Update on stats (no major changes)

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Dec 29 06:09:26 CET 2016

As of today I count 105264 domains with correct DANE TLSA records
for SMTP.  As expected the bulk of the DANE domains are hosted the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are:

    42300 domeneshop.no
    33519 transip.nl
    15205 udmedia.de
     1748 bhosted.nl
     1292 nederhost.net
      897 ec-elements.com
      387 core-networks.de
      300 uvt.nl
      266 bit.nl
      227 omc-mail.com

The real numbers are surely larger, because I don't have access to
the full zone data for any ccTLDs, and in particular .de and .nl.

There are 2269 unique zones in which the underlying MX hosts are
found, this counts each of the above registrars as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2349) of distinct MX host server certificates that support the
same ~105000 domains.

Of the ~105000 domains, 825 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 75 (~25 are recent additions that will likely be resolved
soon, the remaining ~50 are the long-term stable population of
broken domains).

The number of domains with bad DNSSEC support is 405. The top 10
DNS providers (by broken domain count) are:

  58 axc.nl
  39 infracom.nl
  22 registrar-servers.com
  19 loopia.se
  19 active24.cz
  16 forpsi.net
  12 jsr-it.nl
  12 cas-com.net
   9 ovh.net
   9 ignum.com

Around 100 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.

The number of domains that at some point were listed in Gmail's
transparency report is 95 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these 44 are
in the most recent report:

    gmx.at                  lrz.de                  xworks.net
    conjur.com.br           mail.de                 asp4all.nl
    registro.br             posteo.de               bhosted.nl
    gmx.ch                  ruhr-uni-bochum.de      overheid.nl
    open.ch                 uni-erlangen.de         xs4all.nl
    anubisnetworks.com      unitymedia.de           domeneshop.no
    gmx.com                 web.de                  debian.org
    mail.com                enron.email             freebsd.org
    trashmail.com           octopuce.fr             gentoo.org
    xfinity.com             comcast.net             ietf.org
    bund.de                 dd24.net                netbsd.org
    fau.de                  gmx.net                 openssl.org
    gmx.de                  hr-manager.net          samba.org
    jpberlin.de             t-2.net                 torproject.org
    kabelmail.de            xs4all.net

In September of 2016 I asked a contact at Google to count how many
of the domains in the survey received correspondence from multiple
Gmail users.  Back then the number was 1,827 out of 56k domains.
More recently the number is 2,266 out of ~105k domains.

I don't have any way to measure how many domains enable DANE outbound
but aren't using DNSSEC for their own domain or publishing TLSA
records.  It is easy to do, just fire up a local validating resolver,
adjust /etc/resolv.conf to list only and/or ::1, and add
a couple of lines to main.cf.


More information about the dane-users mailing list