Summary: Mostly the same as last month, but new code made possible more comprehensive coverage of domains with DNS issues. As a result, the number of reported DNS issues has increased by almost 75%. This is not an actual surge in DNS problems, rather just better reporting of the existing (still improving) landscape.
The number of DANE-enabled domains that have also been sighted on Google's email transparency report has increased from 114 to 115, while the number of DNS zones with TLSA-enabled primary MX hosts has increased from 2668 to 2708. The domain count has increased from 171738 to 172205.
A new type of TLSA record mismatch is starting to show up, so far on just two MX hosts. Their RSA certificate chains match their TLSA records, but their ECDSA certificate chains do not:
https://mail.sys4.de/pipermail/dane-users/2017-August/000416.html https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
As of today I count 172205 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
68968 domeneshop.no 60617 transip.nl 18365 udmedia.de 6576 bhosted.nl 1809 nederhost.net 1331 yourdomainprovider.net 1003 ec-elements.com 517 core-networks.de 378 omc-mail.com 326 bit.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.de.
There are 2708 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2933) of distinct MX host server certificates that support the same ~172000 domains.
A related number is 3585 matching TLSA RRsets found SMTP MX hosts. These cover 3708 distinct MX hosts (some of which clearly employ a shared certificate).
The number of domains that at some point were listed in Gmail's email transparency report is 115 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 59 are in recent reports:
gmx.at jpberlin.de ouderportaal.nl travelbirdbelgie.be lrz.de overheid.nl nic.br mail.de pathe.nl registro.br posteo.de xs4all.nl gmx.ch ruhr-uni-bochum.de domeneshop.no open.ch tum.de webcruitermail.no switch.ch uni-erlangen.de debian.org anubisnetworks.com unitymedia.de freebsd.org gmx.com web.de gentoo.org mail.com egmontpublishing.dk ietf.org solvinity.com enron.email isc.org trashmail.com octopuce.fr netbsd.org xfinity.com comcast.net openssl.org xfinityhomesecurity.com dd24.net samba.org bayern.de gmx.net torproject.org bund.de hr-manager.net asf.com.pt elster.de mpssec.net minmyndighetspost.se fau.de t-2.net skatteverket.se freenet.de xs4all.net t-2.si gmx.de asp4all.nl
Of the ~172000 domains, 811 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 111. Below is a list of the 69 underlying MX hosts that serve these domains and whose TLSA records don't match reality:
Hall of Shame:
mail.dipietro.id.au mutt.lsexperts.de wfbrace.net eumembers.stansoft.bg mail.manima.de mx2.wfbrace.net mail.gna.ch mx1.spamsponge.de mx2.cbrace.nl andbraiz.com mx.thorko.de mx3.cbrace.nl mail.digitalwebpros.com mail.0pc.eu cinnamon.nl mail.itsmine.com webmail.kassoft.eu smtp1.gblt.nl demo.liveconfig.com mx.quentindavid.fr mail.initfour.nl mx04.mykolab.com servmail.fr smtp1.lococensus.nl intranet.nctechcenter.com upc.dircon.hu mail.myzt.nl ny-do.pieterpottie.com mail.demongeot.info nuj-netherlands.nl ma.qbitnet.com mail.nonoserver.info mx2.nuj-netherlands.nl diablo.sgt.com kd2.io mail.solarisinternetgroep.nl tusk.sgt.com node2.mxbackup.io bounder.steelyard.nl stmics01.smia-automotive.com mail.laukas.lt vanderbijlict.nl stmics02.smia-automotive.com mx.datenknoten.me mail.abanto-zierbena.org erg.verweg.com mx.giesen.me beerstra.org mx.bels.cz rootbox.me smtp.copi.org gaia.nfx.cz lima.ahrain.net eumembers.datacentrix.org mail.seslost.cz mail.castleturing.net smtp3.amadigi.ovh mail.3c7.de horse.cherrypet.net mail.pasion.ro mail.afaul.de mail.efflam.net mail.familie-sander.rocks awesome-mail.de hs.kuzenkov.net mail.rostit.se mail.denniseffing.de oostergo.net protector.rajmax.si
The number of domains with bad DNSSEC support is 649. Most of the increase is from accenture.com domains, almost all likely parked, so the actual impact on email delivery is probably small to none. The top 10 name server operators with problem domains are:
145 accenture.com 61 jsr-it.nl 26 tiscomhosting.nl 26 active24.cz 21 firstfind.nl 18 bradesco.com.br 17 usda.gov 10 rotterdam.nl 10 loopia.se 10 fde.dk
Around 79 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries. Only 5 of the DNS-broken domains appear in historical Google Email transparency reports:
tiviths.com.br tre-ce.jus.br tre-sp.jus.br tse.jus.br nsysu.edu.tw
The associated DNS lookup issues are:
_25._tcp.mailhost.bncr.fi.cr. IN TLSA ? ; ServFail _25._tcp.barracuda.nsysu.edu.tw. IN TLSA ? ; ServFail _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; timeout _25._tcp.mx.tiviths.com.br. IN TLSA ? ; timeout _25._tcp.mandark.tse.jus.br. IN TLSA ? ; timeout _25._tcp.dexter.tse.jus.br. IN TLSA ? ; timeout
[ See https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08, Much of the TLSA non-response issue seems to be related to a "feature" of Arbor Networks firewalls, that enables droping of DNS requests for all but the most common RRtypes. Do not make the mistake of enabling this firewall "feature". ]
The oldest outstanding DNS issue is another SOA signature issue at truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about and take the time to resolve the problem.
participants (1)
-
Viktor Dukhovni