Hey Viktor,

> On 11 May 2016, at 11:01, Viktor Dukhovni <[email protected]> wrote:
>
>> b) hosted in Germany where there's a BSI guideline to implement DNSSEC (I
>> talked to these guys a while ago, they're largely unfamiliar with the topic
>> of cryptography AFAICT)
>
> [ I get it, you really don't care for DNSSEC. :-) But that's not
> a sound reason to then also dislike anyone who is not like-minded. ]
It's not that I didn't like them. They were nice guys. But, among quite a few other things, if they're talking about new guidelines -- some with regard to X.509 -- and haven't heard about CT or how CT works, that's a bit weird, IMO. BSI is the former crypto department of the BND, as I'm sure you're aware. I'm from a German-speaking country with similar bureaucracies in place, and I have very little trust in their ultimate recommendations, findings and the laws they support. But that's just me, I don't like governments in general. That doesn't mean they do not have good people around; there are some, I've even met a few.

It's also a bit off-topic w.r.t. the DNSSEC/DANE discussion. I do like the DANE standard itself, I just hate that it builds on DNSSEC. Shifting trust anchors from (now audited, monitored) CAs to TLDs (now we have tons of weird gTLDs) is just not the way to go. Besides, DNSSEC is a 15-year-old standard that totally fails in many information security regards and hasn't been updated to an extent that I'd consider it "modern", etc.

> While the BSI does have some influence over government systems and
> large email providers, ... the vast majority of .de domains with DANE
> TLSA records are individual vanity and small-business domains, and
> they are choosing to enable email transport security, not BSI
> conformance.

I'd still see this as a somewhat "German trend". Sysadmins talk to each other, use the same forum posts, et cetera.

>> c) aren't .gov, .mil etc. where a similar policy to the BSI one exists
>> - though large outages still happen frequently
>
> While .gov and .mil mandate DNSSEC, they don't have any domains with
> DANE at present. The closest you'll get to that in the DANE space is
>
> ncaa.go.tz
> zanzibarjustice.go.tz
>
> I doubt Tanzania was substantially influenced by either BSI or the USG.
> More likely someone with a bit of initiative there thought it was a good
> idea and made it happen.

Agreed.
> The top 5 DANE/DNSSEC enabled registrars are the primary MX hosts of
> 25.3k of the 30.5k domains. The remaining 5.2k domains are fairly diverse,
> and yes a large fraction are in Germany. If we also exclude domains with
> a secondary MX with one of those registrars we end up with:
>
> 1263 com
> 1013 de
> 655 net
> 360 org
> 234 eu
> 181 nl
> 174 cz
> 84 se
> 82 ch
> 81 info
> 78 fr
> 78 com.br
> 71 xyz
> 58 at
> 56 email
> 53 dk
> 53 be
> 48 me
> 42 io
> 28 biz
> 27 us
> 25 name
> 22 co.uk
> 18 uk
> 17 ovh
> 16 pt
> 16 hu
> 14 net.br
> 13 si
> 13 lu
> 12 ru
> 11 pl
> 11 is
> 20 fi
> 11 co
> 10 nu
> 9 cc
>
> Many of the .com/.net/.eu/.org domains are likely also German, but there
> is also a considerable fraction of AT/CZ/SE/CH/FR/DK/BE/NU domains. So,
> yes, at present most of the deployment is in Northern Europe, but note also
> some signs of life in the Eastern Bloc: .si/.ru/.hu/.pl
>
> With only one open-source MTA supporting DANE at present, and only with
> relatively recent releases, and OpenSSL 1.1.0 still (for a couple more
> weeks) in beta, it is not surprising that deployment is still light.
> We can't expect deployment when supporting code is not yet widely
> available.

That's more to the point, thanks for the data. Are your raw data-sets public anywhere (e.g. scans.io)?

Aaron
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
