Update on stats 2018-11
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Dec 1 09:36:17 CET 2018
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
Summary: The DANE domain count is now 740,856
The substantial increase is primarily a result of newly
enabled DNSSEC and DANE TLSA records for the MX hosts
operated by one.com. Congratulations and thanks to
one.com, and to iis.se for providing some of the incentive
to make this happen.
The number of domains with DNSSEC MX records is 9,035,030
Thus DANE TLSA is deployed on 8.19% of domains with DNSSEC.
As of today I count 740,856 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host. The top 20 MX host providers by domain count are:
400996 one.com
117219 transip.nl
97040 domeneshop.no
35065 active24.com
23768 udmedia.de
10923 bhosted.nl
10592 wido.info
5689 previder.nl
3593 interconnect.nl
2525 provalue.nl
2437 nederhost.nl
1477 yourdomainprovider.net
1290 xcellerate.nl
1249 hi7.de
1077 surfmailfilter.nl
1013 soverin.net
777 omc-mail.com
689 sciver.net
646 mailbox.org
646 core-networks.de
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 12 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):
4463 TOTAL
1506 DE, Germany
940 US, United States
569 NL, Netherlands
359 FR, France
159 GB, United Kingdom
136 CZ, Czech Republic
111 CA, Canada
60 CH, Switzerland
58 SE, Sweden
55 SG, Singapore
49 BR, Brazil
40 DK, Denmark
IPv6 is still comparatively rare for MX hosts, and the top 12
countries by DANE MX host IPv6 GeoIP are (the same six countries lead):
2229 TOTAL
877 DE, Germany
429 US, United States
328 NL, Netherlands
199 FR, France
73 CZ, Czech Republic
68 GB, United Kingdom
36 SE, Sweden
29 SG, Singapore
23 CH, Switzerland
19 AT, Austria
15 IE, Ireland
14 FI, Finland
There are 3701 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.
The number of published MX host TLSA RRsets found is 5375. These
cover 5759 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 190 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 106 are in recent (last 90 days of) reports:
gmx.at mail.de markteffectmail.nl
nic.br posteo.de ouderportaal.nl
registro.br ruhr-uni-bochum.de overheid.nl
gmx.ch tum.de pathe.nl
open.ch uni-erlangen.de politie.nl
anubisnetworks.com unitybox.de rotterdam.nl
gmx.com unitymedia.de saxion.nl
habr.com web.de transip.nl
kpn.com egmontpublishing.dk truetickets.nl
mail.com netic.dk uvt.nl
one.com tilburguniversity.edu xs4all.nl
societe.com eupvsec.eu domeneshop.no
solvinity.com octopuce.fr handelsbanken.no
t-2.com web200.hu webcruitermail.no
trashmail.com comcast.net atelkamera.nu
xfinity.com dd24.net aegee.org
xfinityhomesecurity.com dns-oarc.net debian.org
xfinitymobile.com gmx.net freebsd.org
active24.cz habramail.net gentoo.org
cuni.cz hr-manager.net ietf.org
destroystores.cz inexio.net isc.org
itesco.cz mpssec.net lazarus-ide.org
klubpevnehozdravi.cz procurios.net mailbox.org
nic.cz r4p3.net netbsd.org
optimail.cz t-2.net openssl.org
smtp.cz transip.net samba.org
allsecur.de xs4all.net torproject.org
bayern.de xworks.net asf.com.pt
bund.de ardanta.nl handelsbanken.se
elster.de bhosted.nl minmyndighetspost.se
fau.de boozyshop.nl personligalmanacka.se
freenet.de hierinloggen.nl skatteverket.se
gmx.de hr.nl t-2.si
jpberlin.de hro.nl govtrack.us
kabelmail.de interconnect.nl
lrz.de intermax.nl
Of the ~740000 domains, 1911 have "partial" TLSA records that
cover only a subset of the MX hosts. While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 246. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
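The classification used throughout this report (correct TLSA records at every
MX host that accepts connections, "partial" coverage, and "broken" where a
published record does not match or STARTTLS is missing, with footnote [1]'s
allowance for deliberately dead MX hosts that still publish well-formed
records) can be written down as a small offline check. The following Python is
an added example, not code from the post or from the survey tooling behind it:
it performs no DNS or TLS queries, the certificate and SPKI bytes are
constructed placeholders, the domain and host names are hypothetical, and
"accepts connections" is modelled as a flag on each probed host. DANE-TA(2)
records are checked against the issuer certificates in the presented chain and
DANE-EE(3) against the leaf only.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed stand-ins for DER-encoded certificate and SubjectPublicKeyInfo
# bytes. A real checker would take these from the TLS handshake with each MX
# host; here they are labelled byte strings so the example runs offline.
LEAF_CERT, LEAF_SPKI = b"constructed-leaf-cert-der", b"constructed-leaf-spki-der"
ISSUER_CERT, ISSUER_SPKI = b"constructed-issuer-cert-der", b"constructed-issuer-spki-der"


@dataclass
class ChainCert:
    cert_der: bytes
    spki_der: bytes


@dataclass
class TlsaRecord:
    usage: int     # certificate usage: 2 = DANE-TA, 3 = DANE-EE
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # matching type: 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes    # certificate association data


@dataclass
class MxHost:
    accepts_connections: bool
    starttls: bool = False
    tlsa: Optional[List[TlsaRecord]] = None               # None: no TLSA RRset published
    chain: List[ChainCert] = field(default_factory=list)  # leaf first, then issuers


def well_formed(r: TlsaRecord) -> bool:
    """Syntactic check only: field ranges and digest length for the matching type."""
    if r.usage not in (0, 1, 2, 3) or r.selector not in (0, 1):
        return False
    expected_len = {0: None, 1: 32, 2: 64}.get(r.mtype, -1)
    if expected_len == -1:
        return False
    return len(r.data) > 0 if expected_len is None else len(r.data) == expected_len


def association_data(c: ChainCert, selector: int, mtype: int) -> bytes:
    """Compute what the TLSA data field must equal for this certificate."""
    obj = c.cert_der if selector == 0 else c.spki_der
    if mtype == 0:
        return obj
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(obj).digest()


def record_matches(r: TlsaRecord, chain: List[ChainCert]) -> bool:
    """DANE-EE(3) must match the leaf; DANE-TA(2) must match an issuer in the chain.
    PKIX usages 0 and 1 are not usable for opportunistic DANE SMTP, so never match."""
    if r.usage == 3:
        candidates = chain[:1]
    elif r.usage == 2:
        candidates = chain[1:]
    else:
        return False
    return any(association_data(c, r.selector, r.mtype) == r.data for c in candidates)


def classify(hosts: Dict[str, MxHost]) -> str:
    """Classify a domain by its MX hosts: 'dane', 'partial', 'broken' or 'none'."""
    published = [h for h in hosts.values() if h.tlsa is not None]
    if not published:
        return "none"
    for h in published:
        if not all(well_formed(r) for r in h.tlsa):
            return "broken"
        if not h.accepts_connections:
            continue  # deliberately dead host: well-formed TLSA records suffice
        if not h.starttls or not any(record_matches(r, h.chain) for r in h.tlsa):
            return "broken"
    return "partial" if len(published) < len(hosts) else "dane"


CHAIN = [ChainCert(LEAF_CERT, LEAF_SPKI), ChainCert(ISSUER_CERT, ISSUER_SPKI)]
GOOD_EE = TlsaRecord(3, 1, 1, hashlib.sha256(LEAF_SPKI).digest())
GOOD_TA = TlsaRecord(2, 0, 1, hashlib.sha256(ISSUER_CERT).digest())
STALE_EE = TlsaRecord(3, 1, 1, hashlib.sha256(b"constructed-rotated-away-spki").digest())
TRUNCATED = TlsaRecord(3, 1, 1, b"\x00" * 31)  # a SHA-256 digest must be 32 bytes

# Constructed probe results for hypothetical domains (not real survey data).
SAMPLE_DOMAINS = {
    "full.example": {
        "mx1.example": MxHost(True, True, [GOOD_EE], CHAIN),
        "mx2.example": MxHost(True, True, [GOOD_TA], CHAIN),
    },
    "partial.example": {
        "mx1.example": MxHost(True, True, [GOOD_EE], CHAIN),
        "mx2.example": MxHost(True, True, None, CHAIN),
    },
    "stale.example": {  # key rotated, TLSA record never updated
        "mx1.example": MxHost(True, True, [STALE_EE], CHAIN),
    },
    "no-starttls.example": {
        "mx1.example": MxHost(True, False, [GOOD_EE], CHAIN),
    },
    "dead-mx.example": {  # always-down host as in footnote [1], TLSA still published
        "mx1.example": MxHost(True, True, [GOOD_EE], CHAIN),
        "mx-dead.example": MxHost(False, tlsa=[GOOD_EE]),
    },
    "malformed.example": {"mx1.example": MxHost(True, True, [TRUNCATED], CHAIN)},
}


def classify_all(domains=SAMPLE_DOMAINS) -> Dict[str, str]:
    return {d: classify(h) for d, h in domains.items()}


if __name__ == "__main__":
    for d, verdict in classify_all().items():
        print(f"{d:22s} {verdict}")
```

The "stale.example" case is the failure mode the links above warn about: a
key rotation that is not accompanied by a TLSA update leaves a record that is
syntactically valid yet matches nothing, which is exactly what lands a domain
on the broken list.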
After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
509. The top 10 name server operators with problem domains are:
50 dotserv.com
38 tiscomhosting.nl
32 sylconia.net
30 nrdns.nl
28 metaregistrar.nl
24 active24.cz (customer zones with broken wildcard cnames)
21 nazwa.pl (customer zones with broken wildcard NS RRs)
18 host-redirect.com
13 movenext.nl
11 is.nl
If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.
Three of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:
trtrj.jus.br
trt01.gov.br
trtrio.gov.br
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.