Update on stats 2019-07

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Aug 1 07:23:30 CEST 2019


Summary:  The DANE domain count is now 1,191,805

          The number of domains that return DNSSEC-validated replies
          in response to MX queries is 9,866,733.  Thus DANE TLSA
          is deployed on 12.08% of domains with DNSSEC.  [ The total
          number of tracked signed delegations (DS RRsets) is 10,026,848,
          but not all the corresponding domains are up and running. ]

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 1,191,805 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count
are:

  713339 one.com
  127741 transip.nl
   98672 domeneshop.no
   36445 active24.com
   32249 vevida.com
   27261 web4u.cz
   24283 udmedia.de
   15760 flexfilter.nl
   13854 zxcs.nl
   13118 onebit.cz
   11226 bhosted.nl
    6026 netzone.ch
    5662 previder.nl
    3704 ips.nl
    3304 interconnect.nl
    2568 provalue.nl
    2261 nederhost.nl
    1706 nmugroup.com
    1586 yourdomainprovider.net
    1295 xcellerate.nl

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  5965 TOTAL
  1879 DE, Germany
  1367 US, United States
   804 NL, Netherlands
   408 FR, France
   278 GB, United Kingdom
   179 CZ, Czechia
   136 CA, Canada
   127 SG, Singapore
    75 CH, Switzerland
    72 SE, Sweden
    57 DK, Denmark
    52 JP, Japan
    46 AT, Austria
    45 IE, Ireland
    43 FI, Finland
    43 AU, Australia
    36 PL, Poland
    36 BR, Brazil
    33 IN, India
    27 RU, Russia

IPv6 is less common than IPv4 for MX hosts (but improved IPv6
connectivity on my end this month finds more IPv6 DANE MTAs), and
the top 20 countries by DANE MX host IPv6 GeoIP are:

  2941 TOTAL
  1146 DE, Germany
   528 US, United States
   396 NL, Netherlands
   251 FR, France
   119 CZ, Czechia
   111 GB, United Kingdom
    41 SG, Singapore
    35 CH, Switzerland
    34 SE, Sweden
    30 RU, Russia
    27 CA, Canada
    25 JP, Japan
    24 AT, Austria
    16 IE, Ireland
    14 SI, Slovenia
    14 NO, Norway
    14 AU, Australia
    13 DK, Denmark
    12 ID, Indonesia
    12 BR, Brazil

There are 4576 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 6971.  These
cover 7425 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 255 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 136 are in recent (last 90 days of) reports:

  univie.ac.at             mensa.de               mailplus.nl
  gmx.at                   posteo.de              markteffectmail.nl
  transip.be               ruhr-uni-bochum.de     minbzk.nl
  nic.br                   tum.de                 mm1.nl
  registro.br              uni-erlangen.de        ouderportaal.nl
  gmx.ch                   uni-muenchen.de        overheid.nl
  open.ch                  unitybox.de            pathe.nl
  anubisnetworks.com       unitymedia.de          photofacts.nl
  fmc-na.com               web.de                 politie.nl
  gmx.com                  egmontpublishing.dk    previder.nl
  habr.com                 netic.dk               rijksoverheid.nl
  hotelsinduitsland.com    tilburguniversity.edu  rotterdam.nl
  kpn.com                  web200.eu              rvo.nl
  mail.com                 zone.eu                ssonet.nl
  one.com                  ac-strasbourg.fr       transip.nl
  societe.com              octopuce.fr            truetickets.nl
  solvinity.com            web200.hu              utwente.nl
  t-2.com                  247superhost.net       uvt.nl
  telfort.com              comcast.net            xs4all.nl
  trashmail.com            dns-oarc.net           domeneshop.no
  xfinity.com              gmx.net                handelsbanken.no
  xfinityhomesecurity.com  habramail.net          uib.no
  xfinitymobile.com        hr-manager.net         webcruitermail.no
  active24.cz              inexio.net             atelkamera.nu
  atlas.cz                 mpssec.net             aegee.org
  centrum.cz               procurios.net          debian.org
  cuni.cz                  riseup.net             freebsd.org
  itesco.cz                t-2.net                gentoo.org
  klubpevnehozdravi.cz     transip.net            ietf.org
  nic.cz                   transversal.net        isc.org
  onebit.cz                vevida.net             netbsd.org
  smtp.cz                  xs4all.net             openssl.org
  virusfree.cz             xworks.net             ozlabs.org
  volny.cz                 belastingdienst.nl     samba.org
  allsecur.de              bhosted.nl             torproject.org
  bayern.de                bluerail.nl            asf.com.pt
  bund.de                  boekwinkeltjes.nl      moikrug.ru
  elster.de                boozyshop.nl           boplatssyd-automail.se
  fau.de                   corpoflow.nl           handelsbanken.se
  freenet.de               denhaag.nl             minmyndighetspost.se
  gmx.de                   dictu.nl               personligalmanacka.se
  jpberlin.de              digid.nl               skatteverket.se
  kabelmail.de             hr.nl                  govtrack.us
  lrz.de                   interconnect.nl
  mail.de                  intermax.nl

Of the ~1.19 million domains, 2526 have "partial" TLSA records
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 501.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
1178.  The top 10 name server operators with problem domains are:

  489 mijnhostingpartner.nl
   41 metaregistrar.nl
   38 movenext.nl
   34 dotserv.com
   33 tiscomhosting.nl
   31 nrdns.nl
   23 domaincontrol.com
   22 sylconia.net
   14 is.nl
   14 interhand.net

  [ Seven of the ten problem providers are Dutch.  It would be great if
    SIDN could apply some carrot and stick to incent .NL hosting providers
    to have correctly working DNSSEC implementations. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

Ten of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br       (Nameservers REFUSE TLSA lookups)
  trt01.gov.br          (Zone mostly unsigned)
  trtrio.gov.br         (Zone mostly unsigned)
  trt1.jus.br           (Zone mostly unsigned)
  trtrj.jus.br          (Zone mostly unsigned)
  bluehosting.host      (NSEC RRs don't cover wildcard)
  rackeo.host           (NSEC RRs don't cover wildcard)
  mobily.com.sa         (firewall blocks TLSA queries)
  sauditelecom.com.sa   (firewall blocks TLSA queries)
  bog.gov.sa            (firewall blocks TLSA queries)

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.


More information about the dane-users mailing list