dane-users
May 2022
- 4 participants
- 2 discussions
FYI Microsoft recently enabled outbound DANE verification by default for all Exchange Online customers: https://docs.microsoft.com/en-us/microsoft-365/compliance/how-smtp-dane-wor…
For other DANE implementations, usage stats etc. see: https://github.com/baknu/DANE-for-SMTP/wiki
--
Best regards,
Bart Knubben
Netherlands Standardisation Forum
https://forumstandaardisatie.nl/netherlands-standardisation-forum
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
Summary: The DANE domain count is now 3,197,734 (cf. 3,172,531 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,409,733 (up from 18,166,397 last
month). Thus DANE TLSA is deployed on ~17.36% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.20 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
 This month                     Last Month
 ----------                     ----------
  1243696 one.com                1222787 one.com
   277421 hostpoint.ch            276929 hostpoint.ch
   164315 infomaniak.ch           162459 infomaniak.ch
   159902 transip.nl              159841 argewebhosting.nl
   158479 argewebhosting.nl       159047 transip.nl
   107350 domeneshop.no           107424 domeneshop.no
    97611 jouwweb.nl               96804 jouwweb.nl
    96400 loopia.se                96629 webhostingserver.nl
    96065 webhostingserver.nl      96028 loopia.se
    75966 forpsi.com               75489 forpsi.com
    59337 zxcs.nl                  57815 zxcs.nl
    47090 active24.com             47064 active24.com
    41006 webreus.nl               41338 webreus.nl
    39296 antagonist.nl            39129 antagonist.nl
    35099 pcextreme.nl             35339 pcextreme.nl
    27513 udmedia.de               27537 udmedia.de
    26802 web4u.cz                 26871 web4u.cz
    25925 webhosting.dk            26105 webhosting.dk
    25763 vevida.com               26035 vevida.com
    25515 protonmail.ch            24796 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
 This month                     Last month
 ----------                     ----------
     9944 TOTAL                     9827 TOTAL
     2956 DE, Germany               2919 DE, Germany
     1844 NL, Netherlands           1827 NL, Netherlands
     1789 US, United States         1796 US, United States
      737 FR, France                 725 FR, France
      346 GB, United Kingdom         331 GB, United Kingdom
      331 CZ, Czechia                315 CZ, Czechia
      226 FI, Finland                227 FI, Finland
      213 CA, Canada                 212 CA, Canada
      156 AT, Austria                151 AT, Austria
      130 SG, Singapore              133 DK, Denmark
      129 CH, Switzerland            128 SG, Singapore
      127 DK, Denmark                126 CH, Switzerland
      110 SE, Sweden                 106 SE, Sweden
      106 AU, Australia              102 AU, Australia
       59 PL, Poland                  59 PL, Poland
       48 JP, Japan                   45 NO, Norway
       46 RU, Russia                  43 RU, Russia
       46 NO, Norway                  43 JP, Japan
       43 BR, Brazil                  43 IE, Ireland
       40 IE, Ireland                 39 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
 This month                     Last month
 ----------                     ----------
     7816 TOTAL                     7726 TOTAL
     3507 NL, Netherlands           3485 NL, Netherlands
     2162 DE, Germany               2125 DE, Germany
      812 US, United States          808 US, United States
      317 FR, France                 314 FR, France
      187 CZ, Czechia                171 CZ, Czechia
      158 GB, United Kingdom         139 GB, United Kingdom
       82 FI, Finland                 83 FI, Finland
       63 CA, Canada                  65 CA, Canada
       60 CH, Switzerland             55 CH, Switzerland
       50 AU, Australia               47 AU, Australia
       45 AT, Austria                 43 SE, Sweden
       40 SG, Singapore               41 SG, Singapore
       39 SE, Sweden                  37 RU, Russia
       32 JP, Japan                   36 IE, Ireland
       30 RU, Russia                  34 AT, Austria
       22 IE, Ireland                 31 JP, Japan
       20 DK, Denmark                 20 NO, Norway
       19 NO, Norway                  20 DK, Denmark
       15 BG, Bulgaria                15 UA, Ukraine
       13 LT, Lithuania               13 BR, Brazil
There are 8,119 unique zones (8,039 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,295 (17,131 last
month). These cover 17,568 distinct MX hosts (17,403 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 625 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 369
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.20 million DANE domains, 27,938 (12,731 last month, ~15k new
MX-hosted by onebit.cz) have "partial" TLSA records, that cover only a subset
of the (secondary) MX hosts. While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,147
(1,102 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
88 vps01.marcus.services
46 mx2.xarisasp.nl
19 mx1.mdbraber.com
16 e-vps.hacktheplanet.nl
15 web1.ams.dcg.t-host.net
15 artemis.strebsjig.net
13 mta11.pointner.at
13 delos.xs4arabia.com
12 mail-01.dd24.net
10 mx01.mykolab.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month). The top 10 name server operators with problem domains are:
 This Month                         Last month
 ----------                         ----------
      563 registrar-servers.com          550 registrar-servers.com
      151 axc.nl                         149 axc.nl
       90 worldnic.com                    80 worldnic.com
       76 ebola.cz                        78 ebola.cz
       41 epik.com                        35 mijndomein.nl
       39 mijndomein.nl                   32 openprovider.nl
       32 openprovider.nl                 31 made-easy.ch
       31 made-easy.ch                    26 ns01.nl
       27 register.com                    25 register.com
       26 ns01.nl                         17 dotroll.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
urbtix.hk
mailazy.net
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
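The survey above asks operators to monitor their own TLSA records and to rotate keys reliably, and it separates domains with full coverage, "partial" coverage and incorrect records. The following is an added example, not part of the original post or the survey's own tooling, of a per-domain check that makes the same distinctions. It assumes the certificate and SPKI DER bytes have already been extracted by an X.509 library, compares only DANE-EE (usage 3) records, and uses constructed host names and stand-in byte strings.

```python
import hashlib
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2

def well_formed(rr):
    """Syntax only: registered field values and a digest of the right length."""
    usage, selector, mtype, data = rr
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    return len(data) == DIGESTS[mtype]().digest_size if mtype else len(data) > 0

def ee_match(rr, cert_der, spki_der):
    """Does a DANE-EE (usage 3) record match the presented leaf certificate?"""
    _, selector, mtype, data = rr
    subject = spki_der if selector == 1 else cert_der
    return data == (DIGESTS[mtype](subject).digest() if mtype else subject)

def host_status(rrset, leaf):
    """leaf is (cert_der, spki_der), or None when the MX host is down."""
    if not rrset:
        return "uncovered"
    if not all(well_formed(rr) for rr in rrset):
        return "malformed"      # stricter than a client: flag any bad record
    if leaf is None:
        return "ok"             # dead host with well-formed TLSA: footnote [1]
    ee = [rr for rr in rrset if rr[0] == 3]
    if not ee:
        return "unchecked"      # other usages need the chain: not judged here
    return "ok" if any(ee_match(rr, *leaf) for rr in ee) else "mismatch"

def domain_status(hosts):
    """hosts maps MX name -> (rrset, leaf); returns (verdict, per-host status)."""
    per_host = {mx: host_status(rrset, leaf) for mx, (rrset, leaf) in hosts.items()}
    seen = set(per_host.values())
    if seen & {"malformed", "mismatch"}:
        return "broken", per_host
    if seen and seen <= {"ok", "unchecked"}:
        return "dane", per_host
    return ("partial" if seen - {"uncovered"} else "none"), per_host

# Constructed stand-ins for DER bytes; real input comes from an X.509 parser.
OLD, NEW = (b"old-cert-der", b"old-spki-der"), (b"new-cert-der", b"new-spki-der")

def tlsa311(leaf):  # build a "3 1 1" record (DANE-EE, SPKI, SHA-256)
    return (3, 1, 1, hashlib.sha256(leaf[1]).digest())

# mx1 published the next key before switching; mx2 switched without updating DNS.
SAMPLE = {
    "mx1.example.net": ([tlsa311(OLD), tlsa311(NEW)], NEW),
    "mx2.example.net": ([tlsa311(OLD)], NEW),
    "mx3.example.net": ([tlsa311(OLD)], None),
}
```

Calling `domain_status(SAMPLE)` reports the domain as broken because of mx2, while mx1 stays valid through the key change since both the current and the next key were published before the switch.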