Update on stats 2019-07

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Aug 1 07:23:30 CEST 2019

Summary:  The DANE domain count is now 1,191,805

	  The number of domains that return DNSSEC-validated replies
	  in response to MX queries is 9,866,733.  Thus DANE TLSA
	  is deployed on 12.08% of domains with DNSSEC.  [ The total
          number of tracked signed delegations (DS RRsets) is 10,026,848,
          but not all the corresponding domains are up and running. ]

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 1,191,805 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count

  713339 one.com
  127741 transip.nl
   98672 domeneshop.no
   36445 active24.com
   32249 vevida.com
   27261 web4u.cz
   24283 udmedia.de
   15760 flexfilter.nl
   13854 zxcs.nl
   13118 onebit.cz
   11226 bhosted.nl
    6026 netzone.ch
    5662 previder.nl
    3704 ips.nl
    3304 interconnect.nl
    2568 provalue.nl
    2261 nederhost.nl
    1706 nmugroup.com
    1586 yourdomainprovider.net
    1295 xcellerate.nl

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat

  5965 TOTAL
  1879 DE, Germany
  1367 US, United States
   804 NL, Netherlands
   408 FR, France
   278 GB, United Kingdom
   179 CZ, Czechia
   136 CA, Canada
   127 SG, Singapore
    75 CH, Switzerland
    72 SE, Sweden
    57 DK, Denmark
    52 JP, Japan
    46 AT, Austria
    45 IE, Ireland
    43 FI, Finland
    43 AU, Australia
    36 PL, Poland
    36 BR, Brazil
    33 IN, India
    27 RU, Russia

IPv6 is less common than IPv4 for MX hosts (but improved IPv6
connectivity on my end this month finds more IPv6 DANE MTAs), and
the top 20 countries by DANE MX host IPv6 GeoIP are:

  2941 TOTAL
  1146 DE, Germany
   528 US, United States
   396 NL, Netherlands
   251 FR, France
   119 CZ, Czechia
   111 GB, United Kingdom
    41 SG, Singapore
    35 CH, Switzerland
    34 SE, Sweden
    30 RU, Russia
    27 CA, Canada
    25 JP, Japan
    24 AT, Austria
    16 IE, Ireland
    14 SI, Slovenia
    14 NO, Norway
    14 AU, Australia
    13 DK, Denmark
    12 ID, Indonesia
    12 BR, Brazil

There are 4576 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers

The number of published MX host TLSA RRsets found is 6971.  These
cover 7425 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 255 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 136 are in recent (last 90 days of) reports:

  univie.ac.at             mensa.de               mailplus.nl
  gmx.at                   posteo.de              markteffectmail.nl
  transip.be               ruhr-uni-bochum.de     minbzk.nl
  nic.br                   tum.de                 mm1.nl
  registro.br              uni-erlangen.de        ouderportaal.nl
  gmx.ch                   uni-muenchen.de        overheid.nl
  open.ch                  unitybox.de            pathe.nl
  anubisnetworks.com       unitymedia.de          photofacts.nl
  fmc-na.com               web.de                 politie.nl
  gmx.com                  egmontpublishing.dk    previder.nl
  habr.com                 netic.dk               rijksoverheid.nl
  hotelsinduitsland.com    tilburguniversity.edu  rotterdam.nl
  kpn.com                  web200.eu              rvo.nl
  mail.com                 zone.eu                ssonet.nl
  one.com                  ac-strasbourg.fr       transip.nl
  societe.com              octopuce.fr            truetickets.nl
  solvinity.com            web200.hu              utwente.nl
  t-2.com                  247superhost.net       uvt.nl
  telfort.com              comcast.net            xs4all.nl
  trashmail.com            dns-oarc.net           domeneshop.no
  xfinity.com              gmx.net                handelsbanken.no
  xfinityhomesecurity.com  habramail.net          uib.no
  xfinitymobile.com        hr-manager.net         webcruitermail.no
  active24.cz              inexio.net             atelkamera.nu
  atlas.cz                 mpssec.net             aegee.org
  centrum.cz               procurios.net          debian.org
  cuni.cz                  riseup.net             freebsd.org
  itesco.cz                t-2.net                gentoo.org
  klubpevnehozdravi.cz     transip.net            ietf.org
  nic.cz                   transversal.net        isc.org
  onebit.cz                vevida.net             netbsd.org
  smtp.cz                  xs4all.net             openssl.org
  virusfree.cz             xworks.net             ozlabs.org
  volny.cz                 belastingdienst.nl     samba.org
  allsecur.de              bhosted.nl             torproject.org
  bayern.de                bluerail.nl            asf.com.pt
  bund.de                  boekwinkeltjes.nl      moikrug.ru
  elster.de                boozyshop.nl           boplatssyd-automail.se
  fau.de                   corpoflow.nl           handelsbanken.se
  freenet.de               denhaag.nl             minmyndighetspost.se
  gmx.de                   dictu.nl               personligalmanacka.se
  jpberlin.de              digid.nl               skatteverket.se
  kabelmail.de             hr.nl                  govtrack.us
  lrz.de                   interconnect.nl
  mail.de                  intermax.nl

Of the ~1.19 million domains, 2526 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 501.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:


To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:



After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
1178.  The top 10 name server operators with problem domains are:

  489 mijnhostingpartner.nl
   41 metaregistrar.nl
   38 movenext.nl
   34 dotserv.com
   33 tiscomhosting.nl
   31 nrdns.nl
   23 domaincontrol.com
   22 sylconia.net
   14 is.nl
   14 interhand.net

  [ Seven of the ten problem providers are Dutch.  It would be great if
    SIDN could apply some carrot and stick to incent .NL hosting providers
    to have correctly working DNSSEC implementations. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage

Ten of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br       (Nameservers REFUSE TLSA lookups)
  trt01.gov.br          (Zone mostly unsigned)
  trtrio.gov.br         (Zone mostly unsigned)
  trt1.jus.br           (Zone mostly unsigned)
  trtrj.jus.br          (Zone mostly unsigned)
  bluehosting.host      (NSEC RRs don't cover wildcard)
  rackeo.host           (NSEC RRs don't cover wildcard)
  mobily.com.sa         (firewall blocks TLSA queries)
  sauditelecom.com.sa   (firewall blocks TLSA queries)
  bog.gov.sa            (firewall blocks TLSA queries)


[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.

More information about the dane-users mailing list