Re: [dane] any statistics of deployment available?

"Osterweil, Eric" <eosterweil@verisign.com> Thu, 14 January 2016 17:41 UTC

Return-Path: <eosterweil@verisign.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 354851A6F9D for <dane@ietfa.amsl.com>; Thu, 14 Jan 2016 09:41:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Level:
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1] autolearn=ham
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sqL6i44o4vBZ for <dane@ietfa.amsl.com>; Thu, 14 Jan 2016 09:41:04 -0800 (PST)
Received: from mail-qg0-x262.google.com (mail-qg0-x262.google.com [IPv6:2607:f8b0:400d:c04::262]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 80DC71A6F59 for <dane@ietf.org>; Thu, 14 Jan 2016 09:41:04 -0800 (PST)
Received: by mail-qg0-x262.google.com with SMTP id o11so51269900qge.3 for <dane@ietf.org>; Thu, 14 Jan 2016 09:41:04 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=verisign-com.20150623.gappssmtp.com; s=20150623; h=from:to:subject:thread-topic:thread-index:date:message-id :references:in-reply-to:accept-language:content-language :content-type:content-id:content-transfer-encoding:mime-version; bh=DdVfb75KPENl7oBaqW3s4Kkj7J8UaRb0bU4VcPRnpoM=; b=kfKhKSnGN9uLp5M6KkU2RIeSVPlYAspMdqpnk5gNLP/2B0ZlrbF61hap5mYIrUm44I mmkcUAxQzTFrIowHr4QZsWA93SR+CI76DdYCdiL+E1POkSy/hhnQbpQQNbtGGuRA27nB 8BvYZO6ghbMtcNDqLlbP7SZCzN13Ij0FXj567xqBqjBkInZnAo5ksV+MvhI1oQpvsQ1J pYQG3e0svAJTuVX/+7W/jm+hErGR+OPxHulhsmTM9I2tsuVYoNrmMw7l7aZWb2ZwyWL0 53pA/ISf6jh6xu7BgK8fCV/VbvTE/HsWcxB40o8994ub29WVPbswM8saYypuIc5HRQNc vn1g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20130820; h=x-gm-message-state:from:to:subject:thread-topic:thread-index:date :message-id:references:in-reply-to:accept-language:content-language :content-type:content-id:content-transfer-encoding:mime-version; bh=DdVfb75KPENl7oBaqW3s4Kkj7J8UaRb0bU4VcPRnpoM=; b=PVj1lY9RENIzZpxUt+I9DRbHGrglHzakk24mv/M190tqmcmGAHMap0IRp6wTMtELfj 6U+6bTnQurenD48KiLJziKnnQOlyhg2oJyJwelSj8D71i8vN1fGdQUEF6Lz3KUZSXEHC A07KKwyuOz94MJjd3Ts3C7vv6/i058/FO5r0qix/x3WPhOk4j/cESWJhJn5xHTIMFvGe rEMe+Hwcwjm/PgrTjJ2dwLV3kSkTE2fbK1PUj23y5ttNqeAS6gX16p1omFFy6yCSHPQq 1bQfzdZUrtCHkeHZLoUbh+VH2VYHjOVIQWJf0yxQKKqkAltjKwWHgnPcscT9cozyq3z6 WzWQ==
X-Gm-Message-State: ALoCoQmJmiIq0In/hr7PfC8fMFZJFDuD5oSbdDZEAay3x79eCci9Pff1qDBMvL5LktboA6Yrx3IIqAHv7wdYQW56J+Zd/MJ9Dguvd9ZpP3jdX6+2d3D9LNQ=
X-Received: by 10.141.6.131 with SMTP id i125mr8067661qhd.68.1452793263599; Thu, 14 Jan 2016 09:41:03 -0800 (PST)
Received: from brn1lxmailout02.verisign.com (brn1lxmailout02.verisign.com. [72.13.63.42]) by smtp-relay.gmail.com with ESMTPS id d3sm1015951qkb.3.2016.01.14.09.41.03 for <dane@ietf.org> (version=TLS1 cipher=AES128-SHA bits=128/128); Thu, 14 Jan 2016 09:41:03 -0800 (PST)
X-Relaying-Domain: verisign.com
Received: from BRN1WNEXCHM01.vcorp.ad.vrsn.com (brn1wnexchm01 [10.173.152.255]) by brn1lxmailout02.verisign.com (8.13.8/8.13.8) with ESMTP id u0EHf35H013693 (version=TLSv1/SSLv3 cipher=AES256-SHA bits=256 verify=FAIL) for <dane@ietf.org>; Thu, 14 Jan 2016 12:41:03 -0500
Received: from BRN1WNEXMBX01.vcorp.ad.vrsn.com ([::1]) by BRN1WNEXCHM01.vcorp.ad.vrsn.com ([::1]) with mapi id 14.03.0174.001; Thu, 14 Jan 2016 12:41:01 -0500
From: "Osterweil, Eric" <eosterweil@verisign.com>
To: "dane@ietf.org" <dane@ietf.org>
Thread-Topic: [dane] any statistics of deployment available?
Thread-Index: AdFIeslBxynRdYetRzmHZNYubTMahgAMtMUAAAyqfgABTGYggAAR5HgAACuL2wAAAceIgAADdlKA
Date: Thu, 14 Jan 2016 17:41:00 +0000
Message-ID: <F40D2CE1-4029-4676-AFD5-4EB9500BF4FC@verisign.com>
References: <814D0BFB77D95844A01CA29B44CBF8A715B0AEC4@lhreml504-mbs> <20160106131105.GC14398@sys4.de> <20160106191346.GF18704@mournblade.imrryr.org> <D2BBCE19.21C93%gwiley@verisign.com> <20160113182341.GO18704@mournblade.imrryr.org> <D05D3A38-1D06-4F68-B9E9-B24B58D495CA@verisign.com> <20160114160131.GA646@mournblade.imrryr.org>
In-Reply-To: <20160114160131.GA646@mournblade.imrryr.org>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-originating-ip: [10.173.152.4]
Content-Type: text/plain; charset="utf-8"
Content-ID: <4CE0871D0A1404468F2002C9095B639C@verisign.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/JebkamkFPDRHuytHYpw7hpjno5c>
Subject: Re: [dane] any statistics of deployment available?
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>, <mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dane/>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>, <mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 14 Jan 2016 17:41:06 -0000

> On Jan 14, 2016, at 11:01 AM, Viktor Dukhovni <ietf-dane@dukhovni.org> wrote:
> 
> On Thu, Jan 14, 2016 at 03:10:34PM +0000, Osterweil, Eric wrote:
> 
>>>> DANE Summary
>>>> 16065 DANE enabled zones with TLSA records
>>>> 
>>>> 65 PKIX based Trust Anchor TLSA records (Cert Usage 0)
>>>> 541   PKIX based End Entity TLSA records (Cert Usage 1)
>>>> 266   DANE based Trust Anchor TLSA records (Cert Usage 2)
>>>> 5791  DANE based End Entity TLSA records (Cert Usage 3)
>>> 
>>> 6663
> 
> Ok, so that's 6663 TLSA RRsets, but a much larger number of protected
> zones due to MX indirection.  So I would clearly separate the RRset
> count from the "protected domain" count.

Yep.  The RR counts are listed below the zone count.  I think this is precisely what led you to notice.  That is, all of the counts below the zone count are RR counts.

> 
>>> 1996  Zones have deployed TLSA for SMTP (Port 25)
> 
> So the missing ~10k "zones" (protected domains) are here, because
> the other ports are rarely (RFC6186 notwithstanding) subject to
> indirection.  

Any of the mail protocols is subject to this indirection, as those DANE records are based off the MX record.

> That is you've found 1996 MX hosts with TLSA RRsets?  Or 1996 zones
> with 1 or more MX hosts with TLSA RRsets, or a total of 1996 TLSA
> records for port 25?  I am guessing the latter, because that's what
> makes the "certificate usage" total equal to the "by port" total.

There are 1996 TLSA Resource Records that have the domain name _25._tcp.<domain name>.  Each RR at every domain name gets counted separately.  So, if someone has two RRs at the same domain name, SecSpider counts two, not one.

> In that case our numbers are similar, I have 10.7k email SMTP
> domains covered by TLSA records of 1564 MX hosts with 2212 TLSA
> RRs (at least, because there are cases where I don't look for any
> TLSA RRs on worse priority MX hosts if a better priority MX hosts
> have no TLSA records).  Of the 10.7k domains 200 have incomplete
> TLSA record coverage in that some MX hosts are not protected, so
> the "domain" is not secured against MITM by attackers who block
> access to the protected MX hosts.

That’s very interesting!

Eric
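The two counting conventions discussed in this exchange, as an added illustration that is not part of the thread and is not SecSpider's or Viktor's code: every TLSA RR at `_25._tcp.<mx host>` is counted once (Eric's per-RR count), while a mail domain is only reached through its MX RRset, so one MX host's TLSA RRset can cover many domains and a domain whose MX hosts are only partly covered is not protected as a whole. All domain and host names, MX data and TLSA data below are constructed sample values, not real DNS; a real audit would replace the two dictionaries with DNSSEC-validated lookups. MX preference ordering is deliberately ignored here, so unlike the survey quoted above, every MX host is checked.

```python
from collections import Counter

# --- constructed sample data (hypothetical names, not real DNS) -------------
# domain -> MX hosts (preference order ignored for this example)
MX_RRSETS = {
    "alpha.example": ["mx1.mailhost.example", "mx2.mailhost.example"],
    "beta.example":  ["mx1.mailhost.example", "mx2.mailhost.example"],
    "gamma.example": ["mx.gamma.example", "backup.other.example"],
    "delta.example": ["mail.delta.example"],
}

# owner name -> TLSA RRs as (usage, selector, matching_type, cert_data)
TLSA_RRS = {
    "_25._tcp.mx1.mailhost.example": [(3, 1, 1, "a1" * 32), (2, 1, 1, "b2" * 32)],
    "_25._tcp.mx2.mailhost.example": [(3, 1, 1, "c3" * 32)],
    "_25._tcp.mx.gamma.example":     [(3, 1, 1, "d4" * 32)],
    "_443._tcp.www.delta.example":   [(1, 0, 1, "e5" * 32)],
}

USAGE_NAMES = {0: "PKIX-TA", 1: "PKIX-EE", 2: "DANE-TA", 3: "DANE-EE"}


def split_owner(owner):
    """'_25._tcp.host' -> (25, 'host'); rejects names that are not TLSA owners."""
    port, proto, host = owner.split(".", 2)
    if not port.startswith("_") or proto not in ("_tcp", "_udp", "_sctp"):
        raise ValueError(f"not a TLSA owner name: {owner}")
    return int(port[1:]), host


def rr_counts_by_usage(tlsa=TLSA_RRS):
    """Per-RR count keyed by certificate usage (each RR counted separately)."""
    counts = Counter()
    for rrs in tlsa.values():
        for usage, *_ in rrs:
            counts[usage] += 1
    return counts


def rr_counts_by_port(tlsa=TLSA_RRS):
    """Per-RR count keyed by the port in the owner name."""
    counts = Counter()
    for owner, rrs in tlsa.items():
        port, _host = split_owner(owner)
        counts[port] += len(rrs)
    return counts


def smtp_coverage(mx=MX_RRSETS, tlsa=TLSA_RRS):
    """Classify each domain by how many of its MX hosts carry a TLSA RRset.

    'partial' is the weak case: an attacker who can block the protected MX
    hosts pushes delivery to an unprotected one, so the domain as a whole
    is not secured against MITM.
    """
    result = {}
    for domain, hosts in mx.items():
        protected = [h for h in hosts if tlsa.get(f"_25._tcp.{h}")]
        unprotected = [h for h in hosts if h not in protected]
        if not protected:
            status = "none"
        elif unprotected:
            status = "partial"
        else:
            status = "full"
        result[domain] = (status, protected, unprotected)
    return result


def summary(mx=MX_RRSETS, tlsa=TLSA_RRS):
    """Domain-level and RR-level numbers side by side, as in the discussion."""
    cov = smtp_coverage(mx, tlsa)
    covered = [d for d, (status, _, _) in cov.items() if status != "none"]
    partial = [d for d, (status, _, _) in cov.items() if status == "partial"]
    mx_hosts = {h for hosts in mx.values() for h in hosts
                if tlsa.get(f"_25._tcp.{h}")}
    return {
        "smtp_domains_covered": len(covered),
        "smtp_domains_partial": len(partial),
        "mx_hosts_with_tlsa": len(mx_hosts),
        "port25_tlsa_rrs": rr_counts_by_port(tlsa)[25],
    }


if __name__ == "__main__":
    for usage, n in sorted(rr_counts_by_usage().items()):
        print(f"{n:5d}  {USAGE_NAMES[usage]} TLSA records (Cert Usage {usage})")
    for port, n in sorted(rr_counts_by_port().items()):
        print(f"{n:5d}  TLSA records for port {port}")
    for domain, (status, _, unprotected) in smtp_coverage().items():
        print(f"{domain}: {status}" + (f" (unprotected: {unprotected})" if unprotected else ""))
    print(summary())
```

With this data the per-RR view reports four port-25 TLSA records and four usage-3 plus one usage-2 record, while the domain view reports three covered SMTP domains served by three MX hosts, one of which (gamma.example) is only partially covered; that gap between the RR count and the domain count is the MX indirection the thread is describing.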