> On Jan 13, 2016, at 1:23 PM, Viktor Dukhovni <[email protected]> wrote: > > On Wed, Jan 13, 2016 at 02:51:01PM +0000, Wiley, Glen wrote: > >> Comparable stats from SecSpider for a survey of 1056097 zones at >> http://secspider.verisignlabs.com/stats.html >> >> DANE Summary >> 16065 DANE enabled zones with TLSA records >> >> 65 PKIX based Trust Anchor TLSA records (Cert Usage 0) >> 541 PKIX based End Entity TLSA records (Cert Usage 1) >> 266 DANE based Trust Anchor TLSA records (Cert Usage 2) >> 5791 DANE based End Entity TLSA records (Cert Usage 3) > > 6663 > > These numbers don't add up to 16065 (their sum is 6663). Surely > there are not many zones (a majority?) with TLSA records with usage > other than 0/1/2/3? > >> 425 Zones have deployed TLSA for Secure SMTP (Port 465) >> 124 Zones have deployed TLSA for Secure POP3 (Port 995) >> 503 Zones have deployed TLSA for SMTP with STARTTLS (Port 587) >> 24 Zones have deployed TLSA for Alternate SMTP (Port 2525) >> 3024 Zones have deployed TLSA for HTTPS (Port 443) >> 1996 Zones have deployed TLSA for SMTP (Port 25) >> 72 Zones have deployed TLSA for POP3 (Port 110) >> 294 Zones have deployed TLSA for Secure IMAP (Port 993) >> 201 Zones have deployed TLSA for IMAP (Port 143) > > These numbers also add to 6663. Where did the 16k number come > from?
A very good question. The zone count is trying to show how many zones are protected by DANE. So, if a zone has its MX record (which is protected by DANE) in another zone, we count the referring zone as DANE enabled. The rationale was that DANE is an application-level protection so if you send email to someone at given email address, and the SMTP server is under another zone, the users of the email domain are still protected. That’s why it’s not a direct sum, but you can see we don’t multi-count the actual DANE records. I’m open to ideas about other ways to express this, but the intuition was to capture how many zones’ users are protected. Make sense? > I have found 10.7k domains for DANE SMTP (port 25) in a sample of > 4.8M domains of which 120k have DNSSEC for both the domain MX RRset > and for at least one best preference MX host and so can start > publishing TLSA records. This sounds really great. SecSpider has been monitoring as many DNSSEC-signed zones as I’ve been able to find for over 10 years. We’ve taken user submissions, crawled search engines, etc. in order to study the long term evolution of DNSSEC and how people have managed their zones since pretty much the beginning (we started monitoring every zone we could find right after the DNSSEC RFCs were published). We’ve found some really interesting things, but keeping abreast of the global deployment has become increasingly difficult. Would you be amendable to sharing those zones with SecSpider? I’d love to add them to its longitudinal study. Thanks! Eric _______________________________________________ dane mailing list [email protected] https://www.ietf.org/mailman/listinfo/dane
