dane-users
August 2022
- 2 participants
- 2 discussions
LetsDNS release 1.0.1 is now publicly available.
Website: https://letsdns.org
GitHub : https://github.com/LetsDNS/letsdns
PyPI : https://pypi.org/project/letsdns/
LetsDNS is a utility to manage DANE TLSA records in DNS servers with
only a few lines of configuration. It supports multiple domains with
multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like dehydrated or certbot. It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
-Ralph
1
0
Summary: The DANE domain count is now 3,584,050 (c.f. 3,553,159 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 19,130,407 (up from 18,845,352 last
month). Thus DANE TLSA is deployed on ~18.73% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.58 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                    Last Month
----------                    ----------
1236935 one.com               1241738 one.com
 280585 hostpoint.ch           279135 hostpoint.ch
 189107 infomaniak.ch          184346 mijndomein.nl
 184512 mijndomein.nl          176747 infomaniak.ch
 162755 transip.nl             162079 transip.nl
 159073 argewebhosting.nl      158826 argewebhosting.nl
 112570 hostnet.nl             112883 hostnet.nl
 107805 domeneshop.no          107551 domeneshop.no
 104255 jouwweb.nl             101152 jouwweb.nl
  96819 loopia.se               96925 loopia.se
  94919 webhostingserver.nl     95235 webhostingserver.nl
  77692 forpsi.com              77276 forpsi.com
  63160 zxcs.nl                 62102 zxcs.nl
  47265 active24.com            47236 active24.com
  40191 webreus.nl              40429 webreus.nl
  39451 antagonist.nl           39297 antagonist.nl
  34401 pcextreme.nl            34585 pcextreme.nl
  29158 protonmail.ch           28545 protonmail.ch
  27581 udmedia.de              27627 udmedia.de
  26543 web4u.cz                26577 web4u.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                  Last month
-----------                 ----------
10134 TOTAL                 10177 TOTAL
 3005 DE, Germany            2978 DE, Germany
 1894 NL, Netherlands        1890 NL, Netherlands
 1774 US, United States      1811 US, United States
  763 FR, France              763 FR, France
  356 GB, United Kingdom      362 GB, United Kingdom
  338 CZ, Czechia             340 CZ, Czechia
  235 FI, Finland             236 CA, Canada
  224 CA, Canada              232 FI, Finland
  156 AT, Austria             154 AT, Austria
  129 CH, Switzerland         130 CH, Switzerland
  127 SG, Singapore           126 SG, Singapore
  127 DK, Denmark             126 DK, Denmark
  110 SE, Sweden              115 SE, Sweden
  110 AU, Australia           108 AU, Australia
   56 PL, Poland               57 PL, Poland
   54 RU, Russia               56 JP, Japan
   54 JP, Japan                50 RU, Russia
   48 NO, Norway               50 HU, Hungary
   41 IE, Ireland              44 NO, Norway
   40 BR, Brazil               42 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                  Last month
----------                  ----------
 7968 TOTAL                  7936 TOTAL
 3557 NL, Netherlands        3552 NL, Netherlands
 2241 DE, Germany            2216 DE, Germany
  831 US, United States       801 US, United States
  347 FR, France              337 FR, France
  172 CZ, Czechia             193 CZ, Czechia
  149 GB, United Kingdom      163 GB, United Kingdom
   77 CH, Switzerland          74 FI, Finland
   76 FI, Finland              71 CA, Canada
   65 CA, Canada               59 CH, Switzerland
   54 AU, Australia            53 AU, Australia
   43 SE, Sweden               45 AT, Austria
   36 SG, Singapore            42 SE, Sweden
   36 JP, Japan                39 SG, Singapore
   35 AT, Austria              38 JP, Japan
   24 RU, Russia               27 RU, Russia
   21 NO, Norway               22 IE, Ireland
   20 DK, Denmark              19 DK, Denmark
   19 IE, Ireland              18 NO, Norway
   16 BR, Brazil               15 BR, Brazil
   12 LT, Lithuania            12 LT, Lithuania
There are 8,375 unique zones (8,342 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,725 (17,639 last
month). These cover 18,019 distinct MX hosts (17,929 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 702 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 410
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.58 million DANE domains, 13,921 (14,518 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2,442
(1,026 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
1270 unit.nmugroup.com
86 beta.itcomputers.eu
44 relay-1.rws.nl
43 relay-2.rws.nl
35 mx2.synetcon.net
26 fsn1-c04.xemo-net.de
19 mx1.mdbraber.com
15 artemis.strebsjig.net
14 e-vps.hacktheplanet.nl
12 mail.blanketmail.de
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,068 (1,408 last
month). The top 10 name server operators with problem domains are:
This Month                    Last month
----------                    ----------
  593 registrar-servers.com     591 registrar-servers.com
  402 worldnic.com              302 worldnic.com
  249 mijndomein.nl             245 mijndomein.nl
  138 axc.nl                    137 axc.nl
   77 ebola.cz                   79 ebola.cz
   60 openprovider.nl            46 psi-japan.net
   55 zihlmann.net               32 openprovider.nl
   41 psi-japan.net              30 made-easy.ch
   29 made-easy.ch               30 ispapi.net
   26 ns01.nl                    27 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Three of the domains, all of whose nameservers have broken denial of existence,
appear in the last 120 days of Google transparency reports:
urbtix.hk
mailazy.net
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
1
0
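An added example, not code from the list, the survey or LetsDNS: a monitoring check along the lines the survey post above recommends, which tests each MX host's published TLSA RRset against the certificate it serves and flags a pending key whose record is not yet published. The tuple layout, the verdict labels, the `next_spki` field and the byte strings standing in for DER data are assumptions made for this sketch, and only DANE-EE(3) records are handled.

```python
import hashlib

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2

def tlsa_matches(rr, cert_der, spki_der):
    """Check one DANE-EE TLSA RR (usage, selector, mtype, hex data) against a host."""
    usage, selector, mtype, data_hex = rr
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False                      # this sketch handles only usage 3
    try:
        want = bytes.fromhex(data_hex)
    except ValueError:
        return False                      # malformed association data
    blob = cert_der if selector == 0 else spki_der
    got = blob if mtype == 0 else DIGESTS[mtype](blob).digest()
    return got == want

def audit_host(host):
    """Return 'no-tlsa', 'mismatch', 'ok-next-missing' or 'ok' for one MX host."""
    rrset = host["tlsa"]
    if not rrset:
        return "no-tlsa"
    if not any(tlsa_matches(rr, host["cert"], host["spki"]) for rr in rrset):
        return "mismatch"
    nxt = host.get("next_spki")
    if nxt and not any(tlsa_matches(rr, b"", nxt) for rr in rrset if rr[1] == 1):
        return "ok-next-missing"          # deploying the next key now would break DANE
    return "ok"

def audit_domain(mx_hosts):
    """Domain verdict (labels are this example's own): 'broken', 'partial' or 'dane'."""
    states = {name: audit_host(h) for name, h in mx_hosts.items()}
    if "mismatch" in states.values():
        return "broken", states           # a host publishes TLSA that nothing matches
    if "no-tlsa" in states.values():
        return "partial", states          # only a subset of MX hosts is covered
    return "dane", states

def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()

# Constructed stand-ins for DER bytes; real input comes from the live SMTP handshake.
CERT, SPKI, NEXT_SPKI = b"cert-der", b"spki-der", b"next-spki-der"
SAMPLE = {
    "mx1.example.": {"tlsa": [(3, 1, 1, sha256_hex(SPKI)), (3, 1, 1, sha256_hex(NEXT_SPKI))],
                     "cert": CERT, "spki": SPKI, "next_spki": NEXT_SPKI},
    "mx2.example.": {"tlsa": [], "cert": CERT, "spki": SPKI},
}
```

`audit_domain(SAMPLE)` reports the constructed domain as partial, because `mx2.example.` publishes no TLSA records while `mx1.example.` matches and already has its next key published.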