As of today I count 171460 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
69368 domeneshop.no 59835 transip.nl 18351 udmedia.de 6665 bhosted.nl 1820 nederhost.net 1007 ec-elements.com 1001 networking4all.net 514 core-networks.de 375 omc-mail.com 364 yourdomainprovider.net
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de.
There are 2615 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2707) of distinct MX host server certificates that support the same ~171000 domains.
A related number is 3955 TLSA RRsets found for MX host TCP port 25. This includes secondary MX hosts and domains none of whose primary MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's email transparency report is 111 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 54 are in recent reports:
anubisnetworks.com gmx.net posteo.de asf.com.pt hr-manager.net registro.br asp4all.nl ietf.org ruhr-uni-bochum.de bayern.de isc.org samba.org bund.de jpberlin.de solvinity.com comcast.net lrz.de t-2.net dd24.net mail.com tilburguniversity.ed debian.org mail.de torproject.org domeneshop.no mpssec.net trashmail.com elster.de netbsd.org tum.de enron.email nic.br uni-erlangen.de fau.de octopuce.fr unitymedia.de freebsd.org open.ch uvt.nl gentoo.org openssl.org web.de gmx.at otvi.nl webcruitermail.no gmx.ch ouderportaal.nl xfinity.com gmx.com overheid.nl xs4all.net gmx.de pathe.nl xs4all.nl
Of the ~171000 domains, 835 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 108. Below is a list of the 53 underlying MX hosts that serve these domains and whose TLSA records don't match reality:
Hall of Shame:
mail.dipietro.id.au mx1.spamsponge.de dorothy.goldenhairdafo.net eumembers.stansoft.bg smtp2.strotmann.de oostergo.net catabra.com.br mx.thorko.de cinnamon.nl mail.pgp.inf.br smtp.flipmail.es mail.e-rave.nl mail.danmolik.com mail.0pc.eu mail.jekuiken.nl mail.digitalwebpros.com gamepixel.eu mail.myzt.nl demo.liveconfig.com mx.quentindavid.fr bounder.steelyard.nl intranet.nctechcenter.com servmail.fr beerstra.org ny-do.pieterpottie.com mail.nonoserver.info eumembers.datacentrix.org diablo.sgt.com mail.bax.is smtp3.amadigi.ovh tusk.sgt.com mail.lsd.is itaskmanager.ovh mx1.wittsend.com mail.laukas.lt mail.pasion.ro mx.bels.cz mx.datenknoten.me mail.lahl.rocks gaia.nfx.cz mx.giesen.me puggan.se badf00d.de mail.castleturing.net mail.rostit.se mail.denniseffing.de mail.culm.net protector.rajmax.si mail.manima.de datawebb.dafcorp.net email.themcintyres.us www.mtg.de anubis.delphij.net
The number of domains with bad DNSSEC support is 423. The top 10 DNS providers with problem domains are:
68 jsr-it.nl 53 infracom.nl - Was slated to be resolved in March, delayed... 25 tiscomhosting.nl 25 active24.cz 15 rdw.nl 15 firstfind.nl 11 loopia.se 10 metaregistrar.nl 9 cas-com.net 8 ovh.net 7 ignum.com
Around 50 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries. Only 6 of the DNS-broken domains appear in historical Google Email transparency reports:
tiviths.com.br tre-sp.jus.br trt1.jus.br trtrj.jus.br tse.jus.br rzd.ru
The associated DNS lookup issues are:
_25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/ _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/ _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/ _25._tcp.dexter.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.dexter.tse.jus.br/dnssec/ _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/ _25._tcp.mandark.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mandark.tse.jus.br/dnssec/ _25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/ _25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/
[ See https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08, Much of the TLSA non-response issue seems to be related to a "feature" of Arbor Networks firewalls, that enables droping of DNS requests for all but the most common RRtypes. Do not make the mistake of enabling this firewall "feature". ]
The oldest outstanding DNS issue is another SOA signature issue at truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about and take the time to resolve the problem.
participants (1)
-
Viktor Dukhovni