Update on stats 2018-06

[Viktor Dukhovni]

Credits:  With additional data from Paul Vixie of Farsight Security,
          the DNSSEC coverage continues to improve.

Summary:  The DANE domain count is now 296,990.

          The number DNSSEC domains in the survey stands at 8,069,614.
          Thus DANE TLSA is deployed on 3.68% of domains with
          DNSSEC.

As of today I count 296,990 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support in bulk for the
domains they host.  It is starting to get crowded at the top of
the list, so I'm now listing the top 15 MX host providers by domain
count:

  103783 transip.nl
   96089 domeneshop.no
   34141 active24.com
   23491 udmedia.de
    9646 bhosted.nl
    2270 nederhost.nl
    1940 provalue.nl                    (new this month)
    1575 yourdomainprovider.net
    1072 hi7.de
     958 xcellerate.nl
     874 surfmailfilter.nl
     652 omc-mail.com
     651 core-networks.de
     588 interconnect.nl                (new this month)
     547 mailbox.org

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.cz/.de.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 10 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):

  4080     TOTAL
  1394 DE, Germany
   900 US, United States
   509 NL, Netherlands
   338 FR, France
   163 GB, United Kingdom
   121 CZ, Czech Republic
    80 CA, Canada
    59 SE, Sweden
    58 CH, Switzerland
    57 SG, Singapore

IPv6 is still comparatively rare for MX hosts, and the top 10
countries by DANE MX host IPv6 GeoIP are (same top 6).

  2043     TOTAL
   768 DE, Germany
   417 US, United States
   282 NL, Netherlands
   187 FR, France
    89 GB, United Kingdom
    68 CZ, Czech Republic
    34 SE, Sweden
    25 SG, Singapore
    23 CH, Switzerland
    14 SI, Slovenia

There are 3402 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 4690.  These
cover 5012 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 157 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 87 are in recent reports:

  gmx.at                   fau.de                 deltion.nl
  travelbirdbelgique.be    freenet.de             hierinloggen.nl
  nic.br                   gmx.de                 interconnect.nl
  registro.br              jpberlin.de            ouderportaal.nl
  gmx.ch                   lrz.de                 overheid.nl
  open.ch                  mail.de                pathe.nl
  anubisnetworks.com       posteo.de              politie.nl
  gmx.com                  ruhr-uni-bochum.de     truetickets.nl
  mail.com                 tum.de                 uvt.nl
  societe.com              uni-erlangen.de        xs4all.nl
  solvinity.com            unitybox.de            domeneshop.no
  t-2.com                  unitymedia.de          webcruitermail.no
  trashmail.com            web.de                 aegee.org
  xfinity.com              egmontpublishing.dk    debian.org
  xfinityhomesecurity.com  netic.dk               freebsd.org
  xfinitymobile.com        tilburguniversity.edu  gentoo.org
  active24.cz              octopuce.fr            ietf.org
  clubcard.cz              comcast.net            isc.org
  cuni.cz                  dd24.net               netbsd.org
  cvc.cz                   dns-oarc.net           openssl.org
  itesco.cz                gmx.net                samba.org
  klubpevnehozdravi.cz     hr-manager.net         torproject.org
  knizni-magazin.cz        inexio.net             asf.com.pt
  nic.cz                   mpssec.net             handelsbanken.se
  optimail.cz              t-2.net                iis.se
  smtp.cz                  xs4all.net             minmyndighetspost.se
  bayern.de                bhosted.nl             skatteverket.se
  bund.de                  bit.nl                 t-2.si
  elster.de                boozyshop.nl           govtrack.us

Of the ~297000 domains, 1142 have "partial" TLSA records, that
cover only a subset of the MX hosts.  While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 266. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

All the new blood in the survey has uncovered some previously unseen
DNSSEC denial of existence breakage.  After eliminating parked
domains that do not accept email of any kind, the number of "real"
email domains with bad DNSSEC support stands at 678.  The top 20
name server operators with problem domains are:

   127 mijnhostingpartner.nl
    79 webspacecontrol.com / dotroll.com
    56 dotserv.com
    42 metaregistrar.nl
    40 is.nl
    32 tiscomhosting.nl
    29 active24.cz              (some broken wildcard cnames)
    27 tse.jus.br
    26 sylconia.net
    14 host-redirect.com
    13 psb1.org
    13 nazwa.pl                 (some broken wildcard NS RRs)
    12 zeptor.nl
    12 nrdns.nl
    11 blauwblaatje.nl
     8 dnscluster.nl
     7 forpsi.net
     6 pcextreme.nl
     6 glbns.com
     6 domdom.hu

If anyone has good contacts at one of these provides, please encourage
them to remediate not only the broken domains (I can send them a
list), but also the root cause that makes the breakage possible.

The domains all whose nameservers have broken denial of existsnce
that also appear in historical Google reports are:

  trt1.jus.br
  trtrj.jus.br
  tre-ce.jus.br
  tre-pe.jus.br
  tre-rj.jus.br
  tre-rs.jus.br
  tre-sc.jus.br
  tre-sp.jus.br
  tse.jus.br

The last seven of these should be fixed shortly, the right parties
have been informed, and I expect will have resolved promptly.

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.