Update on stats

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 27 03:06:15 CET 2017

As of today I count 110505 domains with correct DANE TLSA records
for SMTP.  As expected the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are:

    43813 domeneshop.no
    35704 transip.nl
    15495 udmedia.de
     2022 bhosted.nl
     1332 nederhost.net
      896 ec-elements.com
      409 core-networks.de
      307 uvt.nl
      282 bit.nl
      275 omc-mail.com

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, and in particular .de and .nl.

There are 2401 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2522) of distinct MX host server certificates that support the
same ~110000 domains.

Of the ~110000 domains, 565 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 64 (~4 are recent additions that will likely be resolved
soon, the remaining ~60 are, for now, the stable population of broken
domains).  This month I'm posting the top 50 entries; these are
domains that have been on that list for the longest time.

    Hall of Shame:

    castleturing.net        goldenhairdafo.net      dexalo.de
    nonoserver.info         inu.nl                  dexalo.eu
    wm.net.nz               dnsmadefree.com         digitalwebpros.com
    apachedemo.de           z0z0.me                 jeremyness.com
    oostergo.net            pksvice.cz              maximilian-greger.com
    thothnet.org            ttygap.net              copi.org
    wipedivision.cz         bels.cz                 delphij.net
    rajmax.si               baobrien.org            poderdoalimento.com.br
    acsemb.org              baobrien.guru           rnrfunco.net
    dhautefeuille.eu        pieterpottie.com        sgt.com
    dinepont.fr             sylvieandpieter.com     rnrfunco.com
    hlfh.space              sylviesfollies.com      puz.de
    12xu.info               flatcap.org             zencrypt.de
    warunek.net             russon.org              freeservices.net
    giesen.me               amadigi.ovh             kuzenkov.net
    kamikazekippetjes.nl    duffau.net              obninsk.biz
    myzt.nl                 daallexx.eu

The number of domains with bad DNSSEC support is 434. The top 10
DNS providers (by broken domain count) are:

    62 axc.nl            - Slated to be resolved
    37 infracom.nl       - Slated to be resolved
    18 loopia.se
    18 active24.cz
    16 domaincontrol.com - notified
    14 jsr-it.nl
    12 rdw.nl
    12 cas-com.net
    11 dootall.com       - notified
    10 ignum.com

Around 100 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.

The number of domains that at some point were listed in Gmail's
transparency report is 99 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these 44 are
in recent reports (February 2017):

    Hall of Fame:

    gmx.at                  mail.de                 asp4all.nl
    nic.br                  posteo.de               ouderportaal.nl
    registro.br             ruhr-uni-bochum.de      overheid.nl
    gmx.ch                  tum.de                  xs4all.nl
    open.ch                 uni-erlangen.de         domeneshop.no
    gmx.com                 unitymedia.de           webcruitermail.no
    mail.com                web.de                  debian.org
    trashmail.com           enron.email             freebsd.org
    xfinity.com             octopuce.fr             gentoo.org
    bayern.de               comcast.net             ietf.org
    bund.de                 dd24.net                isc.org
    fau.de                  gmx.net                 netbsd.org
    gmx.de                  hr-manager.net          samba.org
    jpberlin.de             t-2.net                 torproject.org
    lrz.de                  xs4all.net

A recent addition that is not listed above is "exim.org".  It seems
that "exim.org" mailing lists don't process enough email to land
on Google transparency reports.  Similarly, "openssl.org" used to
be on this list, and still has working TLSA records, but it seems
no longer generates enough email traffic to be on Google's reports.

I don't have any way to measure how many domains enable DANE outbound
but aren't using DNSSEC for their own domain or are not publishing
TLSA records.  It is easy to do: just fire up a local validating
resolver, adjust /etc/resolv.conf to list only and/or
::1, and add a couple of lines to main.cf.  So the stats I am
reporting reflect only DANE adoption for inbound email.
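The categories used in the report above (every MX host covered, "partial" TLSA records that cover only some of the MX hosts, and records that are incorrect or published for a host that does not advertise STARTTLS) can be checked mechanically. The following Python is an added example, not code from the post or from any DANE survey tool; it runs entirely on constructed data (stand-in certificate and SubjectPublicKeyInfo bytes, TLSA records built inline, invented host names such as mx1.example, no DNS lookups or SMTP connections), authenticates only DANE-EE (usage 3) records and, as a simplification, treats DANE-TA (usage 2) records as unusable.

```python
"""Offline DANE TLSA coverage check for an SMTP domain (constructed data)."""
import hashlib
from dataclasses import dataclass

# TLSA RDATA parameters (RFC 6698 / RFC 7672); SMTP uses only usages 2 and 3.
DANE_TA, DANE_EE = 2, 3
SEL_FULL_CERT, SEL_SPKI = 0, 1
MATCH_EXACT, MATCH_SHA256, MATCH_SHA512 = 0, 1, 2


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    mtype: int
    data: str          # certificate association data, hex as in a zone file


@dataclass(frozen=True)
class MXHost:
    name: str
    starttls: bool     # whether the server advertises STARTTLS
    cert_der: bytes    # stand-in for the DER leaf certificate (constructed)
    spki_der: bytes    # stand-in for its DER SubjectPublicKeyInfo (constructed)


def tlsa_digest(obj: bytes, mtype: int) -> str:
    """Association data for the selected object under a TLSA matching type."""
    if mtype == MATCH_EXACT:
        return obj.hex()
    if mtype == MATCH_SHA256:
        return hashlib.sha256(obj).hexdigest()
    if mtype == MATCH_SHA512:
        return hashlib.sha512(obj).hexdigest()
    raise ValueError(f"unsupported matching type {mtype}")


def usable(rec: TLSARecord) -> bool:
    # Only DANE-EE(3) is authenticated here; DANE-TA(2) would need the server's
    # chain, so this checker treats it as unusable (a simplification).
    return (rec.usage == DANE_EE and rec.selector in (SEL_FULL_CERT, SEL_SPKI)
            and rec.mtype in (MATCH_EXACT, MATCH_SHA256, MATCH_SHA512))


def record_matches(rec: TLSARecord, host: MXHost) -> bool:
    obj = host.cert_der if rec.selector == SEL_FULL_CERT else host.spki_der
    return tlsa_digest(obj, rec.mtype) == rec.data.lower()


def host_status(host: MXHost, rrset: list[TLSARecord]) -> str:
    """One of: ok | mismatch | no-starttls | unusable | no-tlsa."""
    if not rrset:
        return "no-tlsa"          # opportunistic TLS only: STARTTLS can be stripped
    if not host.starttls:
        return "no-starttls"      # TLSA published but no STARTTLS: delivery fails
    usable_recs = [r for r in rrset if usable(r)]
    if not usable_recs:
        return "unusable"         # records present but none this checker can verify
    return "ok" if any(record_matches(r, host) for r in usable_recs) else "mismatch"


def classify_domain(hosts: list[MXHost], tlsa: dict[str, list[TLSARecord]]):
    """Return (verdict, {mx name: status}).

    full: every MX host authenticated; partial: some MX host has no (usable)
    TLSA records, so active attacks remain possible via that host; broken: a
    published RRset fails (hash mismatch or no STARTTLS); none: no TLSA at all."""
    statuses = {h.name: host_status(h, tlsa.get(h.name, [])) for h in hosts}
    values = set(statuses.values())
    if values & {"mismatch", "no-starttls"}:
        verdict = "broken"
    elif values == {"ok"}:
        verdict = "full"
    elif values == {"no-tlsa"}:
        verdict = "none"
    else:
        verdict = "partial"
    return verdict, statuses


def _rec(host: MXHost, selector: int = SEL_SPKI, mtype: int = MATCH_SHA256) -> TLSARecord:
    """Build a correct '3 <selector> <mtype>' record for a constructed host."""
    obj = host.cert_der if selector == SEL_FULL_CERT else host.spki_der
    return TLSARecord(DANE_EE, selector, mtype, tlsa_digest(obj, mtype))


def run_examples() -> dict[str, str]:
    """Constructed domains, one per category used in the report."""
    mx1 = MXHost("mx1.example", True, b"cert-mx1", b"spki-mx1")
    mx2 = MXHost("mx2.example", True, b"cert-mx2", b"spki-mx2")
    mx3 = MXHost("mx3.example", False, b"cert-mx3", b"spki-mx3")
    # A record left behind after a key rollover: valid syntax, wrong digest.
    stale = TLSARecord(DANE_EE, SEL_SPKI, MATCH_SHA256, tlsa_digest(b"old-key", MATCH_SHA256))
    cases = {
        "full": ([mx1, mx2], {"mx1.example": [_rec(mx1)], "mx2.example": [_rec(mx2, SEL_FULL_CERT)]}),
        "partial": ([mx1, mx2], {"mx1.example": [_rec(mx1)]}),   # mx2 has no TLSA
        "broken-mismatch": ([mx1], {"mx1.example": [stale]}),
        "broken-no-starttls": ([mx3], {"mx3.example": [_rec(mx3)]}),
        "none": ([mx1], {}),
    }
    return {name: classify_domain(h, t)[0] for name, (h, t) in cases.items()}


if __name__ == "__main__":
    for name, verdict in run_examples().items():
        print(f"{name:20s} -> {verdict}")
```

A real survey would obtain each MX host's TLSA RRset through a DNSSEC-validating resolver and the leaf certificate from a STARTTLS handshake, then feed them to the same `host_status` logic; the "partial" verdict is what makes the point that an attacker simply targets whichever MX host is left uncovered.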