I'm happy to announce that LetsDNS release 1.0 is now available and
ready for public use.
Website: https://letsdns.org
GitHub : https://github.com/LetsDNS/letsdns
PyPI : https://pypi.org/project/letsdns/
LetsDNS is a utility to manage DANE TLSA records in DNS servers with
only a few lines of configuration. It supports multiple domains with
multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like dehydrated or certbot. It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
I'd appreciate you taking LetsDNS for a leisurely spin, and letting me
know of your experiences. GitHub discussions/issues are preferred, but
you can also send mail to "author at letsdns dot org".
Enjoy.
-Ralph
Hello list members,
I'd like to introduce "LetsDNS", a utility to manage DANE TLSA records
in DNS servers with only a few lines of configuration. It supports
multiple domains with multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like "dehydrated" or "certbot". It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for "nsupdate" scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
LetsDNS has reached a level of maturity at which I feel comfortable
to ask for volunteers who would like to test the software. For more
information, please visit the project's homepage at https://letsdns.org .
I appreciate your feedback.
-Ralph
Summary: The DANE domain count is now 3,172,531 (cf. 3,171,233 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,166,397 (up from 17,945,028 last
month). Thus DANE TLSA is deployed on ~17.46% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
Milestones:
- Over 18 million DNSSEC-signed zones
- .ORG over 4% signed
- .COM over 3% signed
- Over 8,000 DANE MX host zones
As of today I count ~3.17 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1222787 one.com 1239857 one.com
276929 hostpoint.ch 276109 hostpoint.ch
162459 infomaniak.ch 160146 infomaniak.ch
159841 argewebhosting.nl 157827 transip.nl
159047 transip.nl 150199 argewebhosting.nl
107424 domeneshop.no 107297 domeneshop.no
96804 jouwweb.nl 97131 webhostingserver.nl
96629 webhostingserver.nl 95810 loopia.se
96028 loopia.se 95176 jouwweb.nl
75489 forpsi.com 74648 forpsi.com
57815 zxcs.nl 55862 zxcs.nl
47064 active24.com 47053 active24.com
41338 webreus.nl 41756 webreus.nl
39129 antagonist.nl 39085 antagonist.nl
35339 pcextreme.nl 35599 pcextreme.nl
27537 udmedia.de 27485 udmedia.de
26871 web4u.cz 26856 web4u.cz
26105 webhosting.dk 26320 vevida.com
26035 vevida.com 26289 webhosting.dk
24796 protonmail.ch 24182 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
9827 TOTAL 9660 TOTAL
2919 DE, Germany 2843 DE, Germany
1827 NL, Netherlands 1828 NL, Netherlands
1796 US, United States 1766 US, United States
725 FR, France 712 FR, France
331 GB, United Kingdom 337 GB, United Kingdom
315 CZ, Czechia 296 CZ, Czechia
227 FI, Finland 214 CA, Canada
212 CA, Canada 213 FI, Finland
151 AT, Austria 150 AT, Austria
133 DK, Denmark 135 DK, Denmark
128 SG, Singapore 128 SG, Singapore
126 CH, Switzerland 124 CH, Switzerland
106 SE, Sweden 109 SE, Sweden
102 AU, Australia 107 AU, Australia
59 PL, Poland 59 PL, Poland
45 NO, Norway 45 RU, Russia
43 RU, Russia 45 NO, Norway
43 JP, Japan 41 JP, Japan
43 IE, Ireland 41 IE, Ireland
39 IT, Italy 36 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
7726 TOTAL 7636 TOTAL
3485 NL, Netherlands 3492 NL, Netherlands
2125 DE, Germany 2105 DE, Germany
808 US, United States 799 US, United States
314 FR, France 299 FR, France
171 CZ, Czechia 158 CZ, Czechia
139 GB, United Kingdom 151 GB, United Kingdom
83 FI, Finland 82 FI, Finland
65 CA, Canada 63 CA, Canada
55 CH, Switzerland 57 CH, Switzerland
47 AU, Australia 49 AU, Australia
43 SE, Sweden 45 SE, Sweden
41 SG, Singapore 42 SG, Singapore
37 RU, Russia 33 AT, Austria
36 IE, Ireland 32 JP, Japan
34 AT, Austria 25 RU, Russia
31 JP, Japan 21 IE, Ireland
20 NO, Norway 19 NO, Norway
20 DK, Denmark 19 DK, Denmark
15 UA, Ukraine 14 BR, Brazil
13 BR, Brazil 11 SI, Slovenia
There are 8,039 unique zones (7,895 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,131 (16,959 last
month). These cover 17,403 distinct MX hosts (17,222 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 607 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 346
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.17 million DANE domains, 12,731 (12,742 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1102
(1136 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
86 beta.itcomputers.eu
65 arachne.itcomputers.cz
29 mx.2u2.nu
20 mail.itcomputers.net
19 mx1.mdbraber.com
16 e-vps.hacktheplanet.nl
15 artemis.strebsjig.net
14 web1.ams.dcg.t-host.net
13 dolifarm2.cap-networks.com
10 mx01.mykolab.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
550 registrar-servers.com 569 registrar-servers.com
149 axc.nl 152 axc.nl
80 worldnic.com 82 ebola.cz
78 ebola.cz 56 worldnic.com
35 mijndomein.nl 38 mijndomein.nl
32 openprovider.nl 30 ns01.nl
31 made-easy.ch 29 made-easy.ch
26 ns01.nl 26 hostline.fr
25 register.com 20 register.com
17 dotroll.com 18 cloudflare.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Six of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
urbtix.hk
mailazy.net
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at virusfree.cz herinneringenoplinnen.nl
gmx.at zdravestravovani.cz high5.nl
tip.net.au bayern.de hr.nl
cetelemnegocie.com.br brandenburg.de hro.nl
clubedohardware.com.br bund.de interim-netwerk.nl
e-negociacao.com.br bundesregierung.de lico.nl
e-renegocie.com.br datev.de linhard.nl
nic.br dfn.de luxiez.nl
registro.br elster.de mailplus.nl
activfitness-news.ch fau.de mijnhypotheekonline.nl
cbd420.ch freenet.de mijnsalon.nl
gmx.ch gmx.de mijnuvt.nl
hostpoint.ch hi7.de minbuza.nl
infomaniak.ch jpberlin.de minbzk.nl
linsenkontakt.ch lmu.de mindef.nl
open.ch lrz.de mm1.nl
protonmail.ch mail.de nieuwsservice-rvo.nl
switch.ch mensa.de ns.nl
wog.ch mpg.de orangebag.nl
simplelogin.co posteo.de otys.nl
402automotive.com ruhr-uni-bochum.de ouderportaal.nl
altidev.com tum.de overheid.nl
ansigtsyogaonline.com tutanota.de partijvoordedieren.nl
anubisnetworks.com uni-augsburg.de podiumcadeaukaart.nl
cm.com uni-erlangen.de politie.nl
connectsb.com uni-kl.de pp-prd.nl
dailyplaylists.com uni-muenchen.de previder.nl
datev.com unitymedia.de publicroam.nl
fabfilter.com vicinityclo.de rijksoverheid.nl
fastware-hosting.com web.de rivm.nl
flaneurhomme.com westlotto.de rotterdam.nl
gmx.com actie.deals rvo.nl
habr.com dk-hostmaster.dk sans-mail.nl
hoobly.com fibianet.dk schoudercom.nl
hotelsinduitsland.com handelsbanken.dk schuurman-schoenen.nl
imcnig.com netic.dk sidn.nl
infomaniak.com nota.dk skyaccess.nl
ingthink.com peterhald.dk smartwatchbanden.nl
joomlapolis.com seniornews.dk sportrusten.nl
jula.com shapeit.dk ssonet.nl
kantarresearch.com shellcard.dk stater.nl
kpn.com stil.dk sushipoint.nl
langerhans.com uni-c.dk telefoonglaasje.nl
leszexpertsfle.com tilburguniversity.edu transip.nl
librti.com zone.ee triodos.nl
mactabeauty.com spike.email uitgeverijpica.nl
mail.com spotler.email utwente.nl
mammoetmail.com talentech.email uvt.nl
matilhadobemadestramento.com rediris.es uwv.nl
mplbeauty.com triodos.es vantilburg.nl
mx-relay.com uv.es vimexx.nl
nanolearning.com egu.eu vogeldagboek.nl
nine-pine.com zone.eu voorpositiviteit.nl
one.com zonevs.eu vpo.nl
ppcpcv.com handelsbanken.fi vu.nl
protonmail.com metaburn.fi vvv-venlo.nl
protonvpn.com tarjousrinki.fi waternet.nl
renworkshops.com traficom.fi woongarantvolmacht.nl
run-motion.com ac-strasbourg.fr zorgmail.nl
sankakucomplex.com compagnie-des-sens.fr annabellstefanussen.no
serverclienti.com homeserve.fr audi.no
societe.com kangouroukids.fr bergengokart.no
solvinity.com oo2.fr derute.no
sportnotch.com fidesz.hu domeneshop.no
stater.com bluebiz.info guttelus.no
stellarequipment.com neolink.link hyttefeber.no
t-2.com pm.me idrettenonline.no
thalesgroup.com army.mil malestudio.no
theruleofliberty.com dla.mil mystuff.no
triodos.com jten.mil norskgrammatikk.no
tutanota.com mail.mil rushtrampoline.no
up2staff.com militaryonesource.mil uib.no
veganallsorts.com navy.mil viphuset.no
vitstore.com nga.mil atelkamera.nu
vivaldi.com osd.mil goget.nu
webcruiter.com socom.mil lenhud.nu
webmailph.com uscg.mil debian.org
win-rar.com usmc.mil freebsd.org
xfinity.com comcast.net gentoo.org
xfinityhomesecurity.com fivem.net herobrine.org
xfinitymobile.com gmx.net ietf.org
ymeuniverse.com habramail.net irtf.org
bncr.fi.cr hr-manager.net isc.org
akce-incomputer.cz inexio.net mailbox.org
amenit.cz mijngezondheid.net mailop.org
bewooden.cz mpssec.net netbsd.org
csob.cz procurios.net oraclegirl.org
cuni.cz ripe.net ozlabs.org
cvut.cz riseup.net samba.org
dedra.cz t-2.net torproject.org
directmail-fraus.cz transip.net asf.com.pt
e-kondomy.cz xs4all.net mobily.com.sa
ekokoza.cz 123watches.nl bilprovningen.se
fio.cz 50plusbeurs.nl ecster.se
itesco.cz amsterdam.nl handelsbanken.se
kb.cz belastingdienst.nl lomervarde.se
klenotyaurum.cz bhsupport.nl loopia.se
klubpevnehozdravi.cz boekwinkeltjes.nl minmyndighetspost.se
ksporting.cz bolerolimonadewinkel.nl polisen.se
manymail.cz boozyshop.nl racketspecialisten.se
mkluzkoviny.cz burgernet.nl skatteverket.se
muni.cz caracamilla.nl teknikdelar.se
nanospace.cz cbr.nl theletter.se
omvnovinky.cz corpoflow.nl voteit.se
onebit.cz derooijfotografie.nl kadernickyservis.sk
optimail.cz dictu.nl mklozkoviny.sk
poptavej.cz digid.nl pneusvet.sk
pre.cz dressuurnatuurlijk.nl rondogo.sk
predplatit.cz duo.nl satro.sk
scrptd.cz eco-logisch.nl toptop.sk
server4u.cz edenhotels.nl zapardrobnych.sk
smtp.cz ezorg.nl triodos.co.uk
sparkys.cz fidus.nl govtrack.us
stoklasa.cz gezond.nl quantum-services.us
vas-server.cz healthcheckcenter.nl ru.ac.za
vcelka.cz
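The two threads above touch the same mechanics from both ends: Ralph's LetsDNS announcement (TLSA records derived from TLS certificates, pushed out via RFC 2136 or an nsupdate script from an ACME hook) and Viktor's closing advice to monitor your own TLSA records, rotate keys reliably, and keep well-formed records even on MX hosts that never answer (footnote [1]). The following is an added example written for this digest; it is not code from LetsDNS, from Viktor's survey tooling, or from any other project named above. It computes TLSA RDATA from a DER certificate with a minimal ASN.1 walker (no third-party modules), checks a published RRset against the chain an MX host actually serves, validates that a record is at least well-formed, and emits a plain BIND nsupdate script. The certificate it operates on is a constructed DER skeleton with the RFC 5280 field order but empty names and a four-byte fake key (labelled as such in the code); the zone `example.net.` and owner name `_25._tcp.mx.example.net.` are likewise assumed for illustration.

```python
"""
DANE TLSA helpers: derive records from DER certificates, compare a published
RRset against the served chain, and emit an nsupdate script.  Added example
for this list digest; not LetsDNS or survey code.  The certificate used at
the bottom is a CONSTRUCTED DER skeleton, not a real certificate.
"""
import hashlib

# ---- minimal DER helpers: enough to walk a Certificate and build a toy one ----

def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_seq(*items, tag=0x30):
    """Wrap already-encoded items in a constructed TLV (SEQUENCE by default)."""
    body = b"".join(items)
    return bytes([tag]) + der_len(len(body)) + body

def der_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV that starts at pos."""
    tag, length, hdr = buf[pos], buf[pos + 1], 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    return tag, pos + hdr, pos + hdr + length

def der_children(buf, start, end):
    """Yield (tag, tlv_start, tlv_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, tlv_end = der_tlv(buf, pos)
        yield tag, pos, tlv_end
        pos = tlv_end

def spki_from_cert(der):
    """Return the DER SubjectPublicKeyInfo (header included) of a certificate."""
    _, cert_start, cert_end = der_tlv(der, 0)                          # Certificate
    _, tbs_tlv_start, _ = next(der_children(der, cert_start, cert_end))  # tbsCertificate
    _, tbs_start, tbs_end = der_tlv(der, tbs_tlv_start)
    fields = list(der_children(der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:            # optional [0] EXPLICIT version (absent in v1)
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo, ...
    _, spki_start, spki_end = fields[5]
    return der[spki_start:spki_end]

# ---- TLSA records (RFC 6698 / RFC 7671) ----

def tlsa_rdata(der, usage=3, selector=1, mtype=1):
    """Presentation-format TLSA RDATA for one certificate (default 3 1 1)."""
    data = der if selector == 0 else spki_from_cert(der)
    digest = {0: lambda d: d,
              1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"

def parse_tlsa(text):
    """Parse presentation-format RDATA; raise ValueError if it is malformed."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {text!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex(parts[3])
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        raise ValueError(f"unknown usage/selector/matching type: {text!r}")
    if len(data) != {0: len(data), 1: 32, 2: 64}[mtype]:
        raise ValueError(f"digest length does not fit matching type: {text!r}")
    return usage, selector, mtype, data

def is_well_formed(text):
    """Dead MX hosts still need records that at least parse (footnote [1])."""
    try:
        parse_tlsa(text)
        return True
    except ValueError:
        return False

def check_rrset(published, chain):
    """Map each published record to True if the served chain satisfies it.

    Usage 3/1 (end entity) must match chain[0]; usage 2/0 (trust anchor) may
    match any issuer certificate.  Digest comparison only: the PKIX path
    validation that usages 0 and 1 additionally require is not done here.
    """
    result = {}
    for rec in published:
        usage, selector, mtype, data = parse_tlsa(rec)
        candidates = [chain[0]] if usage in (1, 3) else chain[1:]
        result[rec] = any(tlsa_rdata(c, usage, selector, mtype).split()[3] == data.hex()
                          for c in candidates)
    return result

def nsupdate_script(zone, owner, rdata_list, ttl=3600):
    """Replace the whole TLSA RRset at owner (BIND nsupdate syntax)."""
    lines = [f"zone {zone}", f"update delete {owner} IN TLSA"]
    lines += [f"update add {owner} {ttl} IN TLSA {r}" for r in rdata_list]
    return "\n".join(lines + ["send"]) + "\n"

# ---- constructed sample: v3 certificate skeleton with a tiny fake RSA key ----
OID_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"
OID_SHA256_RSA = b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"
NULL, EMPTY_SEQ = b"\x05\x00", b"\x30\x00"

def toy_cert(key_bytes):
    """Build a syntactically well-formed, semantically meaningless certificate."""
    spki = der_seq(der_seq(OID_RSA, NULL),
                   b"\x03" + der_len(len(key_bytes) + 1) + b"\x00" + key_bytes)
    tbs = der_seq(der_seq(b"\x02\x01\x02", tag=0xA0),      # [0] version v3
                  b"\x02\x01\x01",                         # serialNumber 1
                  der_seq(OID_SHA256_RSA, NULL),           # signature AlgorithmIdentifier
                  EMPTY_SEQ, EMPTY_SEQ, EMPTY_SEQ,         # issuer, validity, subject (empty)
                  spki)
    return der_seq(tbs, der_seq(OID_SHA256_RSA, NULL), b"\x03\x01\x00"), spki

CURRENT_CERT, CURRENT_SPKI = toy_cert(b"\x01\x02\x03\x04")
NEXT_CERT, NEXT_SPKI = toy_cert(b"\x05\x06\x07\x08")        # key you will rotate to

def example():
    """Pre-publish the next key's record, then verify against the served chain."""
    rrset = [tlsa_rdata(CURRENT_CERT), tlsa_rdata(NEXT_CERT)]
    status = check_rrset(rrset, [CURRENT_CERT])
    return rrset, status, nsupdate_script("example.net.", "_25._tcp.mx.example.net.", rrset)

if __name__ == "__main__":
    rrset, status, script = example()
    for rec, ok in status.items():
        print("MATCH   " if ok else "NO MATCH", rec)
    print(script)
```

The rotation pattern in `example()` is the one the linked RFC 7671 sections describe: publish the `3 1 1` record for the next key alongside the current one, wait at least the TTL, switch the server key, then drop the old record. Using selector 1 (SubjectPublicKeyInfo) rather than selector 0 keeps the record stable across ACME renewals as long as the key pair is reused, which is why the Let's Encrypt thread linked above asks people to avoid `3 0 1` and `3 0 2`. A monitor built on `check_rrset` should alarm when no published record matches the served chain, since that is exactly the "incorrect TLSA records" outage class counted in the survey.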