Update on stats 2019-03
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Apr 1 07:30:33 CEST 2019
Summary: The DANE domain count is now 1,107,851
The number of domains that return DNSSEC-validated replies
in response to MX queries is 9,525,120. Thus DANE TLSA
is deployed on 11.63% of domains with DNSSEC.
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 1,107,851 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host. The top 20 MX host providers by domain count
are:
682345 one.com
122842 transip.nl
97106 domeneshop.no
35828 active24.com
32803 vevida.com
24093 udmedia.de
16091 flexfilter.nl
12932 onebit.cz
11039 bhosted.nl
5992 netzone.ch
5657 previder.nl
3901 ips.nl
3535 interconnect.nl
2490 provalue.nl
2343 nederhost.nl
1646 nmugroup.com
1445 yourdomainprovider.net
1328 hi7.de
1308 xcellerate.nl
1307 prolocation.net
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
4977 TOTAL
1680 DE, Germany
1026 US, United States
674 NL, Netherlands
382 FR, France
204 GB, United Kingdom
170 CZ, Czechia
104 CA, Canada
80 SG, Singapore
71 CH, Switzerland
69 SE, Sweden
48 DK, Denmark
45 IE, Ireland
40 AU, Australia
39 AT, Austria
38 BR, Brazil
33 FI, Finland
29 PL, Poland
25 RU, Russia
21 JP, Japan
18 IT, Italy
IPv6 is still comparatively rare for MX hosts, and the top 20
countries by DANE MX host IPv6 GeoIP are:
1834 TOTAL
677 DE, Germany
309 NL, Netherlands
221 FR, France
170 US, United States
111 CZ, Czechia
51 GB, United Kingdom
40 SE, Sweden
27 RU, Russia
27 CH, Switzerland
26 CA, Canada
20 AT, Austria
13 DK, Denmark
12 IE, Ireland
12 AU, Australia
11 NO, Norway
10 FI, Finland
10 BR, Brazil
9 SI, Slovenia
7 UA, Ukraine
7 PL, Poland
There are 4176 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.
The number of published MX host TLSA RRsets found is 6156. These
cover 6594 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 229 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 114 are in recent (last 90 days of) reports.
Of the DANE email domains, 2044 are listed in the Alexa top 1 million
(web site) list.
Of the ~1.11 million domains, 2403 have "partial" TLSA records
that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 376. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
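As an added illustration (not part of Viktor's post or his survey code) of the checks behind the "partial", "incorrect" and "dead MX host" categories above, the following self-checker validates that each TLSA record is well-formed, compares DANE-EE(3) SPKI(1) records against the key a host presents, and classifies the domain the way the post does. The SPKI blobs and host names are constructed sample data, and only the common "3 1 x" record form is matched.

```python
import hashlib

# RFC 6698 matching types: 0 = full data, 1 = SHA-256, 2 = SHA-512 (hex digest lengths)
DIGEST_HEX_LEN = {1: 64, 2: 128}

def parse_tlsa(rr):
    """Parse 'usage selector mtype data' and raise ValueError if it is not well-formed."""
    usage, selector, mtype, data = rr.split()
    usage, selector, mtype, data = int(usage), int(selector), int(mtype), data.lower()
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("bad TLSA parameters: " + rr)
    bytes.fromhex(data)  # raises ValueError on non-hex data
    if mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        raise ValueError("digest length does not match matching type: " + rr)
    return usage, selector, mtype, data

def spki_tlsa(spki_der, mtype=1):
    """Build the DANE-EE(3) SPKI(1) record an operator should publish for this key."""
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype](spki_der).hexdigest()
    return "3 1 %d %s" % (mtype, digest)

def tlsa_matches(rr, spki_der):
    """True if rr is a '3 1 x' record whose data matches the presented SPKI (assumption: only this form is checked)."""
    usage, selector, mtype, data = parse_tlsa(rr)
    if (usage, selector) != (3, 1):
        return False
    if mtype == 0:
        return spki_der.hex() == data
    return spki_tlsa(spki_der, mtype).split()[3] == data

def classify_domain(mx_hosts):
    """mx_hosts: list of (hostname, [TLSA records], presented SPKI DER, or None if the host is down).
    Returns 'none', 'partial', 'ok' or 'broken' using the criteria described in the post."""
    covered = uncovered = 0
    for host, rrs, spki in mx_hosts:
        if not rrs:
            uncovered += 1           # no TLSA records: this MX host is unprotected
            continue
        try:
            for rr in rrs:
                parse_tlsa(rr)
        except ValueError:
            return "broken"          # incorrect (malformed) TLSA records
        if spki is None:             # host is down: records only need to exist and be well-formed
            covered += 1
        elif any(tlsa_matches(rr, spki) for rr in rrs):
            covered += 1
        else:
            return "broken"          # published records match nothing the host presents
    if covered == 0:
        return "none"
    return "ok" if uncovered == 0 else "partial"

# Constructed sample SPKI blobs (not real keys) standing in for each MX host's public key.
SPKI_MX1 = b"constructed-spki-der-for-mx1"
SPKI_MX2 = b"constructed-spki-der-for-mx2"
```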
After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
1160. The top 10 name server operators with problem domains are:
544 mijnhostingpartner.nl
95 epik.com
42 metaregistrar.nl
35 dotserv.com
35 binero.se
34 tiscomhosting.nl
31 nrdns.nl
29 sylconia.net
26 active24.cz
20 movenext.nl
[ Some of these also have denial of existence problems at many
more domains that don't receive mail, so the problem is not
operationally significant in those cases, but could become
larger, if more email-enabled signed domains start using these
servers. For the top two, these additional domains number
well over one thousand each. ]
If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.
Seven of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:
trt01.gov.br
trtrio.gov.br
trt1.jus.br
trtrj.jus.br
accenturealumni.com
rackeo.host
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.