August 2023
As you may be aware, I actively promote adoption of DANE SMTP, many
thanks to everyone who's moved forward with DANE SMTP deployment!
That said, I also always stress that, when deploying DANE SMTP,
*monitoring* must come first, and publishing of DANE TLSA records
second. If your DANE TLSA deployment is unmonitored, it will some day
fail, with you being the last to know that something is wrong when some
email fails to arrive on time or at all. Unmonitored security is a
ticking time-bomb.
Please implement monitoring of your DANE TLSA records vs. the live
certificate chain through regular probing of your MX hosts (I'd suggest
hourly if not more often for more critical servers). Of course you
also need to have good automation of the certificate rollover process
so that normally TLSA records aren't out of sync with the certificates
even during a rollover.
If you don't yet have monitoring in place, the below could be a useful
building block for your monitoring scripts.
The "danesmtp" shell (bash) function can take an optional explicit IP
address to connect to, so you can test each of the IP addresses of a
host in turn:
danesmtp () {
    local OPTIND=1 opt
    local -a rrs sslopts
    local rr i=0 host addr
    # -a probes one specific address of a (possibly multi-homed) MX host;
    # IPv6 literals are bracketed for openssl's -connect.
    while getopts a: opt; do
        case $opt in
        a) addr=$OPTARG
           case $addr in *:*) addr="[$addr]";; esac;;
        *) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
           return 1;;
        esac
    done
    shift $((OPTIND - 1))
    host=$1
    shift
    if [[ -z "$addr" ]]; then
        addr="$host"
    fi
    # -verify_return_error makes s_client exit non-zero when verification
    # fails, so the exit status can drive alerting; -dane_ee_no_namechecks
    # reflects SMTP DANE semantics, where DANE-EE(3) matches skip name checks.
    sslopts=(-starttls smtp -connect "$addr:25"
             -verify 9 -verify_return_error
             -dane_ee_no_namechecks -dane_tlsa_domain "$host")
    # Fetch the TLSA RRset: +nosplit keeps each record on one line, and the
    # grep keeps only well-formed "usage selector mtype hex" records (CNAME
    # targets and other noise from +short are dropped).
    rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
            grep -Ei '^[23] [01] [012] [0-9a-f]+$') )
    if (( ${#rrs[@]} == 0 )); then
        printf 'danesmtp: no TLSA records found for _25._tcp.%s\n' "$host" >&2
        return 1
    fi
    # Each record is four words; hand each one to openssl as a single argument.
    while (( i < ${#rrs[@]} - 3 )); do
        rr=${rrs[@]:$i:4}
        i=$((i+4))
        sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
    done
    # Send QUIT after the handshake so the probe terminates cleanly.
    ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
}
--
Viktor.
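The comparison step that such a monitoring script has to perform, written in Python as an added example (it is not code from this post or from the list): it parses TLSA records in the `dig +short +nosplit` line format the `danesmtp` function greps for and checks them against the certificate chain the MX host presented. It assumes the caller has already obtained each chain certificate as DER together with its SubjectPublicKeyInfo DER (for instance via `openssl s_client` and `openssl x509 -pubkey`); the byte strings in the demo are constructed stand-ins, not real certificates.

```python
import hashlib
import re
from typing import Dict, List, Sequence, Tuple

# One `dig +short +nosplit -t tlsa` line, in the form the post's grep accepts:
# "usage selector matching-type hexdata".
TLSA_LINE = re.compile(r"^([23]) ([01]) ([012]) ([0-9a-fA-F]+)$")
DerPair = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)

def parse_tlsa(dig_output: str) -> List[Tuple[int, int, int, bytes]]:
    """Parse dig +short output; skip non-RR lines (e.g. a CNAME target), as the grep does."""
    rrs = []
    for line in dig_output.splitlines():
        m = TLSA_LINE.match(line.strip())
        if m:
            rrs.append((int(m[1]), int(m[2]), int(m[3]), bytes.fromhex(m[4])))
    return rrs

def matching_data(selector: int, mtype: int, cert: DerPair) -> bytes:
    """Association data a TLSA record must carry to match this certificate."""
    selected = cert[0] if selector == 0 else cert[1]  # selector 0: full cert, 1: SPKI
    if mtype == 0:
        return selected
    if mtype == 1:
        return hashlib.sha256(selected).digest()
    return hashlib.sha512(selected).digest()  # matching type 2

def check_tlsa(dig_output: str, chain: Sequence[DerPair]) -> Dict[str, object]:
    """Compare the published RRset with the chain the MX host presented (leaf first).

    DANE-EE (usage 3) records must match the leaf, DANE-TA (usage 2) records some
    issuer in the chain.  Records matching nothing are reported: one may be the
    *next* key during a rollover, but if none matches at all, delivery fails.
    """
    matched, unmatched = [], []
    for usage, sel, mt, data in parse_tlsa(dig_output):
        candidates = chain[:1] if usage == 3 else chain[1:]
        hit = any(matching_data(sel, mt, c) == data for c in candidates)
        (matched if hit else unmatched).append((usage, sel, mt, data.hex()))
    if matched and not unmatched:
        status = "ok"
    elif matched:
        status = "warn"  # verifies today, but a stale or not-yet-live record exists
    else:
        status = "fail"  # no usable record: DANE-verifying senders will not deliver
    return {"status": status, "matched": matched, "unmatched": unmatched}

if __name__ == "__main__":
    # Constructed stand-ins for a real DER chain, so the check runs offline.
    leaf = (b"constructed leaf cert", b"constructed leaf spki")
    rrset = "3 1 1 " + matching_data(1, 1, leaf).hex() + "\n3 1 1 " + "00" * 32 + "\n"
    print(check_tlsa(rrset, [leaf])["status"])  # warn: one live record, one stale
```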
Summary: The DANE domain count is now 3,912,433 (cf. 3,884,225 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 22,903,540 (up from 22,676,526 last
month). Thus DANE TLSA is deployed on ~17.08% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.91 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                    Last Month
----------                    ----------
1333382 one.com               1324503 one.com
 299458 hostpoint.ch           296480 hostpoint.ch
 203039 infomaniak.ch          201194 infomaniak.ch
 171198 transip.nl             170591 transip.nl
 168858 mijndomein.nl          169148 mijndomein.nl
 146592 jouwweb.nl             145940 argewebhosting.nl
 144707 argewebhosting.nl      142604 jouwweb.nl
 132528 simply.com             133765 simply.com
 111147 hostnet.nl             111038 hostnet.nl
 109837 domeneshop.no          109875 domeneshop.no
 105606 loopia.se              105482 loopia.se
  91554 webhostingserver.nl     91989 webhostingserver.nl
  82952 forpsi.com              82865 forpsi.com
  73635 zxcs.nl                 72170 zxcs.nl
  42379 protonmail.ch           41229 protonmail.ch
  40463 antagonist.nl           40369 antagonist.nl
  40012 active24.com            40341 active24.com
  37765 webreus.nl              37912 webreus.nl
  30673 pcextreme.nl            30944 pcextreme.nl
  28631 xel.nl                  28694 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                 Last month
----------                 ----------
11268 TOTAL                11221 TOTAL
 3525 DE, Germany           3506 DE, Germany
 1889 NL, Netherlands       1883 NL, Netherlands
 1866 US, United States     1870 US, United States
  825 FR, France             803 FR, France
  444 CZ, Czechia            439 CZ, Czechia
  368 GB, United Kingdom     368 GB, United Kingdom
  264 FI, Finland            260 FI, Finland
  203 CA, Canada             207 CA, Canada
  198 AT, Austria            204 AT, Austria
  160 SE, Sweden             157 SE, Sweden
  149 CH, Switzerland        148 CH, Switzerland
  143 DK, Denmark            142 DK, Denmark
  141 AU, Australia          138 AU, Australia
  123 SG, Singapore          123 SG, Singapore
   85 PL, Poland              89 PL, Poland
   84 RU, Russia              83 RU, Russia
   65 JP, Japan               61 JP, Japan
   49 NO, Norway              49 NO, Norway
   48 BR, Brazil              42 BR, Brazil
   40 IT, Italy               41 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                 Last month
----------                 ----------
 8828 TOTAL                 8772 TOTAL
 3802 NL, Netherlands       3787 NL, Netherlands
 2564 DE, Germany           2551 DE, Germany
  847 US, United States      847 US, United States
  364 FR, France             360 FR, France
  183 GB, United Kingdom     184 CZ, Czechia
  177 CZ, Czechia            182 GB, United Kingdom
  115 FI, Finland            111 FI, Finland
   83 CA, Canada              81 CA, Canada
   80 SE, Sweden              73 SE, Sweden
   72 AU, Australia           71 AU, Australia
   65 CH, Switzerland         60 CH, Switzerland
   48 SG, Singapore           49 SG, Singapore
   48 AT, Austria             49 AT, Austria
   43 RU, Russia              38 JP, Japan
   42 JP, Japan               27 DK, Denmark
   30 RO, Romania             25 RU, Russia
   27 DK, Denmark             25 RO, Romania
   24 NO, Norway              24 NO, Norway
   19 BR, Brazil              21 UA, Ukraine
   18 IE, Ireland             18 IE, Ireland
There are 9,324 unique zones (9,245 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,191 (20,077 last
month). These cover 20,488 distinct MX hosts (20,367 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,028 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 562
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.91 million DANE domains, 14,246 (14,304 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,796
(1,660 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
148 mx1.systemhaus-ehst.de
138 mx2.dotxs.nl
110 mail.blueconsulting.cz
 69 mx1.risse.cloud
 35 mx1.mdbraber.com
 23 mx1.dtsmail.me
 23 fsn1-c04.xemo-net.de
 22 semark.dk
 19 web2.sys.ccs-baumann.de
 18 mail.sig-io.nl
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,539 (1,805 last
month). The top 10 name server operators with problem domains are:
This Month              Last month
----------              ----------
1131 neostrada.nl       1312 neostrada.nl
  94 worldnic.com         96 worldnic.com
  65 ebola.cz             66 ebola.cz
  39 openprovider.nl      47 epik.com
  16 dnssrv.nl            40 openprovider.nl
  15 sectigoweb.com       33 dnssrv.nl
  13 register.com         15 sectigoweb.com
  10 ispapi.net           14 register.com
   8 resolver.domains     10 ispapi.net
   8 axc.nl                9 axc.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports: