From ietf-dane at dukhovni.org Tue Oct 11 18:51:56 2016
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 11 Oct 2016 16:51:56 +0000
Subject: Update on stats (domeneshop.no boosts the domain count)
Message-ID: <20161011165156.GC4973@mournblade.imrryr.org>

[ Bcc'd to a contact at another large provider, which I hope will be
  the next one to top the list... No pressure Christian ... :-) ]

Just recently domeneshop.no have published DANE TLSA records for the
MX hosts that support many of their hosted domains.  So today I count
102638 domains with correct DANE TLSA records for SMTP.

As expected, the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host.  The top 10 MX host providers by domain count are:

    42231 domeneshop.no
    31928 transip.nl
    15092 udmedia.de
     1792 bhosted.nl
     1262 nederhost.net
      905 ec-elements.com
      377 core-networks.de
      290 uvt.nl
      205 omc-mail.com
      181 hot-chilli.net

The real numbers are surely larger, because I don't have access to the
full zone data for any ccTLDs, and in particular .de and .nl.

There are 2113 unique zones in which the underlying MX hosts are found;
this counts each of the above registrars as just one zone, so it is a
measure of the breadth of adoption in terms of servers deployed.
Alternatively, a similar number is seen in the count (2219) of distinct
MX host server certificates that support the same ~102000 domains.

Of the ~102000 domains, 539 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some of
the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands at
85 (~30 are recent additions that will likely be resolved soon, the
remaining ~50 are the long-term stable population of broken domains).

The number of domains with bad DNSSEC support is 414.  The top 10 DNS
providers (by broken domain count) are:

       50 axc.nl
       39 infracom.nl
       24 registrar-servers.com
       20 loopia.se
       19 active24.cz
       18 jsr-it.nl
       16 forpsi.net
       12 cas-com.net
        8 is.nl
        8 ignum.com

The number of domains that at some point were listed in Gmail's
transparency report is 81 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these, 43 are in
the most recent report:

    gmx.at              mail.de             otvi.nl
    conjur.com.br       posteo.de           overheid.nl
    nic.br              ruhr-uni-bochum.de  xs4all.nl
    registro.br         tum.de              domeneshop.no
    gmx.ch              uni-erlangen.de     webcruitermail.no
    open.ch             web.de              debian.org
    gmx.com             octopuce.fr         freebsd.org
    mail.com            comcast.net         gentoo.org
    xfinity.com         dd24.net            ietf.org
    bund.de             netbsd.org          fau.de
    gmx.net             hr-manager.net      openssl.org
    gmx.de              t-2.net             samba.org
    jpberlin.de         xs4all.net          torproject.org
    kabelmail.de        asp4all.nl          lrz.de
    bhosted.nl

-- 
	Viktor.
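[Editor's added example, not part of Viktor's post or of his survey tooling.]

The post sorts domains into "correct", "partial" (only some MX hosts have TLSA records) and broken (TLSA published but the record does not match the server or STARTTLS is not offered), and separately discards unsigned TLSA data. The script below reproduces that classification for a handful of domains, offline: the MX answers, the TLSA RRsets at `_25._tcp.<mx>` and the certificate chain each MX presented are constructed in-memory tables, and the DER blobs are placeholder byte strings rather than real certificates. Certificate matching follows RFC 6698 section 2.1 with the restrictions RFC 7672 imposes for SMTP: usages DANE-EE(3) (leaf only) and DANE-TA(2) (an issuer in the chain), selectors 0 (full certificate) and 1 (SubjectPublicKeyInfo), matching types 0 (exact), 1 (SHA-256) and 2 (SHA-512). PKIX usages 0 and 1 are treated as unusable, and a TLSA RRset without the AD bit is treated as absent, since unauthenticated TLSA data gives no protection. Domain names, hostnames and the `MxProbe`/`TlsaRRset` helpers are all assumptions made for the example.

```python
"""DANE-for-SMTP coverage classifier (added example, not the post's own code).

All DNS and SMTP data is constructed in-memory; DER blobs are placeholder
bytes, not real certificates.  A real checker would take the chain from the
TLS handshake on port 25 and the TLSA RRset from a validating resolver.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


@dataclass(frozen=True)
class TlsaRRset:
    ad: bool                   # DNSSEC-authenticated (AD bit set by the resolver)
    records: Tuple[Tlsa, ...]


@dataclass(frozen=True)
class CertInfo:
    der: bytes    # what selector 0 is matched against
    spki: bytes   # what selector 1 is matched against


@dataclass(frozen=True)
class MxProbe:
    starttls: bool                      # did the MX host offer STARTTLS?
    chain: Tuple[CertInfo, ...] = ()    # leaf first, then issuers


def _digest(mtype: int, subject: bytes) -> Optional[bytes]:
    if mtype == 0:
        return subject
    if mtype == 1:
        return hashlib.sha256(subject).digest()
    if mtype == 2:
        return hashlib.sha512(subject).digest()
    return None  # unknown matching type: record is unusable


def tlsa_matches(rec: Tlsa, chain: Tuple[CertInfo, ...]) -> bool:
    """True if one TLSA record matches the presented chain (RFC 6698/7672)."""
    if rec.usage == 3:
        candidates = chain[:1]      # DANE-EE: the leaf certificate only
    elif rec.usage == 2:
        candidates = chain[1:]      # DANE-TA: any issuer certificate presented
    else:
        return False                # PKIX-TA/PKIX-EE are not usable for SMTP
    if rec.selector not in (0, 1):
        return False
    for cert in candidates:
        subject = cert.der if rec.selector == 0 else cert.spki
        if _digest(rec.mtype, subject) == rec.data:
            return True
    return False


def mx_status(rrset: Optional[TlsaRRset], probe: Optional[MxProbe]) -> str:
    """One MX host: 'secure', 'no-tlsa', 'no-starttls' or 'mismatch'."""
    if rrset is None or not rrset.ad or not rrset.records:
        return "no-tlsa"            # nothing authenticated to pin against
    if probe is None or not probe.starttls:
        return "no-starttls"        # TLSA published, but the server offers no TLS
    if any(tlsa_matches(r, probe.chain) for r in rrset.records):
        return "secure"
    return "mismatch"               # TLSA published, but no record matches


def domain_status(domain: str, mx_table: Dict[str, List[str]],
                  tlsa_table: Dict[str, TlsaRRset],
                  probe_table: Dict[str, MxProbe]) -> Tuple[str, Dict[str, str]]:
    """'correct' (every MX secure), 'partial' (some MX hosts publish nothing),
    'broken' (an MX publishes TLSA but fails to match or to offer STARTTLS),
    or 'none'.  A broken MX outranks partial coverage: an active attacker just
    steers the connection to the broken host."""
    per_mx = {mx: mx_status(tlsa_table.get(f"_25._tcp.{mx}"), probe_table.get(mx))
              for mx in mx_table.get(domain, [])}
    seen = set(per_mx.values())
    if not seen or seen == {"no-tlsa"}:
        return "none", per_mx
    if seen & {"mismatch", "no-starttls"}:
        return "broken", per_mx
    if seen == {"secure"}:
        return "correct", per_mx
    return "partial", per_mx


# ---- constructed sample data (placeholder DER, hypothetical hostnames) ----
def _leaf(tag: str) -> CertInfo:
    return CertInfo(der=f"constructed-cert-{tag}".encode(),
                    spki=f"constructed-spki-{tag}".encode())

ISSUER = CertInfo(der=b"constructed-cert-issuer", spki=b"constructed-spki-issuer")

def _ee_spki_sha256(cert: CertInfo) -> Tlsa:   # the common "3 1 1" record
    return Tlsa(3, 1, 1, hashlib.sha256(cert.spki).digest())

MX_TABLE = {
    "full.example":    ["mx1.full.example", "mx2.full.example"],
    "partial.example": ["mx1.partial.example", "mx2.partial.example"],
    "broken.example":  ["mx.broken.example"],
    "notls.example":   ["mx.notls.example"],
    "plain.example":   ["mx.plain.example"],
}
TLSA_TABLE = {
    "_25._tcp.mx1.full.example": TlsaRRset(True, (_ee_spki_sha256(_leaf("full1")),)),
    "_25._tcp.mx2.full.example": TlsaRRset(True, (Tlsa(2, 0, 1, hashlib.sha256(ISSUER.der).digest()),)),
    "_25._tcp.mx1.partial.example": TlsaRRset(True, (_ee_spki_sha256(_leaf("partial1")),)),
    # mx2.partial.example publishes no TLSA record at all
    "_25._tcp.mx.broken.example": TlsaRRset(True, (Tlsa(3, 1, 1, hashlib.sha256(b"old-key").digest()),)),
    "_25._tcp.mx.notls.example": TlsaRRset(True, (_ee_spki_sha256(_leaf("notls")),)),
    "_25._tcp.mx.plain.example": TlsaRRset(False, (_ee_spki_sha256(_leaf("plain")),)),  # unsigned zone
}
PROBE_TABLE = {
    "mx1.full.example": MxProbe(True, (_leaf("full1"), ISSUER)),
    "mx2.full.example": MxProbe(True, (_leaf("full2"), ISSUER)),
    "mx1.partial.example": MxProbe(True, (_leaf("partial1"),)),
    "mx2.partial.example": MxProbe(True, (_leaf("partial2"),)),
    "mx.broken.example": MxProbe(True, (_leaf("broken-after-rollover"),)),
    "mx.notls.example": MxProbe(False),
    "mx.plain.example": MxProbe(True, (_leaf("plain"),)),
}

def classify_all() -> Dict[str, str]:
    return {d: domain_status(d, MX_TABLE, TLSA_TABLE, PROBE_TABLE)[0] for d in MX_TABLE}

if __name__ == "__main__":
    for domain in MX_TABLE:
        verdict, per_mx = domain_status(domain, MX_TABLE, TLSA_TABLE, PROBE_TABLE)
        print(f"{domain:18} {verdict:8} {per_mx}")
```

The broken.example case is the typical long-term failure mode the post counts among the 85: a "3 1 1" record left behind after a key rollover, so a DANE-verifying sender refuses the new certificate while everyone else delivers fine. The plain.example case shows why the DNSSEC count is reported separately: the record is syntactically fine but unauthenticated, so a verifying client must treat it as if it were not there.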