Re: [exim] Exim & DANE .. status ?

Author: Viktor Dukhovni
To: exim-users
Subject: Re: [exim] Exim & DANE .. status ?


> On May 22, 2018, at 1:00 PM, Niels Dettenbach (Syndicat IT & Internet) via Exim-users <exim-users@???> wrote:
>
> Am 22. Mai 2018 18:09:24 MESZ schrieb Cyborg via Exim-users <exim-users@???>:
>> Hi Guys,
>>
>> the German office of security (BSI) has issued a policy that
>> secure email servers should implement DANE.
>
> DANE is "nice" in theory - and the German BSI is an entity mainly driven by theoreticians...ß)


This theory is presently being practiced by the MX hosts of 232 thousand
domains and counting...

> In reality there are good reasons why many (even large) email providers haven't established DANE or DNSSEC at all until today.


It takes time for implementations to reach end-users and for
management tools to mature. This is the early adopter phase,
but a technically skilled and operationally disciplined MTA
operator should be able to deploy DANE now. The main obstacle
for some of the larger domains is all the geo load-balancing
kit that resolves A/AAAA records on the fly and does not support
DNSSEC signing. Thus google.com won't have DNSSEC terribly soon,
but googlemail.com on the other hand might get there in a not
unreasonable timeframe...

On Monday this week active24.com enabled DANE for their MX hosts,
which brought DANE to another ~30k domains (some soon to be found).
The leaderboard by number of customer domains I managed to find:

90583 domeneshop.no
69365 transip.nl
22307 active24.com
19741 udmedia.de
6261 bhosted.nl
1803 nederhost.nl
1224 yourdomainprovider.net
943 hi7.de
767 surfmailfilter.nl
556 core-networks.de

Top 10 TLD suffixes for DANE domains:

63594 no
48045 nl
40039 com
23014 cz
18734 de
6951 net
5447 eu
4646 org
4341 be
1984 se

Domains "large enough" to be listed in recent Gmail transparency
report datasets:

gmx.at                   freenet.de               boozyshop.nl
travelbirdbelgique.be    gmx.de                   intermax.nl
nic.br                   jpberlin.de              ouderportaal.nl
registro.br              lrz.de                   overheid.nl
gmx.ch                   mail.de                  pathe.nl
open.ch                  posteo.de                politie.nl
anubisnetworks.com       ruhr-uni-bochum.de       uvt.nl
gmx.com                  tum.de                   xs4all.nl
mail.com                 uni-erlangen.de          domeneshop.no
solvinity.com            unitybox.de              handelsbanken.no
trashmail.com            unitymedia.de            webcruitermail.no
xfinity.com              web.de                   aegee.org
xfinityhomesecurity.com  dk-hostmaster.dk         debian.org
xfinitymobile.com        egmontpublishing.dk      freebsd.org
active24.cz              netic.dk                 gentoo.org
clubcard.cz              tilburguniversity.edu    ietf.org
cuni.cz                  insee.fr                 isc.org
cvc.cz                   octopuce.fr              netbsd.org
destroystores.cz         comcast.net              openssl.org
itesco.cz                dd24.net                 samba.org
klubpevnehozdravi.cz     dns-oarc.net             torproject.org
knizni-magazin.cz        gmx.net                  asf.com.pt
localssrcapp.cz          hr-manager.net           handelsbanken.se
smtp.cz                  mpssec.net               minmyndighetspost.se
bayern.de                t-2.net                  skatteverket.se
bund.de                  xs4all.net               t-2.si
elster.de                bhosted.nl               mail.co.uk
fau.de                   bit.nl                   govtrack.us


It seems that "exim.org" is not "large enough" as it has DANE TLSA
records, but is not mentioned in the Gmail reports...

-- 
    Viktor.