
Virtually no email sent on the Internet is protected by DANE, DNSSEC, or TLSA.

Here's a short list of domains that are using DNSSEC, DANE and TLSA to protect their email. I also provide a transcript of a utility that connects to and verifies the SMTP server and the DANE/TLSA records for openssl.org, and could have done so for every domain on this list, but there's no reason to get carried away.

* geektimes.com

* gmx.com

* mail.com

* comcast.net

* dd24.net

* debian.org

* freebsd.org

* gentoo.org

* ietf.org

* isc.org

* netbsd.org

* openssl.org

* samba.org

* torproject.org

There's a DANE TLS SMTP server checking tool: https://www.huque.com/bin/danecheck-smtp

Here's what it does: This application checks a DANE SMTP Service. It queries the MX record set for the given domain, looks up DANE TLSA records at the MX targets, connects to the target servers, negotiates STARTTLS, and then attempts to verify the TLS server certificate against the TLSA records.

Let's test openssl.org:

    Domain Name: openssl.org

    MX host: 50 mta.openssl.org

    #################################################################
    ### CHECKING MX HOST: mta.openssl.org
    #################################################################

    TLSA records found: 1
    TLSA: 3 1 1 6cf12d78fbf242909d01b96ab5590812954058dc32f8415f048fff064291921e

    Connecting to IPv6 address: 2001:608:c00:180::1:e6 port 25
    recv: 220-mta.openssl.org ESMTP Postfix
    recv: 220 mta.openssl.org ESMTP Postfix
    send: EHLO cheetara.huque.com
    recv: 250-mta.openssl.org
    recv: 250-PIPELINING
    recv: 250-SIZE 36700160
    recv: 250-VRFY
    recv: 250-ETRN
    recv: 250-STARTTLS
    recv: 250-ENHANCEDSTATUSCODES
    recv: 250-8BITMIME
    recv: 250 DSN
    send: STARTTLS
    recv: 220 2.0.0 Ready to start TLS
    TLSv1.2 handshake succeeded.
    Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Peer Certificate chain:
     0 Subject CN: mta.openssl.org
       Issuer  CN: Let's Encrypt Authority X3
     1 Subject CN: Let's Encrypt Authority X3
       Issuer  CN: DST Root CA X3
     SAN dNSName: mta.openssl.org
    DANE TLSA 3 1 1 [6cf12d78fbf2...] matched EE certificate at depth 0
    Validated Certificate chain:
     0 Subject CN: mta.openssl.org
       Issuer  CN: Let's Encrypt Authority X3
     SAN dNSName: mta.openssl.org

    Connecting to IPv4 address: 194.97.150.230 port 25
    recv: 220-mta.openssl.org ESMTP Postfix
    recv: 220 mta.openssl.org ESMTP Postfix
    send: EHLO cheetara.huque.com
    recv: 250-mta.openssl.org
    recv: 250-PIPELINING
    recv: 250-SIZE 36700160
    recv: 250-VRFY
    recv: 250-ETRN
    recv: 250-STARTTLS
    recv: 250-ENHANCEDSTATUSCODES
    recv: 250-8BITMIME
    recv: 250 DSN
    send: STARTTLS
    recv: 220 2.0.0 Ready to start TLS
    TLSv1.2 handshake succeeded.
    Cipher: TLSv1.2 ECDHE-RSA-AES256-GCM-SHA384
    Peer Certificate chain:
     0 Subject CN: mta.openssl.org
       Issuer  CN: Let's Encrypt Authority X3
     1 Subject CN: Let's Encrypt Authority X3
       Issuer  CN: DST Root CA X3
     SAN dNSName: mta.openssl.org
    DANE TLSA 3 1 1 [6cf12d78fbf2...] matched EE certificate at depth 0
    Validated Certificate chain:
     0 Subject CN: mta.openssl.org
       Issuer  CN: Let's Encrypt Authority X3
     SAN dNSName: mta.openssl.org

    [0] Authentication succeeded for all (2) peers.
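
The matching step the tool reports above ("DANE TLSA 3 1 1 [...] matched EE certificate at depth 0"), as an added example that is not part of the original post or of the danecheck tool: a minimal DER walker pulls the SubjectPublicKeyInfo out of the certificate the server presented after STARTTLS, hashes it as the record's selector and matching type require, and compares the result with the TLSA data. The certificate is a constructed, unsigned toy, and DNS, DNSSEC validation of the TLSA lookup, the TLS handshake, and the DANE-TA (usage 2) chain walk are all out of scope.

```python
import hashlib

SEQ, INT, BITSTR, CTX0 = 0x30, 0x02, 0x03, 0xA0  # ASN.1 tags used below

def der_tlv(tag, content):  # short-form DER TLV, only used to build the sample cert
    return bytes([tag, len(content)]) + content

def der_read(buf, pos=0):
    """Decode the DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split the body of a SEQUENCE into its (still encoded) child TLVs."""
    out, pos = [], 0
    while pos < len(value):
        out.append(value[pos:der_read(value, pos)[2]])
        pos += len(out[-1])
    return out

def extract_spki(cert_der):
    """DER SubjectPublicKeyInfo: 7th tbsCertificate field, 6th in v1 certs (no [0] version)."""
    _, cert, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert)
    fields = der_children(tbs)
    return fields[6] if fields[0][0] == CTX0 else fields[5]

def tlsa_data(cert_der, selector, mtype):
    """RFC 6698 association data: selector 0=full cert, 1=SPKI; mtype 0=exact, 1=SHA-256, 2=SHA-512."""
    subject = cert_der if selector == "0" else extract_spki(cert_der)
    return {"0": lambda b: b, "1": lambda b: hashlib.sha256(b).digest(),
            "2": lambda b: hashlib.sha512(b).digest()}[mtype](subject)

def tlsa_matches(tlsa, cert_der):
    """Check a 'usage selector mtype hexdata' record against the EE cert; DANE-EE (usage 3) only."""
    usage, selector, mtype, data = tlsa.split()
    if usage != "3":
        raise ValueError("only DANE-EE (usage 3) is implemented here")
    return tlsa_data(cert_der, selector, mtype) == bytes.fromhex(data)

def make_sample_cert(with_version=True):
    """Constructed toy certificate: valid DER structure, unsigned, empty names."""
    spki = der_tlv(SEQ, der_tlv(SEQ, b"\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")
                   + der_tlv(BITSTR, b"\x00" + b"\x42" * 64))
    version = der_tlv(CTX0, der_tlv(INT, b"\x02")) if with_version else b""
    tbs = der_tlv(SEQ, version + der_tlv(INT, b"\x01") + der_tlv(SEQ, b"") * 4 + spki)
    return der_tlv(SEQ, tbs + der_tlv(SEQ, b"") + der_tlv(BITSTR, b"\x00")), spki
```

`tlsa_data(cert, "1", "1").hex()` is also the value an operator publishes in a `3 1 1` record for a given certificate, which is why key rotation must be coordinated with the DNS change.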


With the note that those are literally the best domain names you can come up with, and that you can go to the search bar below and look at my comments to see me running the Moz 500 through the same analysis, I feel like your list makes my point for me. Thanks.

DNSSEC standardization began in NINETEEN NINETY FIVE. That's twenty-five years ago. They got GENTOO.ORG. That's the win you're crowing over. Congratulations! As goes GENTOO.ORG, so too goes the Internet.


Internet protocol evolution is in a funny place currently. IPv6 is just as old and it's only recently been widely deployed. There's just so much inertia.



