Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jan 28 06:57:55 CET 2017

[ The main notable change is that forpsi.cz have fixed the corner-case
  issues in their DNS and no longer generate occasional "bogus"
  denial of existence of TLSA records. ]

As of today I count 106082 domains with correct DANE TLSA records
for SMTP.  As expected the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are:

    42447 domeneshop.no
    34169 transip.nl
    15176 udmedia.de
     1737 bhosted.nl
     1287 nederhost.net
      892 ec-elements.com
      390 core-networks.de
      299 uvt.nl
      261 bit.nl
      256 omc-mail.com

The real numbers are surely larger, because I don't have access to
the full zone data for any ccTLDs, and in particular .de and .nl.

There are 2332 unique zones in which the underlying MX hosts are
found; this counts each of the above registrars as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2421) of distinct MX host server certificates that support the
same ~106000 domains.

Of the ~106000 domains, 609 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 63 (~3 are recent additions that will likely be resolved
soon, the remaining ~60 are the for now stable population of broken
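
The two categories above ("partial" coverage of the MX set, and TLSA
records that are published but do not verify) are easy to conflate when
auditing your own domain.  The following is an added example, not part of
this message or of the survey tooling: an offline classifier that takes a
domain's MX list, the TLSA records found per host, and the result of a
STARTTLS probe per host, and reports coverage plus the hosts that would
fail DANE verification.  The DNS answers, certificates and SPKI blobs are
constructed inline; only the "3 1 1" style DANE-EE matching is
implemented, DANE-TA records are treated as unverified.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    """One TLSA record as the four RDATA fields (RFC 6698)."""
    usage: int      # 3 = DANE-EE (end entity), 2 = DANE-TA (trust anchor)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: bytes


def tlsa_matches(rr, cert_der, spki_der):
    """True if one TLSA record matches what the MX host presented.

    Only DANE-EE (usage 3) is checked here; a DANE-TA (usage 2) record needs
    the chain the server sent, so it is treated as not matching in this toy.
    """
    if rr.usage != 3:
        return False
    subject = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return rr.data == subject
    if rr.mtype == 1:
        return rr.data == hashlib.sha256(subject).digest()
    if rr.mtype == 2:
        return rr.data == hashlib.sha512(subject).digest()
    return False  # unknown matching type: record is unusable


def audit_domain(mx_hosts, tlsa_by_host, probe_by_host):
    """Classify one domain the way the survey does.

    mx_hosts:      the domain's MX hostnames
    tlsa_by_host:  host -> list of TLSA records ([] means none published)
    probe_by_host: host -> (starttls_advertised, cert_der, spki_der)

    Returns (coverage, broken) where coverage is "none", "partial" or "full"
    and broken lists (host, reason) for covered hosts that fail verification.
    """
    covered = [h for h in mx_hosts if tlsa_by_host.get(h)]
    if not covered:
        return "none", []
    coverage = "full" if len(covered) == len(mx_hosts) else "partial"
    broken = []
    for host in covered:
        starttls, cert_der, spki_der = probe_by_host[host]
        if not starttls:
            # TLSA published but the server never offers TLS: delivery fails
            broken.append((host, "no STARTTLS"))
            continue
        if not any(tlsa_matches(rr, cert_der, spki_der)
                   for rr in tlsa_by_host[host]):
            # typically a rotated key whose TLSA record was not updated
            broken.append((host, "no matching TLSA record"))
    return coverage, broken


def ee_spki_sha256(spki_der):
    """Build the common '3 1 1' record for a given SPKI."""
    return TLSA(3, 1, 1, hashlib.sha256(spki_der).digest())


# Constructed stand-ins for DER certificates / SPKI blobs (not real keys).
CERT_A, SPKI_A = b"constructed-cert-mx1", b"constructed-spki-mx1"
CERT_B, SPKI_B = b"constructed-cert-mx2", b"constructed-spki-mx2"
STALE_SPKI = b"constructed-spki-before-key-rotation"

SAMPLES = {
    # every MX host covered and verifying
    "full.example": (
        ["mx1", "mx2"],
        {"mx1": [ee_spki_sha256(SPKI_A)], "mx2": [ee_spki_sha256(SPKI_B)]},
        {"mx1": (True, CERT_A, SPKI_A), "mx2": (True, CERT_B, SPKI_B)},
    ),
    # only mx1 covered: mx2 traffic is still exposed to active attacks
    "partial.example": (
        ["mx1", "mx2"],
        {"mx1": [ee_spki_sha256(SPKI_A)], "mx2": []},
        {"mx1": (True, CERT_A, SPKI_A), "mx2": (True, CERT_B, SPKI_B)},
    ),
    # records published everywhere, but mx1's record is stale and mx2 has no TLS
    "broken.example": (
        ["mx1", "mx2"],
        {"mx1": [ee_spki_sha256(STALE_SPKI)], "mx2": [ee_spki_sha256(SPKI_B)]},
        {"mx1": (True, CERT_A, SPKI_A), "mx2": (False, CERT_B, SPKI_B)},
    ),
    "none.example": (["mx1"], {"mx1": []}, {"mx1": (True, CERT_A, SPKI_A)}),
}


def audit_all(samples=SAMPLES):
    return {d: audit_domain(*args) for d, args in samples.items()}


if __name__ == "__main__":
    for domain, (coverage, broken) in audit_all().items():
        print(f"{domain:16} {coverage:8} {broken or 'ok'}")
```

A real audit would fill `tlsa_by_host` from a validating resolver (and only
count records whose answer carried the AD bit) and `probe_by_host` from an
EHLO/STARTTLS exchange with each MX host; the classification logic stays the
same.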

The number of domains with bad DNSSEC support is 388. The top 10
DNS providers (by broken domain count) are:

  56 axc.nl		- Slated to be resolved
  37 infracom.nl
  19 loopia.se
  19 active24.cz
  14 jsr-it.nl
  12 cas-com.net
  10 ignum.com
   8 ovh.net
   7 tse.jus.br
   7 is.nl

Around 100 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.

The number of domains that at some point were listed in Gmail's
transparency report is 96 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these 46 are
in recent reports (January 2017):

    bayern.de               ietf.org                ruhr-uni-bochum.de
    bund.de                 insee.fr                samba.org
    comcast.net             ish.de                  t-2.net
    dd24.net                jpberlin.de             torproject.org
    debian.org              kabelmail.de            tum.de
    domeneshop.no           lrz.de                  uni-erlangen.de
    enron.email             mail.com                unitybox.de
    fau.de                  mail.de                 unitymedia.de
    freebsd.org             netbsd.org              web.de
    gentoo.org              octopuce.fr             webcruitermail.no
    gmx.at                  open.ch                 xfinity.com
    gmx.ch                  openssl.org             xs4all.net
    gmx.com                 ouderportaal.nl         xs4all.nl
    gmx.de                  overheid.nl             xworks.net
    gmx.net                 posteo.de
    hr-manager.net          registro.br

A recent addition that is not listed above is "exim.org".  It seems
that "exim.org" mailing lists don't process enough email to land
on Google transparency reports.

I don't have any way to measure how many domains enable DANE outbound
but aren't using DNSSEC for their own domain or are not publishing
TLSA records.  It is easy to do, just fire up a local validating
resolver, adjust /etc/resolv.conf to list only and/or
::1, and add a couple of lines to main.cf.  So the stats I am
reporting reflect only DANE adoption for inbound email.
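
For readers who want the "couple of lines" spelled out, here is an added
example (not from this message) of the outbound-DANE setup for Postfix,
which is what main.cf refers to.  The resolver is assumed to be a validating
one listening on the loopback addresses; the parameter names are standard
Postfix ones.

```ini
# /etc/resolv.conf -- point Postfix at the local validating resolver only,
# so the AD bit on every answer comes from a resolver you control.
nameserver 127.0.0.1
nameserver ::1

# /etc/postfix/main.cf -- the two lines that enable outbound DANE
smtp_dns_support_level = dnssec
smtp_tls_security_level = dane
# optional: log one line per delivery; DANE-authenticated sessions show
# "Verified TLS connection established to ..." in the mail log
smtp_tls_loglevel = 1
```

With the `dane` level, destinations that have no TLSA records, or whose
TLSA records are not DNSSEC-validated, fall back to opportunistic `may`.
A non-validating or remote resolver therefore does not produce errors; it
silently turns every delivery back into unauthenticated TLS, which is why
the resolver has to be local and validating and why the log line above is
the check worth doing after the change.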


