Update on stats

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Mar 25 21:50:45 CET 2017

As of today I count 137620 domains with correct DANE TLSA records
for SMTP.  As expected the bulk of the DANE domains are hosted by the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host.  The top 10 MX host providers by
domain count are:

    60764 domeneshop.no
    43961 transip.nl
    15734 udmedia.de
     3040 bhosted.nl
     1493 nederhost.net
      904 ec-elements.com
      431 core-networks.de
      307 uvt.nl
      301 bit.nl
      287 omc-mail.com

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, in particular .de, .nl and .no.

There are 2449 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.  Alternatively, a similar number is seen in the count
(2613) of distinct MX host server certificates that support the
same ~137000 domains.

A related number is 4172 TLSA RRsets found for MX host TCP port 25.
This includes secondary MX hosts and domains none of whose primary
MX hosts have TLSA records.  

The number of domains that at some point were listed in Gmail's
email transparency report is now 105 (this is my ad-hoc criterion
for a domain being a large-enough actively used email domain).  Of
these, 56 are in recent reports (March 2017):

    gmx.at                  jpberlin.de             overheid.nl
    nic.br                  lrz.de                  pathe.nl
    registro.br             mail.de                 wooniezie.nl
    gmx.ch                  posteo.de               xs4all.nl
    open.ch                 ruhr-uni-bochum.de      domeneshop.no
    anubisnetworks.com      tum.de                  webcruitermail.no
    gmx.com                 uni-erlangen.de         debian.org
    mail.com                unitymedia.de           domainmail.org
    piratenexus.com         web.de                  freebsd.org
    pirateperfection.com    enron.email             gentoo.org
    pre-sustainability.com  octopuce.fr             ietf.org
    t-2.com                 comcast.net             netbsd.org
    trashmail.com           dd24.net                netcoolusers.org
    xfinity.com             gmx.net                 openssl.org
    bayern.de               hr-manager.net          samba.org
    bund.de                 t-2.net                 torproject.org
    elster.de               xs4all.net              minmyndighetspost.se
    fau.de                  asp4all.nl              skatteverket.se
    gmx.de                  ouderportaal.nl

A different metric is how many of the DANE-enabled domains received
email from at least 10 Gmail senders in a recent 8 day interval.
Back in Dec/2016 I reported that ~2200 out of ~105k domains met
that criterion.  This month, the number was ~3900 out of ~137k
domains.  So it seems that a non-negligible fraction of the increase
is from real domains that receive email, and not just parked domains.

Of the ~137000 domains, 655 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 96 (~30 are recent additions that may be resolved soon;
the remaining ~60 are, for now, the stable population of broken
domains).  This month I'm posting the list of the 44 underlying MX
hosts that serve these domains and whose TLSA records don't match:

    Hall of Shame:

    mail.dipietro.id.au        www.mtg.de                  mail.inu.nl
    clubeararaquarense.org.br  mx1.spamsponge.de           mail.jekuiken.nl
    mail.antiphishing.ch       mail.nonoserver.info        mail.myzt.nl
    mail.digitalwebpros.com    mx.datenknoten.me           bounder.steelyard.nl
    mail.dnsmadefree.com       mx.giesen.me                mx.wm.net.nz
    demo.liveconfig.com        mail.castleturing.net       baobrien.org
    ny-do.pieterpottie.com     datawebb.dafcorp.net        smtp.copi.org
    diablo.sgt.com             anubis.delphij.net          eumembers.datacentrix.org
    tusk.sgt.com               dorothy.goldenhairdafo.net  smtp2.amadigi.ovh
    mx.bels.cz                 hs.kuzenkov.net             webmail.headsite.se
    johniez.cz                 oostergo.net                protector.rajmax.si
    mail.pksvice.cz            ren.warunek.net             arch-server.hlfh.space
    srv01.101host.de           mail.e-rave.nl              mail.blackcherry-management.co.uk
    mail.cdbm.de               mail.hhsk.nl                email.themcintyres.us
    mail.manima.de             box.inpoint-mailt.nl

The number of domains with bad DNSSEC support is 322. The top 10
DNS providers (by broken domain count) are:

    52 axc.nl          - Slated to be resolved
    38 infracom.nl     - Slated to be resolved
    18 loopia.se
    18 active24.cz
    14 jsr-it.nl
    12 rdw.nl
     9 cas-com.net
     8 metaregistrar.nl
     6 tiscomhosting.nl
     6 thednscompany.com

Around 60 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.


More information about the dane-users mailing list
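The post reports three measurements without spelling out how they are taken: whether a TLSA record matches the certificate an MX host presents (the 44-host list), whether a domain's TLSA coverage is "partial" (some MX hosts covered, some not), and which records are usable for SMTP at all. The following is an added, offline example written for this page; it is not Viktor Dukhovni's scanning code and does not come from the mailing list. It builds a syntactically valid but unsigned X.509 shell with a small DER encoder, extracts the SubjectPublicKeyInfo the way a TLSA selector 1 check needs, computes association data for matching types 0/1/2, and runs the coverage and mismatch checks over constructed MX hosts under example.net. The hostnames, keys and TLSA records are all made up for the example; STARTTLS advertisement and DNSSEC validation, which the post also measures, need a network and are not modelled.

```python
"""Offline model of DANE-for-SMTP TLSA checks (RFC 6698/7671/7672).
Added example for this page; all certificates, hosts and TLSA records are constructed."""
import hashlib

# ---- minimal DER: enough to build a certificate shell and to walk a real one ----
def _der(tag, body):
    """Encode one DER TLV with definite length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def _seq(*items):
    return _der(0x30, b"".join(items))

def _tlv(buf, off):
    """Decode the TLV at buf[off:]; return (tag, element_start, value_start, value_end)."""
    tag, n, hdr = buf[off], buf[off + 1], 2
    if n & 0x80:                       # long-form length
        k = n & 0x7F
        n = int.from_bytes(buf[off + 2:off + 2 + k], "big")
        hdr += k
    return tag, off, off + hdr, off + hdr + n

def _children(buf, start, end):
    """Iterate over the TLVs laid end to end in buf[start:end]."""
    off = start
    while off < end:
        item = _tlv(buf, off)
        yield item
        off = item[3]

def subject_public_key_info(cert_der):
    """DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1, RFC 6698 section 2.1.2)."""
    _, _, cert_vs, cert_ve = _tlv(cert_der, 0)                       # Certificate SEQUENCE
    tbs_tag, _, tbs_vs, tbs_ve = next(_children(cert_der, cert_vs, cert_ve))
    if tbs_tag != 0x30:
        raise ValueError("not a certificate")
    fields = list(_children(cert_der, tbs_vs, tbs_ve))
    # TBSCertificate = [version] serial signature issuer validity subject SPKI ...
    # The EXPLICIT [0] version is optional, so SPKI is field 6 when present, else field 5.
    _, spki_start, _, spki_end = fields[6 if fields[0][0] == 0xA0 else 5]
    return cert_der[spki_start:spki_end]

# ---- constructed certificate shell (structure only; key bytes and signature are dummies) ----
OID_RSA = bytes.fromhex("06092a864886f70d010101")         # rsaEncryption
OID_SHA256_RSA = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption
OID_CN = bytes.fromhex("0603550403")                      # id-at-commonName
NULL = b"\x05\x00"

def _name(cn):
    return _seq(_der(0x31, _seq(OID_CN, _der(0x0C, cn.encode()))))

def make_cert(cn, key_bytes, issuer="Constructed Test CA"):
    spki = _seq(_seq(OID_RSA, NULL), _der(0x03, b"\x00" + key_bytes))
    tbs = _seq(_der(0xA0, _der(0x02, b"\x02")),                      # version v3
               _der(0x02, b"\x01"),                                  # serial 1
               _seq(OID_SHA256_RSA, NULL), _name(issuer),
               _seq(_der(0x17, b"170301000000Z"), _der(0x17, b"180301000000Z")),
               _name(cn), spki)
    return _seq(tbs, _seq(OID_SHA256_RSA, NULL), _der(0x03, b"\x00" * 33))

# ---- TLSA semantics ----
USABLE_USAGES = {2, 3}   # DANE-TA(2), DANE-EE(3); RFC 7672 treats PKIX-TA(0)/PKIX-EE(1) as unusable for SMTP

def association_data(cert_der, selector, mtype):
    """Selector 0 = full certificate, 1 = SPKI; matching type 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    data = cert_der if selector == 0 else subject_public_key_info(cert_der)
    if mtype == 0:
        return data
    if mtype not in (1, 2):
        raise ValueError("unknown matching type")
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()

def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation form of a TLSA record, e.g. '3 1 1 <hex>'."""
    return f"{usage} {selector} {mtype} {association_data(cert_der, selector, mtype).hex()}"

def parse_tlsa(text):
    u, s, m, h = text.split()
    return int(u), int(s), int(m), bytes.fromhex(h)

def rrset_matches_chain(rrset, chain):
    """True if some usable record authenticates the presented chain (chain[0] is the leaf).
    DANE-EE(3) is matched against the leaf, DANE-TA(2) against an issuer certificate in the
    chain; the PKIX path validation up to that TA that a real client also performs is omitted."""
    for u, s, m, data in map(parse_tlsa, rrset):
        if u not in USABLE_USAGES:
            continue
        for cert in ([chain[0]] if u == 3 else chain[1:]):
            if association_data(cert, s, m) == data:
                return True
    return False

def _has_usable(rrset):
    return any(parse_tlsa(r)[0] in USABLE_USAGES for r in rrset)

def classify_domain(mx_hosts, tlsa_by_host):
    """'full' if every MX host has usable TLSA records, 'partial' if only some do, else 'none'."""
    covered = [h for h in mx_hosts if _has_usable(tlsa_by_host.get(h, []))]
    if len(covered) == len(mx_hosts):
        return "full"
    return "partial" if covered else "none"

def mismatched_hosts(tlsa_by_host, chain_by_host):
    """MX hosts that publish usable TLSA records, none of which match the chain they present."""
    return sorted(h for h, rrs in tlsa_by_host.items()
                  if _has_usable(rrs) and not rrset_matches_chain(rrs, chain_by_host[h]))

# ---- constructed sample data: three MX hosts of one domain ----
CERT_A = make_cert("mx1.example.net", hashlib.sha256(b"key A").digest())
CERT_B_OLD = make_cert("mx2.example.net", hashlib.sha256(b"key B, before rotation").digest())
CERT_B = make_cert("mx2.example.net", hashlib.sha256(b"key B, after rotation").digest())
CERT_CA = make_cert("Constructed Test CA", hashlib.sha256(b"CA key").digest())
MX_HOSTS = ["mx1.example.net", "mx2.example.net", "mx3.example.net"]
TLSA = {
    "mx1.example.net": [tlsa_rdata(CERT_A, 3, 1, 1)],       # 3 1 1: SHA-256 of the leaf SPKI
    "mx2.example.net": [tlsa_rdata(CERT_B_OLD, 3, 1, 1)],   # stale record after a key rotation
    "mx3.example.net": ["0 0 1 " + "00" * 32],             # PKIX-TA(0): unusable for SMTP
}
CHAINS = {"mx1.example.net": [CERT_A, CERT_CA], "mx2.example.net": [CERT_B, CERT_CA],
          "mx3.example.net": [CERT_B, CERT_CA]}

if __name__ == "__main__":
    print(classify_domain(MX_HOSTS, TLSA))      # partial: mx3 has no usable record
    print(mismatched_hosts(TLSA, CHAINS))       # ['mx2.example.net']
```

The mx2 case is the typical way a host ends up on a list like the one above: the key was rotated but the "3 1 1" record still carries the old SPKI digest, so every DANE-verifying sender is pushed into a hard authentication failure while non-DANE senders see nothing wrong. The mx3 case shows why a domain can publish TLSA records and still count as uncovered: a PKIX-TA(0) record is not usable for SMTP, so that host contributes nothing and the domain as a whole is only partially protected.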