Update on stats 2018-10

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Oct 31 05:13:42 CET 2018


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .LI,
	  .NAME, .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

Summary:  The DANE domain count is now 336,682

	  The number of domains with DNSSEC MX records is 9,015,211.
	  Thus DANE TLSA is deployed on 3.73% of domains with DNSSEC.

As of today I count 336,682 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count are:

   115370 transip.nl
    96024 domeneshop.no
    34882 active24.com
    23683 udmedia.de
    10797 bhosted.nl
    10599 wido.info
     5664 previder.nl
     3665 interconnect.nl
     2531 provalue.nl
     2443 nederhost.nl
     1505 yourdomainprovider.net
     1290 xcellerate.nl
     1210 hi7.de
     1075 surfmailfilter.nl
      998 soverin.net
      765 omc-mail.com
      688 sciver.net
      647 core-networks.de
      612 mailbox.org
      537 secure-gw.de

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 12 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):

  5323 TOTAL
  1789 DE, Germany
   984 NL, Netherlands
   957 US, United States
   382 FR, France
   172 GB, United Kingdom
   172 CZ, Czech Republic
   107 CA, Canada
    86 CH, Switzerland
    65 SE, Sweden
    56 SG, Singapore
    54 BR, Brazil
    47 NO, Norway

IPv6 is still comparatively rare for MX hosts, and the top 10
countries by DANE MX host IPv6 GeoIP are (same top 6).

  2633 TOTAL
  1042 DE, Germany
   441 US, United States
   441 NL, Netherlands
   218 FR, France
   103 CZ, Czech Republic
    80 GB, United Kingdom
    44 NO, Norway
    42 SE, Sweden
    31 SG, Singapore
    28 CH, Switzerland
    21 AT, Austria
    19 FI, Finland

There are 3669 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 5242.  These
cover 5628 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 176 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 95 are in recent (last 90 days of) reports:

  gmx.at                   lrz.de                 intermax.nl
  transip.be               mail.de                markteffectmail.nl
  nic.br                   posteo.de              ouderportaal.nl
  registro.br              ruhr-uni-bochum.de     overheid.nl
  gmx.ch                   tum.de                 pathe.nl
  open.ch                  uni-erlangen.de        politie.nl
  anubisnetworks.com       unitybox.de            rotterdam.nl
  gmx.com                  unitymedia.de          transip.nl
  habr.com                 web.de                 truetickets.nl
  mail.com                 egmontpublishing.dk    uvt.nl
  mylocalbuddy.com         netic.dk               xs4all.nl
  societe.com              tilburguniversity.edu  domeneshop.no
  solvinity.com            octopuce.fr            handelsbanken.no
  t-2.com                  comcast.net            webcruitermail.no
  trashmail.com            dd24.net               aegee.org
  xfinity.com              gmx.net                debian.org
  xfinityhomesecurity.com  habramail.net          freebsd.org
  xfinitymobile.com        hr-manager.net         gentoo.org
  active24.cz              inexio.net             ietf.org
  cuni.cz                  mpssec.net             isc.org
  destroystores.cz         mylobu.net             lazarus-ide.org
  klubpevnehozdravi.cz     t-2.net                netbsd.org
  optimail.cz              transip.net            openssl.org
  smtp.cz                  xs4all.net             samba.org
  bayern.de                xworks.net             torproject.org
  bund.de                  ardanta.nl             asf.com.pt
  elster.de                bhosted.nl             handelsbanken.se
  fau.de                   boozyshop.nl           minmyndighetspost.se
  freenet.de               hierinloggen.nl        skatteverket.se
  gmx.de                   hr.nl                  t-2.si
  jpberlin.de              hro.nl                 govtrack.us
  kabelmail.de             interconnect.nl

Of the ~336000 domains, 1954 have "partial" TLSA records, which
cover only a subset of the MX hosts.  While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 222. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
509.  The top 10 name server operators with problem domains are:

  50 dotserv.com
  38 tiscomhosting.nl
  38 metaregistrar.nl
  34 sylconia.net
  31 nrdns.nl
  25 active24.cz	(customer zones with broken wildcard cnames)
  20 nazwa.pl		(customer zones with broken wildcard NS RRs)
  19 host-redirect.com
  10 blauwblaatje.nl
  10 army.mil

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

None of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports.  So it is likely
that the DNSSEC denial of existence problems are not felt by most
email senders.

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
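The post distinguishes domains with "partial" TLSA coverage (only some MX hosts have records), domains with malformed or mismatched records, and the footnote's case of a permanently-down MX host whose well-formed TLSA record still costs nothing in security. As an added example that is not part of Viktor's post, the following Python audit applies those rules to a domain's MX hosts. It runs entirely offline against a constructed zone dictionary (names under `.test`, invented SPKI bytes) that stands in for a validating resolver; in real use the MX and TLSA lookups would come from a DNSSEC-validating resolver and only be trusted when validated, and the certificate or SubjectPublicKeyInfo bytes would come from the server's TLS handshake.

```python
"""Audit SMTP DANE TLSA coverage for a domain's MX hosts (constructed example)."""
import hashlib
from typing import Dict, List, Tuple

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs; real
# values are taken from the MX host's TLS certificate chain.
SPKI_MX1 = b"constructed SubjectPublicKeyInfo bytes for mx1"
SPKI_MX2 = b"constructed SubjectPublicKeyInfo bytes for mx2"


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed DNS data: owner name -> list of (rrtype, rdata) in presentation
# format.  A real audit would query a validating resolver instead.
ZONE: Dict[str, List[Tuple[str, str]]] = {
    "example.test": [("MX", "10 mx1.example.test"),
                     ("MX", "20 mx2.example.test"),
                     ("MX", "30 dead.example.test")],
    "_25._tcp.mx1.example.test": [("TLSA", "3 1 1 " + _sha256_hex(SPKI_MX1))],
    # mx2 shares its TLSA RRset via a CNAME, as the post notes some hosts do.
    "_25._tcp.mx2.example.test": [("CNAME", "shared-tlsa.example.test")],
    "shared-tlsa.example.test": [("TLSA", "3 1 1 " + _sha256_hex(SPKI_MX2))],
    # Always-down MX (footnote [1]): well-formed record that matches nothing.
    "_25._tcp.dead.example.test": [("TLSA", "3 1 1 " + "00" * 32)],
    "partial.test": [("MX", "10 mxa.partial.test"), ("MX", "20 mxb.partial.test")],
    "_25._tcp.mxa.partial.test": [("TLSA", "3 1 1 " + _sha256_hex(SPKI_MX1))],
    "broken.test": [("MX", "10 mxc.broken.test")],
    "_25._tcp.mxc.broken.test": [("TLSA", "3 1 1 abcd")],   # digest too short
    "plain.test": [("MX", "10 mxd.plain.test")],            # no TLSA at all
}


def lookup(name: str, rrtype: str, zone=ZONE, hops: int = 0) -> List[str]:
    """Return rdata strings of the given type at name, following CNAMEs."""
    rrs = zone.get(name, [])
    cnames = [rd for (t, rd) in rrs if t == "CNAME"]
    if cnames and hops < 8:
        return lookup(cnames[0], rrtype, zone, hops + 1)
    return [rd for (t, rd) in rrs if t == rrtype]


def parse_tlsa(rdata: str) -> Tuple[int, int, int, bytes]:
    """Parse 'usage selector mtype hexdata'; raise ValueError if malformed."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("TLSA needs exactly usage, selector, mtype, data")
    usage, selector, mtype = (int(p) for p in parts[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter value")
    try:
        data = bytes.fromhex(parts[3])
    except ValueError:
        raise ValueError("association data is not hex") from None
    expected = {1: 32, 2: 64}.get(mtype)          # SHA-256 / SHA-512 lengths
    if expected is not None and len(data) != expected:
        raise ValueError(f"matching type {mtype} needs {expected} bytes, got {len(data)}")
    return usage, selector, mtype, data


def tlsa_matches(record: Tuple[int, int, int, bytes], cert_der: bytes, spki_der: bytes) -> bool:
    """Check one record's association data against a certificate / SPKI."""
    _usage, selector, mtype, data = record
    subject = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return data == subject
    if mtype == 1:
        return data == hashlib.sha256(subject).digest()
    return data == hashlib.sha512(subject).digest()


def audit_domain(domain: str, zone=ZONE) -> dict:
    """Classify a domain as full / partial / none / broken TLSA coverage."""
    hosts: Dict[str, str] = {}
    for mx in lookup(domain, "MX", zone):
        _pref, host = mx.split()
        rrset = lookup(f"_25._tcp.{host}", "TLSA", zone)
        if not rrset:
            hosts[host] = "missing"
            continue
        try:
            for rd in rrset:
                parse_tlsa(rd)
            hosts[host] = "ok"
        except ValueError as exc:
            hosts[host] = f"malformed: {exc}"
    states = {v.split(":")[0] for v in hosts.values()}
    if not hosts:
        status = "no-mx"
    elif "malformed" in states:
        status = "broken"        # would land on the danefail list
    elif states == {"missing"}:
        status = "none"
    elif "missing" in states:
        status = "partial"       # some MX hosts still exposed to active attacks
    else:
        status = "full"
    return {"domain": domain, "status": status, "hosts": hosts}


if __name__ == "__main__":
    for d in ("example.test", "partial.test", "broken.test", "plain.test"):
        print(audit_domain(d))
```

Note that `dead.example.test` is reported as "ok" and `example.test` as "full" even though its record matches no key: coverage only requires a well-formed RRset at every MX host, which is exactly the footnote's point. Matching against the live certificate is a separate step (`tlsa_matches`) that a monitoring job should run against each reachable host after every key rotation.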
