StartTLS is an extension to the classic SMTP e-mail protocol. It provides for the connection between a sending mail server and a receiving mail server to be encrypted to protect against snoopers. Sounds good, eh? Except that encryption isn't guaranteed. A malicious 'man in the middle' can easily prevent the encrypted connection being established, so that the mail is exchanged in a readable form. DANE is a standard designed to resolve that problem and make life harder for snoopers. So, how is adoption of DANE + StartTLS going in our .nl domain?
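The downgrade described above comes down to one decision in the sending mail server: what to do when the receiving server's EHLO reply does not advertise STARTTLS. The following Python is an added illustration, not code from SIDN or from any real MTA; the EHLO replies are constructed, the `decide_session` policy model is a simplification of the opportunistic-versus-DANE behaviour that RFC 7672 describes, and the policy names are assumptions made for this example.

```python
"""Added example (not from the SIDN article): how a sending MTA's TLS policy
decides what to do when the receiving server's EHLO reply does, or does not,
advertise STARTTLS. The EHLO replies are constructed sample data and the
policy model is a simplification, not any MTA's real code."""

from typing import List

# Constructed sample EHLO replies. The second one is what a sender sees when
# a man in the middle has removed the STARTTLS capability line.
EHLO_WITH_STARTTLS = (
    "250-mx.example.nl Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250-STARTTLS\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)
EHLO_STRIPPED = (
    "250-mx.example.nl Hello\r\n"
    "250-SIZE 52428800\r\n"
    "250 ENHANCEDSTATUSCODES\r\n"
)


def ehlo_capabilities(reply: str) -> List[str]:
    """Parse a multi-line 250 EHLO reply into its capability keywords."""
    caps = []
    for line in reply.splitlines():
        if not line.startswith("250"):
            continue
        # '250-' marks continuation lines, '250 ' the final line; the first
        # token after the code is the keyword (e.g. STARTTLS, SIZE).
        body = line[4:].strip()
        if body:
            caps.append(body.split()[0].upper())
    # The first line is the server greeting, not a capability.
    return caps[1:]


def decide_session(reply: str, policy: str, tlsa_present: bool) -> str:
    """Return the sender's action: 'tls', 'plaintext' or 'refuse'.

    'opportunistic': use TLS if offered, otherwise fall back to plaintext.
        This is exactly where STARTTLS stripping succeeds.
    'dane': a DNSSEC-validated TLSA record proves the receiver supports TLS,
        so a missing STARTTLS offer is treated as tampering and delivery is
        refused (deferred) rather than downgraded. With no TLSA record,
        RFC 7672 falls back to opportunistic behaviour.
    (Certificate matching against the TLSA data is out of scope here.)
    """
    offers_tls = "STARTTLS" in ehlo_capabilities(reply)
    if policy == "opportunistic":
        return "tls" if offers_tls else "plaintext"
    if policy == "dane":
        if not tlsa_present:
            return "tls" if offers_tls else "plaintext"
        return "tls" if offers_tls else "refuse"
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    for reply_name, reply in (("intact", EHLO_WITH_STARTTLS), ("stripped", EHLO_STRIPPED)):
        for policy, tlsa in (("opportunistic", False), ("dane", True)):
            print(reply_name, policy, "->", decide_session(reply, policy, tlsa))
```

The interesting row is the stripped reply under the `dane` policy: because the TLSA record is signed and validated, the sender knows TLS should have been on offer and refuses to continue in the clear, which is the guarantee the article says plain StartTLS cannot give.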
We're promoting adoption of DANE
Earlier this year, we wrote about DANE for e-mail (RFC 7672) and the security issues it addresses. We also announced that we were going to add DANE to our incentive scheme for registrars, the Registrar Scorecard (RSC). Incentivising DANE is part of our efforts to promote the use of modern standards. To enable the objective measurement of adoption, we use DMAP, developed by. We use DMAP to monitor a range of variables, including the adoption of standards incentivised through the RSC. Some of the data collected with DMAP is made available on our website stats.sidnlabs.nl, and we periodically publish supporting articles in our newsletter. It's now six months since the last article, so this seems like a good time to see whether our stats provide evidence of progress with DANE adoption.
Where do we currently stand with DANE?
The DANE standard depends on the use of DNSSEC. However, many internet users don't have the benefit of a DNSSEC-validating resolver. That's why the use of DANE for websites hasn't yet taken off; indeed, it hasn't really got going at all. Enabling DANE for e-mail is much easier, though, because setting up DNSSEC (validation) is relatively straightforward for the administrators of e-mail environments. Consequently, DANE for StartTLS has gained real traction in several countries, with Germany the standout example. We measure the adoption of DANE for e-mail within the .nl domain using OpenINTEL, a DNS measurement platform set up in collaboration with UTwente, SURFnet and NLnetLabs. Every day, OpenINTEL scans more than 220 million domain names, including all .nl domain names, to check various parameters, one of which is the presence of TLSA (DANE) records. We therefore have a wealth of information on this subject.
How do we measure DANE for e-mail?
Our DANE measurement method is as follows. First, we look at the primary MX record(s) of each domain (the one(s) with the lowest priority value). Then we check whether both the domain name itself and the domain name of the MX record (which may be different) are secured with DNSSEC. After that, we establish whether the relevant MX record has a DANE TLSA record (e.g. "_25._tcp.kamx.sidn.nl"). If it does, we count the domain name as DANE-enabled.
Figure 1: The TLSA record for sidn.nl's MX record
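To make the three-step method concrete, here is an added Python illustration of the same classification run over a constructed, offline snapshot of DNS answers. It is not SIDN's DMAP or OpenINTEL code. Each answer carries a `secure` flag standing in for the AD bit a validating resolver would set; the domain names, MX hosts and TLSA data are made up; and the choice to require a validated TLSA record for every equal-lowest-priority MX host is this example's own assumption.

```python
"""Added example, not SIDN's DMAP/OpenINTEL code: the DANE-for-SMTP
classification described in the article, applied to a constructed offline
snapshot. 'secure' stands in for the AD bit of a validating resolver.
All names and records below are made up for illustration."""

from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Answer:
    records: list   # MX: (priority, host); A: address; TLSA: (usage, selector, mtype, data)
    secure: bool    # True when the answer was DNSSEC-validated


# Constructed snapshot: (owner name, rrtype) -> Answer
SNAPSHOT: Dict[Tuple[str, str], Answer] = {
    # Signed domain, signed MX host, validated TLSA record -> DANE-enabled
    ("signed-dane.nl", "MX"): Answer([(20, "backup.signed-dane.nl."), (10, "mx.signed-dane.nl.")], True),
    ("mx.signed-dane.nl", "A"): Answer(["192.0.2.25"], True),
    ("_25._tcp.mx.signed-dane.nl", "TLSA"): Answer([(3, 1, 1, "ab" * 32)], True),
    # Signed domain whose MX host lives in an unsigned zone: the TLSA exists but cannot be trusted
    ("signed-unsigned-mx.nl", "MX"): Answer([(10, "mx.unsigned-host.example.")], True),
    ("mx.unsigned-host.example", "A"): Answer(["192.0.2.26"], False),
    ("_25._tcp.mx.unsigned-host.example", "TLSA"): Answer([(3, 1, 1, "cd" * 32)], False),
    # Unsigned domain pointing at a DANE-enabled MX host
    ("unsigned.nl", "MX"): Answer([(10, "mx.signed-dane.nl.")], False),
    # Signed domain and MX host, but no TLSA record published
    ("signed-no-tlsa.nl", "MX"): Answer([(10, "mx.signed-no-tlsa.nl.")], True),
    ("mx.signed-no-tlsa.nl", "A"): Answer(["192.0.2.27"], True),
    # no-mail.nl: no MX record at all
}


def lookup(name: str, rrtype: str) -> Optional[Answer]:
    """Offline stand-in for a validating resolver query."""
    return SNAPSHOT.get((name.rstrip(".").lower(), rrtype))


def primary_mx_hosts(domain: str) -> Tuple[List[str], bool]:
    """Step 1: the MX host(s) with the lowest priority value, plus whether the
    MX answer (and so the domain itself) was DNSSEC-validated."""
    ans = lookup(domain, "MX")
    if ans is None or not ans.records:
        return [], False
    lowest = min(prio for prio, _ in ans.records)
    hosts = [host.rstrip(".").lower() for prio, host in ans.records if prio == lowest]
    return hosts, ans.secure


def tlsa_name(mx_host: str) -> str:
    """Owner name of the TLSA record for SMTP on port 25 at an MX host."""
    return f"_25._tcp.{mx_host}"


def classify(domain: str) -> str:
    """Steps 2 and 3: both names must be DNSSEC-secured and every primary MX
    host must have a validated TLSA record (requiring all hosts is this
    example's assumption)."""
    hosts, domain_secure = primary_mx_hosts(domain)
    if not hosts:
        return "no-mx"
    if not domain_secure:
        return "domain-unsigned"
    for host in hosts:
        host_ans = lookup(host, "A")
        if host_ans is None or not host_ans.secure:
            return "mx-unsigned"
        tlsa = lookup(tlsa_name(host), "TLSA")
        if tlsa is None or not tlsa.records or not tlsa.secure:
            return "no-tlsa"
    return "dane"


def tally(domains: List[str]) -> Dict[str, int]:
    """Count how a set of domains falls into each category."""
    counts: Dict[str, int] = {}
    for d in domains:
        c = classify(d)
        counts[c] = counts.get(c, 0) + 1
    return counts


if __name__ == "__main__":
    sample = ["signed-dane.nl", "signed-unsigned-mx.nl", "unsigned.nl", "signed-no-tlsa.nl", "no-mail.nl"]
    for d in sample:
        print(f"{d:24s} {classify(d)}")
    print(tally(sample))
```

The "mx-unsigned" case is the one that is easy to overlook: a signed domain can publish MX records pointing at a provider whose zone is not signed, and then a TLSA record at the MX host is worthless, since a sender cannot validate it. That is why the method checks DNSSEC on both the domain and the MX host name before it counts a TLSA record.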
For some time, it's been apparent that the number of DANE-enabled .nl domain names is growing. About 276,000 .nl domain names now have DANE security for e-mail, a big increase compared with a few months ago.
A long way to go
Of course, that's still a small proportion of the 3.2 million or so signed .nl domain names, so there's still a long way to go. It's important to bear in mind that many domain names aren't actually used for e-mail: at least 25 per cent have no MX record. Nevertheless, there's plenty of scope for growing the DANE percentage, so we're going to continue incentivising adoption, at least for the moment. The stats will therefore be worth keeping an eye on.
In the meantime, you can check the presence of DANE TLSA records for your favourite domain name using https://dane.sys4.de/ and https://internet.nl/.