Update on stats 2017-06

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jun 30 22:09:46 CEST 2017


As of today I count 171460 domains with correct DANE TLSA records
for SMTP.  As expected the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are:

  69368 domeneshop.no
  59835 transip.nl
  18351 udmedia.de
   6665 bhosted.nl
   1820 nederhost.net
   1007 ec-elements.com
   1001 networking4all.net
    514 core-networks.de
    375 omc-mail.com
    364 yourdomainprovider.net

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.de.

There are 2615 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2707) of distinct MX host server certificates that support the
same ~171000 domains.

A related number is 3955 TLSA RRsets found for MX host TCP port
25.  This includes secondary MX hosts and domains none of whose
primary MX hosts have TLSA records.

The number of domains that at some point were listed in Gmail's
email transparency report is 111 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 54 are in recent reports:

  anubisnetworks.com   gmx.net              posteo.de
  asf.com.pt           hr-manager.net       registro.br
  asp4all.nl           ietf.org             ruhr-uni-bochum.de
  bayern.de            isc.org              samba.org
  bund.de              jpberlin.de          solvinity.com
  comcast.net          lrz.de               t-2.net
  dd24.net             mail.com             tilburguniversity.ed
  debian.org           mail.de              torproject.org
  domeneshop.no        mpssec.net           trashmail.com
  elster.de            netbsd.org           tum.de
  enron.email          nic.br               uni-erlangen.de
  fau.de               octopuce.fr          unitymedia.de
  freebsd.org          open.ch              uvt.nl
  gentoo.org           openssl.org          web.de
  gmx.at               otvi.nl              webcruitermail.no
  gmx.ch               ouderportaal.nl      xfinity.com
  gmx.com              overheid.nl          xs4all.net
  gmx.de               pathe.nl             xs4all.nl

Of the ~171000 domains, 835 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 108.  Below is a list of the 53 underlying MX hosts that
serve these domains and whose TLSA records don't match reality:

  Hall of Shame:

  mail.dipietro.id.au        mx1.spamsponge.de      dorothy.goldenhairdafo.net
  eumembers.stansoft.bg      smtp2.strotmann.de     oostergo.net
  catabra.com.br             mx.thorko.de           cinnamon.nl
  mail.pgp.inf.br            smtp.flipmail.es       mail.e-rave.nl
  mail.danmolik.com          mail.0pc.eu            mail.jekuiken.nl
  mail.digitalwebpros.com    gamepixel.eu           mail.myzt.nl
  demo.liveconfig.com        mx.quentindavid.fr     bounder.steelyard.nl
  intranet.nctechcenter.com  servmail.fr            beerstra.org
  ny-do.pieterpottie.com     mail.nonoserver.info   eumembers.datacentrix.org
  diablo.sgt.com             mail.bax.is            smtp3.amadigi.ovh
  tusk.sgt.com               mail.lsd.is            itaskmanager.ovh
  mx1.wittsend.com           mail.laukas.lt         mail.pasion.ro
  mx.bels.cz                 mx.datenknoten.me      mail.lahl.rocks
  gaia.nfx.cz                mx.giesen.me           puggan.se
  badf00d.de                 mail.castleturing.net  mail.rostit.se
  mail.denniseffing.de       mail.culm.net          protector.rajmax.si
  mail.manima.de             datawebb.dafcorp.net   email.themcintyres.us
  www.mtg.de                 anubis.delphij.net

The number of domains with bad DNSSEC support is 423.  The top 10
DNS providers with problem domains are:

  68 jsr-it.nl
  53 infracom.nl        - Was slated to be resolved in March, delayed...
  25 tiscomhosting.nl
  25 active24.cz
  15 rdw.nl
  15 firstfind.nl
  11 loopia.se
  10 metaregistrar.nl
   9 cas-com.net
   8 ovh.net
   7 ignum.com

Around 50 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.  Only 6 of the
DNS-broken domains appear in historical Google Email transparency
reports:

  tiviths.com.br
  tre-sp.jus.br
  trt1.jus.br
  trtrj.jus.br
  tse.jus.br
  rzd.ru

The associated DNS lookup issues are:

  _25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/
  _25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/
  _25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/
  _25._tcp.dexter.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.dexter.tse.jus.br/dnssec/
  _25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/
  _25._tcp.mandark.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mandark.tse.jus.br/dnssec/
  _25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/
  _25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/

  [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>.
    Much of the TLSA non-response issue seems to be related to a
    "feature" of Arbor Networks firewalls, that enables dropping of
    DNS requests for all but the most common RRtypes.  Do not make
    the mistake of enabling this firewall "feature". ]

The oldest outstanding DNS issue is another SOA signature issue
at truman.edu dating back to Nov/2014:

  http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/

I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.

-- 
	Viktor.
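The buckets the counts above fall into (correct, "partial" coverage of only
some MX hosts, incorrect TLSA or no STARTTLS, DNS-broken) come from one
per-MX-host check: does any usable TLSA record match the certificate chain
the host actually presents?  The following is an added illustration of that
check and the resulting per-domain classification; it is not code from the
post or from Viktor's survey tooling.  Matching follows RFC 6698/7671
(usage, selector, matching type) and RFC 7672 (for SMTP only DANE-TA(2) and
DANE-EE(3) are usable).  The certificate bytes, MX host names and domain names
are constructed stand-ins, not real DER or real hosts, and the function names
are this example's own.

```python
"""Classify a domain's DANE SMTP coverage from its MX hosts' TLSA records.

Added example, not from the original post or its survey tooling.  The
certificate bytes are constructed stand-ins, not real DER.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA-256, 2 SHA-512
    data: bytes


@dataclass(frozen=True)
class Cert:
    der: bytes   # bytes hashed for selector 0 (constructed stand-in here)
    spki: bytes  # bytes hashed for selector 1 (constructed stand-in here)


def parse_tlsa(rdata: str) -> TLSA:
    """Parse TLSA presentation format, e.g. '3 1 1 2bb1...'."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype),
                bytes.fromhex(hexdata.replace(" ", "")))


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Compute what a TLSA record with this selector/mtype must contain."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def usable(r: TLSA) -> bool:
    """RFC 7672: PKIX usages and unknown parameters are unusable for SMTP."""
    return r.usage in (2, 3) and r.selector in (0, 1) and r.mtype in (0, 1, 2)


def host_status(records: List[TLSA], chain: Optional[List[Cert]]) -> str:
    """Return 'none', 'match' or 'mismatch' for one MX host.

    chain[0] is the leaf certificate.  chain=None models a host that
    publishes TLSA records but does not advertise STARTTLS.
    """
    usable_records = [r for r in records if usable(r)]
    if not usable_records:
        return "none"        # treated as if no TLSA were published
    if chain is None:
        return "mismatch"    # published TLSA, but no TLS to verify against
    for r in usable_records:
        candidates = chain[:1] if r.usage == 3 else chain   # DANE-EE: leaf only
        if any(association_data(c, r.selector, r.mtype) == r.data for c in candidates):
            return "match"
    return "mismatch"


def classify_domain(mx_hosts, tlsa_lookup, chains) -> str:
    """Map a domain to one of the post's buckets.

    tlsa_lookup[host] is the list of TLSA records, or None when the lookup
    failed (bogus DNSSEC, TLSA non-response); chains[host] is the presented
    certificate chain, absent when the host offers no STARTTLS.
    """
    statuses = []
    for host in mx_hosts:
        records = tlsa_lookup.get(host, [])
        if records is None:
            return "dns-broken"
        statuses.append(host_status(records, chains.get(host)))
    if "mismatch" in statuses:
        return "incorrect"   # the "TLSA records don't match reality" bucket
    if all(s == "match" for s in statuses):
        return "correct"
    if "match" in statuses:
        return "partial"     # only a subset of the MX hosts is protected
    return "none"


# Constructed sample data (not real hosts, keys or certificates).
LEAF = Cert(der=b"constructed-leaf-cert-der", spki=b"constructed-leaf-spki-der")
ISSUER = Cert(der=b"constructed-issuer-cert-der", spki=b"constructed-issuer-spki-der")
CHAIN = [LEAF, ISSUER]
EE_OK = parse_tlsa("3 1 1 " + hashlib.sha256(LEAF.spki).hexdigest())
TA_OK = parse_tlsa("2 0 1 " + hashlib.sha256(ISSUER.der).hexdigest())
EE_STALE = parse_tlsa("3 1 1 " + hashlib.sha256(b"constructed-rotated-away-key").hexdigest())

SAMPLE_DOMAINS = {
    "correct.example":     (["mx1", "mx2"], {"mx1": [EE_OK], "mx2": [TA_OK]}, {"mx1": CHAIN, "mx2": CHAIN}),
    "partial.example":     (["mx1", "mx2"], {"mx1": [EE_OK]},                 {"mx1": CHAIN, "mx2": CHAIN}),
    "stale-key.example":   (["mx1"],        {"mx1": [EE_STALE]},              {"mx1": CHAIN}),
    "no-starttls.example": (["mx1"],        {"mx1": [EE_OK]},                 {}),
    "dns-broken.example":  (["mx1"],        {"mx1": None},                    {"mx1": CHAIN}),
    "no-dane.example":     (["mx1"],        {},                               {"mx1": CHAIN}),
}


def survey(domains=SAMPLE_DOMAINS) -> Dict[str, str]:
    """Classify every sample domain; returns domain -> bucket."""
    return {d: classify_domain(*args) for d, args in domains.items()}


if __name__ == "__main__":
    for domain, verdict in survey().items():
        print(f"{verdict:11} {domain}")
```

The "stale-key" and "no-starttls" samples are the two ways an MX host ends up
with records that "don't match reality": a key rotated without updating the
TLSA RRset, and TLSA published for a host that never offers TLS.  Publishing
a "3 1 1" record for the new key alongside the old one before rotating, and
removing the old one only afterwards, avoids the first; monitoring that the
RRset still matches the live chain catches both.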

