Belated update on stats 2017-09/2017-10

Viktor Dukhovni ietf-dane at
Thu Oct 26 08:31:42 CEST 2017

[ Sorry about the delay, I was too busy rewriting major chunks
  of the underlying code to produce a report.  Better late than
  never so the below is the status for today, rather than the end
  of September. ]

Summary:  The number of DANE-enabled domains that have also been sighted
	  on Google's email transparency report has increased from 115 to
	  122, while the number of DNS zones with TLSA-enabled primary MX
	  hosts has increased from 2708 to 2999.  The total domain count
	  is largely unchanged from 172205 to 172120.

	  A new type of TLSA record mismatch has cropped up, so far on
	  just two MX hosts.  Their RSA certificate chains match their
	  TLSA records, but their ECDSA certificate chains do not:

As of today I count 172120 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host.  The top 10 MX host providers by domain count


The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.nl/.de.

[ The DANE domain counts for the large providers appear to have
  plateaued in the past couple of months.  Perhaps, absent new more
  comprehensive sources of live domain names, I've finally found
  as many domains as I can reasonably expect to find for these providers,
  and there's not much growth in their "visible" domain portfolios. ]

There are 2999 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so is a measure
of the breadth of adoption in terms of servers deployed.  Alternatively,
a similar number is seen in the count (2853) of distinct MX host server
certificates that support the same ~172000 domains.

The number of published MX host TLSA RRsets found is 3932.  These
cover 4004 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 122 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 70 are in recent reports (spanning Sep and Oct):

Of the ~172000 domains, 545 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 160.
Below is a list of the 100 underlying MX hosts that serve these domains
and whose TLSA records don't match reality:

  Hall of Shame:

Some just notified, so I expect this to be a local peak.

After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 175.  (The domains from the previous
report were all parked).  The top 10 name server operators with
problem domains are:


Only 7 of the DNS-broken domains appear in historical Google Email
transparency reports:

The problem DNS queries are: IN TLSA ? IN TLSA ? IN TLSA ? IN TLSA ? IN TLSA ? IN TLSA ? IN TLSA ?

  [ See <>,
    Much of the TLSA non-response issue seems to be related to a
    "feature" of some firewalls, that enables dropping of DNS requests
    for all but the most common RRtypes.  Do not make the mistake
    of enabling this firewall "feature". ]

The oldest outstanding DNS issue is an SOA signature issue at dating back to Nov/2014:

I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.


[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
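The two failure modes discussed above (the "partial" TLSA coverage that leaves some MX hosts exposed, and the requirement that even always-down MX hosts publish well-formed TLSA records) can be audited with a small checker. The code below is an added example, not part of this post or of the survey code it describes; the DNS data is a constructed dict standing in for real `_25._tcp.<mx>` TLSA lookups, and the host names are invented.

```python
# Added example: classify a domain's DANE coverage from its MX hosts and
# the TLSA RRsets published for them, and check each record is well-formed.
import hashlib

# Expected digest length in bytes per TLSA matching type (RFC 6698):
# 0 = full data (any non-empty length), 1 = SHA-256, 2 = SHA-512.
DIGEST_LEN = {0: None, 1: 32, 2: 64}

def tlsa_well_formed(usage, selector, mtype, data_hex):
    """True if usage/selector/matching type are in range and the
    certificate association data has the length the matching type implies."""
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in DIGEST_LEN:
        return False
    try:
        data = bytes.fromhex(data_hex)
    except ValueError:
        return False
    want = DIGEST_LEN[mtype]
    return len(data) > 0 if want is None else len(data) == want

def dane_coverage(mx_hosts, tlsa_rrsets):
    """Return ('full' | 'partial' | 'none', [MX hosts with no usable TLSA RRset]).
    'partial' is the case the post warns about: traffic to the uncovered
    MX hosts is still exposed to active attacks."""
    missing = []
    for mx in mx_hosts:
        rrs = tlsa_rrsets.get(f"_25._tcp.{mx}", [])
        if not any(tlsa_well_formed(*rr) for rr in rrs):
            missing.append(mx)
    if not missing:
        return "full", missing
    if len(missing) == len(mx_hosts):
        return "none", missing
    return "partial", missing

# Constructed sample data (hypothetical hosts): mx1 publishes a valid 3 1 1
# record, mx2 publishes a record whose digest has the wrong length, and mx3
# (e.g. a deliberately dead host) publishes nothing at all.
SAMPLE_MX = ["mx1.example.test", "mx2.example.test", "mx3.example.test"]
SAMPLE_TLSA = {
    "_25._tcp.mx1.example.test": [(3, 1, 1, hashlib.sha256(b"constructed-spki").hexdigest())],
    "_25._tcp.mx2.example.test": [(3, 1, 1, "abcd")],
}

if __name__ == "__main__":
    status, missing = dane_coverage(SAMPLE_MX, SAMPLE_TLSA)
    print(status, missing)
```

Replacing the dict lookup with real TLSA queries (for example via dnspython) turns this into the per-domain check the survey numbers above are built from.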
