Today comcast.net published TLSA records for their MX hosts.
    comcast.net. IN MX 5 mx1.comcast.net.
    comcast.net. IN MX 5 mx2.comcast.net.
    _25._tcp.mx1.comcast.net. IN TLSA 3 1 1 90e2f742b459860c0bbf1343b5a36bc5842a3f45056d30bf25dbb475a62eca47
    _25._tcp.mx2.comcast.net. IN TLSA 3 1 1 c8cb2faa4c0b92cb3fd37e61eb4671744055f123c14c0dd31e8d92c379f9f8a3

    $ posttls-finger -c -Lsummary -o inet_protocols=ipv4 "[mx1.comcast.net]"
    posttls-finger: Verified TLS connection established to mx1.comcast.net[96.114.157.80]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)

    $ posttls-finger -c -Lsummary -o inet_protocols=ipv4 "[mx2.comcast.net]"
    posttls-finger: Verified TLS connection established to mx2.comcast.net[68.87.20.5]:25: TLSv1.2 with cipher DHE-RSA-AES256-SHA (256/256 bits)
Congratulations and thanks to Comcast. They are the first major US email provider to do so. Let's hope their lead will be followed by many others.
My ongoing survey has now found 9389 working DANE domains. Most of these are served by a few domain hosting providers:
    5230 udmedia.de
     955 nederhost.net
     354 transip.email
      47 mediaweb-it.net
      45 mailbox.org
      36 gr-webdesign.de
      32 core-networks.de
      32 wk-serv.net
      30 set-hosting.de
      30 dotplex.de

The actual number of DANE-enabled hosted domains is much larger; for example, udmedia alone reportedly has over 25 thousand. My lists of candidate domains to test are far from complete.
Of these 9389, there are now 28 domains (up from 27 yesterday now that comcast.net is live) that are "large enough" to be listed in Google's email transparency report:
    conjur.com.br        jpberlin.de          comcast.net          freebsd.org
    mypst.com.br         lrz.de               rrpproxy.net         ietf.org
    registro.br          posteo.de            t-2.net              isc.org
    societe.com          ruhr-uni-bochum.de   aanbodpagina.nl      netbsd.org
    t-2.com              tum.de               xs4all.nl            openssl.org
    bayern.de            unitymedia.de        debian.org           samba.org
    bund.de              lepartidegauche.fr   eu.org               torproject.org
On the "problem" front, the following DNS hosters still have some issues with correct DNSSEC "denial of existence":

    #Domains  Provider
    --------  ----------
          33  binero.se (resolution in progress)
          28  isphuset.no (issue acknowledged)
          15  axc.nl (notified)
          11  papaki.gr (notified)
           5  forpsi.net (notified)
And 10 "small" domains currently publish incorrect TLSA records:
    bebidaliberada.com.br   solucoesglobais.com.br   nevodnet.com   zx.com   1post.de
    geekify.de              wx0.de                   tsimnet.eu     konundrum.org   www.co.tt
If anyone reading this happens to know a usable contact for the above, please let them know their TLSA records need updates.
Finally, I have a list of ~97000 domains that have DNSSEC and at least one "primary" MX host with DNSSEC, but no TLSA records are published as yet. These domains are good candidates for DANE deployment; it is just a matter of deciding whether to use "3 1 1" end-entity records or "2 0 1" trust-anchor records, and documenting a key/cert rotation procedure:

    https://tools.ietf.org/html/rfc7671#section-5.1
    https://tools.ietf.org/html/rfc7671#section-5.2
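To make the "3 1 1" versus "2 0 1" choice concrete, here is an added example (not part of this post, and not Postfix or posttls-finger code) that shows what each record is a digest of, how a client matches a published RRset against the certificate chain an MX host presents, and what the RRset looks like during a "3 1 1" key rollover. It uses only the Python standard library: a small DER walker pulls the SubjectPublicKeyInfo out of a certificate (selector 1) or hashes the whole certificate (selector 0). The certificates are constructed placeholders with dummy keys and signature bytes (names like mx1.example.net and "Example Root CA" are assumptions), so the DANE-TA branch only demonstrates digest matching; a real client must additionally build and verify a PKIX path to the matched trust anchor.

```python
import hashlib

# Added example: DER handling, TLSA record generation and DANE digest matching
# (RFC 6698 / RFC 7671). The certificates are constructed placeholders.


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))


def der_read(buf, pos=0):
    """Decode the TLV starting at pos; return (tag, body, end offset)."""
    tag, first, hdr = buf[pos], buf[pos + 1], 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
        hdr += n
    else:
        length = first
    end = pos + hdr + length
    return tag, buf[pos + hdr:end], end


def spki_of(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (selector 1)."""
    _, cert, _ = der_read(cert_der)      # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs, _ = der_read(cert)           # TBSCertificate ::= SEQUENCE { ... }
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:                      # version [0] EXPLICIT is absent in v1 certs
        pos = nxt
    for _ in range(5):                   # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, end = der_read(tbs, pos)     # subjectPublicKeyInfo
    if tag != 0x30:
        raise ValueError("malformed certificate: SPKI not found")
    return tbs[pos:end]


def tlsa_data(cert_der, selector, mtype):
    """Association data: selector 0 = full cert, 1 = SPKI;
    matching type 0 = exact, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type")


def tlsa_record(owner, cert_der, usage, selector, mtype):
    return "%s IN TLSA %d %d %d %s" % (owner, usage, selector, mtype,
                                       tlsa_data(cert_der, selector, mtype).hex())


def parse_tlsa(line):
    """Parse a presentation-format TLSA record into (usage, selector, mtype, data)."""
    f = line.split()
    i = f.index("TLSA")
    usage, selector, mtype = (int(x) for x in f[i + 1:i + 4])
    return usage, selector, mtype, bytes.fromhex("".join(f[i + 4:]))


def dane_matches(records, chain):
    """Digest matching for the two usages used with SMTP (RFC 7671 5.1, 5.2):
    DANE-EE(3) must match the leaf; DANE-TA(2) must match an issuer certificate
    presented in the chain. PKIX path validation to a DANE-TA trust anchor is
    required in a real client and is deliberately omitted here."""
    for usage, sel, mt, data in records:
        if usage == 3 and tlsa_data(chain[0], sel, mt) == data:
            return True
        if usage == 2 and any(tlsa_data(c, sel, mt) == data for c in chain[1:]):
            return True
    return False


def rotation_records(owner, current_cert, next_cert):
    """Key rollover with fixed "3 1 1" parameters (RFC 7671 section 8.1): the
    record for the next key is published next to the current one, old RRsets
    are allowed to expire from caches, and only then is the new certificate
    deployed. Both records are live during the overlap."""
    return [tlsa_record(owner, c, 3, 1, 1) for c in (current_cert, next_cert)]


def toy_cert(subject_cn, key_blob, version3=True):
    """Constructed X.509 DER with placeholder key and signature bytes."""
    rsa = der_tlv(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption
    sha256rsa = der_tlv(0x06, bytes.fromhex("2a864886f70d01010b"))   # sha256WithRSA
    alg = der_seq(sha256rsa, der_tlv(0x05, b""))
    cn = der_seq(der_tlv(0x06, bytes.fromhex("550403")), der_tlv(0x0C, subject_cn.encode()))
    name = der_seq(der_tlv(0x31, cn))
    validity = der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z"))
    spki = der_seq(der_seq(rsa, der_tlv(0x05, b"")), der_tlv(0x03, b"\x00" + key_blob))
    parts = [der_tlv(0x02, b"\x01"), alg, name, validity, name, spki]
    if version3:
        parts.insert(0, der_tlv(0xA0, der_tlv(0x02, b"\x02")))
    return der_seq(der_seq(*parts), alg, der_tlv(0x03, b"\x00" * 33))


# Constructed sample chain: an MX host certificate, its successor after a key
# rotation, and the issuing CA (all placeholder material, not real keys).
CA_CERT = toy_cert("Example Root CA", b"CA-KEY-PLACEHOLDER")
MX_CERT = toy_cert("mx1.example.net", b"MX-KEY-PLACEHOLDER-1")
MX_CERT_NEXT = toy_cert("mx1.example.net", b"MX-KEY-PLACEHOLDER-2")
OWNER = "_25._tcp.mx1.example.net."

if __name__ == "__main__":
    for r in rotation_records(OWNER, MX_CERT, MX_CERT_NEXT):
        print(r)
    print(tlsa_record(OWNER, CA_CERT, 2, 0, 1))
```

The two designs differ in what has to change at rotation time: with "3 1 1" the RRset must be updated (ahead of time) every time the MX host's key changes, while with "2 0 1" the RRset stays fixed as long as the same CA certificate issues the replacement, but the MX host must then present that CA certificate in its chain or the record never matches.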
As always, don't forget:
    https://dane.sys4.de/common_mistakes#3
    https://dane.sys4.de/common_mistakes#6
    https://tools.ietf.org/html/rfc7671#section-8.1
    https://tools.ietf.org/html/rfc7671#section-8.4