Statistics of the month: DANE for e-mail

Big rise in domain names secured with DANE for e-mail

StartTLS is an extension to the classic SMTP e-mail protocol. It provides for the connection between a sending mail server and a receiving mail server to be encrypted to protect against snoopers. Sounds good, eh? Except that encryption isn't guaranteed. A malicious 'man in the middle' can easily prevent the encrypted connection being established, so that the mail is exchanged in a readable form. DANE is a standard designed to resolve that problem and make life harder for snoopers. So, how is adoption of DANE + StartTLS going in our .nl domain?

We're promoting adoption of DANE

Earlier this year, we wrote about DANE for e-mail (RFC7672) and the security issues it addresses. We also announced that we were going to add DANE to our incentive scheme for registrars, the Registrar Scorecard (RSC). Incentivising DANE is part of our efforts to promote the use of modern standards. To enable the objective measurement of adoption, we use DMAP, developed by. We use DMAP to monitor a range of variables, including the adoption of standards incentivised through the RSC. Some of the data collected with DMAP is made available on our website stats.sidnlabs.nl, and we periodically publish supporting articles in our newsletter. It's now six months since the last article, so this seems like a good time to see whether our stats provide evidence of progress with DANE adoption.

Where do we currently stand with DANE?

The DANE standard depends on the use of DNSSEC. However, many internet users don't have the benefit of a DNSSEC-validating resolver. That's why the use of DANE for websites hasn't yet taken off; indeed, it hasn't really got going at all. Enabling DANE for e-mail is much easier, though, because setting up DNSSEC (validation) is relatively straightforward for the administrators of e-mail environments. Consequently, DANE for StartTLS has gained real traction in several countries, with Germany the standout example. We measure the adoption of DANE for e-mail within the .nl domain using OpenINTEL: a DNS measurement platform set up in collaboration with the UTwente, SURFnet and NLnet Labs. Every day, OpenINTEL scans more than 220 million domain names, including all .nl domain names, to check various parameters, one of which is the presence of TLSA (DANE) records. We therefore have a wealth of information on this subject.

How do we measure DANE for e-mail?

Our DANE measurement method is as follows. First, we look at the primary MX record(s) of each domain (the one with the lowest preference value). Then we see whether both the domain name itself and the domain name of the MX record (which may be different) are secured with DNSSEC. After that, we establish whether the relevant MX host has a DANE TLSA record (e.g. "_25._tcp.kamx.sidn.nl"). If it does, we count the domain name as DANE-enabled.

_25._tcp.kamx.sidn.nl

Figure 1: The TLSA record for sidn.nl's MX record
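
The measurement steps described above, applied to a small constructed data set (an added example, not SIDN's or OpenINTEL's code). The `Name` record layout, the result labels and the rule that every equal-preference primary MX host must qualify are assumptions made for illustration; all names and digests are placeholders.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Name:
    signed: bool = False                      # answers validate with DNSSEC
    mx: list = field(default_factory=list)    # (preference, exchange) pairs
    tlsa: list = field(default_factory=list)  # TLSA rdata at _25._tcp.<name>

def primary_mx(mx):
    """Exchange hosts sharing the lowest preference value; null MX (".") is skipped."""
    usable = [(p, h.rstrip(".").lower()) for p, h in mx if h.rstrip(".")]
    best = min((p for p, _ in usable), default=None)
    return sorted(h for p, h in usable if p == best)

def classify(domain, data):
    """Apply the measurement steps in order and report the first one that fails."""
    rec = data.get(domain, Name())
    hosts = primary_mx(rec.mx)
    if not hosts:
        return "no-mx"
    if not rec.signed:
        return "domain-unsigned"
    # Assumption: with several equal-preference primaries, all must qualify.
    targets = [data.get(h, Name()) for h in hosts]
    if not all(t.signed for t in targets):
        return "mx-unsigned"      # a TLSA record in an unsigned zone does not count
    if not all(t.tlsa for t in targets):
        return "no-tlsa"
    return "dane"

def tally(domains, data):
    return Counter(classify(d, data) for d in domains)

# Constructed sample data; names and digests are placeholders, not measurements.
SAMPLE = {
    "a.example": Name(True, [(10, "mx1.host.example."), (20, "mx2.host.example.")]),
    "b.example": Name(True, [(10, "mx.unsigned.example.")]),
    "c.example": Name(False, [(5, "mx1.host.example.")]),
    "d.example": Name(True, [(0, ".")]),  # null MX: domain accepts no mail
    "e.example": Name(True, [(10, "mx1.host.example."), (10, "mx2.host.example.")]),
    "mx1.host.example": Name(True, tlsa=["3 1 1 <sha256-placeholder>"]),
    "mx2.host.example": Name(True),       # signed, but no TLSA published
    "mx.unsigned.example": Name(False, tlsa=["3 1 1 <sha256-placeholder>"]),
}

if __name__ == "__main__":
    print(tally(["a.example", "b.example", "c.example", "d.example", "e.example"], SAMPLE))
```

Only `a.example` is counted as DANE-enabled here: its secondary MX lacks a TLSA record, but the method looks at the primary MX only.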

For some time, it's been apparent that the number of DANE-enabled .nl domain names is growing. About 276,000 .nl domain names now have DANE security for e-mail -- a big increase on a few months ago.

DANE on stats.sidnlabs.nl

A long way to go

Of course, that's still a small proportion of the 3.2 million or so signed .nl domain names. So there's still a long way to go. It's important to bear in mind that many domain names aren't actually used for e-mail: at least 25 per cent have no MX record. Nevertheless, there's plenty of scope for growing the DANE percentage, so we're going to continue incentivising adoption, at least for the moment. It'll be worth keeping an eye on the stats, therefore.

In the meantime, you can check the presence of DANE TLSA records for your favourite domain name using https://dane.sys4.de/ and https://internet.nl/.
