As of today I count 169812 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
69614 domeneshop.no 59404 transip.nl 18372 udmedia.de 6733 bhosted.nl 1831 nederhost.net 997 ec-elements.com 501 core-networks.de 339 bit.nl 334 omc-mail.com 309 uvt.nl
[ The 365 "networking4all.net" domains from last month are gone, because they got bought by metaregistrar.nl and the new MX hosts are not in DNSSEC signed zones. Otherwise, the total would now have been over 170000. ]
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de.
There are 2567 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2667) of distinct MX host server certificates that support the same ~169000 domains.
A related number is 3818 TLSA RRsets found for MX host TCP port 25. This includes secondary MX hosts and domains none of whose primary MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's email transparency report is 108 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 54 are in recent reports:
anubisnetworks.com gmx.de posteo.de asf.com.pt gmx.net registro.br asp4all.nl hr-manager.net ruhr-uni-bochum.de bayern.de ietf.org samba.org bhosted.nl isc.org solvinity.com bund.de jpberlin.de t-2.com comcast.net lrz.de t-2.net dd24.net mail.com t-2.si debian.org mail.de torproject.org domeneshop.no netbsd.org trashmail.com elster.de nic.br tum.de enron.email nic.cz uni-erlangen.de fau.de octopuce.fr unitymedia.de freebsd.org open.ch web.de gentoo.org openssl.org webcruitermail.no gmx.at ouderportaal.nl xfinity.com gmx.ch overheid.nl xs4all.net gmx.com pathe.nl xs4all.nl
Of the ~169000 domains, 749 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 93. The list of the 54 underlying MX hosts that serve these domains and whose TLSA records don't match reality.
Hall of Shame:
mail.dipietro.id.au mail.enzevalos.de dorothy.goldenhairdafo.ne eumembers.stansoft.bg hmserver.de hs.kuzenkov.net catabra.com.br mail.manima.de oostergo.net server29.prazernavida.com www.mtg.de ren.warunek.net mail.pgp.inf.br mx1.spamsponge.de cinnamon.nl my.mai1.ch mail.0pc.eu mail.e-rave.nl alpaca.attackllama.com gamepixel.eu mail.jekuiken.nl mail.danmolik.com mx.quentindavid.fr mail.myzt.nl mail.digitalwebpros.com servmail.fr bounder.steelyard.nl demo.liveconfig.com mail.nonoserver.info mx.wm.net.nz ny-do.pieterpottie.com mx.datenknoten.me beerstra.org diablo.sgt.com mx.giesen.me smtp.copi.org tusk.sgt.com smtp.aechelon.net eumembers.datacentrix.org mx1.wittsend.com mail.castleturing.net smtp3.amadigi.ovh mx.bels.cz mail.d3fy.net mail.pasion.ro gaia.nfx.cz datawebb.dafcorp.net mail.lahl.rocks badf00d.de anubis.delphij.net protector.rajmax.si mail.denniseffing.de goldenhairdafo.net email.themcintyres.us
The number of domains with bad DNSSEC support is 438. The increase is due to a comprehensive scan of all 4.6 million DNSSEC domains in the survey, previously some parts of the survey did not record SERVFAIL results.
the top 10 DNS providers with problem domains are:
68 jsr-it.nl 58 infracom.nl - Was slated to be resolved in March, delayed... 27 is.nl 24 active24.cz 23 tiscomhosting.nl 18 metaregistrar.nl 15 rdw.nl 10 firstfind.nl 9 cas-com.net 8 loopia.se
Around 50 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries. Only 6 of these DNS-broken domains appear in historical Google Email transparency reports:
rzd.ru tse.jus.br tiviths.com.br trt1.jus.br trtrj.jus.br tjce.jus.br
The associated DNS lookup issues are:
_25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/ _25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/ _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/ _25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/ _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/ _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/ _25._tcp.mx2.tjce.jus.br. IN TLSA ? ; SOA signature failure: http://dnsviz.net/d/_25._tcp.mx2.tjce.jus.br/dnssec/
[ See https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08, Much of the TLSA non-response issue seems to be related to a "feature" of Arbor Networks firewalls, that enables droping of DNS requests for all but the most common RRtypes. Do not make the mistake of enabling this firewall "feature". ]
The oldest outstanding DNS issue is another SOA signature issue at truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about and take the time to resolve the problem.
On Sun, May 28, 2017 at 07:05:31PM +0000, Viktor Dukhovni wrote:
As of today I count 169812 domains with correct DANE TLSA records
The updated total for this month (still May 31 as I write this) is 171321 DANE-enabled domains.
The top 10 MX host providers by domain count are:
Updated:
69572 domeneshop.no 59498 transip.nl 18376 udmedia.de 6730 bhosted.nl 1834 nederhost.net 1012 networking4all.net 1001 ec-elements.com 502 core-networks.de 371 yourdomainprovider.net 339 bit.nl
[ The 365 "networking4all.net" domains from last month are gone ] because they got bought by metaregistrar.nl and the
All are now back, and many new ones along with them. The "yourdomainprovider.net" domains are also from the same combined company, so they now host around ~1400 DANE domains.
The number of domains that at some point were listed in Gmail's email transparency report is 108
This is now 110.
The number of domains with bad DNSSEC support is 438.
This has fallen to 404. As is.nl has addressed the bulk of their problem domains.
participants (1)
-
Viktor Dukhovni