dane-users
July 2021
- 2 participants
- 1 discussions
NOTE: When using NSEC3 to sign your domain, please make sure your extra
iteration count is not needlessly large (i.e. above ~25, 0 is best).
For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
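To make the NSEC3 iteration advice concrete, here is an added example (not part of the original post or of any DNS tool) that implements the RFC 5155 owner-name hash and a check on an NSEC3PARAM record. The zone name and salt values are constructed placeholders. The point it shows is that every hashed name costs iterations + 1 SHA-1 operations, paid by the signer, by every validating resolver, and by anyone else computing the hashes, which is why a large extra iteration count buys nothing and 0 is best.

```python
"""NSEC3 owner-name hashing (RFC 5155, section 5) with an iteration-count check.

Added example, not part of the original post. Every name costs iterations + 1
SHA-1 operations, so a large extra iteration count is needlessly expensive.
"""
import base64
import hashlib
from typing import Tuple

# Threshold taken from the post's advice: extra iterations above ~25 are
# needlessly large, and 0 is best.
MAX_SANE_ITERATIONS = 25

# Python's base64 module emits the standard base32 alphabet; NSEC3 uses base32hex.
_B32_TO_B32HEX = str.maketrans("ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
                               "0123456789ABCDEFGHIJKLMNOPQRSTUV")


def wire_name(name: str) -> bytes:
    """Canonical DNS wire format of an owner name: lowercase labels,
    each prefixed by its length, terminated by the root label."""
    out = bytearray()
    for label in name.lower().rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label longer than 63 octets: %r" % label)
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def nsec3_hash(name: str, salt_hex: str, iterations: int) -> Tuple[str, int]:
    """Return (base32hex NSEC3 hash of name, number of SHA-1 invocations).

    RFC 5155: IH(salt, x, 0) = H(x || salt)
              IH(salt, x, k) = H(IH(salt, x, k-1) || salt)
    A salt of "-" in presentation format means the empty salt.
    """
    salt = b"" if salt_hex == "-" else bytes.fromhex(salt_hex)
    digest = wire_name(name)
    ops = 0
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
        ops += 1
    encoded = base64.b32encode(digest).decode("ascii").translate(_B32_TO_B32HEX)
    return encoded.lower(), ops


def check_nsec3param(rdata: str) -> dict:
    """Parse NSEC3PARAM presentation format '<alg> <flags> <iterations> <salt>'
    and report whether the extra iteration count exceeds the sane threshold."""
    alg, flags, iterations, salt = rdata.split()
    iterations = int(iterations)
    return {
        "algorithm": int(alg),
        "flags": int(flags),
        "iterations": iterations,
        "salt": salt,
        "hash_ops_per_name": iterations + 1,
        "needlessly_large": iterations > MAX_SANE_ITERATIONS,
    }


if __name__ == "__main__":
    # Constructed inputs: the owner name and salts are placeholders, not a real zone.
    for params in ("1 0 0 -", "1 0 12 aabbccdd", "1 0 150 aabbccdd"):
        info = check_nsec3param(params)
        digest, ops = nsec3_hash("example", info["salt"], info["iterations"])
        print("%-18s hash=%s sha1_ops=%d needlessly_large=%s"
              % (params, digest, ops, info["needlessly_large"]))
```

Running it prints one line per NSEC3PARAM setting with the hash and the SHA-1 operation count, which grows linearly with the iteration count while the hash is no harder to brute-force in any way that matters for zone enumeration. The owner names and salt from the RFC 5155 Appendix A example zone can be fed to `nsec3_hash` to cross-check the output against the published example.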
Summary: The DANE domain count is now 2,671,696 (up from 2,638,525 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 15,370,647 (up from 15,118,039 last
month). Thus DANE TLSA is deployed on ~17.38% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,671,696 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1229596 one.com 1228949 one.com
150659 transip.nl 150486 transip.nl
150607 argewebhosting.nl 150288 argewebhosting.nl
112821 infomaniak.ch 110793 infomaniak.ch
105401 domeneshop.no 104816 domeneshop.no
99195 webhostingserver.nl 99494 webhostingserver.nl
94181 loopia.se 93948 loopia.se
70039 forpsi.com 69464 forpsi.com
42040 active24.com 41882 active24.com
39239 webreus.nl 39617 webreus.nl
38021 zxcs.nl 38179 pcextreme.nl
37715 pcextreme.nl 37449 antagonist.nl
37563 antagonist.nl 37023 zxcs.nl
28958 vevida.com 29200 vevida.com
27525 webhosting.dk 27706 webhosting.dk
26607 web4u.cz 26564 web4u.cz
26407 udmedia.de 26255 udmedia.de
24915 hosting2go.nl 25168 hosting2go.nl
24728 spamservice.nl 18914 bhosted.nl
19280 protonmail.ch 18594 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8751 TOTAL 8677 TOTAL
2635 DE, Germany 2631 DE, Germany
1677 US, United States 1664 US, United States
1668 NL, Netherlands 1644 NL, Netherlands
653 FR, France 636 FR, France
317 GB, United Kingdom 328 GB, United Kingdom
227 CZ, Czechia 224 CZ, Czechia
202 CA, Canada 201 CA, Canada
169 FI, Finland 167 FI, Finland
124 DK, Denmark 124 DK, Denmark
121 SG, Singapore 120 SG, Singapore
106 CH, Switzerland 100 SE, Sweden
97 SE, Sweden 98 CH, Switzerland
81 AU, Australia 79 AU, Australia
72 AT, Austria 73 AT, Austria
45 PL, Poland 44 PL, Poland
39 NO, Norway 41 IE, Ireland
39 IE, Ireland 39 NO, Norway
38 RU, Russia 37 BR, Brazil
37 JP, Japan 36 JP, Japan
37 BR, Brazil 35 RU, Russia
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6912 TOTAL 6851 TOTAL
3291 NL, Netherlands 3253 NL, Netherlands
1807 DE, Germany 1802 DE, Germany
699 US, United States 664 US, United States
292 FR, France 296 FR, France
143 GB, United Kingdom 145 CZ, Czechia
138 CZ, Czechia 142 GB, United Kingdom
75 FI, Finland 76 FI, Finland
59 CA, Canada 58 CA, Canada
45 CH, Switzerland 45 SG, Singapore
44 SG, Singapore 44 CH, Switzerland
41 SE, Sweden 43 SE, Sweden
30 AU, Australia 29 AT, Austria
28 AT, Austria 28 AU, Australia
25 JP, Japan 27 RU, Russia
18 DK, Denmark 26 JP, Japan
17 RU, Russia 17 NO, Norway
16 NO, Norway 17 IE, Ireland
16 IE, Ireland 17 DK, Denmark
14 BR, Brazil 14 BR, Brazil
11 PL, Poland 12 PL, Poland
There are 7,132 unique zones (7,053 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,568 (15,479 last
month). These cover 15,805 distinct MX hosts (15,711 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 489 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 294
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.67 million domains, 12,786 (12,757 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1187
(1976 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
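The "partial" TLSA coverage described above, the advice to monitor your own TLSA records, and the footnote below about deliberately dead MX hosts all come down to the same few checks. Here is an added example (not from the original post and not any existing DANE tool) that derives the certificate association data for a given selector and matching type, tests whether a TLSA record is well-formed, and classifies a domain's MX set as fully, partially or not covered. The certificate and SPKI bytes, host names and records are constructed stand-ins so it runs offline; chain building and PKIX validation for usages 0 to 2 are out of scope, the match check compares one end-entity certificate against one record.

```python
"""TLSA record checks for SMTP DANE (RFC 6698 / RFC 7671).

Added example, not part of the original post or of any DANE tool. Inputs are
constructed placeholders; the match check covers one end-entity certificate
against one record (DANE-EE style), not chain validation for usages 0-2.
"""
import hashlib
from typing import Dict, List, NamedTuple, Optional


class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


VALID_USAGES = {0, 1, 2, 3}
VALID_SELECTORS = {0, 1}
# Expected length of the association data per matching type; None = any non-empty.
DIGEST_LEN: Dict[int, Optional[int]] = {0: None, 1: 32, 2: 64}


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format '<usage> <selector> <mtype> <hex data...>'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def is_well_formed(rec: TLSA) -> bool:
    """True if every parameter is a known value and the data has the right size."""
    if rec.usage not in VALID_USAGES or rec.selector not in VALID_SELECTORS:
        return False
    if rec.mtype not in DIGEST_LEN:
        return False
    expected = DIGEST_LEN[rec.mtype]
    return len(rec.data) > 0 if expected is None else len(rec.data) == expected


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """What the TLSA data field must hold for this selector/matching type."""
    obj = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    if mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError("unknown matching type %d" % mtype)


def matches(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Does this record match the presented end-entity certificate?"""
    return is_well_formed(rec) and rec.data == association_data(
        cert_der, spki_der, rec.selector, rec.mtype)


def coverage(mx_hosts: List[str], tlsa_rrsets: Dict[str, List[TLSA]]) -> str:
    """'full' if every MX host has at least one well-formed TLSA record,
    'partial' if only some do, 'none' otherwise. Partial coverage still
    leaves the uncovered hosts open to the usual active attacks."""
    covered = [h for h in mx_hosts
               if any(is_well_formed(r) for r in tlsa_rrsets.get(h, []))]
    if not covered:
        return "none"
    return "full" if len(covered) == len(mx_hosts) else "partial"


# Constructed sample inputs: not a real certificate or key, just bytes that
# stand in for the DER encodings so the example runs offline.
SAMPLE_CERT = b"constructed-der-certificate-bytes"
SAMPLE_SPKI = b"constructed-subject-public-key-info-bytes"
SAMPLE_RRSET = {
    "mx1.example": [parse_tlsa("3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest())],
    # Deliberately dead MX host: its record need not match anything, only be well-formed.
    "mx-dead.example": [parse_tlsa("3 1 1 " + "00" * 32)],
}

if __name__ == "__main__":
    rec = SAMPLE_RRSET["mx1.example"][0]
    print("mx1 record matches presented cert:", matches(rec, SAMPLE_CERT, SAMPLE_SPKI))
    print("coverage, live host plus dead host:",
          coverage(["mx1.example", "mx-dead.example"], SAMPLE_RRSET))
    print("coverage, live host plus uncovered backup:",
          coverage(["mx1.example", "mx2.example"], SAMPLE_RRSET))
```

In a real monitor the DER bytes would come from the certificate the MX host presents on STARTTLS and the RRset from a DNSSEC-validated TLSA lookup; the comparison, the well-formedness test and the coverage classification stay the same, and a "partial" or "none" result, or a record that stops matching after a key rotation, is what the monitoring the post asks for should alert on.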
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1661 (1295 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
526 registrar-servers.com 509 registrar-servers.com
393 serverion.nl 122 axc.nl
118 axc.nl 93 ebola.cz
89 ebola.cz 45 epik.com
50 epik.com 32 mijndomein.nl
29 made-easy.ch 29 made-easy.ch
28 mijndomein.nl 24 tiscomhosting.nl
24 tiscomhosting.nl 22 cloudflare.com
22 cloudflare.com 18 movenext.nl
16 movenext.nl 17 openprovider.nl
17 worldnic.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Three of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
bncr.fi.cr
kmutt.ac.th
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at jpberlin.de duo.nl
gmx.at kabelmail.de expeditionfestival.nl
triodos.be lrz.de ezorg.nl
cetelemnegocie.com.br mail.de herinneringenoplinnen.nl
clubedohardware.com.br mensa.de hr.nl
contactflex.com.br mpg.de huizenzoeker.nl
corridaeaventura.com.br neutraler-versand.de interim-netwerk.nl
nic.br posteo.de luxiez.nl
registro.br ruhr-uni-bochum.de mail-studio.nl
pdac.ca tum.de mailplus.nl
gmx.ch tutanota.de markteffectmail.nl
hostpoint.ch uni-erlangen.de mijnuvt.nl
infomaniak.ch uni-muenchen.de minbuza.nl
open.ch unitymedia.de minbzk.nl
protonmail.ch web.de mindef.nl
switch.ch westlotto.de mkbbelangen.nl
travailler-en-suisse.ch actie.deals mm1.nl
simplelogin.co dfi.dk nieuwsservice-rvo.nl
ansigtsyogaonline.com dk-hostmaster.dk ns.nl
connectsb.com fibianet.dk ouderportaal.nl
coremultichain.com fvst.dk overheid.nl
dailyplaylists.com handelsbanken.dk partijvoordedieren.nl
datev.com netic.dk politie.nl
ecstase.com shapeit.dk powerslim.nl
exegy.com shellcard.dk pp-prd.nl
flaneurhomme.com stil.dk previder.nl
gmx.com tilburguniversity.edu pvv.nl
habr.com holt.ee rijksoverheid.nl
hotelsinduitsland.com just.ee rivm.nl
imcnig.com riigikogu.ee rotterdam.nl
infomaniak.com envie.email rvo.nl
ingthink.com spam-filter.email sans-mail.nl
intakt.com spike.email schoudercom.nl
jula.com spotler.email schuurman-schoenen.nl
kpn.com rediris.es sportrusten.nl
leszexpertsfle.com triodos.es ssonet.nl
mail.com uv.es telefoonglaasje.nl
mammoetmail.com litebit.eu triodos.nl
matilhadobemadestramento.com transadvise.eu truetickets.nl
mx-relay.com zone.eu uitgeverijpica.nl
nine-pine.com zonevs.eu utwente.nl
one.com handelsbanken.fi uvt.nl
orverkiezing.com traficom.fi uwv.nl
outsystems.com ac-strasbourg.fr veilinghuispeerdeman.nl
protonmail.com compagnie-des-sens.fr voorpositiviteit.nl
protonvpn.com edtm-actu.fr vu.nl
sanderrossel.com oo2.fr waternet.nl
sankakucomplex.com srci.fr xs4all.nl
societe.com fidesz.hu zorgmail.nl
solvinity.com mszp.hu annabellstefanussen.no
stellarequipment.com tuta.io audi.no
t-2.com pm.me bergengokart.no
thalesgroup.com army.mil derute.no
triodos.com dla.mil domeneshop.no
tutanota.com jten.mil handelsbanken.no
veganallsorts.com mail.mil idrettenonline.no
vitstore.com militaryonesource.mil norskgrammatikk.no
webcruiter.com navy.mil rushtrampoline.no
xfinity.com nga.mil uib.no
xfinityhomesecurity.com osd.mil viphuset.no
xfinitymobile.com socom.mil webcruitermail.no
active24.cz uscg.mil atelkamera.nu
akce-incomputer.cz usmc.mil goget.nu
bewooden.cz comcast.net aegee.org
colours.cz gmx.net debian.org
cuni.cz habramail.net freebsd.org
ekokoza.cz hr-manager.net gentoo.org
gigalekarna.cz inexio.net ietf.org
itesco.cz mijngezondheid.net irtf.org
klenotyaurum.cz mpssec.net isc.org
klubpevnehozdravi.cz procurios.net mailbox.org
manymail.cz ripe.net mailop.org
nic.cz riseup.net mkpbelgium.org
omvnovinky.cz t-2.net netbsd.org
onebit.cz transip.net openssl.org
optimail.cz xs4all.net ozlabs.org
poptavej.cz xworks.net samba.org
reserved.cz 123watches.nl torproject.org
scrptd.cz amsterdam.nl whatpulse.org
server4u.cz awcloud.nl asf.com.pt
smtp.cz belastingdienst.nl mobily.com.sa
stoklasa.cz beterspellen.nl bilprovningen.se
toplist.cz bhosted.nl boplatssyd-automail.se
vas-server.cz bhsupport.nl ecster.se
vcelka.cz bibliotheekdenhaag.nl handelsbanken.se
virusfree.cz bluerail.nl loopia.se
zdravestravovani.cz boekwinkeltjes.nl matlistan.se
bayern.de bolerolimonadewinkel.nl minmyndighetspost.se
brandenburg.de boozyshop.nl personligalmanacka.se
bund.de bratpack-charly.nl skatteverket.se
bundesregierung.de bratsites-grs.nl teknikdelar.se
datev.de burgernet.nl theletter.se
dfn.de cbr.nl websupport.se
ekom21.de corpoflow.nl triodos.co.uk
elster.de denhaag.nl xepay.co.uk
fau.de derooijfotografie.nl govtrack.us
freenet.de dictu.nl quantum-services.us
gmx.de digid.nl ru.ac.za