Quick numbers update:
* Top 3 DANE domain MX host providers (in my survey, real numbers much higher). A significant jump in the transip numbers recently:
    5077 udmedia.de
    1281 mx.transip.email
     921 mx.nederhost.net
* Total DANE SMTP domains: 10780
* Total primary MX hosts: 1568
* Top 10 DANE TLDs:
    3856 com
    2162 de
    1333 net
    1100 nl
     541 org
     426 eu
     175 info
     139 be
     126 at
     114 ch
I've also noticed a growing presence of MX hosts of the form "box.example.com" with Let's Encrypt certificates and correctly rotated "3 1 1" TLSA records. These seem to be "mail in a box" deployments, that seem to just work. Kudos to the "mail in a box" folks.
And now to the subject of this message. Until quite recently, the number of domains with long-term incorrect records has been in the 10-15 range at any given time, out of a total of ~11,000 domains served by ~1600 MX hosts.
In the last few weeks I see an uptick of domains whose TLSA records become wrong and stay that way after sloppy key rotation. A noticeable fraction (though not the majority) of the problem domains have recently deployed "Let's Encrypt" certificates, without taking their TLSA records into account.
Please take care to handle key rotation correctly. In Postfix 3.1, which should be released soon (likely this month), there will with any luck be a new tool to help administrators manage keys, certificates, CSRs and TLSA records. I'll post pointers to documentation once this is available.
In the meantime, please don't forget:

https://dane.sys4.de/common_mistakes#3
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
http://tools.ietf.org/html/rfc7671#section-5.2
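As an added illustration of the key-rotation point above (this is not code from the post, from Postfix, or from any of the linked pages): a stdlib-only Python check that computes the "3 1 1" association data (DANE-EE, SubjectPublicKeyInfo, SHA-256) from a certificate and compares it with what the zone publishes, plus the pair of records to publish before a key swap. The certificates, SPKIs and key bits are constructed stand-ins, not real keys or real hosts.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV (definite lengths below 65536 suffice here)."""
    n = len(content)
    hdr = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + hdr + content

def der_children(buf):
    """Split a DER constructed value into (tag, inner_bytes, whole_tlv) triples."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, start = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:                                   # long-form length: next (length & 0x7F) bytes
            length, start = int.from_bytes(buf[start:start + (length & 0x7F)], "big"), start + (length & 0x7F)
        out.append((tag, buf[start:start + length], buf[pos:start + length]))
        pos = start + length
    return out

def spki_from_cert(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]  # Certificate -> tbsCertificate contents
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                                # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5][2]                                     # serial, signature, issuer, validity, subject, SPKI

def tlsa_3_1_1(cert_der):
    """Association data for a '3 1 1' TLSA record: SHA-256 over the SPKI, lowercase hex."""
    return hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

def tlsa_matches(cert_der, records):
    """True if any published (usage, selector, mtype, hexdata) record is a 3 1 1 match for the cert."""
    return any((u, s, m, d.lower()) == (3, 1, 1, tlsa_3_1_1(cert_der)) for u, s, m, d in records)

def rotation_records(current_cert, next_cert):
    """Publish BOTH digests before swapping keys; drop the old one only after the swap and TTL expiry."""
    return [(3, 1, 1, tlsa_3_1_1(current_cert)), (3, 1, 1, tlsa_3_1_1(next_cert))]

def fake_cert(spki):
    """Constructed, unsigned X.509 skeleton around a given SPKI (offline demo only, not a valid cert)."""
    empty = der(0x30, b"")
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + empty * 4 + spki)
    return der(0x30, tbs + empty + der(0x03, b"\x00"))

# Constructed SPKIs: id-ecPublicKey / P-256 algorithm identifier with arbitrary key bits (not real keys)
EC_ALG = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01") + der(0x06, b"\x2a\x86\x48\xce\x3d\x03\x01\x07"))
OLD_CERT = fake_cert(der(0x30, EC_ALG + der(0x03, b"\x00\x04" + b"\x11" * 200)))  # key currently in use
NEW_CERT = fake_cert(der(0x30, EC_ALG + der(0x03, b"\x00\x04" + b"\x22" * 200)))  # key after rotation
```

Checking `NEW_CERT` against a zone that still holds only the `OLD_CERT` digest reproduces the "sloppy rotation" failure the post describes; checking it against `rotation_records(OLD_CERT, NEW_CERT)` passes.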
I am now tracking 25 broken domains that show no sign that they are likely to be fixed soon:
f2h.at allispdv.com.br bebidaliberada.com.br comseo.com.br imagemdigital.com.br mypst.com.br prodnsbr.com.br simplesestudio.com.br solucoesglobais.com.br twsolutions.net.br 4nettech.com lastsip.com nevodnet.com zx.com bels.cz 1post.de 3nw.de neuhaus-city.de tsimnet.eu planissimo.fr castleturing.net linlab.net auxio.org konundrum.org www.co.tt
If anyone on this list either operates one of these, or knows the administrators, please help to get these resolved.
There are 11 more broken domains that are less than a week old; I am hoping some of those will be repaired in the near term, but a few may join the chronically-ill list.
If anyone on this list is in Brazil, perhaps there's a language barrier that's making it more difficult for .br sites to know what to do, or respond to notices of problems. It would be great if there were a .br version of dane.sys4.de with "common_mistakes" in Portuguese.