Update on stats 2018-05

Viktor Dukhovni ietf-dane at dukhovni.org
Thu May 31 23:44:15 CEST 2018


Credits:  Thanks to a substantial contribution of names of signed
	  domains by Paul Vixie of Farsight Security, and smaller
	  significant contribution by domains-index.com, the scope
	  of the survey is substantially expanded from ~6.0 million
	  to ~7.9 million domains. Unsurprisingly, the numbers for
	  the major hosting providers are substantially larger than
	  in April.

	  Aside from the increase in the number of tested domains
	  a new hosting provider "active24.com" (aka active24.cz)
	  has enabled inbound and outbound DANE for their hosted
	  domains.  Thank you "active24.com" for improving the
	  security of Internet email infrastructure.

Summary:  The DANE domain count is now 289,550.

	  The number of DNSSEC domains in the survey stands at 7,878,881,
	  thus DANE TLSA is deployed on 3.67% of domains with
	  DNSSEC.

As of today I count 289,550 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support in bulk for the
domains they host.  It is starting to get crowded at the top of
the list, so I'm now listing the top 15 MX host providers by domain
count:

  100271 transip.nl
   95922 domeneshop.no
   33299 active24.com
   23389 udmedia.de
    9655 bhosted.nl
    2281 nederhost.nl
    1547 yourdomainprovider.net
    1032 hi7.de
     955 xcellerate.nl
     927 surfmailfilter.nl
     634 core-networks.de
     629 omc-mail.com
     508 mailbox.org
     495 secure-gw.de
     433 systemec.nl

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.cz/.de.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 10 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):

  1402 DE, Germany
   870 US, United States
   508 NL, Netherlands
   344 FR, France
   166 GB, United Kingdom
   121 CZ, Czech Republic
    81 CA, Canada
    65 SE, Sweden
    59 CH, Switzerland
    51 SG, Singapore

IPv6 is still comparatively rare for MX hosts, and the top 10
countries by DANE MX host IPv6 GeoIP are (same top 6):

   754 DE, Germany
   431 US, United States
   280 NL, Netherlands
   187 FR, France
    88 GB, United Kingdom
    67 CZ, Czech Republic
    36 SE, Sweden
    24 SG, Singapore
    23 CH, Switzerland
    14 SI, Slovenia

There are 3331 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 4785.  These
cover 5103 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 152 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 82 are in recent reports:

  gmx.at                  gmx.de                  overheid.nl
  travelbirdbelgique.be   jpberlin.de             pathe.nl
  nic.br                  lrz.de                  politie.nl
  registro.br             mail.de                 truetickets.nl
  gmx.ch                  posteo.de               uvt.nl
  open.ch                 ruhr-uni-bochum.de      xs4all.nl
  anubisnetworks.com      tum.de                  domeneshop.no
  gmx.com                 uni-erlangen.de         handelsbanken.no
  mail.com                unitybox.de             webcruitermail.no
  solvinity.com           unitymedia.de           aegee.org
  trashmail.com           web.de                  debian.org
  xfinity.com             egmontpublishing.dk     freebsd.org
  xfinityhomesecurity.com netic.dk                gentoo.org
  xfinitymobile.com       tilburguniversity.edu   ietf.org
  active24.cz             insee.fr                isc.org
  clubcard.cz             octopuce.fr             netbsd.org
  cuni.cz                 comcast.net             openssl.org
  cvc.cz                  dd24.net                samba.org
  itesco.cz               dns-oarc.net            torproject.org
  klubpevnehozdravi.cz    gmx.net                 asf.com.pt
  localssrcapp.cz         hr-manager.net          handelsbanken.se
  nic.cz                  mpssec.net              iis.se
  smtp.cz                 t-2.net                 minmyndighetspost.se
  bayern.de               xs4all.net              skatteverket.se
  bund.de                 bhosted.nl              t-2.si
  elster.de               bit.nl                  govtrack.us
  fau.de                  boozyshop.nl
  freenet.de              ouderportaal.nl

Of the ~289000 domains, 1466 have "partial" TLSA records, that
cover only a subset of the MX hosts.  While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 220. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

All the new blood in the survey has uncovered some previously unseen
DNSSEC denial of existence breakage.  After eliminating parked
domains that do not accept email of any kind, the number of "real"
email domains with bad DNSSEC support stands at 1171.  The top 20
name server operators with problem domains are:

   793 webspacecontrol.com / dotroll.com
    52 mijnhostingpartner.nl
    49 dotserv.com
    22 sylconia.net
    16 firstfind.nl
    13 psb1.org
    11 nazwa.pl
    11 blauwblaatje.nl
    10 metaregistrar.nl
     8 zeptor.nl
     8 tse.jus.br
     8 dnscluster.nl
     8 active24.cz
     7 ignum.com
     6 vultr.com
     6 tiscomhosting.nl
     6 host-redirect.com
     6 glbns.com
     6 domdom.hu
     6 1cocomo.com

The domains all of whose nameservers have broken denial of existence,
and that also appear in historical Google reports, are:

  tre-ce.jus.br
  tre-sc.jus.br
  tre-rj.jus.br
  tre-sp.jus.br
  tse.jus.br

-- 
	Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, they just need to exist and be
well-formed), there's no loss of security.
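As an added illustration of the categories used in this survey (domains with matching TLSA at every MX host, "partial" domains, the danefail category, and the footnote's always-down MX hosts), here is a small Python classifier run over constructed probe results; it is not the survey's own tooling, stands in fake bytes for DER certificates, checks only DANE-TA(2)/DANE-EE(3) digests, and omits path validation for DANE-TA.

```python
import hashlib
import re
from typing import Dict, List, Optional, Tuple

# TLSA record as (usage, selector, matching_type, hex data); a probed chain is (cert_der, spki_der) pairs, leaf first.
Tlsa = Tuple[int, int, int, str]

def tlsa_well_formed(rr: Tlsa) -> bool:
    # Syntax only: SMTP usages DANE-TA(2)/DANE-EE(3), valid selector/matching type, hex digest of the right length.
    usage, selector, mtype, data = rr
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", data):
        return False
    return mtype == 0 or len(data) == {1: 64, 2: 128}[mtype]

def tlsa_matches(rr: Tlsa, chain: List[Tuple[bytes, bytes]]) -> bool:
    # DANE-EE(3) must match the leaf; DANE-TA(2) must match an issuer in the chain (path validation omitted here).
    usage, selector, mtype, data = rr
    for cert_der, spki_der in (chain[:1] if usage == 3 else chain[1:]):
        obj = spki_der if selector == 1 else cert_der
        digest = {0: obj, 1: hashlib.sha256(obj).digest(), 2: hashlib.sha512(obj).digest()}[mtype]
        if digest == bytes.fromhex(data):
            return True
    return False

def host_status(tlsa: List[Tlsa], starttls: bool, chain: Optional[List[Tuple[bytes, bytes]]]) -> str:
    usable = [r for r in tlsa if tlsa_well_formed(r)]
    if not usable:
        return "unsigned"  # no usable TLSA: senders fall back to unauthenticated TLS on this host
    if chain is None:
        return "ok"        # dead MX host that still publishes well-formed TLSA: no loss of security
    if not starttls or not any(tlsa_matches(r, chain) for r in usable):
        return "broken"    # TLSA published but not verifiable: the danefail category
    return "ok"

def classify_domain(mx: Dict[str, tuple]) -> str:
    # 'dane': every MX verifies (the survey's main count); 'partial': only a subset covered; 'broken': a record fails.
    statuses = {host_status(*probe) for probe in mx.values()}
    if "broken" in statuses:
        return "broken"
    if statuses == {"ok"}:
        return "dane"
    return "partial" if "ok" in statuses else "none"

# Constructed sample: fake DER bytes stand in for a real leaf certificate and its SPKI.
LEAF_CERT, LEAF_SPKI = b"constructed-leaf-cert", b"constructed-leaf-spki"
GOOD_EE = (3, 1, 1, hashlib.sha256(LEAF_SPKI).hexdigest())  # the usual "3 1 1 <sha256 of SPKI>" record
SAMPLE = {"mx1.example.test": ([GOOD_EE], True, [(LEAF_CERT, LEAF_SPKI)]),
          "mx2.example.test": ([GOOD_EE], False, None)}  # always-down backup MX, TLSA still published
```

A stale record left behind after a key rotation, or a host that stops advertising STARTTLS, moves the whole domain into the "broken" category even when the other MX hosts verify.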