Update on stats 2018-04

Viktor Dukhovni ietf-dane at dukhovni.org
Wed May 2 05:40:44 CEST 2018


Summary:  The DANE domain count is now 205,351.  Much of the increase
          is the result of better (though still incomplete) coverage of
          the ".no" TLD, but some is due to the more gradual steady
          increase in the breadth of adoption.  I hope to broaden
          the coverage further in May.

          The number of DNSSEC domains in the survey stands at 6,017,669,
          thus DANE TLSA is deployed on 3.41% of domains with DNSSEC.

          Data graciously provided by Gmail shows that 16,170 of
          the DANE domains have received recent email from at least
          5 senders.  And 2449 (vs. 1,542 a year ago out of a then
          total 137,244 domains) of the domains have received at
          least 50 recent messages.

As of today I count 205,351 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the handful of
DNS/hosting providers who've enabled DANE support in bulk for the
domains they host.  The top 10 MX host providers by domain count
are:

  90580 domeneshop.no           (result of better .no coverage)
  67122 transip.nl
  19107 udmedia.de
   6142 bhosted.nl
   1787 nederhost.nl
   1214 yourdomainprovider.net
    878 hi7.de                  (name change from ec-elements.com)
    751 surfmailfilter.nl
    549 core-networks.de
    456 omc-mail.com

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.de.  Speaking
of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts
shows the below top 10 countries (each unique IP address is counted,
so multi-homed MX hosts are perhaps somewhat over-represented):

  1374 DE, Germany
   922 US, United States
   490 NL, Netherlands
   358 FR, France
   157 GB, United Kingdom
   125 CZ, Czech Republic
    88 CA, Canada
    65 SE, Sweden
    56 CH, Switzerland
    49 SG, Singapore

IPv6 is still comparatively rare for MX hosts, and the top 10
countries by DANE MX host IPv6 GeoIP are (same top 6):

   782 DE, Germany
   474 US, United States
   286 NL, Netherlands
   221 FR, France
    94 GB, United Kingdom
    76 CZ, Czech Republic
    37 SE, Sweden
    26 SG, Singapore
    24 CH, Switzerland
    16 IE, Ireland

There are 3264 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 4675.  These
cover 4933 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 132 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 71 are in recent reports:

  gmx.at                   ruhr-uni-bochum.de     politie.nl
  travelbirdbelgique.be    tum.de                 uvt.nl
  nic.br                   uni-erlangen.de        xs4all.nl
  registro.br              unitybox.de            domeneshop.no
  gmx.ch                   unitymedia.de          handelsbanken.no
  open.ch                  web.de                 webcruitermail.no
  anubisnetworks.com       dk-hostmaster.dk       aegee.org
  gmx.com                  egmontpublishing.dk    debian.org
  mail.com                 tilburguniversity.edu  freebsd.org
  solvinity.com            insee.fr               gentoo.org
  trashmail.com            octopuce.fr            ietf.org
  xfinity.com              comcast.net            isc.org
  xfinityhomesecurity.com  dd24.net               netbsd.org
  xfinitymobile.com        dns-oarc.net           openssl.org
  bayern.de                gmx.net                samba.org
  bund.de                  hr-manager.net         torproject.org
  elster.de                mpssec.net             asf.com.pt
  fau.de                   t-2.net                handelsbanken.se
  freenet.de               xs4all.net             minmyndighetspost.se
  gmx.de                   bhosted.nl             skatteverket.se
  jpberlin.de              boozyshop.nl           t-2.si
  lrz.de                   ouderportaal.nl        mail.co.uk
  mail.de                  overheid.nl            govtrack.us
  posteo.de                pathe.nl

Of the ~205000 domains, 1502 have "partial" TLSA records, that cover
only a subset of the MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 258.  Some of these also have MX hosts that don't have
broken TLSA records, so mail can still arrive via the remaining MX
hosts.  Going forward I'm no longer listing the problem MX hosts
here.  Instead, I am contributing data to the github project that
tracks domains with DANE failures:

  https://github.com/danefail/list

Please open issues or pull requests if you have domains that are not
listed.  To avoid getting listed, please make sure to monitor the
validity of your own TLSA records, and implement a reliable key
rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email of any
kind, the number of "real" email domains with bad DNSSEC support
stands at 110.  The top 10 name server operators with problem
domains are:

   8 tse.jus.br
   8 psb1.org
   8 nazwa.pl
   7 active24.cz
   5 tiscomhosting.nl
   4 ignum.com
   4 glbns.com
   4 centralpark.se
   4 army.mil
   4 1cocomo.com

No domains all of whose nameservers have broken denial of existence
appear in historical Google reports.

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
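An added example, written by the editor and not part of Viktor's post, of the record check behind "monitor the validity of your own TLSA records" and footnote [1]: a minimal Python model of RFC 6698/7672 matching that classifies an MX host's TLSA RRset against the certificate chain it presents. It assumes the caller has already fetched the RRset and the DER certificate and SubjectPublicKeyInfo bytes (for instance from a STARTTLS session); the certificate bytes used below are constructed placeholders, not real certificates.

```python
import hashlib
from dataclasses import dataclass

# Expected association-data length per matching type (RFC 6698):
# 0 = exact match (any length), 1 = SHA-256, 2 = SHA-512.
MATCHING_TYPE_LEN = {0: None, 1: 32, 2: 64}

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0-3; SMTP DANE (RFC 7672) only uses 2 (DANE-TA) and 3 (DANE-EE)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # matching type, see MATCHING_TYPE_LEN
    data: bytes    # certificate association data

def well_formed(rr: TLSA) -> bool:
    """The bar a record on a permanently-down MX host still has to clear."""
    if rr.usage not in (0, 1, 2, 3) or rr.selector not in (0, 1):
        return False
    want = MATCHING_TYPE_LEN.get(rr.mtype, -1)  # unknown mtype -> never matches a length
    return len(rr.data) > 0 if want is None else len(rr.data) == want

def association_data(selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> bytes:
    """What a presented certificate yields for a given selector/matching type."""
    selected = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return selected
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(selected).digest()

def record_for(usage, selector, mtype, cert_der, spki_der) -> TLSA:
    """The record to publish for this certificate (e.g. the *next* key before rotating)."""
    return TLSA(usage, selector, mtype, association_data(selector, mtype, cert_der, spki_der))

def rr_matches(rr: TLSA, chain: list) -> bool:
    """chain: [(cert_der, spki_der), ...], leaf first as the server sent it.
    DANE-EE(3) must match the leaf; DANE-TA(2) may match any presented cert
    (simplified: a full verifier also checks the chain builds to that cert)."""
    candidates = chain[:1] if rr.usage == 3 else chain
    return any(association_data(rr.selector, rr.mtype, c, s) == rr.data for c, s in candidates)

def check_rrset(rrset: list, chain: list) -> str:
    """'ok' if a usable record matches; 'unusable' if no record is well-formed
    with usage 2/3 (the 'incorrect TLSA records' case); otherwise 'mismatch'."""
    usable = [rr for rr in rrset if well_formed(rr) and rr.usage in (2, 3)]
    if not usable:
        return "unusable"
    return "ok" if any(rr_matches(rr, chain) for rr in usable) else "mismatch"
```

Publishing `record_for(...)` for the next certificate alongside the current one, and only then swapping keys, is the "pre-publish, rotate, then retire" order that RFC 7671 section 8 describes.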

