On Tue, Apr 19, 2016 at 04:23:08PM +0000, Viktor Dukhovni wrote:

> > >In my survey of 12000 DANE TLSA-enabled domains 545 are using LE
> > >certificates.
> >
> > Is this compared to the ~9600 in December last year? That would be 25%
> > increase in your survey?
>
> Yes, but some of that is due to new methods to find candidate
> domains, not just more domains found with the same methods.
For example, yesterday I decided to try a new way to find candidate
domains, and that scan is now about 30% done. I've found 1052 new DANE
TLSA domains, the vast majority of which are hosted by the usual 3
suspects:

    804 transip.nl
    123 udmedia.de
     35 nederhost.net

This scan will also double my corpus of identified domains that have
DNSSEC for both the domain and at least one of the primary MX hosts (if
the domain has MX records). That number will rise from ~130,000 to
~260,000, while the total DANE domain count will then be around 15000.

A more interesting number from December that grows independently of my
prowess at finding largely obscure hosted domains is the number of
domains that appear on Google's email transparency report (are actually
observed by Gmail to send or receive a non-negligible quantity of
email). That number was 25 in October at the MAAWG conference, 30 in
December, and is 50 today. It will soon be 53, because yesterday the
gmx.{de,net,com} domains got DNSSEC signed, quite likely so as to
publish TLSA records in a matter of days if this matches the recent
observations with web.de.

Another interesting metric (for which I don't have numbers from
December) is that the MX hosts of the ~12000 domains lie in ~1640
distinct delegated domains. The current survey expansion (at ~30%
progress) has found 7 more. This metric measures deployment of DANE by
server operators, not domain owners, and so counts the top 3 hosting
providers as just 3 deployments, not 7100.

If any of this encourages some readers of this list to deploy
DNSSEC+DANE, I urge you to make sure that:

  * You have publicly discoverable email contact addresses, either via
    "whois" or the "mrname" of the DNS SOA record.

  * You monitor your servers, making sure that their TLSA records match
    the deployed certificate chain, and that with usage DANE-TA(2) the
    server certificate hostname matches the "TLSA base domain" of the
    TLSA record and is not expired.

  * When using a public CA for your certs, consider publishing both a
    "2 1 1" TLSA record matching the issuing CA public key and a "3 1 1"
    record matching your server public key. Make sure to include the CA
    certificate in your server certificate chain file.

  * When not using a public CA for your certs, consider publishing both
    a "2 0 1" TLSA record matching the public key of a private issuing
    CA that you create for this purpose, as well as the "3 1 1" record
    matching your server public key. Make sure to include the CA
    certificate in your server certificate chain file.

See https://www.ietf.org/mail-archive/web/uta/current/msg01498.html for
the rationale. This approach makes it easier to do key rotation and
reduces the risk of authentication failure.

Enough on this topic for a while I think. I'll post another update in
October, unless something dramatic happens before then.

-- 
Viktor.
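The monitoring check and the "2 1 1" / "3 1 1" record advice in the mail above, as an added example that is not part of the original message or of any DANE tool: the script below computes TLSA association data (selector 0 = full certificate, 1 = SubjectPublicKeyInfo; matching type 1 = SHA-256, 2 = SHA-512) from DER certificates with a minimal standard-library DER walker, then checks a set of published TLSA records against a deployed chain. To run offline, the certificates are constructed, minimal Certificate-shaped DER structures (not real X.509; the Name and signature fields are placeholders); with real certificates you would pass the DER bytes from the chain file instead. The hostname and expiry checks the mail also asks for are not covered here, since they need a full X.509 parser.

```python
"""Check published DANE TLSA records against a deployed certificate chain.

Added example (not from the mailing-list post). Standard library only.
Certificates below are CONSTRUCTED minimal DER structures, not real X.509.
"""
import hashlib


# --- minimal DER encode/decode helpers (definite length only) ------------
def der_len(n):
    """Encode a DER length: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_seq(*parts):
    return der_tlv(0x30, b"".join(parts))


def der_parse(buf):
    """Parse concatenated TLVs into a list of (tag, value) tuples."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                      # long-form length
            nbytes = ln & 0x7F
            ln = int.from_bytes(buf[i:i + nbytes], "big")
            i += nbytes
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out


# --- constructed certificate-shaped DER (placeholder Names/signature) -----
def make_cert(subject, public_key_bits):
    """Build SEQ{ tbs SEQ{ [0]version, serial, sigAlg, issuer, validity,
    subject, subjectPublicKeyInfo }, sigAlg, signature } as in RFC 5280 order."""
    rsa_oid = der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
    spki = der_seq(der_seq(rsa_oid), der_tlv(0x03, b"\x00" + public_key_bits))
    tbs = der_seq(
        der_tlv(0xA0, der_tlv(0x02, b"\x02")),          # [0] EXPLICIT version v3
        der_tlv(0x02, b"\x01"),                          # serialNumber
        der_seq(der_tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),
        der_seq(der_tlv(0x0c, b"constructed issuer")),   # issuer (placeholder)
        der_seq(der_tlv(0x17, b"160101000000Z"), der_tlv(0x17, b"170101000000Z")),
        der_seq(der_tlv(0x0c, subject)),                 # subject (placeholder)
        spki,
    )
    return der_seq(tbs, der_seq(rsa_oid), der_tlv(0x03, b"\x00constructed-sig"))


def extract_spki(cert_der):
    """Return the DER of SubjectPublicKeyInfo, skipping the optional [0] version."""
    tbs_fields = der_parse(der_parse(der_parse(cert_der)[0][1])[0][1])
    if tbs_fields[0][0] == 0xA0:
        tbs_fields = tbs_fields[1:]
    return der_tlv(0x30, tbs_fields[5][1])


# --- TLSA association data (RFC 6698 selector / matching type) -----------
def tlsa_data(selector, mtype, cert_der):
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown matching type %d" % mtype)


def tlsa_rdata(usage, selector, mtype, cert_der):
    """Presentation-format RDATA, e.g. '3 1 1 <hex>', for a certificate."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_data(selector, mtype, cert_der).hex())


def check_tlsa(records, chain):
    """Map each record to True/False: usage 1/3 (end-entity) is compared
    against chain[0], usage 0/2 (trust anchor) against the issuers chain[1:]."""
    results = {}
    for rr in records:
        usage, selector, mtype, hexdata = rr.split()
        candidates = chain[:1] if int(usage) in (1, 3) else chain[1:]
        want = bytes.fromhex(hexdata)
        results[rr] = any(tlsa_data(int(selector), int(mtype), c) == want for c in candidates)
    return results


def chain_is_authenticated(records, chain):
    """DANE succeeds if at least one published record matches the chain."""
    return any(check_tlsa(records, chain).values())


if __name__ == "__main__":
    ca = make_cert(b"Constructed Private CA", b"\x01" * 32)
    srv = make_cert(b"mx.example.net", b"\x02" * 32)
    records = [tlsa_rdata(3, 1, 1, srv), tlsa_rdata(2, 1, 1, ca)]
    print(check_tlsa(records, [srv, ca]))          # both records match
    rotated = make_cert(b"mx.example.net", b"\x03" * 32)
    print(check_tlsa(records, [rotated, ca]))      # only the "2 1 1" record still matches
```

The rotation case at the end is the point of the mail's "2 1 1" plus "3 1 1" advice: after a server key change the "3 1 1" record stops matching, but the "2 1 1" record for the issuing CA keeps the server authenticated until the new "3 1 1" record is published, provided the CA certificate is actually present in the served chain (here chain[1]).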