On Thu, Dec 10, 2015 at 03:29:55PM +0100, Dirk Stöcker wrote:

> does anyone here have statistics about DANE enabled mail servers?

The majority of the domains are small ("vanity") domains of early
adopters like you.  I've found ~9600 of these, but there are at least
around 20,000 more (hosted by udmedia.de) I have no way to find,
because they are not on any public lists of known domains.

> And maybe also a timeline showing an increase (hopefully)?

Well a year ago at this time I could only find around 500 domains.

> I'm running DANE for some
> time now and I don't ever get a Verified connection (except to my second
> server). That's a bit discouraging. I'd like to have at least once in a
> while a "Yeah" effect :-)

There are just ~30 domains with TLSA records that are large enough for you
to have heard of them.  Here's a sample:

    conjur.com.br
    mypst.com.br
    registro.br
    societe.com
    t-2.com
    gohost.cz
    bayern.de
    bund.de
    jpberlin.de
    lrz.de
    posteo.de
    ruhr-uni-bochum.de
    tum.de
    unitymedia.de
    comcast.net
    rrpproxy.net
    t-2.net
    aanbodpagina.nl
    xs4all.nl
    debian.org
    eu.org
    freebsd.org
    ietf.org
    isc.org
    netbsd.org
    openssl.org
    samba.org
    torproject.org

> Even posting to this list will not result in a "Yeah" :-(

I don't know whether cloud9.net hosting supports DNSSEC.  Posts to
this list are publicly archived, so this is not a compelling use
case for stronger encryption.

> Another question: In one of the postings some time back a TTL of 1 hour was
> suggested for TLSA. Why that short? I agree that my 24 hours is a bit long for
> switching, as a cert change takes then approx 3 days. But 6-12 hours should
> be fine.

Whatever works for you, but people do make mistakes with their TLSA
records, and you might also some day.  Mail redelivery attempts
after many hours of downtime get infrequent or sometimes don't
happen at all.

    https://tools.ietf.org/html/rfc7671#section-8.1
    https://dane.sys4.de/common_mistakes#3

Lately, folks are enthusiastic about "Let's Encrypt", but don't
seem to think through the integration with DANE on port 25.
We likely need appropriate guides for this use case both in a
Postfix DANE tutorial and from LE.

-- 
        Viktor.
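The TLSA mistakes and rollover timing discussed above, as an added example that is not part of the original post or of Postfix: the code computes DANE-EE "3 0 1" / "3 1 1" record data for a certificate, checks a certificate against a TLSA RRset, and walks through the three RRsets of a key rollover (old only, old and new together, new only). It uses only the Python standard library with a minimal DER walker; the two certificates are constructed, unsigned DER skeletons (placeholder key bytes, placeholder signature) so the example runs offline, and mx.example.com is a placeholder owner name. Resolvers may cache the old RRset for up to its TTL, which is why the "both records" window has to outlast that TTL and why a long TTL stretches a cert change out over days, as Dirk observed.

```python
"""Added example, not part of the mailing-list post: DANE TLSA "3 x 1"
record data, RRset matching, and the side-by-side RRsets of a key rollover.
Standard library only; certificates are constructed DER skeletons."""
import hashlib

RSA_ENCRYPTION_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"   # 1.2.840.113549.1.1.1
SHA256_WITH_RSA_OID = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11


def der_tlv(tag, body):
    """Encode one DER TLV with a definite length (bodies up to 65535 bytes)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = b"\x81" + bytes([n])
    else:
        length = b"\x82" + n.to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_walk(buf, pos=0):
    """Decode the TLV at pos; return (tag, body, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, hdr = first, 2
    else:
        k = first & 0x7F
        n, hdr = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), 2 + k
    start = pos + hdr
    return tag, buf[start:start + n], start + n


def der_children(body):
    """Split a constructed DER body into its child TLVs (tag + length + body)."""
    out, pos = [], 0
    while pos < len(body):
        _tag, _child, end = der_walk(body, pos)
        out.append(body[pos:end])
        pos = end
    return out


def extract_spki(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }
    TBSCertificate ::= SEQUENCE { [0] version OPTIONAL, serialNumber, signature,
                                  issuer, validity, subject, subjectPublicKeyInfo, ... }
    """
    tag, cert_body, _ = der_walk(cert_der)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs_body, _ = der_walk(der_children(cert_body)[0])
    fields = der_children(tbs_body)
    # The [0] EXPLICIT version (tag 0xA0) is optional; without it every field shifts up.
    return fields[6] if fields[0][0] == 0xA0 else fields[5]


def tlsa_rdata(cert_der, selector, usage=3, mtype=1):
    """TLSA RDATA (usage, selector, matching type, hex digest) for matching type 1
    (SHA-256). Selector 0 hashes the whole certificate, selector 1 only the SPKI."""
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return (usage, selector, mtype, hashlib.sha256(data).hexdigest())


def cert_matches_rrset(cert_der, rrset):
    """DANE-EE(3) check: the certificate is accepted if any "3 x 1" record matches it."""
    for usage, selector, mtype, digest in rrset:
        if usage != 3 or mtype != 1:
            continue  # other usages and matching types are out of scope here
        data = cert_der if selector == 0 else extract_spki(cert_der)
        if hashlib.sha256(data).hexdigest() == digest.lower():
            return True
    return False


def make_dummy_cert(key_bits, serial):
    """Build an unsigned DER certificate skeleton (constructed test data; the
    signature is a placeholder). Only the DER layout matters for TLSA hashing."""
    alg_id = der_tlv(0x30, der_tlv(0x06, SHA256_WITH_RSA_OID) + der_tlv(0x05, b""))
    spki = der_tlv(0x30, der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + der_tlv(0x05, b""))
                   + der_tlv(0x03, b"\x00" + key_bits))
    empty_name = der_tlv(0x30, b"")
    validity = der_tlv(0x30, der_tlv(0x17, b"151210000000Z") + der_tlv(0x17, b"161210000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, bytes([serial]))
                  + alg_id + empty_name + validity + empty_name + spki)
    return der_tlv(0x30, tbs + alg_id + der_tlv(0x03, b"\x00" * 5))


# Constructed placeholder key material for an "old" and a "new" server key.
OLD_CERT = make_dummy_cert(bytes(range(1, 33)), 1)
NEW_CERT = make_dummy_cert(bytes(range(33, 65)), 2)


def rollover_rrsets():
    """The three TLSA RRsets of a key rollover: before the swap, during (old and
    new published together until every cache has seen the new record), after."""
    before = [tlsa_rdata(OLD_CERT, 1)]
    during = [tlsa_rdata(OLD_CERT, 1), tlsa_rdata(NEW_CERT, 1)]
    after = [tlsa_rdata(NEW_CERT, 1)]
    return before, during, after


if __name__ == "__main__":
    # mx.example.com is a placeholder owner name for the zone-file presentation.
    for rrset in rollover_rrsets():
        for usage, selector, mtype, digest in rrset:
            print(f"_25._tcp.mx.example.com. IN TLSA {usage} {selector} {mtype} {digest}")
        print()
```

Swapping the certificate while only the "before" RRset is published is exactly the mismatch the post warns about: the new certificate matches none of the records and DANE-verifying senders defer mail until the records are fixed or the TTL lets the corrected RRset through.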
