On Wed, Aug 18, 2021 at 10:03:06PM -0400, post...@ptld.com wrote:

> > The adoption of DNSSEC seems to have increased a lot in
> > the past 12 months (~30% increase).
>
> Is google / gmail using it yet?
> Last i knew they weren't using DNSSEC or DANE.

Nope.

  > host -t ds google.com
  google.com has no DS record
  > host -t ds gmail.com
  gmail.com has no DS record

They are into MTA-STS instead, as a way to prevent downgrade
attacks against mail servers.

  SMTP MTA Strict Transport Security (MTA-STS)
  https://tools.ietf.org/html/rfc8461 (Proposed Standard)

But that's all it does (assuming other mail servers are paying
attention to it - Google's and Microsoft's do). And you don't
get any of the other benefits of DNSSEC. If there's ever a
worldwide distributed DNS cache poisoning attack that adversely
affects their domains and revenue, they might change their mind.

And their public DNS servers at 8.8.8.8 are DNSSEC-validating
(assuming traffic to 8.8.8.8 isn't being hijacked by a big
router on the way - btw don't assume that), so they aren't
ignoring it completely.

But it's still a very small percentage overall. I've seen old
figures of 1.5% of .com domains use it, but it's big in a few
countries, and the USA government has to use it. I think in
total about 15.8M out of about 360M domains use DNSSEC. So that
would be about 4.4%. So a ~30% increase might not sound like
much. At the current adoption rate, it would take nearly a
century to reach 100%! But the rate of adoption did suddenly
increase noticeably a year ago, and it might increase more now
as it gets easier.

  https://stats.dnssec-tools.org/

I just saw Viktor's reply about mx[1-4].smtp.goog, and it looks
like those domains are no longer signed:

  > host -t ds mx1.smtp.goog
  mx1.smtp.goog has no DS record
  > host -t ds mx2.smtp.goog
  mx2.smtp.goog has no DS record
  > host -t ds mx3.smtp.goog
  mx3.smtp.goog has no DS record
  > host -t ds mx4.smtp.goog
  mx4.smtp.goog has no DS record

But it's good that they make it easy for their Cloud DNS
customers to sign their zones.

We're still a long way from the day when the Chrome browser
starts labelling unsigned domains as "Unsecure". :-)

cheers,
raf
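The post contrasts DNSSEC/DANE with MTA-STS as Google's chosen defence against downgrade attacks on SMTP TLS. The following is an added example, not code from the post or from any MTA: it parses a constructed `_mta-sts` TXT record and policy file in the RFC 8461 format and decides which MX hosts a sending MTA may use and whether it must refuse delivery on TLS failure. The domain names, policy id and MX hosts are all constructed sample values, and the policy text is embedded inline instead of being fetched over HTTPS.

```python
"""
Offline MTA-STS (RFC 8461) policy evaluation.

Added example, not taken from the mailing-list post. All inputs below
(example.com, the policy id, the MX hosts) are constructed sample data;
a real sender fetches the TXT record from _mta-sts.<domain> and the
policy from https://mta-sts.<domain>/.well-known/mta-sts.txt.
"""
from dataclasses import dataclass, field

# Constructed sample: TXT record at _mta-sts.example.com
SAMPLE_TXT = "v=STSv1; id=20210818T000000Z;"

# Constructed sample: body of https://mta-sts.example.com/.well-known/mta-sts.txt
SAMPLE_POLICY = """\
version: STSv1
mode: enforce
mx: mail.example.com
mx: *.example.net
max_age: 604800
"""


@dataclass
class StsPolicy:
    version: str
    mode: str                      # "enforce", "testing" or "none"
    mx: list = field(default_factory=list)
    max_age: int = 0


def parse_sts_txt(txt):
    """Return the policy id from a _mta-sts TXT record, or None if it is not STSv1."""
    fields = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    if fields.get("v") != "STSv1" or "id" not in fields:
        return None
    return fields["id"]


def parse_sts_policy(text):
    """Parse the key: value policy file; unknown keys are ignored as extension fields."""
    policy = StsPolicy(version="", mode="")
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError("malformed policy line: %r" % line)
        key, value = key.strip(), value.strip()
        if key == "version":
            policy.version = value
        elif key == "mode":
            policy.mode = value
        elif key == "mx":
            policy.mx.append(value.lower().rstrip("."))
        elif key == "max_age":
            policy.max_age = int(value)
    if policy.version != "STSv1" or policy.mode not in ("enforce", "testing", "none"):
        raise ValueError("policy is not a valid STSv1 policy")
    return policy


def mx_matches(pattern, host):
    """RFC 8461 mx matching: exact host, or '*.suffix' matching exactly one extra label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:]               # e.g. ".example.net"
        if not host.endswith(suffix):
            return False
        leading = host[:-len(suffix)]      # the part the wildcard must cover
        return leading != "" and "." not in leading
    return host == pattern


def evaluate(policy, mx_hosts):
    """Split MX hosts into policy-allowed and rejected; report whether rejection is fatal."""
    allowed = [h for h in mx_hosts if any(mx_matches(p, h) for p in policy.mx)]
    rejected = [h for h in mx_hosts if h not in allowed]
    # In "testing" mode a sender only reports mismatches (TLSRPT); in "enforce"
    # mode it must not deliver to a rejected host or over a failed TLS session.
    return {"allowed": allowed, "rejected": rejected, "enforce": policy.mode == "enforce"}


if __name__ == "__main__":
    policy_id = parse_sts_txt(SAMPLE_TXT)
    policy = parse_sts_policy(SAMPLE_POLICY)
    # Constructed MX set: one matching host, one wildcard match, one injected host.
    result = evaluate(policy, ["mail.example.com", "mx2.example.net", "smtp.attacker.example"])
    print("policy id:", policy_id)
    print(result)
```

Two details in the matching function are the ones that go wrong in ad-hoc implementations: a wildcard pattern matches exactly one label (so `*.example.net` covers `mx2.example.net` but not `a.b.example.net` or `example.net`), and the policy id from the TXT record is only a change signal; a new id means refetch the policy over HTTPS, it does not authenticate anything by itself.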