NEWSFLASH: DANE TLSA records published for web.de!
The web.de domain has just published DANE TLSA records for its MX hosts:
web.de. IN MX 100 mx-ha02.web.de. ; AD=1
_25._tcp.mx-ha02.web.de. IN TLSA 3 1 1 409c9e91a2a9f4d7881dbf0094b3839d4343a4a57d9bf559fdeb0c1f4c5b8b3e ; passed
  Subject = CN=mx-ha02.web.de,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
  Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
  Inception = 2014-07-22T11:21:46Z
  Expiration = 2017-07-27T23:59:59Z

web.de. IN MX 100 mx-ha03.web.de. ; AD=1
_25._tcp.mx-ha03.web.de. IN TLSA 3 1 1 33fccf0e82584b6133cf18d24ae592cc6cbc9cfcab13291a5585a2b20a30eb19 ; passed
  Subject = CN=mx-ha03.web.de,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
  Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
  Inception = 2014-07-22T11:22:46Z
  Expiration = 2017-07-27T23:59:59Z
This is a major milestone in DANE adoption.
Quoting Viktor Dukhovni <ietf-dane@dukhovni.org>:
> The web.de domain has just published DANE TLSA records for its MX hosts:
>
> web.de. IN MX 100 mx-ha02.web.de. ; AD=1
> _25._tcp.mx-ha02.web.de. IN TLSA 3 1 1 409c9e91a2a9f4d7881dbf0094b3839d4343a4a57d9bf559fdeb0c1f4c5b8b3e ; passed
>   Subject = CN=mx-ha02.web.de,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
>   Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
>   Inception = 2014-07-22T11:21:46Z
>   Expiration = 2017-07-27T23:59:59Z
>
> web.de. IN MX 100 mx-ha03.web.de. ; AD=1
> _25._tcp.mx-ha03.web.de. IN TLSA 3 1 1 33fccf0e82584b6133cf18d24ae592cc6cbc9cfcab13291a5585a2b20a30eb19 ; passed
>   Subject = CN=mx-ha03.web.de,emailAddress=server-certs@1und1.de,L=Montabaur,ST=Rhineland-Palatinate,O=1&1 Mail & Media GmbH,C=DE
>   Issuer = CN=TeleSec ServerPass DE-2,street=Untere Industriestr. 20,L=Netphen,postalCode=57250,ST=Nordrhein Westfalen,OU=T-Systems Trust Center,O=T-Systems International GmbH,C=DE
>   Inception = 2014-07-22T11:22:46Z
>   Expiration = 2017-07-27T23:59:59Z
>
> This is a major milestone in DANE adoption.
I wonder if the rest of the "United Internet" brands will follow soon. With gmx.de and web.de this company is responsible for around 50% of the non-commercial German e-mail traffic. It looks like they also switched their US-based brand mail.com to use DANE (https://dane.sys4.de/smtp/mail.com).
Regards
Andreas
* lst_hoe02@kwsoft.de <lst_hoe02@kwsoft.de>:
> Quoting Viktor Dukhovni <ietf-dane@dukhovni.org>:
>> This is a major milestone in DANE adoption.
>
> I wonder if the rest of the "United Internet" brands will follow soon. With gmx.de and web.de this company is responsible for around 50% of the non-commercial German e-mail traffic. It looks like they also switched their US-based brand mail.com to use DANE (https://dane.sys4.de/smtp/mail.com).
Like other German mail providers who want their platform to be BSI certified, they are/will be required to DANE enable their SMTP service.
They are among the first to adopt the requirements laid out in https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Publikationen/Technische.... I certainly hope many others will follow.
p@rick
Hi,
it seems that GMX will start publishing DANE TLSA records within the next few hours. DNSSec records were published yesterday. web.de had a delay of less than 48 hours between publishing DNSSec and TLSA, I think it will be the same at GMX (both are part of United Internet).
Regards
Andreas
On Thu, Apr 21, 2016 at 01:05:11PM +0200, Andreas Pothe wrote:
> it seems that GMX will start publishing DANE TLSA records within the next few hours. DNSSec records were published yesterday. web.de had a delay of less than 48 hours between publishing DNSSec and TLSA, I think it will be the same at GMX (both are part of United Internet).
Yes:
https://www.ietf.org/mail-archive/web/uta/current/msg01511.html
So to the small number of domains with incorrect TLSA records, please fix or delete them, otherwise you're just losing email and causing grief to senders.
If anyone knows the administrators of any of the above, please give them a not so gentle nudge.
On the DNSSEC front, still waiting on isphuset.no (nudged them again), and a few others to fix either non-response to TLSA queries, or incorrect "authenticated denial of existence":
Problem domains | DNS provider
             41 | isphuset.no
             22 | axc.nl
             15 | tse.jus.br
             11 | active24.cz
             10 | forpsi.net
              8 | netcup.net
              5 | shockmedia.nl
Note that for some of the above providers (like forpsi) the observed problems are edge-cases, with most domains working fine. Still, it would be great to have these issues resolved.
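Added example, not part of the original thread: a minimal check of the kind an operator can run to see whether a published TLSA record (such as the "3 1 1" records above) still matches the certificate the MX host presents, here showing that a "3 1 1" record keeps matching after a renewal that reuses the key while a "3 0 1" record does not. The function names are hypothetical and the certificates are constructed toy DER structures, not real certificates or keys.

```python
import hashlib

def tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, end)."""
    tag, length, start = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[start:start + n], "big")
        start += n
    return tag, start, start + length

def spki_of(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = tlv(cert, 0)               # enter Certificate
    _, pos, _ = tlv(cert, pos)             # enter tbsCertificate
    tag, _, end = tlv(cert, pos)
    if tag == 0xA0:                        # skip optional [0] version
        pos = end
    for _field in range(5):                # serial, sigalg, issuer, validity, subject
        _, _, pos = tlv(cert, pos)
    return cert[pos:tlv(cert, pos)[2]]

def tlsa_matches(cert, selector, mtype, data_hex):
    """RFC 6698 comparison of a certificate against TLSA association data."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector or matching type")
    selected = cert if selector == 0 else spki_of(cert)   # 0 = full cert, 1 = SPKI
    if mtype == 1:
        selected = hashlib.sha256(selected).digest()
    elif mtype == 2:
        selected = hashlib.sha512(selected).digest()
    return selected == bytes.fromhex(data_hex)

# --- constructed sample data (toy DER, not a real certificate or key) ---
def der(tag, body):
    return bytes([tag, len(body)]) + body  # short-form lengths only

SAMPLE_SPKI = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + bytes(range(32))))

def sample_cert(serial):
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + der(0x30, b"") * 4 + SAMPLE_SPKI)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

def renewal_outcome():
    """Renewed cert (same key) checked against old '3 1 1' and '3 0 1' records."""
    old, new = sample_cert(1), sample_cert(2)
    rec_311 = hashlib.sha256(SAMPLE_SPKI).hexdigest()
    rec_301 = hashlib.sha256(old).hexdigest()
    return tlsa_matches(new, 1, 1, rec_311), tlsa_matches(new, 0, 1, rec_301)
```

For a real host, pass the DER certificate from the SMTP STARTTLS handshake to `tlsa_matches` together with the selector, matching type and hex data of the published record.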
participants (4): Andreas Pothe, lst_hoe02@kwsoft.de, Patrick Ben Koetter, Viktor Dukhovni