I've gained access to the full zone files for .com/.net and a few of the newer gTLDs. This makes it possible to do a more comprehensive survey of DANE SMTP support.
The overall DANE domain count is now ~29800, but of course this is not a dramatic rise in adoption, rather an increase in the breadth of the survey. As expected the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top five are:

  16650  transip.nl
   6020  udmedia.de
   1110  nederhost.net
    663  ec-elements.com
    180  core-networks.de
  -----
  24623  TOTAL
The real numbers are surely larger, because I don't have access to the full zone data for any ccTLDs, and in particular .de and .nl.
There are 1850 unique zones in which the underlying MX hosts are found; this counts each of the above registrars as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
Of the 29800 domains, 336 have "partial" TLSA records that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, the domain is still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands at 50.
The number of domains with bad DNSSEC support is 262. The top 10 DNS providers (by broken domain count) are:
  41  isphuset.no
  36  tse.jus.br
  22  axc.nl
  21  active24.cz
  20  registrar-servers.com
  15  forpsi.net
  11  ovh.net
  11  cas-com.net
  11  bestregistrar.com
  10  shockmedia.nl
Forpsi have indicated they are working on a fix. Progress at isphuset.no (ultimately fsdata.se) is still stalled. If someone has working technical contacts at any of the others, please drop me a note.
The number of domains that at some point were listed in Gmail's transparency report is 57 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these 32 are in the most recent report:
The .br TLD still includes too large a fraction (10/50) of domains with incorrect TLSA RRs. This is a result of DNS hosting by registro.br, where TLSA records are easy to initially publish, but difficult to keep up to date.
If a registrar hosts the DNS, but does not operate the SMTP server, TLSA record support may do more harm than good unless an easy to use API is made available to update the TLSA records (interactive Web UIs don't qualify).
On Wed, May 04, 2016 at 07:27:19PM +0000, Viktor Dukhovni wrote:
> The overall DANE domain count is now ~29800, but of course this is not a dramatic rise in adoption, rather an increase in the breadth of the survey.
This count is now at 30976, primarily as new domains are added by the top hosting providers.
> As expected the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top five are:
>
>   16650  transip.nl
>    6020  udmedia.de
>    1110  nederhost.net
>     663  ec-elements.com
>     180  core-networks.de
>   -----
>   24623  TOTAL
The top 5 are now:
  17537  transip.nl
   6060  udmedia.de
   1113  nederhost.net
    683  ec-elements.com
    225  core-networks.de
  -----
  25618  TOTAL

> The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands at 50.

That count is now 60; the domains are below. If someone has better contacts than WHOIS for these, that'd be great.

> The number of domains with bad DNSSEC support is 262.
That's now 214.
> The top 10 DNS providers (by broken domain count) are:

  34  isphuset.no
  19  axc.nl
  12  registrar-servers.com
  11  cas-com.net
  11  active24.cz
  10  netcup.net
   8  forpsi.net
   5  pfsc.com
   5  ovh.net
   5  metaregistrar.nl
The folks at netcup.net have just reached out, with a bit of luck that'll be resolved in the not too distant future.
> Forpsi have indicated they are working on a fix. Progress at isphuset.no (ultimately fsdata.se) is still stalled. If someone has working technical contacts at any of the others, please drop me a note.
Still looking for contacts for the other hosting providers.
> The number of domains that at some point were listed in Gmail's transparency report is 57 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain).
That's now 60.
> Of these 32 are in the most recent report:
That's now 33, with the addition of unitymedia.de.
> The .br TLD still includes too large a fraction (10/50) of domains with incorrect TLSA RRs. This is a result of DNS hosting by registro.br, where TLSA records are easy to initially publish, but difficult to keep up to date.
They've acknowledged my request to drop support for TLSA RRs for the free hosted domains, where there's no easy way to keep the records current. Whether they'll take action on that is not yet clear.
On Wed, May 25, 2016 at 08:45:17AM +0000, Viktor Dukhovni wrote:
>> The number of domains with bad DNSSEC support is 262.
>
> That's now 214.
And now down to 204, because:
>   10  netcup.net
>
> The folks at netcup.net have just reached out, with a bit of luck that'll be resolved in the not too distant future.

Problem fixed within a day of the report. It'd be great if other operators were equally responsive.
On Wed, May 04, 2016 at 07:27:19PM +0000, Viktor Dukhovni wrote:
> I've gained access to the full zone files for .com/.net and a few of the newer gTLDs. This makes it possible to do a more comprehensive survey of DANE SMTP support.
Now also .org, and the freely available .se/.nu TLDs, plus some other data sources.
> The overall DANE domain count is now ~29800, but of course this is not a dramatic rise in adoption, rather an increase in the breadth of the survey.
Similarly, while the domain count is now ~59300, the bulk of the rise is due to the broader survey.
> in bulk for the domains they host. The top five are:
>
>   16650  transip.nl
>    6020  udmedia.de
>    1110  nederhost.net
>     663  ec-elements.com
>     180  core-networks.de
>   -----
>   24623  TOTAL
The new top five counts are:
  31298  transip.nl
  15124  udmedia.de
   1799  bhosted.nl
   1264  nederhost.net
    903  ec-elements.com
  -----
  50388  TOTAL

> There are 1850 unique zones in which the underlying MX hosts are found; this counts each of the above registrars as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The new zone count is 2212. The number of distinct certificates presented by DANE TLSA SMTP servers is 2165.
> Of the 29800 domains, 336 have "partial" TLSA records that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, the domain is still vulnerable to the usual active attacks via the remaining MX hosts.
The partial implementations now number 509.
> The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands at 50.
This number has proved reasonably stable, and stands at 53. Notable among these are 25 long-standing problem domains served by just 6 MX hosts that have non-matching TLSA records:
and 7 more that publish TLSA records, but don't offer STARTTLS:
lojabrum.com.br gazonk.org xorcist.org gestccon.com.br myhead.org bofjall.se skrivkramp.org
> The number of domains with bad DNSSEC support is 262. The top 10 DNS providers (by broken domain count) are:
>
>   41  isphuset.no
>   36  tse.jus.br
>   22  axc.nl
>   21  active24.cz
>   20  registrar-servers.com
>   15  forpsi.net
>   11  ovh.net
>   11  cas-com.net
>   11  bestregistrar.com
>   10  shockmedia.nl

The count of DNSSEC problem domains now stands at 736, mostly because I've found a lot more isphuset.no domains. The upstream DNS provider for isphuset.no has finally responded, and promised to deal with this shortly; we'll see what happens!

  409  isphuset.no
   34  infracom.nl
   28  axc.nl
   23  registrar-servers.com
   19  loopia.se
   15  forpsi.net
   13  metaregistrar.nl
   12  cas-com.net
   12  active24.cz
    9  jsr-it.nl
I also have a new contact for axc.nl, perhaps that too will progress in the near future.
> The number of domains that at some point were listed in Gmail's transparency report is 57 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain).
This number is now 71.
> Of these 32 are in the most recent report:
The "most recent report" number is quite variable, because on some days the transparency report includes a lot fewer domains than others. Still, this does give some sense of the "freshness" of this status. Today, that number is 33:
> The .br TLD still includes too large a fraction (10/50) of domains with incorrect TLSA RRs. This is a result of DNS hosting by registro.br, where TLSA records are easy to initially publish, but difficult to keep up to date.
The .br registrar has taken positive steps to improve the situation, and I am now tracking just 2 broken .br domains.
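The survey categories used in the messages above (full versus partial MX coverage, TLSA records that don't match the key the MX host presents, and TLSA records published for a host that doesn't offer STARTTLS), as an added Python example that is not part of this thread. Host names and SPKI bytes are constructed, and only the DANE-EE(3)/SPKI(1)/SHA-256(1) TLSA form that RFC 7672 recommends for SMTP is checked.

```python
import hashlib
from dataclasses import dataclass

@dataclass
class MxHost:
    name: str
    starttls: bool  # server advertises STARTTLS
    spki: bytes     # DER SubjectPublicKeyInfo presented in the TLS handshake

@dataclass
class Tlsa:         # one TLSA RR: usage, selector, matching type, association data
    usage: int
    selector: int
    mtype: int
    data: bytes

def tlsa_matches(rec: Tlsa, host: MxHost) -> bool:
    """DANE-EE(3)/SPKI(1)/SHA-256(1) per RFC 7672; other combinations count as no match (assumption)."""
    if (rec.usage, rec.selector, rec.mtype) != (3, 1, 1):
        return False
    return hashlib.sha256(host.spki).digest() == rec.data

def classify(mx_hosts: list, tlsa: dict) -> str:
    """Map a domain's MX set and TLSA RRsets onto the survey's categories;
    tlsa maps an MX host name to the TLSA records found at _25._tcp.<host>."""
    covered = [h for h in mx_hosts if tlsa.get(h.name)]
    if not covered:
        return "no-dane"
    for h in covered:
        if not h.starttls:                      # TLSA published, no STARTTLS
            return "tlsa-but-no-starttls"
        if not any(tlsa_matches(r, h) for r in tlsa[h.name]):
            return "tlsa-mismatch"              # records don't match live key
    # An MX host with no TLSA records stays downgradable: coverage is partial.
    return "full" if len(covered) == len(mx_hosts) else "partial"

def survey_examples() -> dict:
    """Constructed sample domains (fake SPKI bytes, fake host names), one per category."""
    new, old = b"spki-after-rollover", b"spki-before-rollover"
    rr = lambda key: [Tlsa(3, 1, 1, hashlib.sha256(key).digest())]
    ok = MxHost("mx1.example.test", True, new)
    stale = MxHost("mx2.example.test", True, new)   # key rolled, TLSA not updated
    notls = MxHost("mx3.example.test", False, new)
    bare = MxHost("mx4.example.test", True, new)    # no TLSA records at all
    return {
        "full": classify([ok], {ok.name: rr(new)}),
        "partial": classify([ok, bare], {ok.name: rr(new)}),
        "tlsa-mismatch": classify([stale], {stale.name: rr(old)}),
        "tlsa-but-no-starttls": classify([notls], {notls.name: rr(new)}),
    }
```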
On Tue, Sep 13, 2016 at 01:59:42AM +0000, Viktor Dukhovni wrote:
> The count of DNSSEC problem domains now stands at 736, mostly because I've found a lot more isphuset.no domains. The upstream DNS provider for isphuset.no has finally responded, and promised to deal with this shortly; we'll see what happens!
>
>   409  isphuset.no
Perhaps I should have waited a few hours longer before posting. I just got news from isphuset.no that after a nameserver upgrade all their domains are fixed. I've verified that this is indeed the case. So the total DNSSEC trouble count now stands at a more modest 327 domains. And the remaining top 10 all host a much more modest number of problem domains (typically corner-cases involving wildcard records, ...):
  34  infracom.nl
  28  axc.nl
  23  registrar-servers.com
  19  loopia.se
  15  forpsi.net
  13  metaregistrar.nl
  12  cas-com.net
  12  active24.cz
   9  jsr-it.nl
   8  ignum.com
I expect to see some of these resolved in the next few months.
participants (1): Viktor Dukhovni