[caiu] Problemas DNSSEC para e-mail

Rubens Kuhl rubensk em gmail.com
Sáb Jul 15 10:13:50 BRT 2017

Dos 6 domínios com mais envio de e-mails e que tem problemas com DNSSEC
e/ou TLSA DANE, 5 são brasileiros:


Outros 3 domínios aparentemente brasileiros mas com menor volume de
mensagens são:


Fonte: https://mail.sys4.de/pipermail/dane-users/2017-May/000411.html
(reproduzido ao final)

Alguém com contatos nessas organizações ?


Update on stats 2017-05*Viktor Dukhovni* ietf-dane at dukhovni.org
*Sun May 28 21:05:31 CEST 2017*

   - Previous message (by thread): Test tool havedane.net and NCSC-NL
   factsheet on DANE
   - *Messages sorted by:* [ date ]
    [ thread ]
    [ subject ]
    [ author ]


As of today I count 169812 domains with correct DANE TLSA records
for SMTP.  As expected the bulk of the DANE domains are hosted the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are:

   69614 domeneshop.no
   59404 transip.nl
   18372 udmedia.de
    6733 bhosted.nl
    1831 nederhost.net
     997 ec-elements.com
     501 core-networks.de
     339 bit.nl
     334 omc-mail.com
     309 uvt.nl

    [ The 365 "networking4all.net" domains from last month are
      gone, because they got bought by metaregistrar.nl and the
      new MX hosts are not in DNSSEC signed zones. Otherwise,
      the total would now have been over 170000. ]

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.de.

There are 2567 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2667) of distinct MX host server certificates that support the
same ~169000 domains.

A related number is 3818 TLSA RRsets found for MX host TCP port
25.  This includes secondary MX hosts and domains none of whose
primary MX hosts have TLSA records.

The number of domains that at some point were listed in Gmail's
email transparency report is 108 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 54 are in recent reports:

  anubisnetworks.com      gmx.de                  posteo.de
  asf.com.pt              gmx.net                 registro.br
  asp4all.nl              hr-manager.net          ruhr-uni-bochum.de
  bayern.de               ietf.org                samba.org
  bhosted.nl              isc.org                 solvinity.com
  bund.de                 jpberlin.de             t-2.com
  comcast.net             lrz.de                  t-2.net
  dd24.net                mail.com                t-2.si
  debian.org              mail.de                 torproject.org
  domeneshop.no           netbsd.org              trashmail.com
  elster.de               nic.br                  tum.de
  enron.email             nic.cz                  uni-erlangen.de
  fau.de                  octopuce.fr             unitymedia.de
  freebsd.org             open.ch                 web.de
  gentoo.org              openssl.org             webcruitermail.no
  gmx.at                  ouderportaal.nl         xfinity.com
  gmx.ch                  overheid.nl             xs4all.net
  gmx.com                 pathe.nl                xs4all.nl

Of the ~169000 domains, 749 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 93.  The list of the 54 underlying MX hosts that serve
these domains and whose TLSA records don't match reality.

  Hall of Shame:

  mail.dipietro.id.au       mail.enzevalos.de     dorothy.goldenhairdafo.ne
  eumembers.stansoft.bg     hmserver.de           hs.kuzenkov.net
  catabra.com.br            mail.manima.de        oostergo.net
  server29.prazernavida.com www.mtg.de            ren.warunek.net
  mail.pgp.inf.br           mx1.spamsponge.de     cinnamon.nl
  my.mai1.ch                mail.0pc.eu           mail.e-rave.nl
  alpaca.attackllama.com    gamepixel.eu          mail.jekuiken.nl
  mail.danmolik.com         mx.quentindavid.fr    mail.myzt.nl
  mail.digitalwebpros.com   servmail.fr           bounder.steelyard.nl
  demo.liveconfig.com       mail.nonoserver.info  mx.wm.net.nz
  ny-do.pieterpottie.com    mx.datenknoten.me     beerstra.org
  diablo.sgt.com            mx.giesen.me          smtp.copi.org
  tusk.sgt.com              smtp.aechelon.net     eumembers.datacentrix.org
  mx1.wittsend.com          mail.castleturing.net smtp3.amadigi.ovh
  mx.bels.cz                mail.d3fy.net         mail.pasion.ro
  gaia.nfx.cz               datawebb.dafcorp.net  mail.lahl.rocks
  badf00d.de                anubis.delphij.net    protector.rajmax.si
  mail.denniseffing.de      goldenhairdafo.net    email.themcintyres.us

The number of domains with bad DNSSEC support is 438.  The increase is
due to a comprehensive scan of all 4.6 million DNSSEC domains in the
survey, previously some parts of the survey did not record SERVFAIL

the top 10 DNS providers with problem domains are:

    68 jsr-it.nl
    58 infracom.nl	- Was slated to be resolved in March, delayed...
    27 is.nl
    24 active24.cz
    23 tiscomhosting.nl
    18 metaregistrar.nl
    15 rdw.nl
    10 firstfind.nl
     9 cas-com.net
     8 loopia.se

Around 50 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.  Only 6 of these
DNS-broken domains appear in historical Google Email transparency


The associated DNS lookup issues are:

  _25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response:
  _25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response:
  _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response:
  _25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response:
  _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure:
  _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure:
  _25._tcp.mx2.tjce.jus.br. IN TLSA ? ; SOA signature failure:

   [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>,
     Much of the TLSA non-response issue seems to be related to a
     "feature" of Arbor Networks firewalls, that enables droping
     of  DNS requests for all but the most common RRtypes.  Do not
     make the mistake of enabling this firewall "feature". ]

The oldest outstanding DNS issue is another SOA signature issue
at truman.edu dating back to Nov/2014:


I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.


Mais detalhes sobre a lista de discussão caiu