> On May 10, 2016, at 11:14 PM, Aaron Zauner <[email protected]> wrote:
>
> Do you have percentages which of these aren't either:
>
> a) an open-source project where there's large community demand (for some
> reason)
The open-source projects are a very tiny subset of the overall list,
they are a large fraction only of the "more prominent" domains, by
being "more prominent" than the mostly small domains with DANE support.
> b) hosted in germany where there's a BSI guide-line to implement DNSSEC (I
> talked to these guys a while ago, they're largely unfamiliar with the topic
> of cryptography AFAICT)
[ I get it, you really don't care for DNSSEC. :-) But that's not
a sound reason to then also dislike anyone who is not like-minded. ]
While the BSI does have some influence over government systems and
large email providers, ... the vast majority of .de domains with DANE
TLSA records are individual vanity and small-business domains, and
they are choosing to enable email transport security, not BSI
conformance.
A lot of the .de domains with DANE TLSA are hosted by udmedia.de, that
specifically marketed DNSSEC/DANE support to owners of small domains,
and hosts around 6000 domains under .de/.eu/.com/.net/...
Of the 3200 .de domains with DANE TLSA (that I was able to find, I
don't have anything like a complete list) ~1300 are not hosted by
udmedia.de or transip.nl or the other 3 top DNSSEC+DANE hosting
providers. They are "Mom&Pop" vanity domains and domains of
some small businesses.
> c) aren't .gov, .mil etc. where a similar policy to the BSI one exists
> - though large outages still happen frequently
While .gov and .mil mandate DNSSEC, they don't have any domains with
DANE at present. The closest you'll get to that in the DANE space is
ncaa.go.tz
zanzibarjustice.go.tz
I doubt Tanzania was substantially influenced by either BSI or the USG.
More likely someone with a bit of initiative there thought it was a good
idea and made it happen.
The top 5 DANE/DNSSEC enabled registrars are the primary MX hosts of
25.3k of the 30.5k domains. The remaining 5.2k domains are fairly diverse,
and yes a large fraction are in Germany. If we also exclude domains with
a secondary MX with one of those registrars we end up with:
1263 com
1013 de
655 net
360 org
234 eu
181 nl
174 cz
84 se
82 ch
81 info
78 fr
78 com.br
71 xyz
58 at
56 email
53 dk
53 be
48 me
42 io
28 biz
27 us
25 name
22 co.uk
18 uk
17 ovh
16 pt
16 hu
14 net.br
13 si
13 lu
12 ru
11 pl
11 is
20 fi
11 co
10 nu
9 cc
Many of the .com/.net/.eu/.org domains are likely also German, but there
is also a considerable fraction of AT/CZ/SE/CH/FR/DK/BE/NU domains. So,
yes, at present most of the deployment is in Northern Europe, but note also
some signs of life in the eastern bloc .si/.ru/.hu/.pl
With only one open-source MTA supporting DANE at present, and only with
relatively recent releases, and OpenSSL 1.1.0 still (for a couple more
weeks) in beta, it is not surprising that deployment is still light.
We can't expect deployment when supporting code is not yet widely
available.
--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
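The per-suffix tally in the message above (domains with DANE TLSA, minus those whose primary or secondary MX sits at one of the big DNSSEC/DANE hosting providers, grouped by registry suffix) can be reproduced offline on constructed data. The script below is an added example, not Viktor's survey code or anything from the UTA list. It assumes a domain "has DANE TLSA" when at least one of its MX hosts has a TLSA RRset at the SMTP owner name `_25._tcp.<mx host>` (RFC 7672), uses a hand-picked set of multi-label suffixes (co.uk, com.br, net.br, go.tz) in place of the Public Suffix List, and uses placeholder provider MX domains (`provider-a.example`, `provider-b.example`) rather than the providers named in the thread; all sample records and TLSA owner names are constructed.

```python
"""Tally DANE-enabled domains by public suffix, excluding domains with any MX
host at a large DNSSEC/DANE hosting provider. Added example on constructed
data; not the survey code behind the mailing-list numbers."""
from collections import Counter

# Multi-label public suffixes that occur in the thread's tally. A real run
# would consult the Public Suffix List instead (assumption for this example).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.br", "net.br", "go.tz"}

# Hypothetical MX domains of the big DNSSEC/DANE hosting providers. These are
# placeholders for the example, not the providers discussed on the list.
BIG_PROVIDER_MX_DOMAINS = {"provider-a.example", "provider-b.example"}


def normalize(name):
    """Lower-case a DNS name and strip any trailing dot."""
    return name.lower().rstrip(".")


def tlsa_owner_name(mx_host, port=25):
    """Owner name at which an SMTP DANE client looks up the MX host's TLSA
    RRset (RFC 7672): _<port>._tcp.<mx host>."""
    return f"_{port}._tcp.{normalize(mx_host)}"


def public_suffix(domain):
    """Registry suffix used for grouping: the last two labels when they form a
    known multi-label suffix, otherwise the last label."""
    labels = normalize(domain).split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-2:])
    return labels[-1]


def hosted_by_big_provider(mx_hosts):
    """True if any MX host (primary or secondary) is at, or below, one of the
    big providers' MX domains."""
    for host in mx_hosts:
        h = normalize(host)
        for prov in BIG_PROVIDER_MX_DOMAINS:
            if h == prov or h.endswith("." + prov):
                return True
    return False


def has_dane_tlsa(mx_hosts, tlsa_names):
    """Counting rule assumed here: a domain 'has DANE TLSA' when at least one
    of its MX hosts has a TLSA RRset at the SMTP owner name."""
    return any(tlsa_owner_name(h) in tlsa_names for h in mx_hosts)


def tally_by_suffix(records, tlsa_names):
    """Count DANE-enabled domains per public suffix, skipping any domain with
    a primary or secondary MX at a big provider (the thread's second filter)."""
    counts = Counter()
    for domain, mx_hosts in records:
        if not has_dane_tlsa(mx_hosts, tlsa_names):
            continue
        if hosted_by_big_provider(mx_hosts):
            continue
        counts[public_suffix(domain)] += 1
    return counts


# Constructed sample records: (domain, [MX hosts in preference order]).
SAMPLE_RECORDS = [
    ("alpha.de", ["mail.alpha.de"]),                            # own MX, has TLSA
    ("beta.de", ["mx1.provider-a.example"]),                    # primary at big provider
    ("gamma.de", ["mail.gamma.de", "mx2.provider-b.example"]),  # secondary at big provider
    ("delta.co.uk", ["mail.delta.co.uk"]),                      # multi-label suffix
    ("epsilon.com.br", ["mail.epsilon.com.br"]),
    ("zeta.com", ["mail.zeta.com"]),                            # no TLSA record
    ("eta.go.tz", ["mail.eta.go.tz."]),                         # trailing dot, still matches
]

# Constructed set of owner names that answered with a TLSA RRset.
SAMPLE_TLSA_NAMES = {
    "_25._tcp.mail.alpha.de",
    "_25._tcp.mx1.provider-a.example",
    "_25._tcp.mail.gamma.de",
    "_25._tcp.mail.delta.co.uk",
    "_25._tcp.mail.epsilon.com.br",
    "_25._tcp.mail.eta.go.tz",
}

if __name__ == "__main__":
    # Prints the same "count suffix" layout used in the message, most common first.
    for suffix, n in tally_by_suffix(SAMPLE_RECORDS, SAMPLE_TLSA_NAMES).most_common():
        print(f"{n:5d} {suffix}")
```

On the sample data, beta.de and gamma.de drop out because a primary or secondary MX points at a placeholder provider, zeta.com drops out for lack of a TLSA RRset, and the four remaining domains land under de, co.uk, com.br and go.tz. Replacing the constructed sets with real MX and TLSA lookups is the only change needed to run this against live data.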