Update on stats
ietf-dane at dukhovni.org
Tue Sep 13 03:59:43 CEST 2016
On Wed, May 04, 2016 at 07:27:19PM +0000, Viktor Dukhovni wrote:
> I've gained access to the full zone files for .com/.net and a few
> of the newer gTLDs. This makes it possible to do a more comprehensive
> survey of DANE SMTP support.
Now also .org, and the freely available .se/.nu TLDs, plus some
other data sources.
> The overall DANE domain count is now ~29800, but of course this is
> not a dramatic rise in adoption, rather an increase in the breadth
> of the survey.
Similarly, while the domain count is now ~59300, the bulk of the
rise is due to the broader survey.
> in bulk for the domains they host. The top five are:
> 16650 transip.nl
> 6020 udmedia.de
> 1110 nederhost.net
> 663 ec-elements.com
> 180 core-networks.de
> 24623 TOTAL
The new top five counts are:
> There are 1850 unique zones in which the underlying MX hosts are found,
> this counts each of the above registrars as just one zone, so is
> a measure of the breadth of adoption in terms of servers deployed.
The new zone count is 2212. The number of distinct certificates
presented by DANE TLSA SMTP servers is 2165.
> Of the 29800 domains, 336 have "partial" TLSA records, that cover
> only a subset of the MX hosts, while this protects traffic to some
> of the MX hosts, the domain is still vulnerable to the usual active
> attacks via the remaining MX hosts.
The partial implementations now number 509.
> The number of domains with incorrect TLSA records or failure to
> advertise STARTTLS (even though TLSA records are published) stands
> at 50.
This number has proved reasonably stable, and stands at 53. Notable
among these are 25 long-standing problem domains served by just 6
MX hosts that have non-matching TLSA records:
hanisauland.at pinetree.cz therapie-forum.info
2cv-club-des-ducs.com renekliment.cz chauvet.me
4nettech.com bit-cleaner.de datenknoten.me
kkeane.com boese-ban.de mirounga.net
leatherfest.com alencon.eu acsemb.org
nctechcenter.com dhautefeuille.eu kryskool.org
tntmonitoring.com therapie-forum.eu hlfh.space
and 7 more that publish TLSA records, but don't offer STARTTLS:
lojabrum.com.br gazonk.org xorcist.org
> The number of domains with bad DNSSEC support is 262. The top 10
> DNS providers (by broken domain count) are:
> 41 isphuset.no
> 36 tse.jus.br
> 22 axc.nl
> 21 active24.cz
> 20 registrar-servers.com
> 15 forpsi.net
> 11 ovh.net
> 11 cas-com.net
> 11 bestregistrar.com
> 10 shockmedia.nl
The count of DNSSEC problem domains now stands at 736, mostly
because I've found a lot more isphuset.no domains. The upstream
DNS provider for isphuset.no has finally responded, and promised
to deal with this shortly; we'll see what happens!
I also have a new contact for axc.nl, perhaps that too will progress
in the near future.
> The number of domains that at some point were listed in Gmail's
> transparency report is 57 (this is my ad-hoc criterion for a domain
> being a large-enough actively used email domain).
This number is now 71.
> Of these 32 are in the most recent report:
The "most recent report" number is quite variable, because on some
days the transparency report includes a lot fewer domains than others.
Still, this does give some sense of the "freshness" of this status.
Today, that number is 33:
gmx.at jpberlin.de t-2.net
nic.br lrz.de xs4all.net
registro.br mail.de xs4all.nl
gmx.ch posteo.de debian.org
open.ch ruhr-uni-bochum.de freebsd.org
switch.ch web.de gentoo.org
gmx.com octopuce.fr ietf.org
mail.com comcast.net netbsd.org
xfinity.com dd24.net openssl.org
bund.de dns-oarc.net samba.org
gmx.de gmx.net torproject.org
> The .br TLD still includes too large a fraction (10/50) of domains
> with incorrect TLSA RRs. This is a result of DNS hosting by
> registro.br, where TLSA records are easy to initially publish, but
> difficult to keep up to date.
The .br registrar has taken positive steps to improve the situation,
and I am now tracking just 2 broken .br domains.
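The message sorts DANE SMTP domains into the buckets "fully protected", "partial" (TLSA records on only some MX hosts), and "broken" (TLSA records that don't match the presented certificate, or TLSA records on a host that never advertises STARTTLS). The following is an added example of that classification logic, not code from the survey or from the original post: it applies the RFC 6698 matching rules for DANE-EE (usage 3) records to constructed, in-memory MX hosts rather than querying DNS or speaking SMTP. The host names, certificate stand-ins and key bytes are all constructed, and DANE-TA (usage 2) records are deliberately skipped because they would need a chain validation the example does not model.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# TLSA RDATA fields (RFC 6698): usage, selector, matching type, association data.
DANE_EE = 3                        # usage 3: match the end-entity cert/key directly
SEL_CERT, SEL_SPKI = 0, 1          # selector: full certificate or SubjectPublicKeyInfo
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2

TlsaRR = Tuple[int, int, int, bytes]


@dataclass
class MxHost:
    name: str
    starttls: bool          # server advertises STARTTLS in its EHLO response
    cert_der: bytes         # certificate presented in the handshake (constructed stand-in)
    spki_der: bytes         # its SubjectPublicKeyInfo DER (constructed stand-in)
    tlsa: List[TlsaRR]      # TLSA RRs published at _25._tcp.<name> (assumed DNSSEC-valid)


def assoc_data(host: MxHost, selector: int, mtype: int) -> Optional[bytes]:
    """What a TLSA record with this selector/matching type must carry for host."""
    if selector == SEL_CERT:
        raw = host.cert_der
    elif selector == SEL_SPKI:
        raw = host.spki_der
    else:
        return None
    if mtype == MT_FULL:
        return raw
    if mtype == MT_SHA256:
        return hashlib.sha256(raw).digest()
    if mtype == MT_SHA512:
        return hashlib.sha512(raw).digest()
    return None


def check_mx(host: MxHost) -> str:
    """Per-host verdict: no-tlsa, no-starttls, mismatch or match."""
    if not host.tlsa:
        return "no-tlsa"
    if not host.starttls:
        return "no-starttls"          # TLSA published, but TLS never offered
    for usage, selector, mtype, data in host.tlsa:
        if usage != DANE_EE:
            continue                  # DANE-TA(2) would need chain validation; skipped here
        if assoc_data(host, selector, mtype) == data:
            return "match"            # one matching record is enough
    return "mismatch"


def classify_domain(hosts: List[MxHost]) -> str:
    """Domain verdict in the survey's terms: none, broken, partial or dane."""
    results = [check_mx(h) for h in hosts]
    if all(r == "no-tlsa" for r in results):
        return "none"
    if any(r in ("no-starttls", "mismatch") for r in results):
        return "broken"
    if any(r == "no-tlsa" for r in results):
        return "partial"              # unprotected MX hosts remain open to active attacks
    return "dane"


def tlsa_3_1_1(spki: bytes) -> TlsaRR:
    """Build a '3 1 1' record (DANE-EE, SPKI, SHA-256) for a given key."""
    return (DANE_EE, SEL_SPKI, MT_SHA256, hashlib.sha256(spki).digest())


# Constructed sample data: two "keys" standing in for SPKI DER blobs.
KEY_A = b"constructed-spki-A"
KEY_B = b"constructed-spki-B"

SAMPLE_DOMAINS: Dict[str, List[MxHost]] = {
    "full.test": [
        MxHost("mx1.full.test", True, b"cert-A", KEY_A, [tlsa_3_1_1(KEY_A)])],
    "partial.test": [                                   # second MX has no TLSA RRs
        MxHost("mx1.partial.test", True, b"cert-A", KEY_A, [tlsa_3_1_1(KEY_A)]),
        MxHost("mx2.partial.test", True, b"cert-B", KEY_B, [])],
    "stale.test": [                                     # key rotated, TLSA RR not updated
        MxHost("mx1.stale.test", True, b"cert-B", KEY_B, [tlsa_3_1_1(KEY_A)])],
    "nostarttls.test": [                                # TLSA published, STARTTLS absent
        MxHost("mx1.nostarttls.test", False, b"cert-A", KEY_A, [tlsa_3_1_1(KEY_A)])],
    "rollover.test": [                                  # old and new key both published
        MxHost("mx1.rollover.test", True, b"cert-B", KEY_B,
               [tlsa_3_1_1(KEY_A), tlsa_3_1_1(KEY_B)])],
    "plain.test": [
        MxHost("mx1.plain.test", True, b"cert-A", KEY_A, [])],
}


def run_survey(domains: Dict[str, List[MxHost]] = SAMPLE_DOMAINS) -> Dict[str, str]:
    return {name: classify_domain(hosts) for name, hosts in domains.items()}


if __name__ == "__main__":
    for domain, verdict in run_survey().items():
        print(f"{domain:18} {verdict}")
```

The "stale.test" case is the failure mode the message attributes to hosting setups where TLSA records are easy to publish but hard to keep current: the server's key changed, the "3 1 1" digest did not, so every DANE-aware sender now refuses the connection. The "rollover.test" case shows the correct rotation practice of publishing the new digest alongside the old one before switching keys, so that at least one record matches throughout.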