Update on stats (no major changes)

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Nov 28 03:45:38 CET 2016

As of today I count 103599 domains with correct DANE TLSA records
for SMTP.  As expected the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are (bit.nl is a newcomer to the top 10 list):

    42124 domeneshop.no
    32486 transip.nl
    15100 udmedia.de
     1759 bhosted.nl
     1266 nederhost.net
      903 ec-elements.com
      374 core-networks.de
      305 uvt.nl
      258 bit.nl
      207 omc-mail.com

The real numbers are surely larger, because I don't have access to
the full zone data for any ccTLDs, and in particular .de and .nl.

There are 2191 unique zones in which the underlying MX hosts are
found; this counts each of the above registrars as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2297) of distinct MX host server certificates that support the
same ~104000 domains.

Of the ~104000 domains, 772 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
at 61 (~10 are recent additions that will likely be resolved soon,
the remaining ~50 are the long-term stable population of broken

The number of domains with bad DNSSEC support is 388. The top 10
DNS providers (by broken domain count) are:

  49 axc.nl
  39 infracom.nl
  25 binero.se
  23 registrar-servers.com
  20 loopia.se
  19 active24.cz
  16 forpsi.net
  12 cas-com.net
  11 jsr-it.nl
  10 ignum.com

Around 100 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.

The number of domains that at some point were listed in Gmail's
transparency report is 91 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these 44 are
in the most recent report:

  gmx.at                  jpberlin.de             t-2.net
  conjur.com.br           lrz.de                  xs4all.net
  registro.br             mail.de                 overheid.nl
  gmx.ch                  posteo.de               xs4all.nl
  open.ch                 ruhr-uni-bochum.de      domeneshop.no
  anubisnetworks.com      tum.de                  webcruitermail.no
  gmx.com                 uni-erlangen.de         debian.org
  mail.com                unitybox.de             freebsd.org
  trashmail.com           unitymedia.de           gentoo.org
  xfinity.com             web.de                  ietf.org
  bayern.de               octopuce.fr             netbsd.org
  bund.de                 comcast.net             openssl.org
  fau.de                  dd24.net                samba.org
  gmx.de                  gmx.net                 torproject.org
  ish.de                  hr-manager.net
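
As an added example, not part of Viktor's post, here is a small Python checker that applies the same distinctions as the counts above: full, partial or no DANE coverage across a domain's MX hosts, and TLSA parameters that are usable for SMTP. The zone data (good.example, partial.example, broken.example) is constructed inline; a real run would need a DNSSEC-validating resolver in its place.

```python
# Added example (not from the mailing-list post): classify a domain's DANE
# coverage for SMTP as "full", "partial" or "none", and sanity-check the
# TLSA fields. DNS data is constructed inline; a real checker would query a
# DNSSEC-validating resolver and treat unvalidated answers as absent.
import re

HEX_LEN = {0: None, 1: 64, 2: 128}  # matching type -> expected hex digits

def tlsa_record_ok(rec):
    """Accept only TLSA parameters usable for SMTP per RFC 7672: usage 2 or 3
    (usage 0/1 are not usable for SMTP), selector 0 or 1, matching type
    0/1/2 with the digest length that type implies."""
    m = re.fullmatch(r"(\d+)\s+(\d+)\s+(\d+)\s+([0-9a-fA-F]+)", rec.strip())
    if not m:
        return False
    usage, selector, mtype, data = int(m[1]), int(m[2]), int(m[3]), m[4]
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in HEX_LEN:
        return False
    want = HEX_LEN[mtype]
    return want is None or len(data) == want

def dane_coverage(domain, mx_rrset, tlsa_rrsets):
    """Return (status, covered, uncovered). A host counts as covered only if
    _25._tcp.<host> has at least one usable TLSA record; a "partial" domain
    still exposes traffic to the uncovered hosts to active attack."""
    hosts = [h.rstrip(".") for _, h in sorted(mx_rrset[domain])]
    covered, uncovered = [], []
    for h in hosts:
        recs = tlsa_rrsets.get(f"_25._tcp.{h}", [])
        (covered if any(tlsa_record_ok(r) for r in recs) else uncovered).append(h)
    if not covered:
        return "none", covered, uncovered
    return ("full" if not uncovered else "partial"), covered, uncovered

# Constructed sample zones (hypothetical, not taken from the post)
MX = {
    "good.example":    [(10, "mx1.good.example."), (20, "mx2.good.example.")],
    "partial.example": [(10, "mx1.partial.example."), (20, "mx2.partial.example.")],
    "broken.example":  [(10, "mx.broken.example.")],
}
TLSA = {
    "_25._tcp.mx1.good.example":    ["3 1 1 " + "ab" * 32],
    "_25._tcp.mx2.good.example":    ["2 0 2 " + "cd" * 64],
    "_25._tcp.mx1.partial.example": ["3 1 1 " + "ef" * 32],
    # usage 1 is not usable for SMTP, and the digest is too short for SHA-256
    "_25._tcp.mx.broken.example":   ["1 1 1 " + "00" * 16],
}

if __name__ == "__main__":
    for d in MX:
        print(d, *dane_coverage(d, MX, TLSA))
```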
