DANE/DNSSEC/TLS tests from Go6lab – findings and results
Jan Žorž, Go6 Institute
DNSSEC implementation in go6lab
• PowerDNS server (used as primary for non-signed domains) as “hidden” primary DNS server
• OpenDNSSEC platform for signing domains
• BIND9 DNS servers as secondaries to OpenDNSSEC to serve signed zones
• Virtualization used: Proxmox 3.4
• OS templates: fedora-20, CentOS 6/7,
DNSSEC implementation in go6lab
• “Bump in the wire”: OpenDNSSEC sits between the hidden primary and the public servers, signing the zones it transfers through
• Two public “primary” servers
• Concept: (diagram slide)
DNSSEC in go6lab
• That was fairly easy and it works very well.
• Implementation document used, from Matthijs Mekking:
http://go6.si/docs/opendnssec-start-guide-draft.pdf
DANE experiment
• When DNSSEC was set up and functioning we started to experiment with DANE (DNS-based Authentication of Named Entities, RFC 6698; the SMTP profile is RFC 7672).
• Requirements:
– DNSSEC-signed domains
– Postfix built with TLS support, version 2.11 or later (2.11 is the first release with DANE support)
• We decided on Postfix 3.0.1
DANE
• TLSA record for mx.go6lab.si (owner name is port and protocol prefixed to the MX hostname):
_25._tcp.mx.go6lab.si. IN TLSA 3 0 1 B4B7A46F9F0DFEA0151C2E07A5AD7908F4C8B0050E7CC25908DA05E2 A84748ED
• It’s basically a hash of the TLS certificate on mx.go6lab.si. The three numbers say how: usage 3 (DANE-EE: the named certificate itself is the trust anchor, no CA signature needed), selector 0 (match the full certificate) and matching type 1 (SHA-256). The hex data is therefore the SHA-256 digest of the DER-encoded certificate; the space inside the hex is allowed in TLSA presentation format (RFC 6698). RFC 7672 recommends “3 1 1” for SMTP (hash of the public key only), because that record survives certificate renewals that keep the key.
More about DANE: http://www.internetsociety.org/deploy360/resources/dane/
What is DANE and how does it work
(three diagram slides, no text)
DANE verification
• mx.go6lab.si was able to verify the TLS certificate of the T-2 mail server, NLnet Labs and some others… (the second log line below shows the reverse direction: a remote Postfix host, “dicht”, establishing a Verified connection to mx.go6lab.si)
mx postfix/smtp[31332]: Verified TLS connection established to
smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher
DHE-RSA-AES256-SHA (256/256 bits)
dicht postfix/smtp[29540]: Verified TLS connection established to
mx.go6lab.si[2001:67c:27e4::23]:25: TLSv1.2 with cipher
ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
![Page 11: DANE/DNSSEC/TLS tests from Go6lab – findings and results Jan Žorž, Go6 Institute](https://reader035.vdocuments.mx/reader035/viewer/2022062322/5697bfc81a28abf838ca8257/html5/thumbnails/11.jpg)
Postfix config (main.cf)
smtpd_use_tls = yes
smtpd_tls_security_level = may
smtpd_tls_key_file = /etc/postfix/ssl/server.pem
smtpd_tls_cert_file = /etc/postfix/ssl/server.pem
smtpd_tls_auth_only = no
smtpd_tls_loglevel = 1
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
# "dane" is only effective together with smtp_dns_support_level = dnssec and a
# DNSSEC-validating resolver in /etc/resolv.conf; neither is shown on this slide.
smtp_tls_security_level = dane
smtp_use_tls = yes
smtp_tls_note_starttls_offer = yes
smtp_tls_loglevel = 1
tls_random_exchange_name = /var/run/prng_exch
tls_random_source = dev:/dev/urandom
# smtp_use_tls / smtpd_use_tls are legacy switches superseded by the *_tls_security_level
# parameters; tls_smtp_use_tls is not a documented Postfix parameter (Postfix warns about
# unused parameters at startup).
tls_smtp_use_tls = yes
Malformed TLSA record
• We created a TLSA record with a bad hash (one character changed)
• Postfix failed to verify it and refused to send the message
mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)
mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted
This is the behaviour RFC 7672 requires: once usable TLSA records exist for an MX host, a certificate that matches none of them is a hard failure and the mail is deferred rather than delivered with downgraded security.
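The TLSA record from the DANE slide and the “one character changed” test above, as an added worked example that is not code from the Go6lab deck: it builds a “3 0 1” (and a “3 1 1”) record from a DER certificate, parses the presentation format (including the whitespace inside the hex that appears on the slide), and shows that a record with one flipped hex digit no longer matches. The certificate in the block is a constructed DER skeleton with a dummy key, built only so the script runs offline; the DER walker and the `openssl x509 -outform DER` hint are the assumptions, everything else is RFC 6698 / RFC 7672.

```python
"""Build and check SMTP DANE TLSA records (RFC 6698 / RFC 7672) from a DER
certificate, including the "one character changed" failure from the slides.
Added example; this is not code from the Go6lab deck. The certificate below is
a constructed DER skeleton with dummy contents, built only so the script runs
offline. For a real server use the DER of its certificate, e.g.
openssl x509 -in server.pem -outform DER -out server.der"""
import hashlib
import re


def der_tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (single-byte tags, length < 65536)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body


def der_read(buf: bytes, pos: int = 0):
    """Decode the TLV at pos -> (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def subject_public_key_info(cert_der: bytes) -> bytes:
    """Return the raw SubjectPublicKeyInfo TLV (TLSA selector 1) by walking
    Certificate -> tbsCertificate: [0] version?, serialNumber, signature,
    issuer, validity, subject, subjectPublicKeyInfo."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert_body)
    pos = 0
    tag, _, nxt = der_read(tbs, pos)
    if tag == 0xA0:          # optional EXPLICIT [0] version
        pos = nxt
    for _ in range(5):       # serialNumber, signature, issuer, validity, subject
        _, _, pos = der_read(tbs, pos)
    tag, _, nxt = der_read(tbs, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo not found")
    return tbs[pos:nxt]


def tlsa_data(cert_der: bytes, selector: int, matching: int) -> str:
    """Certificate association data for the given selector / matching type."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if matching == 0:
        return data.hex().upper()
    if matching == 1:
        return hashlib.sha256(data).hexdigest().upper()
    if matching == 2:
        return hashlib.sha512(data).hexdigest().upper()
    raise ValueError("unknown matching type")


def tlsa_record(host: str, cert_der: bytes, usage=3, selector=0, matching=1) -> str:
    """Presentation-format TLSA RR for SMTP on port 25, as on the slide (3 0 1)."""
    return f"_25._tcp.{host}. IN TLSA {usage} {selector} {matching} {tlsa_data(cert_der, selector, matching)}"


TLSA_RE = re.compile(r"^(\S+)\s+IN\s+TLSA\s+(\d)\s+(\d)\s+(\d)\s+([0-9A-Fa-f\s]+)$")


def parse_tlsa(rr: str):
    """Parse presentation format; whitespace inside the hex is allowed (RFC 6698 2.2)."""
    m = TLSA_RE.match(rr.strip())
    if not m:
        raise ValueError("not a TLSA record")
    owner, usage, selector, matching, data = m.groups()
    return owner, int(usage), int(selector), int(matching), re.sub(r"\s+", "", data).upper()


def tlsa_matches(rr: str, cert_der: bytes) -> bool:
    """DANE-EE (usage 3) check: does the presented end-entity cert match the record?
    Usages 0-2 need chain building against the presented chain and are not handled here."""
    _, usage, selector, matching, data = parse_tlsa(rr)
    if usage != 3:
        raise ValueError("only DANE-EE (usage 3) records are checked here")
    return tlsa_data(cert_der, selector, matching) == data


def constructed_sample_cert() -> bytes:
    """Structurally valid Certificate with dummy fields and a dummy key: constructed
    for this example only, not a real certificate."""
    rsa_oid = der_tlv(0x06, bytes.fromhex("2A864886F70D010101"))     # rsaEncryption
    sha256_rsa = der_tlv(0x06, bytes.fromhex("2A864886F70D01010B"))  # sha256WithRSAEncryption
    null = der_tlv(0x05, b"")
    spki = der_tlv(0x30, der_tlv(0x30, rsa_oid + null) + der_tlv(0x03, b"\x00" + b"\x42" * 64))
    name = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, der_tlv(0x06, bytes.fromhex("550403")) + der_tlv(0x0C, b"mx.go6lab.si"))))
    validity = der_tlv(0x30, der_tlv(0x17, b"150101000000Z") + der_tlv(0x17, b"160101000000Z"))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01")
                  + der_tlv(0x30, sha256_rsa + null) + name + validity + name + spki)
    return der_tlv(0x30, tbs + der_tlv(0x30, sha256_rsa + null) + der_tlv(0x03, b"\x00" * 33))


if __name__ == "__main__":
    cert = constructed_sample_cert()
    good = tlsa_record("mx.go6lab.si", cert)               # 3 0 1, as on the slide
    spki_rr = tlsa_record("mx.go6lab.si", cert, 3, 1, 1)   # 3 1 1, RFC 7672's recommendation
    bad = good[:-1] + ("0" if good[-1] != "0" else "1")    # one hex character changed
    print(good)
    print(spki_rr)
    print("good record matches:", tlsa_matches(good, cert))
    print("one character changed:", tlsa_matches(bad, cert))
```

The matcher only implements DANE-EE, which is what the slide uses; for usage 2 (DANE-TA) the record names an issuer certificate and the presented chain must additionally validate up to it, which a real client such as Postfix does and this snippet deliberately does not.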
1M top Alexa domains and DANE
• We fetched the Alexa top 1 million domains and created a script that sent an email to each of them (test-dnssec-dane@[domain])
• After some tweaking of the script we got some good results
• Then we built a script that parsed the maillog file, and here are the results:
Results
• Out of 1 million domains, 992,232 have an MX record and a mail server.
• Nearly 70% (687,897) of all attempted SMTP sessions to the MX records of the Alexa top 1 million domains were encrypted with TLS
• The majority of TLS connections (60%) were established with a trusted certificate
• 1,382 connections where the remote mail server announced TLS capability failed with "Cannot start TLS: handshake failure"
More results
TLS established connection ratios are:
Anonymous: 109,753
Untrusted: 167,063
Trusted: 410,953
Verified: 128
Quick guide (these are the four states Postfix logs for an outbound TLS session): Anonymous (opportunistic TLS with an anonymous cipher suite, no peer certificate at all), Untrusted (peer certificate presented but not signed by a trusted CA), Trusted (peer certificate signed by a trusted CA) and Verified (peer certificate matched the TLSA record via DANE).
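The maillog parsing step described above (“a script that parsed the maillog file”) and the Anonymous / Untrusted / Trusted / Verified quick guide, as an added example; this is not the Go6lab script. It reads Postfix smtp-client log lines of the shape shown on the earlier slides, counts sessions per TLS state, separates handshake failures and “Server certificate not trusted” (the DANE mismatch case) from hosts that never did TLS, and splits deliveries by address family. `SAMPLE_LOG` is constructed for the example, modelled on the slide's lines, with hosts and addresses in documentation ranges and made-up queue IDs; the line formats are Postfix's.

```python
"""Summarise Postfix smtp-client TLS outcomes from a maillog, in the spirit of
the maillog parser the Go6lab talk used for its Anonymous / Untrusted /
Trusted / Verified counts. Added example, not the Go6lab script. SAMPLE_LOG is
constructed (modelled on the lines shown in the slides, hosts and addresses in
example ranges) so the script runs offline; feed it real /var/log/maillog lines."""
import re
from collections import Counter

# "<level> TLS connection established to host[ip]:25: TLSv1.2 with cipher ... (n/m bits)"
TLS_LINE = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: (?P<level>Anonymous|Untrusted|Trusted|Verified) TLS "
    r"connection established to (?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+: "
    r"(?P<proto>TLSv[\d.]+) with cipher (?P<cipher>\S+)")
# Remote offered STARTTLS but the handshake broke (counted separately in the talk).
HANDSHAKE_FAIL = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: \w+: Cannot start TLS: handshake failure")
# Certificate failed policy; with smtp_tls_security_level = dane this is a TLSA mismatch.
NOT_TRUSTED = re.compile(r"postfix/smtp\[(?P<pid>\d+)\]: \w+: Server certificate not trusted")
# Per-delivery line: which MX was used and over which address family.
DELIVERY = re.compile(
    r"postfix/smtp\[(?P<pid>\d+)\]: \w+: to=<[^>]*>, relay=(?P<host>[^\[\s]+)\[(?P<ip>[^\]]+)\]:\d+,"
    r".*status=(?P<status>\w+)")


def summarize(lines):
    levels = Counter()
    tls_hosts, relay_hosts, failed_hosts, failed_pids = set(), set(), set(), set()
    handshake_failures = cert_not_trusted = deliveries = ipv4 = ipv6 = 0
    for line in lines:
        m = TLS_LINE.search(line)
        if m:
            levels[m["level"]] += 1
            tls_hosts.add(m["host"])
            continue
        m = HANDSHAKE_FAIL.search(line)
        if m:
            handshake_failures += 1
            failed_pids.add(m["pid"])    # attributed to the host on this process's delivery line
            continue
        if NOT_TRUSTED.search(line):
            cert_not_trusted += 1
            continue
        m = DELIVERY.search(line)
        if m:
            deliveries += 1
            relay_hosts.add(m["host"])
            if ":" in m["ip"]:
                ipv6 += 1
            else:
                ipv4 += 1
            if m["pid"] in failed_pids:
                failed_hosts.add(m["host"])
                failed_pids.discard(m["pid"])
    return {
        "levels": dict(levels),
        "tls_sessions": sum(levels.values()),
        "handshake_failures": handshake_failures,
        "cert_not_trusted": cert_not_trusted,
        "deliveries": deliveries,
        "ipv4_sessions": ipv4,
        "ipv6_sessions": ipv6,
        "tls_failed_hosts": sorted(failed_hosts),
        # Hosts contacted with neither a TLS session nor a failed handshake: no TLS at all.
        "no_tls_hosts": sorted(relay_hosts - tls_hosts - failed_hosts),
    }


# Constructed sample, modelled on the slides; not a real maillog.
SAMPLE_LOG = [
    "Jun  1 10:00:01 mx postfix/smtp[31332]: Verified TLS connection established to smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25: TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)",
    "Jun  1 10:00:01 mx postfix/smtp[31332]: 0A1B2C3D4E: to=<test-dnssec-dane@t-2.si>, relay=smtp-good-in-2.t-2.si[2a01:260:1:4::24]:25, delay=1.1, delays=0.1/0/0.5/0.5, dsn=2.0.0, status=sent (250 2.0.0 Ok)",
    "Jun  1 10:00:02 mx postfix/smtp[31333]: Trusted TLS connection established to mx.example.com[2001:db8::25]:25: TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)",
    "Jun  1 10:00:02 mx postfix/smtp[31333]: 1B2C3D4E5F: to=<test-dnssec-dane@example.com>, relay=mx.example.com[2001:db8::25]:25, delay=0.9, delays=0.1/0/0.4/0.4, dsn=2.0.0, status=sent (250 OK)",
    "Jun  1 10:00:03 mx postfix/smtp[31334]: Anonymous TLS connection established to mail.example.net[192.0.2.10]:25: TLSv1.2 with cipher ADH-AES256-SHA (256/256 bits)",
    "Jun  1 10:00:03 mx postfix/smtp[31334]: 2C3D4E5F60: to=<test-dnssec-dane@example.net>, relay=mail.example.net[192.0.2.10]:25, delay=0.7, delays=0.1/0/0.3/0.3, dsn=2.0.0, status=sent (250 OK)",
    "Jun  1 10:00:04 mx postfix/smtp[1765]: Untrusted TLS connection established to mail-bad.go6lab.si[2001:67c:27e4::beee]:25: TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)",
    "Jun  1 10:00:04 mx postfix/smtp[1765]: 3A4BE8EE5C: Server certificate not trusted",
    "Jun  1 10:00:04 mx postfix/smtp[1765]: 3A4BE8EE5C: to=<test-dnssec-dane@mail-bad.go6lab.si>, relay=mail-bad.go6lab.si[2001:67c:27e4::beee]:25, delay=0.6, delays=0.1/0/0.5/0, dsn=4.7.5, status=deferred (Server certificate not trusted)",
    "Jun  1 10:00:05 mx postfix/smtp[31336]: 4D5E6F7081: Cannot start TLS: handshake failure",
    "Jun  1 10:00:05 mx postfix/smtp[31336]: 4D5E6F7081: to=<test-dnssec-dane@example.org>, relay=mx.example.org[198.51.100.7]:25, delay=0.5, delays=0.1/0/0.4/0, dsn=4.7.4, status=deferred (Cannot start TLS: handshake failure)",
    "Jun  1 10:00:06 mx postfix/smtp[31337]: 5E6F708192: to=<test-dnssec-dane@example.edu>, relay=mail.example.edu[203.0.113.9]:25, delay=0.4, delays=0.1/0/0.2/0.1, dsn=2.0.0, status=sent (250 OK)",
]

if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Per-host state is keyed on hostname, which is why a provider such as secureserver.net can show up as both Trusted and no-TLS in the talk's numbers: different MX hosts behind one provider behave differently. The handshake-failure line carries no hostname, so it is tied to the delivery line logged by the same smtp process.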
DANE Verified
Verified: 128 !!!
Mail distribution
- Google.com mail servers handle 125,422 domains, all of them detected with Trusted TLS state.
- Secureserver.net mail servers handle 35,759 domains, some of them with Trusted TLS, some of them with no TLS at all.
- qq.com mail servers handle 11,254 domains and have no TLS at all.
- yandex.ru mail servers handle 9,268 domains and have Trusted TLS.
- ovh.net mail servers handle 8,531 domains, the majority of them establishing Trusted TLS; only their redirect server (redirect.ovh.net) has no TLS at all.
Mail distribution
- emailsrvr.com mail servers handle 8,262 domains and have Trusted TLS.
- zohomail.com mail servers handle 2,981 domains and have Trusted TLS.
- lolipop.jp mail servers handle 1,685 domains and have no TLS at all.
- kundenserver.de mail servers handle 2,834 domains and have Trusted TLS.
- gandi.net mail servers handle 2,200 domains and have Anonymous TLS.
DNSSEC? DANE?
None of these “big” mail servers (and their domains) are DNSSEC signed, which means DANE is not possible for them: a DANE client only trusts TLSA records it obtained through DNSSEC-validated MX and TLSA lookups.
SLO email servers test
• We extracted .si domains from the Alexa top 1M and added some DNSSEC-signed domains and some other “usual suspects”
• …and here are the results!
All contacted mail servers analysis:
All mail servers: 397
Anonymous TLS servers: 95 (no peer certificate, no verification, just anonymous encryption)
Untrusted TLS servers: 104 (peer certificate not signed by a trusted CA)
Trusted TLS servers: 103 (peer certificate signed by a trusted CA, unverified peer name)
Verified (DANE) TLS servers: 9 (peer certificate matched the DNSSEC-secured TLSA record; with usage 3 no CA signature is needed for this)
NO TLS servers: 90 (no TLS encryption at all, not even as an option)
All SMTP sessions analysis:
Number of all established SMTP sessions: 554
Number of all successful TLS sessions: 504
Number of all failed TLS sessions: 6
Number of sessions with NO TLS at all: 44
Number of IPv6 SMTP sessions: 53
Number of IPv4 SMTP sessions: 501
All domains checked analysis:
All domains checked: 610
NON DNSSEC signed domains: 575
DNSSEC signed domains: 35
Domains with no MX record: 56
DANE enabled mail servers:
- edo.kr-neki.si
- mail.go6lab.si
- mx1.t-2.net
- mx2.t-2.net
- mx.go6lab.si
- protector.rajmax.si
- renato.ni-re.net
- smtp-bad-in-1.t-2.net
- smtp-good-in-2.t-2.si
Mail servers with NO TLS capability
• The list is too long and I would not like to do public shaming here…
• …but the list can be found here:
http://bgp.go6.si/email-research/results.txt
Conclusions
• 70% of email can be encrypted in some way; you just need to enable TLS on your server
• Low number of DNSSEC-signed domains/servers
• Even lower number of DANE/TLSA-verified servers/connections
• It’s easy, go and do it – it’s not the end of the world and it helps with verifying who you are sending emails to – and vice versa ;)
Q&A
Questions? Protests? Suggestions? Complaints?
http://bgp.go6.si/email-research/results.txt