Re: [dane] any statistics of deployment available?
Viktor Dukhovni <ietf-dane@dukhovni.org> Thu, 14 January 2016 16:01 UTC
Date: Thu, 14 Jan 2016 16:01:31 +0000
From: Viktor Dukhovni <ietf-dane@dukhovni.org>
To: dane@ietf.org
Archived-At: <http://mailarchive.ietf.org/arch/msg/dane/Y4CTJRWszgTPPwbArKL1Zd1u2O0>
On Thu, Jan 14, 2016 at 03:10:34PM +0000, Osterweil, Eric wrote:

> >> DANE Summary
> >> 16065 DANE enabled zones with TLSA records
> >>
> >> 65 PKIX based Trust Anchor TLSA records (Cert Usage 0)
> >> 541 PKIX based End Entity TLSA records (Cert Usage 1)
> >> 266 DANE based Trust Anchor TLSA records (Cert Usage 2)
> >> 5791 DANE based End Entity TLSA records (Cert Usage 3)
> >
> > 6663

Ok, so that's 6663 TLSA RRsets, but a much larger number of protected zones due to MX indirection. So I would clearly separate the RRset count from the "protected domain" count.

>> 1996 Zones have deployed TLSA for SMTP (Port 25)

So the missing ~10k "zones" (protected domains) are here, because the other ports are rarely (RFC6186 notwithstanding) subject to indirection.

That is, you've found 1996 MX hosts with TLSA RRsets? Or 1996 zones with 1 or more MX hosts with TLSA RRsets, or a total of 1996 TLSA records for port 25? I am guessing the latter, because that's what makes the "certificate usage" total equal to the "by port" total.

In that case our numbers are similar, I have 10.7k email SMTP domains covered by TLSA records of 1564 MX hosts with 2212 TLSA RRs (at least, because there are cases where I don't look for any TLSA RRs on worse priority MX hosts if better priority MX hosts have no TLSA records). Of the 10.7k domains 200 have incomplete TLSA record coverage in that some MX hosts are not protected, so the "domain" is not secured against MITM by attackers who block access to the protected MX hosts.

--
    Viktor.
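
An added illustration of the counting distinction in the message above (not code from the thread or its participants): with constructed MX and TLSA data, a few MX-host TLSA RRsets cover more domains through MX indirection, and a domain with an unprotected MX host is reported as partially covered. All domain and host names and the `summarize` helper are hypothetical.

```python
from collections import Counter

# Constructed sample data (not from the thread): MX RRsets per mail domain,
# as (preference, host) pairs.
MX = {
    "a.example": [(10, "mx1.provider.example")],
    "b.example": [(10, "mx1.provider.example"), (20, "mx2.provider.example")],
    "c.example": [(10, "mx1.provider.example"), (20, "backup.other.example")],
    "d.example": [(10, "mail.d.example")],
    "e.example": [(10, "backup.other.example")],
}

# Constructed TLSA RRsets at _25._tcp.<host>; each record is
# (certificate usage, selector, matching type). Hosts absent here have none.
TLSA = {
    "mx1.provider.example": [(3, 1, 1), (3, 1, 1)],  # current + rollover key
    "mx2.provider.example": [(2, 0, 1)],
    "mail.d.example": [(3, 1, 1)],
}

def summarize(mx, tlsa):
    """Count MX-host RRsets, TLSA records and mail domains separately."""
    usage = Counter(u for rrset in tlsa.values() for (u, _, _) in rrset)
    full, partial = [], []
    for domain, rrset in sorted(mx.items()):
        hosts = [host for _, host in sorted(rrset)]
        secured = [host for host in hosts if tlsa.get(host)]
        if not secured:
            continue  # no MX host of this domain publishes TLSA records
        # Any MX host without TLSA leaves the domain open to an attacker
        # who blocks access to the protected hosts.
        (full if len(secured) == len(hosts) else partial).append(domain)
    return {
        "mx_hosts_with_tlsa": sum(1 for rrset in tlsa.values() if rrset),
        "tlsa_records": sum(usage.values()),
        "records_by_usage": dict(usage),
        "domains_covered": len(full) + len(partial),
        "domains_partial": partial,
    }

if __name__ == "__main__":
    for key, value in summarize(MX, TLSA).items():
        print(f"{key}: {value}")
```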