Update on stats

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 13 03:59:43 CEST 2016

On Wed, May 04, 2016 at 07:27:19PM +0000, Viktor Dukhovni wrote:

> I've gained access to the full zone files for .com/.net and a few
> of the newer gTLDs.  This makes it possible to do a more comprehensive
> survey of DANE SMTP support.

Now also .org, and the freely available .se/.nu TLDs, plus some
other data sources.

> The overall DANE domain count is now ~29800, but of course this is
> not a dramatic rise in adoption, rather an increase in the breadth
> of the survey.

Similarly, while the domain count is now ~59300, the bulk of the
rise is due to the broader survey.

> in bulk for the domains they host.  The top five are:
>     16650 transip.nl
>      6020 udmedia.de
>      1110 nederhost.net
>       663 ec-elements.com
>       180 core-networks.de
>     24623 TOTAL

The new top five counts are:

    31298 transip.nl
    15124 udmedia.de
     1799 bhosted.nl
     1264 nederhost.net
      903 ec-elements.com
    50388 TOTAL

> There are 1850 unique zones in which the underlying MX hosts are found;
> this counts each of the above registrars as just one zone, so it is
> a measure of the breadth of adoption in terms of servers deployed.

The new zone count is 2212.  The number of distinct certificates
presented by DANE TLSA SMTP servers is 2165.

> Of the 29800 domains, 336 have "partial" TLSA records that cover
> only a subset of the MX hosts.  While this protects traffic to some
> of the MX hosts, the domain is still vulnerable to the usual active
> attacks via the remaining MX hosts.

The partial implementations now number 509.

> The number of domains with incorrect TLSA records or failure to
> advertise STARTTLS (even though TLSA records are published) stands
> at 50.

This number has proved reasonably stable, and stands at 53.  Notable
among these are 25 long-standing problem domains served by just 6
MX hosts that have non-matching TLSA records:

    hanisauland.at          pinetree.cz             therapie-forum.info
    2cv-club-des-ducs.com   renekliment.cz          chauvet.me
    4nettech.com            bit-cleaner.de          datenknoten.me
    kkeane.com              boese-ban.de            mirounga.net
    leatherfest.com         alencon.eu              acsemb.org
    nctechcenter.com        dhautefeuille.eu        kryskool.org
    tntmonitoring.com       therapie-forum.eu       hlfh.space
    davidmosna.cz           dinepont.fr
    marketingpyro.cz        achduliebergott.info

and 7 more that publish TLSA records, but don't offer STARTTLS:

    lojabrum.com.br         gazonk.org              xorcist.org
    gestccon.com.br         myhead.org
    bofjall.se              skrivkramp.org

> The number of domains with bad DNSSEC support is 262. The top 10
> DNS providers (by broken domain count) are:
>   41 isphuset.no
>   36 tse.jus.br
>   22 axc.nl
>   21 active24.cz
>   20 registrar-servers.com
>   15 forpsi.net
>   11 ovh.net
>   11 cas-com.net
>   11 bestregistrar.com
>   10 shockmedia.nl

The count of DNSSEC problem domains now stands at 736, mostly
because I've found a lot more isphuset.no domains.  The upstream
DNS provider for isphuset.no has finally responded, and promised
to deal with this shortly; we'll see what happens!

     409 isphuset.no
      34 infracom.nl
      28 axc.nl
      23 registrar-servers.com
      19 loopia.se
      15 forpsi.net
      13 metaregistrar.nl
      12 cas-com.net
      12 active24.cz
       9 jsr-it.nl

I also have a new contact for axc.nl, perhaps that too will progress
in the near future.

> The number of domains that at some point were listed in Gmail's
> transparency report is 57 (this is my ad-hoc criterion for a domain
> being a large-enough actively used email domain).

This number is now 71.

> Of these 32 are in the most recent report:

The "most recent report" number is quite variable, because on some
days the transparency report includes a lot fewer domains than on others.
Still, this does give some sense of the "freshness" of this status.
Today, that number is 33:

    gmx.at                  jpberlin.de             t-2.net
    nic.br                  lrz.de                  xs4all.net
    registro.br             mail.de                 xs4all.nl
    gmx.ch                  posteo.de               debian.org
    open.ch                 ruhr-uni-bochum.de      freebsd.org
    switch.ch               web.de                  gentoo.org
    gmx.com                 octopuce.fr             ietf.org
    mail.com                comcast.net             netbsd.org
    xfinity.com             dd24.net                openssl.org
    bund.de                 dns-oarc.net            samba.org
    gmx.de                  gmx.net                 torproject.org

> The .br TLD still includes too large a fraction (10/50) of domains
> with incorrect TLSA RRs.  This is a result of DNS hosting by
> registro.br, where TLSA records are easy to initially publish, but
> difficult to keep up to date.

The .br registrar has taken positive steps to improve the situation,
and I am now tracking just 2 broken .br domains.
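As an added illustration of the buckets this survey reports (TLSA records on every MX host versus only a subset, non-matching TLSA records, and TLSA records published by a host that does not offer STARTTLS), here is a small Python classifier run over constructed MX/TLSA/certificate data. It is not part of the original post or of the author's survey tooling; the hostnames, the stand-in DER blobs and the bucket names are assumptions, and only the DANE-EE(3) / full-certificate(0) / SHA-256(1) TLSA form is matched.

```python
import hashlib
from collections import Counter

# A TLSA RR is modelled as (usage, selector, matching_type, association_hex).
# Only the DANE-EE(3) / full certificate(0) / SHA-256(1) form is matched here;
# selector 1 (SPKI) would need DER parsing and is out of scope for this sketch.
def tlsa_matches(record, cert_der):
    usage, selector, mtype, assoc = record
    if (usage, selector, mtype) != (3, 0, 1):
        return False
    return hashlib.sha256(cert_der).hexdigest() == assoc.lower()

def classify_domain(mx_hosts, tlsa, presented):
    """Put one domain in a survey bucket (bucket names are assumed here).
    mx_hosts:  MX hostnames of the domain
    tlsa:      mx -> TLSA RRs found at _25._tcp.<mx> (absent key = no RRs)
    presented: mx -> DER cert offered after STARTTLS, or None if STARTTLS is absent
    """
    with_tlsa = [mx for mx in mx_hosts if tlsa.get(mx)]
    if not with_tlsa:
        return "no-dane"
    for mx in with_tlsa:
        cert = presented.get(mx)
        if cert is None:
            return "no-starttls"      # TLSA published, STARTTLS missing: delivery fails
        if not any(tlsa_matches(r, cert) for r in tlsa[mx]):
            return "tlsa-mismatch"    # published digest matches no presented cert
    # TLSA on every MX host is "full"; a subset leaves unauthenticated MX hosts open
    return "full" if len(with_tlsa) == len(mx_hosts) else "partial"

def _rr(cert_der):
    return (3, 0, 1, hashlib.sha256(cert_der).hexdigest())

# Constructed sample data: stand-in DER blobs, not real certificates or hosts.
GOOD = b"constructed-der-for-mx1"
OTHER = b"constructed-der-for-mx2"
SAMPLE = {
    "full.example":    (["mx1", "mx2"], {"mx1": [_rr(GOOD)], "mx2": [_rr(OTHER)]},
                        {"mx1": GOOD, "mx2": OTHER}),
    "partial.example": (["mx1", "mx2"], {"mx1": [_rr(GOOD)]}, {"mx1": GOOD, "mx2": OTHER}),
    "stale.example":   (["mx1"], {"mx1": [_rr(OTHER)]}, {"mx1": GOOD}),  # cert rotated, RR not
    "plain.example":   (["mx1"], {"mx1": [_rr(GOOD)]}, {"mx1": None}),
    "nodane.example":  (["mx1"], {}, {"mx1": GOOD}),
}

def survey(sample=SAMPLE):
    """Bucket counts in the style of the post's summary numbers."""
    return Counter(classify_domain(*args) for args in sample.values())

if __name__ == "__main__":
    for name, args in SAMPLE.items():
        print(f"{name:18} {classify_domain(*args)}")
    print(dict(survey()))
```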
