Update on stats 2017-12

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jan 1 22:49:00 CET 2018


[ Happy New Year!  May 2018 see major advances in DANE adoption and
  even fewer operational issues. ]

Summary:  The number of DANE-enabled domains that have also been sighted
	  on Google's email transparency report has increased from 125 to 127.

	  The total domain count has increased from 173857 to 176079.

	  The number of DNSSEC domains in the survey stands at 5096318,
	  thus DANE TLSA is deployed on 3.46% of domains with DNSSEC.
	  Many DNSSEC domains use third-party MX hosts that don't
	  have DNSSEC, so they can't benefit from DANE until their
	  providers secure the MX hosts.  Please ask your provider
	  to enable DNSSEC and DANE on their MX hosts.  [ It would
	  be especially significant if "redirect.ovh.net" were to
	  implement DNSSEC+DANE, if someone personally knows the
	  right people to gently nudge at ovh.net, please do. ]

As of today I count 176079 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host.  The top 10 MX host providers by domain count
are:

   68824 domeneshop.no
   63076 transip.nl
   18510 udmedia.de
    6318 bhosted.nl
    1767 nederhost.nl
    1265 yourdomainprovider.net
    1003 ec-elements.com
     516 core-networks.de
     395 omc-mail.com
     370 mailbox.org

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.de.  Speaking
of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts
shows the below top 10 countries (each unique IP address is counted,
so multi-homed MX hosts are perhaps somewhat over-represented):

   1277 GeoIP Country Edition: DE, Germany
    770 GeoIP Country Edition: US, United States
    450 GeoIP Country Edition: NL, Netherlands
    321 GeoIP Country Edition: FR, France
    149 GeoIP Country Edition: GB, United Kingdom
    102 GeoIP Country Edition: CZ, Czech Republic
     74 GeoIP Country Edition: CA, Canada
     62 GeoIP Country Edition: CH, Switzerland
     60 GeoIP Country Edition: SE, Sweden
     58 GeoIP Country Edition: BR, Brazil

IPv6 is still comparatively rare for MX hosts, and the top 11
countries by DANE MX host IPv6 GeoIP are:

    212 GeoIP Country V6 Edition: DE, Germany
    103 GeoIP Country V6 Edition: US, United States
    100 GeoIP Country V6 Edition: NL, Netherlands
     56 GeoIP Country V6 Edition: FR, France
     29 GeoIP Country V6 Edition: GB, United Kingdom
     23 GeoIP Country V6 Edition: CZ, Czech Republic
      8 GeoIP Country V6 Edition: SE, Sweden
      7 GeoIP Country V6 Edition: SG, Singapore
      7 GeoIP Country V6 Edition: NO, Norway
      7 GeoIP Country V6 Edition: ID, Indonesia
      7 GeoIP Country V6 Edition: CH, Switzerland

There are 3018 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a measure
of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 4652.  These
cover 4742 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 128 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 73 are in recent reports:

   gmx.at                   lrz.de                  ouderportaal.nl
   travelbirdbelgie.be      mail.de                 overheid.nl
   travelbirdbelgique.be    posteo.de               pathe.nl
   nic.br                   ruhr-uni-bochum.de      uvt.nl
   registro.br              tum.de                  xs4all.nl
   gmx.ch                   uni-erlangen.de         domeneshop.no
   open.ch                  unitybox.de             handelsbanken.no
   switch.ch                unitymedia.de           webcruitermail.no
   anubisnetworks.com       web.de                  aegee.org
   gmx.com                  egmontpublishing.dk     debian.org
   isavedialogue.com        netic.dk                freebsd.org
   mail.com                 tilburguniversity.edu   gentoo.org
   solvinity.com            octopuce.fr             ietf.org
   t-2.com                  comcast.net             isc.org
   trashmail.com            dd24.net                netbsd.org
   xfinity.com              dns-oarc.net            openssl.org
   xfinityhomesecurity.com  gmx.net                 samba.org
   xfinitymobile.com        hr-manager.net          torproject.org
   nic.cz                   mpssec.net              asf.com.pt
   bayern.de                t-2.net                 handelsbanken.se
   bund.de                  xs4all.net              t-2.si
   fau.de                   bhosted.nl              mail.co.uk
   freenet.de               boozyshop.nl            govtrack.us
   gmx.de                   hierinloggen.nl
   jpberlin.de              otvi.nl

Of the ~176000 domains, 785 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 192.
Below is a list of the 102 underlying MX hosts that serve these domains
and whose TLSA records don't match reality:

   Hall of Shame:

   white.agoracon.at              mx2.pfp.de                  mail.diejanssens.net
   mail.dipietro.id.au            mail.rleh.de                mail.efflam.net
   mx.krb.srv.pique.net.au        mail.schwaho.de             mail.lnaze.net
   zebulon.pique.net.au           mx1.spam-sponge.de          mail.misbegotten.net
   eufront.stansoft.bg            mx2.spam-sponge.de          wfbrace.net
   eumembers.stansoft.bg          mx3.spam-sponge.de          mx2.wfbrace.net
   mail.advokatur4a.ch            mx1.spamsponge.de           mx2.cbrace.nl
   andbraiz.com                   mx2.spamsponge.de           mx3.cbrace.nl
   mail.digitalwebpros.com        mx3.spamsponge.de           mail.fscker.nl
   mail.dnsmadefree.com           mx10.timotoups.de           smtp1.lococensus.nl
   smtp-1.httrack.com             fsck.email                  smtp2.lococensus.nl
   mail.i-bible.com               mail.0pc.eu                 mail.myzt.nl
   demo.liveconfig.com            mail2.cesidianroot.eu       nuj-netherlands.nl
   mx01.mykolab.com               gamepixel.eu                mx2.nuj-netherlands.nl
   mx02.mykolab.com               webmail.kassoft.eu          bounder.steelyard.nl
   mx04.mykolab.com               smtp.skolovi.eu             mail.abanto-zierbena.org
   srv2.noneuclideanconcepts.com  mail2.subse.eu              smtp2.briaeros007.org
   ma.qbitnet.com                 smtp.vdlaken.eu             eumembers.datacentrix.org
   stmics01.smia-automotive.com   mx.quentindavid.fr          genius.konundrum.org
   stmics02.smia-automotive.com   servmail.fr                 smtps.planchon.org
   romulus.wittsend.com           mail.demongeot.info         smtp2.amadigi.ovh
   mail.zx.com                    mail.nonoserver.info        smtp3.amadigi.ovh
   mx.bels.cz                     mx1.email.youwerehere.info  mail.bacrau.ro
   mail.davidbodnar.cz            mx2.email.youwerehere.info  mail.itconnect.ro
   mail1.dolnipodluzi.cz          mail.rapidfuse.io           mx.itconnect.ro
   mail.machkovi.cz               mail2.galax.is              mail.pasion.ro
   gaia.nfx.cz                    mail.lsd.is                 mail.familie-sander.rocks
   petg.cz                        mx.datenknoten.me           mx1.shevaldin.ru
   mail.zionbit.cz                mx.giesen.me                halon.gislaved.se
   mail.absynth.de                rootbox.me                  halon02.gislaved.se
   mail.all4.de                   mail.amsx.net               mail.labbrack.se
   mx2.mindrun.de                 mail.castleturing.net       mail1.puggan.se
   www.mtg.de                     mail.culm.net               mail.rostit.se
   mail.ocmenzel.de               anubis.delphij.net          mail.xn----ymcadjpj1at5o.xn--wgbh

Some were recently notified, but the number of long-term problem MX
hosts has been slowly creeping up... Please make sure to monitor
the validity of your TLSA records, and implement a reliable key
rotation procedure.  Let's Encrypt users in particular tend to
forget that by default Let's Encrypt certificate renewal replaces
both the key and the certificate; please read:

    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
    https://community.letsencrypt.org/t/new-certbot-client-and-csr-option/15766
    https://www.internetsociety.org/deploy360/blog/2016/03/lets-encrypt-certificates-for-mail-servers-and-dane-part-2-of-2/
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

When updating the certificate chain you need to temporarily
pre-publish multiple TLSA records matching the current and future
certificate:

    https://dane.sys4.de/common_mistakes#3

However, with "3 1 1" + "2 1 1", the rollover process can be
substantially simplified:

    http://postfix.1071664.n5.nabble.com/WoSign-StartCom-CA-in-the-news-td86436.html#a86444
    https://www.ietf.org/mail-archive/web/uta/current/msg01498.html
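As an added illustration of the monitoring and rollover advice above (this is not code from the original post or from any of the linked pages), the following POSIX shell script derives the "3 1 1" TLSA data from a certificate, checks whether a published RRset covers a certificate's key, and walks through the pre-publish, deploy, retire sequence on a file standing in for the zone.  It assumes only the openssl command line tool; the hostname mx.example.test and the two self-signed EC certificates are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the original post: build "3 1 1" TLSA
# records for an MX host certificate, check whether a published RRset
# covers a certificate's key, and model the pre-publish step of a rollover.
# Needs only POSIX sh and the openssl CLI.  The hostname and the
# self-signed test certificates are constructed for the demo.

# SHA-256 of the DER-encoded SubjectPublicKeyInfo of a PEM certificate.
# This is the association data for selector 1 / matching type 1: "3 1 1"
# when applied to the server certificate, "2 1 1" when applied to the
# issuing CA certificate (RFC 7671).
tlsa_spki_sha256() {   # $1 = PEM certificate file
    openssl x509 -in "$1" -noout -pubkey \
      | openssl pkey -pubin -outform DER \
      | openssl dgst -sha256 -r | cut -d' ' -f1
}

# TLSA RR in presentation format for SMTP (port 25) on an MX host.
tlsa_rr() {   # $1 = usage (3 or 2), $2 = MX hostname, $3 = PEM certificate
    printf '_25._tcp.%s. IN TLSA %s 1 1 %s\n' "$2" "$1" "$(tlsa_spki_sha256 "$3")"
}

# Does the published RRset (one RR per line, digest unbroken) contain a
# "3 1 1" record for this certificate's key?  Returns 0 if so.  Deploying
# a certificate whose key is not covered breaks delivery from
# DANE-verifying senders until the RRset is fixed and old copies have
# expired from caches.
tlsa_covers_key() {   # $1 = RRset file, $2 = PEM certificate
    grep -iq " 3 1 1 $(tlsa_spki_sha256 "$2")\$" "$1"
}

# Rollover step 1: publish the NEXT key's record next to the current one.
# Order: pre-publish, wait at least one TTL, deploy the new certificate,
# then remove the old record.  Here the "zone" is a plain file.
tlsa_prepublish() {   # $1 = RRset file, $2 = MX hostname, $3 = next PEM cert
    tlsa_rr 3 "$2" "$3" >> "$1"
}

# Rollover step 3: drop "3 1 1" records that no longer match the deployed
# key.  Refuses (leaves the file untouched) if the deployed key itself is
# not in the RRset, so a mistake cannot empty the RRset.
tlsa_retire_others() {   # $1 = RRset file, $2 = deployed PEM certificate
    keep=$(tlsa_spki_sha256 "$2")
    grep -i " 3 1 1 $keep\$" "$1" > "$1.new" && mv "$1.new" "$1" || rm -f "$1.new"
}

# Constructed demo material: two self-signed EC certificates stand in
# for the current and next MX host key pairs (not real hosts or keys).
make_test_certs() {   # $1 = directory, $2 = hostname
    for n in current next; do
        openssl ecparam -genkey -name prime256v1 -noout -out "$1/$n.key" 2>/dev/null
        openssl req -x509 -new -key "$1/$n.key" -subj "/CN=$2" -days 2 \
            -out "$1/$n.pem" 2>/dev/null
    done
}

demo() {
    dir=$(mktemp -d); mx="mx.example.test"   # assumed hostname
    make_test_certs "$dir" "$mx"
    tlsa_rr 3 "$mx" "$dir/current.pem" > "$dir/rrset"
    echo "published:"; cat "$dir/rrset"
    tlsa_covers_key "$dir/rrset" "$dir/next.pem" \
        || echo "next key NOT covered: do not deploy next.pem yet"
    tlsa_prepublish "$dir/rrset" "$mx" "$dir/next.pem"
    tlsa_covers_key "$dir/rrset" "$dir/next.pem" \
        && echo "next key covered after pre-publish: deploy after one TTL"
    tlsa_retire_others "$dir/rrset" "$dir/next.pem"
    echo "after retiring the old record:"; cat "$dir/rrset"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

Run it as `sh tlsa-rollover.sh demo` to see the three states of the RRset.  The same `tlsa_covers_key` check, pointed at the RRset actually published in DNS, is the monitoring step the post asks for: run it against the certificate a renewal tool is about to install, before it is installed.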

After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 116.  The top 6 (the rest have too few domains to include
in a top 10) name server operators with problem domains
are:

  24 firstfind.nl
   7 active24.cz
   5 tse.jus.br
   4 ignum.com
   4 glbns.com
   4 army.mil

Only 2 DNS-broken domains have no working nameservers and also
appear in historical Google Email transparency reports:

   tiviths.com.br
   trtrj.jus.br

The problem DNS queries are:

   _25._tcp.mx.tiviths.com.br
   _25._tcp.mx1.trtrj.jus.br

  [ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>.
    Much of the TLSA non-response issue seems to be related to a
    "feature" of some firewalls that enables dropping of DNS requests
    for all but the most common RRtypes.  Do not make the mistake
    of enabling this firewall "feature". ]

The oldest outstanding DNS issue is an SOA signature issue at
truman.edu dating back to Nov/2014:

  http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/

I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
