WEBVTT

00:00.000 --> 00:07.000
Hi.

00:07.000 --> 00:08.000
This is working.

00:08.000 --> 00:09.000
Yes.

00:09.000 --> 00:10.000
I'm Benjamin.

00:10.000 --> 00:18.000
I work for the government and I'll talk about online tooling to check your email configuration.

00:18.000 --> 00:21.000
Partly, Internet.nl, but also some other tools.

00:21.000 --> 00:30.000
For the government, I advise on standards and I use Internet.nl to scan the Dutch government internally

00:30.000 --> 00:34.000
and report on that openly.

00:34.000 --> 00:37.000
Let's take a look at Internet.nl.

00:37.000 --> 00:48.000
For example, there is a website testing part, but there's also an email testing part and I will mainly focus on the email testing part.

00:48.000 --> 00:59.000
So, Internet.nl is done by the Dutch Internet Standards Platform; that's the organization behind it.

00:59.000 --> 01:04.000
And that's a public-private partnership between government and the Internet community.

01:04.000 --> 01:15.000
Internet community like RIPE or the local TLD, but also the Internet Society, from which we use the nice Internet.nl name.

01:15.000 --> 01:18.000
We rent it, or we can use it from them.

01:18.000 --> 01:27.000
And some governmental organizations including the local Dutch National Security Center.

01:27.000 --> 01:38.000
So, the main goal is to promote modern Internet standards and I will mainly focus on these few standards.

01:38.000 --> 01:40.000
Well, yeah.

01:40.000 --> 01:45.000
Common standards hopefully, although not always.

01:45.000 --> 01:51.000
So, IPv6 for email: we check your name servers.

01:51.000 --> 01:57.000
Do you have at least two name servers with an IPv6 address? Are they reachable?

01:57.000 --> 02:00.000
And the same goes for the email server.

02:00.000 --> 02:04.000
So, does it actually have an IPv6 address?

02:04.000 --> 02:13.000
We don't check if you actually have an IPv4 address; you are allowed not to have an IPv4 address, of course, but you should at least have an IPv6 address, right?

02:13.000 --> 02:18.000
The main thing: this is, I think, 30 years old now or something.

02:18.000 --> 02:21.000
It's pretty old.

02:21.000 --> 02:24.000
Lots of tooling cannot handle IPv6.

02:24.000 --> 02:31.000
So, my favorite tool like IPv4 info, you cannot use it, but you can use like IPv4.nl.

02:31.000 --> 02:41.000
But you might also want to check all your monitoring tools if they actually support IPv6.

02:41.000 --> 02:44.000
But that's this kind of problem.

02:44.000 --> 02:49.000
Please don't use IPv4-mapped IPv6 addresses.

02:49.000 --> 02:54.000
Sometimes you see governmental people doing this just to comply with our tooling.

02:54.000 --> 02:58.000
But nowadays we ban this.

02:58.000 --> 03:07.000
So, uptime: sometimes you get messages like, yeah, is Google down or is Internet.nl wrong?

03:07.000 --> 03:13.000
Well, Google's down, of course, on IPv6 because they don't apparently monitor it somehow.

03:13.000 --> 03:18.000
Check your monitoring tools, apparently Google didn't.

03:18.000 --> 03:26.000
So, please also note if you're self hosting at home or something and you check your IPv6 address,

03:26.000 --> 03:29.000
that you are not exposing your MAC address.

03:29.000 --> 03:36.000
So, if you have, like, FE in your IPv6 address, you might expose your MAC address.

03:36.000 --> 03:39.000
Could also be a random data range.

03:39.000 --> 03:43.000
We check that also on the connection test on Internet.nl.

03:43.000 --> 03:46.000
So, you can do that also.

03:47.000 --> 03:55.000
Some common issues we now see with containers: you can actually support IPv6 incoming,

03:55.000 --> 04:02.000
but not outgoing because if you don't enable IPv6 in Docker,

04:02.000 --> 04:07.000
yeah, IPv6 just doesn't work from the container.

04:07.000 --> 04:13.000
It works if you have an incoming connection, but not if you have an outgoing connection.

04:13.000 --> 04:18.000
And we also quite often see this, which is pretty tricky:

04:18.000 --> 04:24.000
your resolver, your external resolver, actually does have an IPv6 address.

04:24.000 --> 04:32.000
It can resolve AAAA, but then it does not have, again, IPv6 on its own.

04:32.000 --> 04:36.000
So, it cannot connect to IPv6 only name servers.

04:36.000 --> 04:38.000
We see that, of course; interesting.

04:38.000 --> 04:43.000
You don't see this often, but we have some, we also check this on Internet.nl.

04:43.000 --> 04:51.000
So, you can do the connection test or you can try to resolve like the MX of DNS labs.nl, which is IPv6 only.

04:51.000 --> 04:59.000
Yeah, please be inclusive; 4 billion or a bit less IPv4 addresses is, yeah,

05:00.000 --> 05:03.000
quite some, but not enough for the whole world.

05:03.000 --> 05:07.000
So, please do IPv6.

05:07.000 --> 05:11.000
Some countries are also phasing out IPv4, like the Czech Republic.

05:11.000 --> 05:14.000
And mostly IPv6 is now a thing.

05:14.000 --> 05:19.000
Also, here at the conference, I think the Wi-Fi is mostly IPv6.

05:19.000 --> 05:23.000
DNSSEC, this is a tricky one.

05:23.000 --> 05:29.000
In Europe, it's less controversial than in America.

05:29.000 --> 05:34.000
We just check: do you have DNSSEC, and is it valid?

05:34.000 --> 05:39.000
And is it valid for your domain and also for your MX?

05:39.000 --> 05:43.000
Yeah, not doing DNSSEC in 2025...

05:43.000 --> 05:48.000
Do you know this problem, example, most cards?

05:48.000 --> 05:49.000
Yeah.

05:49.000 --> 05:53.000
So, the problem is they use Akamai, of course, very secure.

05:53.000 --> 05:57.000
But then there's a bit of a typo here.

05:57.000 --> 06:02.000
And that was a free domain apparently, so somebody registered it.

06:02.000 --> 06:03.000
Yeah.

06:03.000 --> 06:08.000
You might want to do like defense in depth and do DNSSEC, right?

06:08.000 --> 06:10.000
And this is not even spoofing.

06:10.000 --> 06:12.000
This is just buying a domain name, right?

06:12.000 --> 06:14.000
That's very easy.

06:14.000 --> 06:19.000
So, Internet.nl uses Unbound and has a hard expire.

06:19.000 --> 06:28.000
Unbound has like a soft expire, which says like, well, maybe your DNS can be like one hour or up to one day old.

06:28.000 --> 06:30.000
We check it hard.

06:30.000 --> 06:33.000
Google DNS also has a hard check.

06:33.000 --> 06:40.000
So, we mostly see that your apex is valid, but your subdomain is not, because you do some

06:40.000 --> 06:47.000
CNAME to some weird, I don't know, Akamai, Microsoft, something weird.

06:47.000 --> 06:53.000
Or, yeah, you have invalid or expired DNSSEC.

06:53.000 --> 06:58.000
Internet.nl checks the whole chain because we use Unbound.

06:58.000 --> 07:01.000
So, yeah, if you CNAME, you might have a problem.

07:01.000 --> 07:05.000
And we use QNAME minimisation.

07:05.000 --> 07:13.000
So, sometimes, yeah, that results in seeing problems on your DNS part.

07:13.000 --> 07:16.000
If you think, well, DNSSEC is not for me:

07:16.000 --> 07:23.000
I advise deSEC.io; it's a European-based free DNS provider.

07:23.000 --> 07:28.000
Of course, there are the other tools, which are very nice and way better at DNSSEC:

07:28.000 --> 07:35.000
DNSViz and Zonemaster. This is the positive thing: on the green stuff, of course,

07:35.000 --> 07:37.000
they might mark something as wrong.

07:37.000 --> 07:40.000
You, these will be kales and rats.

07:40.000 --> 07:43.000
CNAMEs, yeah, more about CNAMEs.

07:43.000 --> 07:50.000
Watch out with CNAMEs, because we see this a lot, like www CNAME to your apex.

07:50.000 --> 07:55.000
Most people have an MX record on their apex.

07:55.000 --> 08:01.000
Now you also have an MX record for your www; maybe you don't want that.

08:01.000 --> 08:09.000
And also, if you CNAME to external sites, of course, if you don't set up an MX,

08:09.000 --> 08:16.000
now the external site is responsible for the A and the AAAA, but also anything else,

08:16.000 --> 08:21.000
like a null MX, or if they don't do that, they can actually send and receive email, right,

08:21.000 --> 08:22.000
on this thing.

08:22.000 --> 08:27.000
So, maybe you don't want to do that, and just flatten this.

08:27.000 --> 08:35.000
SPF should be simple, but yeah, it isn't, of course, if you do it like plus, or question mark,

08:35.000 --> 08:39.000
or like softfail; yeah, what does it say?

08:39.000 --> 08:49.000
So, SPF should be simple, but it's somehow extremely hard.

08:49.000 --> 08:56.000
These are common configurations for allowing your MX, your A and AAAA, by the way,

08:56.000 --> 09:01.000
or just don't allow email with a hard fail.

09:01.000 --> 09:08.000
Common problems: we see people only configure this on their apex and nothing else.

09:08.000 --> 09:14.000
And when using an include, make sure you have a maximum of 10 lookups,

09:14.000 --> 09:18.000
and I will come back to that later.

09:18.000 --> 09:24.000
And if you're using an include, you should probably monitor that, because if the includes

09:24.000 --> 09:30.000
are not managed by you, they can change, and they might go over that 10 limit.

09:30.000 --> 09:35.000
And yeah, more than 9 out of 10 tools do the counting wrong.

09:35.000 --> 09:39.000
Including Internet.nl, at the moment.

09:39.000 --> 09:44.000
Yeah, yeah, and our developer now said,

09:44.000 --> 09:47.000
our main developer now said, like, yeah, we're not going to fix this anymore.

09:47.000 --> 09:53.000
We're going to include SPF trays, which is a nice Rust tool.

09:53.000 --> 10:00.000
They also initially did the counting wrong, but they fixed it in PR issue four or something.

10:00.000 --> 10:07.000
Because you have your main counting, but you also have the sub-counting.

10:07.000 --> 10:13.000
So all the includes are counted, but also every MX has to be resolved

10:13.000 --> 10:22.000
to an IP address, so you end up with possibly 11 valid DNS lookups.

10:22.000 --> 10:25.000
So not 10, 11; 11 in the worst case scenario.

10:25.000 --> 10:28.000
So some links here on how to install it.

10:28.000 --> 10:32.000
DKIM: how can we check that without knowing your selector?

10:32.000 --> 10:39.000
Well, we just check your _domainkey, and we expect a NOERROR;

10:39.000 --> 10:42.000
then there's something below it. An NXDOMAIN:

10:42.000 --> 10:44.000
there shouldn't be something below it.

10:44.000 --> 10:49.000
But we see a lot of NXDOMAINs when there is some selector below it,

10:49.000 --> 10:52.000
badly configured DNS server.

10:52.000 --> 10:56.000
Yeah, there's an RFC for that: there should be nothing below it.

10:56.000 --> 11:01.000
DMARC, yeah, should be something like this.

11:01.000 --> 11:08.000
Only on your top domain; you can override it, but it still means SPF or DKIM is valid.

11:08.000 --> 11:10.000
It doesn't mean AND.

11:11.000 --> 11:16.000
The main problem we see here, yeah, p=none, doesn't do anything.

11:16.000 --> 11:25.000
And somehow you don't need a trailing semicolon, except for the authentication stuff.

11:25.000 --> 11:28.000
There it is, but it's wrong in the documentation.

11:28.000 --> 11:31.000
It's in the errata, that there should be a semicolon there.

11:31.000 --> 11:34.000
It's in the ABNF, but yeah, who reads that?

11:34.000 --> 11:37.000
And who reads the errata, so.

11:38.000 --> 11:42.000
But we check for that, and we will say, like, something is wrong.

11:42.000 --> 11:49.000
But yeah, first of them didn't have anything, but I, from a previous conference, this is an example.

11:49.000 --> 11:55.000
So if you want to do no mail, it might be a bit weird in this room to talk about no mail.

11:55.000 --> 11:59.000
But there's a null MX you can set up.

11:59.000 --> 12:03.000
And then you explicitly say, I do no email.

12:04.000 --> 12:08.000
Which is just priority zero with a dot.

12:08.000 --> 12:13.000
You cannot set this up in every DNS software, but you should.

12:13.000 --> 12:17.000
And then you could also, of course, do an SPF fail,

12:17.000 --> 12:22.000
also with a semicolon, and also do a DMARC reject.

12:22.000 --> 12:29.000
So you force that there actually should be DKIM or SPF, and it will always fail, right?

12:30.000 --> 12:32.000
Then we do DANE.

12:32.000 --> 12:36.000
Oh, yeah, we check if it exists and is valid.

12:36.000 --> 12:44.000
And if you do some rollover scheme; I will go over it very briefly, because I've got two minutes.

12:44.000 --> 12:49.000
Yeah, you can see it in the slides, so we'll upload them later.

12:49.000 --> 12:53.000
So common issues: it needs DNSSEC.

12:53.000 --> 12:58.000
And we see a lot of people who want to pass DANE and set it up once,

12:58.000 --> 13:04.000
and then automatically renew their certificate, but don't update their DNS.

13:04.000 --> 13:06.000
Yeah, don't do that.

13:06.000 --> 13:11.000
Have a rollover scheme to at least, maybe an intermediate certificate,

13:11.000 --> 13:14.000
but also monitor that because they change.

13:14.000 --> 13:18.000
You probably want to do TLS reporting.

13:18.000 --> 13:23.000
I probably don't want to do MTA-STS in combination, because it's tricky

13:23.000 --> 13:25.000
if one is wrong and the other is not.

13:26.000 --> 13:29.000
We have another tool, which is an active tool.

13:29.000 --> 13:31.000
It's havedane.

13:31.000 --> 13:33.000
havedane.net.

13:33.000 --> 13:39.000
You can send an email to three addresses and it checks if you have configured DANE correctly,

13:39.000 --> 13:47.000
or if your mail server actually sends email to servers that have, like, bogus DANE.

13:47.000 --> 13:54.000
Also a shout-out to assist for a Christmas present, an open source tool.

13:54.000 --> 14:00.000
It was closed source before, now it's open source, which is really nice.

14:00.000 --> 14:07.000
Some other checks, which are nice, but not open source, but also not really commercial.

14:07.000 --> 14:14.000
And of course you can do a manual DANE check with OpenSSL, which is also nice.

14:14.000 --> 14:21.000
And the main thing, I think, in TLS: we are the only tool that actually does, like, online open source,

14:21.000 --> 14:26.000
an online tool that does STARTTLS debugging.

14:26.000 --> 14:32.000
And the main issue is that mail servers rate limit us.

14:32.000 --> 14:35.000
So that's a problem.

14:35.000 --> 14:40.000
Because we need to set up quite some TLS connections to know,

14:40.000 --> 14:47.000
because the only way to know what your server is supporting is sending over every possible

14:47.000 --> 14:54.000
cipher, then see what it will connect with, then removing that, then doing it again, etc., etc.

14:54.000 --> 15:01.000
So if your server supports lots of TLS ciphers, we need to do lots of connections.

15:01.000 --> 15:06.000
Oh, something's wrong there, but my time is also up.

15:06.000 --> 15:12.000
Yeah, so you can also do it with testssl.sh scripts.

15:12.000 --> 15:16.000
We also check for a CAA issue.

15:16.000 --> 15:23.000
And yeah, issuemail might be interesting: you can block S/MIME certificates with that.

15:23.000 --> 15:28.000
And other stuff, these are nice tools, not open source.

15:28.000 --> 15:32.000
We should have some FOSS tools as an alternative for that.

15:32.000 --> 15:36.000
Actually, mail-tester; I would really like to have a FOSS sort of Internet.nl for that.

15:36.000 --> 15:42.000
And some URLs: we have a testing tool, it's on Internet.nl. We used to give these T-shirts away

15:42.000 --> 15:46.000
if you score 100%; currently we're out of stock, we are working on a new design,

15:46.000 --> 15:48.000
and we will have a new T-shirt soon.

15:48.000 --> 15:52.000
And we have some localized versions in Brazil, Denmark, France, Germany.

15:52.000 --> 15:59.000
And we have a dashboard for non-profits, for government and the vital sector,

15:59.000 --> 16:03.000
and you can dump loads of domains in there and have them checked.

16:03.000 --> 16:05.000
We're currently checking.

16:05.000 --> 16:09.000
We're currently on GitHub trying to move that to something else,

16:09.000 --> 16:12.000
and you can run it yourself, and PRs are welcome.

16:12.000 --> 16:14.000
Questions?

16:15.000 --> 16:28.000
You recommended to set SPF records on the wildcard in the DNS.

16:28.000 --> 16:29.000
Yeah, that might be-

16:29.000 --> 16:34.000
Sorry, to repeat the question:

16:34.000 --> 16:41.000
you recommended to have SPF on the wildcards.

16:41.000 --> 16:43.000
Does Internet.nl check for that?

16:43.000 --> 16:44.000
No.

16:44.000 --> 16:46.000
What's the question?

16:46.000 --> 16:48.000
Why doesn't it check for that?

16:48.000 --> 16:49.000
Why doesn't it check for that?

16:49.000 --> 16:53.000
It's pretty tricky to check, but we have some open issues to maybe check for this,

16:53.000 --> 16:57.000
and maybe also check for, is it a CNAME or something?

16:57.000 --> 17:00.000
Yeah, there are some issues open for that.

17:00.000 --> 17:08.000
Yeah, it's not the highest on the priority list yet.

17:08.000 --> 17:13.000
Do you have a plan to implement the MTA-STS checks?

17:13.000 --> 17:15.000
I think it's not on the schedule.

17:15.000 --> 17:16.000
Oh, sorry.

17:16.000 --> 17:21.000
The question is, do you have plans to implement the MTA-STS checks?

17:21.000 --> 17:24.000
Currently there is not an issue for it.

17:24.000 --> 17:31.000
But you can file, of course, an issue for this.

17:31.000 --> 17:33.000
What's the highest on your priorities?

17:33.000 --> 17:35.000
We have a public roadmap.

17:35.000 --> 17:40.000
Currently, we're working on the new Dutch government TLS guidelines,

17:40.000 --> 17:45.000
so that's a complete TLS rework on the internal parts,

17:45.000 --> 17:49.000
which is also open on GitHub for Internet.nl.

17:49.000 --> 17:52.000
That's the main thing, then comes the redesign,

17:52.000 --> 17:54.000
so we can give out new t-shirts,

17:54.000 --> 18:00.000
and then we have a huge list of DNS stuff we want to add.

18:00.000 --> 18:03.000
So, yeah, mainly checking DNS, right?

18:05.000 --> 18:07.000
Is that a question?

18:07.000 --> 18:08.000
Okay.

18:08.000 --> 18:12.000
I just want to say, thank you so much for doing the RPKI checks.

18:12.000 --> 18:15.000
I think that's really awesome to do that.

18:15.000 --> 18:16.000
Thank you.

18:16.000 --> 18:20.000
So the question, the remark was: thank you for the RPKI checks.

18:20.000 --> 18:21.000
Yes.

18:21.000 --> 18:26.000
And more, yeah, thanks to the National Cyber Security Centre

18:26.000 --> 18:30.000
of the Netherlands, they gave that code as a contribution.

18:30.000 --> 18:32.000
Yes, very nice.

18:33.000 --> 18:39.000
Do you have a minimum list of what needs to be done

18:39.000 --> 18:43.000
in order for emails not to get into spam?

18:43.000 --> 18:46.000
The question was: do you have a minimal list of things

18:46.000 --> 18:51.000
that need to be done for not ending up in spam?

18:51.000 --> 18:55.000
Yeah, score 100% on Internet.nl.

18:55.000 --> 18:59.000
Of course, but then maybe also do reverse DNS correctly,

19:00.000 --> 19:09.000
and yeah, I would also advise these tools,

19:09.000 --> 19:12.000
which are sadly not FOSS.

19:12.000 --> 19:14.000
Thank you very much.

