Update on stats 2018-11

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Dec 1 09:36:17 CET 2018


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

Summary:  The DANE domain count is now 740,856

	  The substantial increase is primarily a result of newly
	  enabled DNSSEC and DANE TLSA records for the MX hosts
	  operated by one.com.  Congratulations and thanks to
	  one.com, and to iis.se for providing some of the incentive
	  to make this happen.

	  The number of domains with DNSSEC MX records is 9,035,030.
	  Thus DANE TLSA is deployed on 8.19% of domains with DNSSEC.

As of today I count 740,856 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count are:

  400996 one.com
  117219 transip.nl
   97040 domeneshop.no
   35065 active24.com
   23768 udmedia.de
   10923 bhosted.nl
   10592 wido.info
    5689 previder.nl
    3593 interconnect.nl
    2525 provalue.nl
    2437 nederhost.nl
    1477 yourdomainprovider.net
    1290 xcellerate.nl
    1249 hi7.de
    1077 surfmailfilter.nl
    1013 soverin.net
     777 omc-mail.com
     689 sciver.net
     646 mailbox.org
     646 core-networks.de

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 12 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):

  4463 TOTAL
  1506 DE, Germany
   940 US, United States
   569 NL, Netherlands
   359 FR, France
   159 GB, United Kingdom
   136 CZ, Czech Republic
   111 CA, Canada
    60 CH, Switzerland
    58 SE, Sweden
    55 SG, Singapore
    49 BR, Brazil
    40 DK, Denmark

IPv6 is still comparatively rare for MX hosts, and the top 12
countries by DANE MX host IPv6 GeoIP are (same top 6):

  2229 TOTAL
   877 DE, Germany
   429 US, United States
   328 NL, Netherlands
   199 FR, France
    73 CZ, Czech Republic
    68 GB, United Kingdom
    36 SE, Sweden
    29 SG, Singapore
    23 CH, Switzerland
    19 AT, Austria
    15 IE, Ireland
    14 FI, Finland

There are 3701 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 5375.  These
cover 5759 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 190 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 106 are in recent (last 90 days of) reports:

  gmx.at                   mail.de                markteffectmail.nl
  nic.br                   posteo.de              ouderportaal.nl
  registro.br              ruhr-uni-bochum.de     overheid.nl
  gmx.ch                   tum.de                 pathe.nl
  open.ch                  uni-erlangen.de        politie.nl
  anubisnetworks.com       unitybox.de            rotterdam.nl
  gmx.com                  unitymedia.de          saxion.nl
  habr.com                 web.de                 transip.nl
  kpn.com                  egmontpublishing.dk    truetickets.nl
  mail.com                 netic.dk               uvt.nl
  one.com                  tilburguniversity.edu  xs4all.nl
  societe.com              eupvsec.eu             domeneshop.no
  solvinity.com            octopuce.fr            handelsbanken.no
  t-2.com                  web200.hu              webcruitermail.no
  trashmail.com            comcast.net            atelkamera.nu
  xfinity.com              dd24.net               aegee.org
  xfinityhomesecurity.com  dns-oarc.net           debian.org
  xfinitymobile.com        gmx.net                freebsd.org
  active24.cz              habramail.net          gentoo.org
  cuni.cz                  hr-manager.net         ietf.org
  destroystores.cz         inexio.net             isc.org
  itesco.cz                mpssec.net             lazarus-ide.org
  klubpevnehozdravi.cz     procurios.net          mailbox.org
  nic.cz                   r4p3.net               netbsd.org
  optimail.cz              t-2.net                openssl.org
  smtp.cz                  transip.net            samba.org
  allsecur.de              xs4all.net             torproject.org
  bayern.de                xworks.net             asf.com.pt
  bund.de                  ardanta.nl             handelsbanken.se
  elster.de                bhosted.nl             minmyndighetspost.se
  fau.de                   boozyshop.nl           personligalmanacka.se
  freenet.de               hierinloggen.nl        skatteverket.se
  gmx.de                   hr.nl                  t-2.si
  jpberlin.de              hro.nl                 govtrack.us
  kabelmail.de             interconnect.nl
  lrz.de                   intermax.nl

Of the ~740000 domains, 1911 have "partial" TLSA records, which
cover only a subset of the MX hosts.  While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 246. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
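As an added illustration (not part of Viktor's post, and not the code
behind his survey), the classification the post uses can be written
down as a small offline checker: a domain is "full" when every MX host
that accepts connections has a correct TLSA RRset, "partial" when only
a subset of the MX hosts is covered, and "broken" when a published
RRset is malformed, does not match the presented key, or the host does
not advertise STARTTLS.  Dead MX hosts with well-formed TLSA records
are tolerated, as in footnote [1].  No DNS or SMTP is performed: the MX
list, the TLSA RRsets and what a probe saw at each host are passed in,
so the same logic can sit behind a monitoring job fed by live lookups.
The host names and certificate byte strings are constructed
placeholders, and only DANE-EE(3) matching is implemented; DANE-TA(2)
would need chain validation, which is left out here.

```python
"""Offline classifier for a domain's SMTP DANE TLSA coverage.

Added example, not from the original post.  Constructed byte strings
stand in for real DER certificates; no network access is needed.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # RFC 6698 usage; SMTP DANE uses 2 (DANE-TA) or 3 (DANE-EE), RFC 7672
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Observation:
    """What a probe saw at one MX host that accepted a connection."""
    starttls: bool            # STARTTLS advertised in the EHLO response
    cert_der: bytes = b""     # leaf certificate (DER) presented after STARTTLS
    spki_der: bytes = b""     # its SubjectPublicKeyInfo (DER)


_DIGEST_LEN = {1: 32, 2: 64}


def is_well_formed(rr: TLSA) -> bool:
    """Syntactic check: field values in range, digest length matching mtype."""
    if rr.usage not in (0, 1, 2, 3) or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        return False
    if rr.mtype in _DIGEST_LEN:
        return len(rr.data) == _DIGEST_LEN[rr.mtype]
    return len(rr.data) > 0


def association_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """What rr.data must equal for the presented certificate to match rr."""
    obj = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return obj
    return hashlib.sha256(obj).digest() if rr.mtype == 1 else hashlib.sha512(obj).digest()


def host_status(rrs: Sequence[TLSA], obs: Optional[Observation]) -> str:
    """Classify one MX host; obs is None when the host did not accept connections."""
    if not rrs:
        return "no-tlsa"
    if not all(is_well_formed(rr) for rr in rrs):
        return "malformed"          # unusable RRset: DANE-aware senders defer mail
    if obs is None:
        return "down-with-tlsa"     # dead host, but records exist and are well-formed
    if not obs.starttls:
        return "no-starttls"        # TLSA published but cleartext only: delivery fails
    # Only DANE-EE(3) is verified directly here (assumption: EE-only deployment).
    for rr in rrs:
        if rr.usage == 3 and rr.data == association_data(rr, obs.cert_der, obs.spki_der):
            return "ok"
    return "mismatch"               # e.g. key rotated without updating the TLSA RRset


def classify_domain(mx_hosts: Sequence[str],
                    tlsa_by_host: Dict[str, Sequence[TLSA]],
                    seen_by_host: Dict[str, Optional[Observation]]) -> Tuple[str, Dict[str, str]]:
    """Return (verdict, per-host statuses) using the post's counting rules."""
    statuses = {h: host_status(tlsa_by_host.get(h, ()), seen_by_host.get(h)) for h in mx_hosts}
    if any(s in ("malformed", "mismatch", "no-starttls") for s in statuses.values()):
        return "broken", statuses
    live: List[str] = [h for h in mx_hosts if seen_by_host.get(h) is not None]
    covered = [h for h in live if statuses[h] == "ok"]
    if not covered:
        return "none", statuses
    return ("full" if len(covered) == len(live) else "partial"), statuses


def demo() -> Dict[str, str]:
    """Constructed scenarios; returns scenario name -> verdict."""
    cert, spki = b"constructed-leaf-cert-der", b"constructed-spki-der"
    good = TLSA(3, 1, 1, hashlib.sha256(spki).digest())           # "3 1 1 <sha256(spki)>"
    stale = TLSA(3, 1, 1, hashlib.sha256(b"previous-key").digest())  # record left over after key rotation
    up = Observation(True, cert, spki)
    mx = ["mx1.example", "mx2.example"]
    return {
        "full": classify_domain(mx, {mx[0]: [good], mx[1]: [good]}, {mx[0]: up, mx[1]: up})[0],
        "partial": classify_domain(mx, {mx[0]: [good]}, {mx[0]: up, mx[1]: up})[0],
        "dead-ok": classify_domain(mx, {mx[0]: [good], mx[1]: [good]}, {mx[0]: up})[0],
        "stale": classify_domain(mx[:1], {mx[0]: [stale]}, {mx[0]: up})[0],
        "no-starttls": classify_domain(mx[:1], {mx[0]: [good]}, {mx[0]: Observation(False)})[0],
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:12s} -> {verdict}")
```

The "stale" scenario is the common failure the linked slides describe:
the key is rotated but the TLSA RRset is not, so the only published
record no longer matches and DANE-aware senders stop delivering.  A
monitoring job that evaluates this after every certificate or key
change, and before the old record is dropped, catches it before the
domain ends up on the danefail list.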

After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
509.  The top 10 name server operators with problem domains are:

  50 dotserv.com
  38 tiscomhosting.nl
  32 sylconia.net
  30 nrdns.nl
  28 metaregistrar.nl
  24 active24.cz	(customer zones with broken wildcard cnames)
  21 nazwa.pl		(customer zones with broken wildcard NS RRs)
  18 host-redirect.com
  13 movenext.nl
  11 is.nl

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

Three of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:

  trtrj.jus.br
  trt01.gov.br
  trtrio.gov.br

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
