Re: [dane] any statistics of deployment available?

"Osterweil, Eric" <eosterweil@verisign.com> Thu, 14 January 2016 15:10 UTC

From: "Osterweil, Eric" <eosterweil@verisign.com>
To: "dane@ietf.org" <dane@ietf.org>
Thread-Topic: [dane] any statistics of deployment available?
Thread-Index: AdFIeslBxynRdYetRzmHZNYubTMahgAMtMUAAAyqfgABTGYggAAR5HgAACuL2wA=
Date: Thu, 14 Jan 2016 15:10:34 +0000
Message-ID: <D05D3A38-1D06-4F68-B9E9-B24B58D495CA@verisign.com>
References: <814D0BFB77D95844A01CA29B44CBF8A715B0AEC4@lhreml504-mbs> <20160106131105.GC14398@sys4.de> <20160106191346.GF18704@mournblade.imrryr.org> <D2BBCE19.21C93%gwiley@verisign.com> <20160113182341.GO18704@mournblade.imrryr.org>
In-Reply-To: <20160113182341.GO18704@mournblade.imrryr.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/IsIBaG5Jnc7EFlB6McWCeQi6rmk>

> On Jan 13, 2016, at 1:23 PM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> On Wed, Jan 13, 2016 at 02:51:01PM +0000, Wiley, Glen wrote:
> 
>> Comparable stats from SecSpider for a survey of 1056097 zones at
>> http://secspider.verisignlabs.com/stats.html
>> 
>> DANE Summary
>> 16065 DANE enabled zones with TLSA records
>> 
>> 65 PKIX based Trust Anchor TLSA records (Cert Usage 0)
>> 541   PKIX based End Entity TLSA records (Cert Usage 1)
>> 266   DANE based Trust Anchor TLSA records (Cert Usage 2)
>> 5791  DANE based End Entity TLSA records (Cert Usage 3)
> 
> 6663
> 
> These numbers don't add up to 16065 (their sum is 6663).  Surely
> there are not many zones (a majority?) with TLSA records with usage
> other than 0/1/2/3?
> 
>> 425   Zones have deployed TLSA for Secure SMTP (Port 465)
>> 124   Zones have deployed TLSA for Secure POP3 (Port 995)
>> 503   Zones have deployed TLSA for SMTP with STARTTLS (Port 587)
>> 24 Zones have deployed TLSA for Alternate SMTP (Port 2525)
>> 3024  Zones have deployed TLSA for HTTPS (Port 443)
>> 1996  Zones have deployed TLSA for SMTP (Port 25)
>> 72 Zones have deployed TLSA for POP3 (Port 110)
>> 294   Zones have deployed TLSA for Secure IMAP (Port 993)
>> 201   Zones have deployed TLSA for IMAP (Port 143)
> 
> These numbers also add to 6663.  Where did the 16k number come
> from?  

A very good question.  The zone count is trying to show how many zones are protected by DANE.  So, if a zone has its MX record (which is protected by DANE) in another zone, we count the referring zone as DANE enabled.  The rationale was that DANE is an application-level protection so if you send email to someone at a given email address, and the SMTP server is under another zone, the users of the email domain are still protected.  That’s why it’s not a direct sum, but you can see we don’t multi-count the actual DANE records.  I’m open to ideas about other ways to express this, but the intuition was to capture how many zones’ users are protected.  Make sense?

> I have found 10.7k domains for DANE SMTP (port 25) in a sample of
> 4.8M domains of which 120k have DNSSEC for both the domain MX RRset
> and for at least one best preference MX host and so can start
> publishing TLSA records.

This sounds really great.  SecSpider has been monitoring as many DNSSEC-signed zones as I’ve been able to find for over 10 years.  We’ve taken user submissions, crawled search engines, etc. in order to study the long term evolution of DNSSEC and how people have managed their zones since pretty much the beginning (we started monitoring every zone we could find right after the DNSSEC RFCs were published).  We’ve found some really interesting things, but keeping abreast of the global deployment has become increasingly difficult.  Would you be amenable to sharing those zones with SecSpider?  I’d love to add them to its longitudinal study.

Thanks!

Eric
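An added example, not part of the thread and not SecSpider's or Viktor's own tooling, that makes the two counting rules discussed above concrete on a constructed set of zones: Eric's per-zone "DANE enabled" count (a zone whose MX host lives in another zone is counted as protected, while each TLSA record is counted once in the zone that owns it, so the zone count can exceed the record sum), and Viktor's precondition for being able to publish TLSA (signed MX RRset plus at least one best-preference MX host in a signed zone). Assumptions: the SMTP TLSA owner name is _25._tcp.<mx-host> (RFC 6698), a host belongs to the surveyed zone with the longest matching suffix, and every zone name and record below is made up.

```python
"""Two ways of counting DANE coverage over a constructed zone survey.

Not SecSpider or survey code; the zones and records are invented to show
why "DANE enabled zones" and "TLSA records" need not add up.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class Zone:
    name: str
    signed: bool                               # zone is DNSSEC-signed
    mx: list = field(default_factory=list)     # (preference, host): the zone's MX RRset
    tlsa: dict = field(default_factory=dict)   # TLSA owner name -> list of cert-usage values


def zone_of(host, zones):
    """Surveyed zone containing `host`: longest matching suffix (assumes no
    unsurveyed zone cut in between). Returns None if nothing matches."""
    best = None
    for z in zones.values():
        if host == z.name or host.endswith("." + z.name):
            if best is None or len(z.name) > len(best.name):
                best = z
    return best


def tlsa_by_usage(zones):
    """Per-usage TLSA record counts. A record lives in exactly one zone,
    so summing over zones never double-counts a record."""
    counts = Counter()
    for z in zones.values():
        for usages in z.tlsa.values():
            counts.update(usages)
    return counts


def dane_protected_zones(zones, require_signed_referrer=False):
    """Zone count as Eric describes it: a zone is "DANE enabled" if it
    publishes TLSA itself, or if any MX host it names has a port-25 TLSA
    record, even when that record sits in another zone.  With
    require_signed_referrer=True, only zones whose own MX RRset is signed
    count: an unsigned MX RRset can be forged, and an SMTP client then
    never reaches the TLSA record (RFC 7672)."""
    protected = set()
    for z in zones.values():
        if z.tlsa:
            protected.add(z.name)
            continue
        if require_signed_referrer and not z.signed:
            continue
        for _pref, host in z.mx:
            owner = zone_of(host, zones)
            if owner is not None and f"_25._tcp.{host}" in owner.tlsa:
                protected.add(z.name)
                break
    return protected


def tlsa_ready_zones(zones):
    """Viktor's precondition: MX RRset signed and at least one
    best-preference MX host in a signed zone, so the zone could start
    publishing TLSA records that clients would validate."""
    ready = set()
    for z in zones.values():
        if not z.signed or not z.mx:
            continue
        best_pref = min(pref for pref, _ in z.mx)
        for pref, host in z.mx:
            owner = zone_of(host, zones)
            if pref == best_pref and owner is not None and owner.signed:
                ready.add(z.name)
                break
    return ready


# Constructed survey: one mail provider with TLSA, several zones pointing
# their MX at it, and a few zones that do not.
ZONES = {z.name: z for z in [
    Zone("mailhost.example", True, mx=[(10, "mx1.mailhost.example")],
         tlsa={"_25._tcp.mx1.mailhost.example": [3, 2]}),
    Zone("alpha.example", True, mx=[(10, "mx1.mailhost.example")]),
    Zone("beta.example", True, mx=[(10, "mx1.mailhost.example"), (20, "mx.beta.example")]),
    Zone("gamma.example", False, mx=[(10, "mx1.mailhost.example")]),   # unsigned referrer
    Zone("delta.example", True, mx=[(10, "mx.delta.example")]),         # could publish, has none
    Zone("epsilon.example", True, mx=[(10, "mx.unsigned.example"), (20, "mx.delta.example")]),
    Zone("unsigned.example", False, mx=[(10, "mx.unsigned.example")]),
]}

if __name__ == "__main__":
    by_usage = tlsa_by_usage(ZONES)
    print("TLSA records by usage:", dict(by_usage), "total", sum(by_usage.values()))
    print("DANE enabled zones (referrers counted):", sorted(dane_protected_zones(ZONES)))
    print("  ... only with a signed MX RRset:", sorted(dane_protected_zones(ZONES, True)))
    print("Zones that could start publishing TLSA:", sorted(tlsa_ready_zones(ZONES)))
```

On this data there are two TLSA records but four "DANE enabled" zones, which is the effect Eric describes; the signed-referrer variant drops gamma.example, whose unsigned MX RRset means its users get no real protection, and the readiness count picks up delta.example, which is signed end to end but has published nothing yet.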