Hi Moritz
First of all - thanks (to all the article authors) for providing research in DANE deployments - it is very much appreciated.
I would however really wish that you compared the amount (in %) of mismanaged SMTP servers doing DANE to the in general amount (in %) of mismanaged SMTP servers. In order to provide some sort of “baseline”. My gut feeling is that the amount of mismanaged SMTP servers handling DANE is very very low, compared to the in general mismanaged SMTP servers.
I also hope that you have read and taken Viktor's remarks (regarding the initial paper from 2020) into account in the new version: http://dnssec-stats.ant.isi.edu/~viktor/usenix-security-dane-response.html
Since you mention Antagonist.nl in the report: Antagonist has been bought by Group.ONE: https://group.one/group-one-acquires-antagonist/
I had hoped that I had a chance to pull some statistics out of our one.com outbound mailservers, with some real % on errors that we see, and share, but unfortunately I simply haven’t had time. :-( It looks like the USENIX Security ’22 is in August - so that gives me some possibilities to look into that next year before the conference. :-)
Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com
On 29 Nov 2021, at 10.55, Moritz Müller via mailop mailop@mailop.org wrote:
Hi all,
A while ago we’ve asked the members of this mailing list to fill in a survey about DANE management. First of all: Thanks to everyone who filled in the survey!
We’ve processed the results which are now part of our paper “Under the Hood of DANE Mismanagement in SMTP”, which is going to be published at USENIX Security [1].
Overall, we see that the vast majority of domain names that outsource their SMTP server (which is the majority of all domain names) configure DANE correctly. Self-hosted SMTP servers, however, are misconfigured frequently. Especially keeping the TLSA records from a name server and certificates from an SMTP server synchronized is not straightforward.
You can read the full abstract and paper here [1].
— Moritz
[1] https://www.usenix.org/conference/usenixsecurity22/presentation/lee