Update on stats (axc.nl DNS issues resolved this month)

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Apr 30 02:31:52 CEST 2017


As of today I count 168708 domains with correct DANE TLSA records
for SMTP.  As expected, the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are:

   69372 domeneshop.no
   58498 transip.nl
   18224 udmedia.de
    6769 bhosted.nl
    1824 nederhost.net
     993 ec-elements.com
     494 core-networks.de
     365 networking4all.net
     337 bit.nl
     328 omc-mail.com

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs.  However, this month, I was
able to obtain nearly comprehensive domain lists for .no, .nl and
.de, which accounts for the unusually large increase over the previous
month's totals.

There are 2529 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2644) of distinct MX host server certificates that support the
same ~168000 domains.

A related number is 3795 TLSA RRsets found for MX host TCP port 25.
This includes secondary MX hosts and domains none of whose primary
MX hosts have TLSA records.

The number of domains that at some point were listed in Gmail's
email transparency report is 105 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 53 are in recent reports (April 2017):

  gmx.at              jpberlin.de         bhosted.nl
  nic.br              lrz.de              ouderportaal.nl
  registro.br         mail.de             overheid.nl
  gmx.ch              posteo.de           pathe.nl
  open.ch             ruhr-uni-bochum.de  xs4all.nl
  anubisnetworks.com  tum.de              domeneshop.no
  gmx.com             uni-erlangen.de     webcruitermail.no
  mail.com            unitymedia.de       debian.org
  solvinity.com       web.de              freebsd.org
  t-2.com             enron.email         gentoo.org
  trashmail.com       octopuce.fr         ietf.org
  xfinity.com         comcast.net         isc.org
  nic.cz              dd24.net            netbsd.org
  bayern.de           gmx.net             openssl.org
  bund.de             hr-manager.net      samba.org
  elster.de           t-2.net             torproject.org
  fau.de              xs4all.net          asf.com.pt
  gmx.de              asp4all.nl

Of the ~168000 domains, 737 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 73 (~10 are recent additions that may be resolved soon,
the remaining ~60 are, for now, the stable population of broken
domains).  This month I'm posting the list of the 40 underlying MX
hosts that serve these domains and whose TLSA records don't match
reality.

    Hall of Shame:

    mail.dipietro.id.au        mx.quentindavid.fr         mail.jekuiken.nl
    mail.pgp.inf.br            servmail.fr                mail.myzt.nl
    mail.digitalwebpros.com    mail.nonoserver.info       bounder.steelyard.nl
    demo.liveconfig.com        mail.laukas.lt             mx.wm.net.nz
    ny-do.pieterpottie.com     mx.datenknoten.me          kitsune.one
    diablo.sgt.com             mx.giesen.me               baobrien.org
    tusk.sgt.com               mail.castleturing.net      beerstra.org
    mx.bels.cz                 datawebb.dafcorp.net       smtp.copi.org
    mail.enzevalos.de          anubis.delphij.net         eumembers.datacentrix.org
    mail.manima.de             dorothy.goldenhairdafo.net smtp3.amadigi.ovh
    www.mtg.de                 hs.kuzenkov.net            protector.rajmax.si
    mx1.spamsponge.de          oostergo.net               email.themcintyres.us
    gamepixel.eu               ren.warunek.net
    mail.thomspooren.eu        mail.e-rave.nl
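As an added example (not part of this post, and not Viktor's survey tooling), the following Python classifies a domain's DANE state into the categories used above on constructed data: "full" when every MX host has a TLSA RRset matching the certificate it presents, "partial" when only a subset of the MX hosts is covered, "broken" when a published TLSA record does not match the presented certificate or the host does not offer STARTTLS, and "dns-broken" when the TLSA lookup itself gets no usable answer. All domain names, DNS answers and certificate blobs are constructed stand-ins, and the DANE-TA (usage 2) check only matches the record against an issuer in the presented chain without doing path validation.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass(frozen=True)
class TLSA:
    """One TLSA record (RFC 6698): usage, selector, matching type, association data."""
    usage: int     # 2 = DANE-TA, 3 = DANE-EE are the only usages valid for SMTP (RFC 7672)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

# A presented certificate is modelled as (DER of the cert, DER of its SPKI), leaf first.
Cert = Tuple[bytes, bytes]
Chain = List[Cert]

def association_data(rr: TLSA, cert: Cert) -> bytes:
    """Compute what the record's data field must equal for this certificate."""
    obj = cert[0] if rr.selector == 0 else cert[1]
    if rr.mtype == 0:
        return obj
    if rr.mtype == 1:
        return hashlib.sha256(obj).digest()
    if rr.mtype == 2:
        return hashlib.sha512(obj).digest()
    raise ValueError(f"unknown matching type {rr.mtype}")

def tlsa_matches(rr: TLSA, chain: Chain) -> bool:
    """DANE-EE (3) must match the leaf; DANE-TA (2) must match an issuer in the chain
    (path validation from that issuer to the leaf is omitted here, an assumption).
    Usages 0 and 1 are unusable for SMTP and never match."""
    if rr.usage == 3:
        candidates = chain[:1]
    elif rr.usage == 2:
        candidates = chain[1:]
    else:
        return False
    return any(association_data(rr, c) == rr.data for c in candidates)

def mx_status(tlsa: Optional[List[TLSA]], chain: Optional[Chain]) -> str:
    """Per-MX outcome. tlsa=None: the TLSA lookup failed (no response / bogus);
    tlsa=[]: secure denial of existence; chain=None: no STARTTLS offered."""
    if tlsa is None:
        return "lookup-failed"   # sender must defer delivery (RFC 7672)
    if not tlsa:
        return "no-tlsa"         # plain opportunistic TLS, no authentication
    if chain is None:
        return "no-starttls"     # TLSA published, but the host does not offer STARTTLS
    return "ok" if any(tlsa_matches(rr, chain) for rr in tlsa) else "mismatch"

def audit_domain(mx_hosts: List[str], tlsa_lookup: Dict[str, Optional[List[TLSA]]],
                 presented: Dict[str, Optional[Chain]]) -> Tuple[str, Dict[str, str]]:
    """Classify a domain: full, partial, broken, dns-broken or none."""
    per_mx = {mx: mx_status(tlsa_lookup[f"_25._tcp.{mx}"], presented[mx]) for mx in mx_hosts}
    states = set(per_mx.values())
    if "lookup-failed" in states:
        verdict = "dns-broken"
    elif states & {"mismatch", "no-starttls"}:
        verdict = "broken"       # TLSA records that do not match reality
    elif states == {"ok"}:
        verdict = "full"
    elif "ok" in states:
        verdict = "partial"      # only a subset of the MX hosts is covered
    else:
        verdict = "none"
    return verdict, per_mx

def _cert(tag: str) -> Cert:
    # Constructed stand-ins for DER blobs; real code would take them from the TLS handshake.
    return (f"DER-cert:{tag}".encode(), f"DER-spki:{tag}".encode())

LEAF_MX1, LEAF_MX2, ISSUER_CA, OLD_LEAF = _cert("mx1"), _cert("mx2"), _cert("ca"), _cert("mx1-old")

# Constructed DNS answers, keyed by the TLSA owner name for port 25.
SAMPLE_TLSA = {
    "_25._tcp.mx1.example.test": [TLSA(3, 1, 1, hashlib.sha256(LEAF_MX1[1]).digest())],
    "_25._tcp.mx2.example.test": [TLSA(2, 0, 1, hashlib.sha256(ISSUER_CA[0]).digest())],
    "_25._tcp.mx1.partial.test": [TLSA(3, 1, 1, hashlib.sha256(LEAF_MX1[1]).digest())],
    "_25._tcp.mx2.partial.test": [],
    "_25._tcp.mx.stale.test": [TLSA(3, 1, 1, hashlib.sha256(OLD_LEAF[1]).digest())],  # key rotated, TLSA not
    "_25._tcp.mx.dnsbroken.test": None,  # TLSA query gets no answer at all
}
# Constructed chains each MX presents in STARTTLS (None would mean no STARTTLS).
SAMPLE_PRESENTED = {
    "mx1.example.test": [LEAF_MX1, ISSUER_CA], "mx2.example.test": [LEAF_MX2, ISSUER_CA],
    "mx1.partial.test": [LEAF_MX1], "mx2.partial.test": [LEAF_MX2],
    "mx.stale.test": [LEAF_MX1], "mx.dnsbroken.test": [LEAF_MX1],
}
SAMPLE_MX = {
    "example.test": ["mx1.example.test", "mx2.example.test"],
    "partial.test": ["mx1.partial.test", "mx2.partial.test"],
    "stale.test": ["mx.stale.test"],
    "dnsbroken.test": ["mx.dnsbroken.test"],
}

def audit_all() -> Dict[str, str]:
    return {d: audit_domain(mxs, SAMPLE_TLSA, SAMPLE_PRESENTED)[0] for d, mxs in SAMPLE_MX.items()}

if __name__ == "__main__":
    for domain, mxs in SAMPLE_MX.items():
        verdict, per_mx = audit_domain(mxs, SAMPLE_TLSA, SAMPLE_PRESENTED)
        print(f"{domain:15} {verdict:10} {per_mx}")
```

The practical use of the matching half is self-auditing: compute the SHA-256 of the SubjectPublicKeyInfo your MX host actually serves and compare it with the published "3 1 1" record before and after every certificate or key rotation, which is exactly the mismatch the stale.test case models.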

The number of domains with bad DNSSEC support is 263.  With axc.nl
(the previous #1) resolved this month, the top 13 DNS providers with
problem domains, after a 5-way tie for 8th place are:

    37 infracom.nl     - Was slated to be resolved in March, delayed...
    18 loopia.se
    18 active24.cz
    14 jsr-it.nl
    13 rdw.nl
     9 cas-com.net
     8 metaregistrar.nl
     6 tiscomhosting.nl
     6 pfsc.com
     6 ovh.net

Around 50 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.  Only 6 of these
DNS-broken domains appear in historical Google Email transparency
reports:

  tjce.jus.br
  trt1.jus.br
  trtrj.jus.br
  tse.jus.br
  amsterdam.nl
  rzd.ru

The associated DNS lookup issues are:

  _25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/
  _25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/
  _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/
  _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/
  _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/
  _25._tcp.mx2.tjce.jus.br. IN TLSA ? ; SOA signature failure: http://dnsviz.net/d/_25._tcp.mx2.tjce.jus.br/dnssec/
  _25._tcp.mxin1.amsterdam.nl. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mxin1.amsterdam.nl/dnssec/

   [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>.
     Much of the TLSA non-response issue seems to be related to a
     "feature" of Arbor Networks firewalls, that enables dropping
     of DNS requests for all but the most common RRtypes.  Do not
     make the mistake of enabling this firewall "feature". ]

The oldest outstanding DNS issue is another SOA signature issue
at truman.edu dating back to Nov/2014:

  http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/

I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.

-- 
	Viktor.

