last month) have "partial"
TLSA records that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1976
(1999 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1295 (1298 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
509 registrar-servers.com 485 registrar-servers.com
122 axc.nl 119 axc.nl
93 ebola.cz 94 ebola.cz
45 epik.com 48 yourict.net
32 mijndomein.nl 45 epik.com
29 made-easy.ch 29 mijndomein.nl
24 tiscomhosting.nl 29 made-easy.ch
22 cloudflare.com 25 tiscomhosting.nl
18 movenext.nl 18 movenext.nl
17 openprovider.nl 17 infracom.nl
17 WORLDNIC.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Four of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
frontmta.com.br
bncr.fi.cr
sauditelecom.com.sa
kmutt.ac.th
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at gmx.de duo.nl
gmx.at jpberlin.de expeditionfestival.nl
idec.at kabelmail.de ezorg.nl
triodos.be lrz.de herinneringenoplinnen.nl
clubedohardware.com.br mail.de hr.nl
contactflex.com.br mensa.de huizenzoeker.nl
corridaeaventura.com.br mpg.de interim-netwerk.nl
nic.br posteo.de mailplus.nl
registro.br ruhr-uni-bochum.de mailshover.nl
gmx.ch tum.de markteffectmail.nl
hostpoint.ch uni-erlangen.de mijnsalon.nl
infomaniak.ch uni-muenchen.de mijnuvt.nl
open.ch unitymedia.de minbuza.nl
protonmail.ch web.de minbzk.nl
switch.ch westlotto.de mindef.nl
travailler-en-suisse.ch actie.deals mkbbelangen.nl
simplelogin.co bridgewalking.dk mm1.nl
ansigtsyogaonline.com dfi.dk ns.nl
connectsb.com dk-hostmaster.dk ongehoordnederland.nl
dailyplaylists.com fibianet.dk ouderportaal.nl
datev.com handelsbanken.dk overheid.nl
digitalelections.com netic.dk partijvoordedieren.nl
ecstase.com shapeit.dk politie.nl
exegy.com stil.dk powerslim.nl
flaneurhomme.com uni-c.dk pp-prd.nl
gmx.com uvm.dk previder.nl
habr.com tilburguniversity.edu provalue.nl
horagames.com emta.ee rijksoverheid.nl
hotelsinduitsland.com holt.ee rivm.nl
imcnig.com just.ee rotterdam.nl
infomaniak.com lugeja.ee rvo.nl
ingthink.com riigikogu.ee sans-mail.nl
jula.com rmit.ee schoudercom.nl
kpn.com envie.email schuurman-schoenen.nl
leszexpertsfle.com spike.email sportrusten.nl
mail.com spotler.email ssonet.nl
mammoetmail.com rediris.es telefoonglaasje.nl
matilhadobemadestramento.com triodos.es triodos.nl
mx-relay.com uv.es truetickets.nl
nine-pine.com litebit.eu uitgeverijpica.nl
one.com transadvise.eu utwente.nl
orverkiezing.com zone.eu uvt.nl
outsystems.com zonevs.eu uwv.nl
protonmail.com handelsbanken.fi veilinghuispeerdeman.nl
protonvpn.com traficom.fi voorpositiviteit.nl
sankakucomplex.com ac-strasbourg.fr vu.nl
schizinfo.com compagnie-des-sens.fr waternet.nl
societe.com oo2.fr xs4all.nl
solvinity.com srci.fr zorgmail.nl
stellarequipment.com fidesz.hu annabellstefanussen.no
t-2.com mszp.hu audi.no
thalesgroup.com pm.me derute.no
thepcw.com army.mil domeneshop.no
triodos.com dla.mil handelsbanken.no
ugritone.com jten.mil idrettenonline.no
veganallsorts.com mail.mil nordicprint.no
vitstore.com militaryonesource.mil norskgrammatikk.no
webcruiter.com navy.mil uib.no
xfinity.com nga.mil viphuset.no
xfinityhomesecurity.com osd.mil webcruitermail.no
xfinitymobile.com socom.mil atelkamera.nu
active24.cz uscg.mil goget.nu
akce-incomputer.cz usmc.mil aegee.org
bewooden.cz comcast.net debian.org
colours.cz gmx.net freebsd.org
cuni.cz habramail.net gentoo.org
ekokoza.cz hr-manager.net ietf.org
gigalekarna.cz inexio.net irtf.org
itesco.cz mijngezondheid.net isc.org
klenotyaurum.cz mpssec.net mailbox.org
klubpevnehozdravi.cz procurios.net mailop.org
manymail.cz ripe.net mkpbelgium.org
nic.cz riseup.net netbsd.org
omvnovinky.cz t-2.net openssl.org
onebit.cz transip.net ozlabs.org
optimail.cz triodos.net samba.org
poptavej.cz xs4all.net torproject.org
reserved.cz xworks.net whatpulse.org
scrptd.cz 123watches.nl psgaz.pl
server4u.cz 50plusbeurs.nl asf.com.pt
smtp.cz amsterdam.nl mobily.com.sa
stoklasa.cz argeweb.nl bilprovningen.se
toplist.cz awcloud.nl boplatssyd-automail.se
vas-server.cz belastingdienst.nl ecster.se
vcelka.cz bhosted.nl handelsbanken.se
virusfree.cz bhsupport.nl loopia.se
zdravestravovani.cz bibliotheekdenhaag.nl matlistan.se
bayern.de bluerail.nl minmyndighetspost.se
brandenburg.de boekwinkeltjes.nl personligalmanacka.se
bund.de bolerolimonadewinkel.nl skatteverket.se
bundesregierung.de boozyshop.nl teknikdelar.se
datev.de burgernet.nl theletter.se
dfn.de corpoflow.nl pneusvet.sk
ekom21.de denhaag.nl triodos.co.uk
elster.de derooijfotografie.nl govtrack.us
fau.de dictu.nl quantum-services.us
freenet.de digid.nl ru.ac.za
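The report above counts two distinct failure classes: domains whose TLSA records cover only some of their MX hosts ("partial"), and domains that publish TLSA records that are incorrect. The following script, added here as an illustration and not part of either message or of the survey tooling, shows how an operator can audit their own domain for both conditions offline. It parses TLSA records in presentation format, checks them for well-formedness as described in footnote [1] (a record must exist and be syntactically valid; it does not attempt a live certificate match), and classifies the MX set as full, partial or no coverage. All zone data and digests in it are constructed sample input; `example.net` hosts and the `_25._tcp.` owner names are assumptions for the demonstration, not hosts from the report.

```python
"""Offline audit of a domain's DANE-for-SMTP TLSA coverage.

Hypothetical helper added to this digest (not the survey's or Viktor's
tooling). DNS data is passed in as dictionaries so the script runs offline;
the records at the bottom are constructed sample input.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List

# Hex-digit length of the digest per matching type (RFC 6698 section 2.1.3).
# Matching type 0 carries the full certificate/SPKI and has no fixed length.
_DIGEST_HEX_LEN = {1: 64, 2: 128}  # 1 = SHA2-256, 2 = SHA2-512


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    matching: int   # 0 exact, 1 SHA2-256, 2 SHA2-512
    data: str       # certificate association data, lowercase hex


def parse_tlsa(rr: str) -> TLSA:
    """Parse '<usage> <selector> <matching> <hex...>' presentation format.

    The hex field may be split over several whitespace-separated chunks,
    as zone files commonly wrap it. Raises ValueError on structural errors.
    """
    fields = rr.split()
    if len(fields) < 4:
        raise ValueError(f"TLSA needs 4 fields, got {len(fields)}: {rr!r}")
    usage, selector, matching = (int(f) for f in fields[:3])
    return TLSA(usage, selector, matching, "".join(fields[3:]).lower())


def tlsa_problems(rec: TLSA) -> List[str]:
    """Return well-formedness problems; an empty list means the record is
    syntactically valid (it says nothing about matching a live certificate)."""
    problems = []
    if rec.usage not in (0, 1, 2, 3):
        problems.append(f"unknown usage {rec.usage}")
    elif rec.usage in (0, 1):
        # RFC 7672 section 3.1.3: PKIX-TA/PKIX-EE are not usable for SMTP.
        problems.append(f"usage {rec.usage} is not usable for SMTP")
    if rec.selector not in (0, 1):
        problems.append(f"unknown selector {rec.selector}")
    if rec.matching not in (0, 1, 2):
        problems.append(f"unknown matching type {rec.matching}")
    try:
        raw = bytes.fromhex(rec.data)
    except ValueError:
        problems.append("association data is not hexadecimal")
        return problems
    expected = _DIGEST_HEX_LEN.get(rec.matching)
    if expected is not None and len(rec.data) != expected:
        problems.append(
            f"matching type {rec.matching} needs {expected} hex digits, got {len(rec.data)}")
    if not raw:
        problems.append("association data is empty")
    return problems


def well_formed(rr: str) -> bool:
    """True when the presentation-format record parses and has no problems."""
    try:
        return not tlsa_problems(parse_tlsa(rr))
    except ValueError:
        return False


def classify_domain(mx_hosts: List[str], tlsa: Dict[str, List[str]]) -> str:
    """Classify TLSA coverage of the MX set as 'full', 'partial' or 'none'.

    A host counts as covered when _25._tcp.<host> has at least one
    well-formed TLSA record. 'partial' is the state the report warns about:
    the uncovered MX hosts stay exposed to the usual active attacks.
    """
    covered = sum(
        1 for mx in mx_hosts
        if any(well_formed(rr) for rr in tlsa.get(f"_25._tcp.{mx.rstrip('.')}", []))
    )
    if covered == 0:
        return "none"
    return "full" if covered == len(mx_hosts) else "partial"


# Constructed sample zone data: not real hosts, not real certificate digests.
SAMPLE_HEX = hashlib.sha256(b"constructed SPKI placeholder").hexdigest()
SAMPLE_TLSA = {
    "_25._tcp.mx1.example.net": [f"3 1 1 {SAMPLE_HEX}"],
    # Hex wrapped over two chunks, as a zone file might print it.
    "_25._tcp.mx2.example.net": [f"3 1 1 {SAMPLE_HEX[:32]} {SAMPLE_HEX[32:]}"],
    # Truncated digest: published but malformed, so it gives no coverage.
    "_25._tcp.mx3.example.net": ["3 1 1 abcd"],
}


def main():
    domains = {
        "full.example": ["mx1.example.net", "mx2.example.net"],
        "partial.example": ["mx1.example.net", "mx3.example.net", "mx4.example.net"],
        "none.example": ["mx4.example.net"],
    }
    for domain, mxs in domains.items():
        print(f"{domain}: {classify_domain(mxs, SAMPLE_TLSA)}")
    for rr in ("3 1 1 abcd", f"1 1 1 {SAMPLE_HEX}", f"3 1 9 {SAMPLE_HEX}"):
        print(f"{rr[:12]}... -> {tlsa_problems(parse_tlsa(rr))}")


if __name__ == "__main__":
    main()
```

In practice the dictionaries would be filled from DNSSEC-validated lookups of the MX RRset and of `_25._tcp.<mx>` TLSA; the classification logic stays the same, and running it from a cron job against your own domains gives the monitoring the message asks for.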