From ietf-dane at dukhovni.org Fri Feb 1 01:20:11 2019
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Thu, 31 Jan 2019 19:20:11 -0500
Subject: Update on stats 2019-01
Message-ID: <20190201002011.GQ4140@straasha.imrryr.org>

Summary:

    The DANE domain count is now 1,067,099

    Much of this month's adoption bump can be credited to one.com,
    thank you one.com. Another significant addition is onebit.cz in
    7th place, with ~13k domains.

    The number of domains with DNSSEC MX records is 9,458,550.
    Thus DANE TLSA is deployed on 11.2% of domains with DNSSEC.

Credits:

    The coverage of DNSSEC domains continues to improve with ongoing
    data support from Paul Vixie of Farsight Security. Credits also
    due to ICANN for gTLD data via CZDS, and to the TLD registries
    for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.
    More data sources of ccTLD signed delegations welcome.

As of today I count 1,067,099 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].

As expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are:

  673032 one.com
  120167 transip.nl
   96963 domeneshop.no
   35412 active24.com
   32677 vevida.com
   23990 udmedia.de
   12791 onebit.cz
   10880 bhosted.nl
    5621 previder.nl
    3604 interconnect.nl
    2519 provalue.nl
    2381 nederhost.nl
    1611 nmugroup.com
    1459 yourdomainprovider.net
    1325 prolocation.net
    1307 hi7.de
    1250 surfmailfilter.nl
    1131 xcellerate.nl
    1048 soverin.net
     798 omc-mail.com

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented):

  4706 TOTAL
  1597 DE, Germany
  1003 US, United States
   637 NL, Netherlands
   351 FR, France
   191 GB, United Kingdom
   151 CZ, Czechia
    88 CA, Canada
    72 SG, Singapore
    67 CH, Switzerland
    64 SE, Sweden
    42 DK, Denmark
    40 IE, Ireland
    40 BR, Brazil
    36 AT, Austria
    32 FI, Finland
    32 AU, Australia
    28 PL, Poland
    26 RU, Russia
    20 JP, Japan
    17 NO, Norway

IPv6 is still comparatively rare for MX hosts, and the top 20 countries
by DANE MX host IPv6 GeoIP are (same top 6):

  2389 TOTAL
   935 DE, Germany
   384 US, United States
   335 NL, Netherlands
   208 FR, France
   110 CZ, Czechia
    88 GB, United Kingdom
    37 RU, Russia
    34 SE, Sweden
    33 SG, Singapore
    28 CH, Switzerland
    21 AT, Austria
    19 CA, Canada
    15 IE, Ireland
    13 JP, Japan
    12 SI, Slovenia
    12 FI, Finland
    11 NO, Norway
    11 DK, Denmark
    11 BR, Brazil
    10 AU, Australia

There are 3958 unique zones in which the underlying MX hosts are found,
this counts each of the above providers as just one zone, so is a
measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 5760. These cover
6193 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 218 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain). Of these, 109 are in
recent (last 90 days of) reports:

  univie.ac.at             mail.de                  overheid.nl
  gmx.at                   posteo.de                pathe.nl
  nic.br                   ruhr-uni-bochum.de       photofacts.nl
  registro.br              tum.de                   photofactsacademy.nl
  gmx.ch                   uni-erlangen.de          politie.nl
  open.ch                  unitybox.de              rijksoverheid.nl
  anubisnetworks.com       unitymedia.de            saxion.nl
  fmc-na.com               web.de                   ssonet.nl
  gmx.com                  dk-hostmaster.dk         transip.nl
  habr.com                 egmontpublishing.dk      truetickets.nl
  hotelsinduitsland.com    netic.dk                 utwente.nl
  kpn.com                  tilburguniversity.edu    uvt.nl
  mail.com                 insee.fr                 xs4all.nl
  one.com                  octopuce.fr              domeneshop.no
  solvinity.com            web200.hu                handelsbanken.no
  t-2.com                  comcast.net              webcruitermail.no
  telfort.com              dd24.net                 atelkamera.nu
  trashmail.com            dns-oarc.net             aegee.org
  xfinity.com              gmx.net                  debian.org
  xfinityhomesecurity.com  habramail.net            freebsd.org
  xfinitymobile.com        hr-manager.net           gentoo.org
  active24.cz              inexio.net               ietf.org
  cuni.cz                  mpssec.net               isc.org
  itesco.cz                r4p3.net                 mailbox.org
  klubpevnehozdravi.cz     riseup.net               netbsd.org
  nic.cz                   t-2.net                  openssl.org
  smtp.cz                  virusfree.cz             xs4all.net
  torproject.org           allsecur.de              ardanta.nl
  asf.com.pt               bayern.de                bhosted.nl
  handelsbanken.se         bund.de                  boekwinkeltjes.nl
  minmyndighetspost.se     elster.de                boozyshop.nl
  personligalmanacka.se    fau.de                   hierinloggen.nl
  skatteverket.se          freenet.de               intermax.nl
  t-2.si                   gmx.de                   mailplus.nl
  govtrack.us              jpberlin.de              minbzk.nl
  lrz.de                   ouderportaal.nl

Of the ~1.07 million domains, 2328 have "partial" TLSA records, that
cover only a subset of the MX hosts. While this protects traffic to
some of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 402. Some of these have additional MX hosts that don't have
broken TLSA records, so mail can still arrive via the remaining MX
hosts. A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity of
your own TLSA records, and implement a reliable key rotation procedure.
See:

  https://dane.sys4.de/common_mistakes
  http://imrryr.org/~viktor/ICANN61-viktor.pdf
  http://imrryr.org/~viktor/icann61-viktor.mp3
  http://tools.ietf.org/html/rfc7671#section-8.1
  http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number
of "real" email domains with bad DNSSEC support stands at 519. The top
10 name server operators with problem domains are:

  36 tiscomhosting.nl
  35 dotserv.com
  31 nrdns.nl
  30 sylconia.net
  27 metaregistrar.nl
  23 active24.cz       (customer zones with broken wildcard CNAMEs)
  21 nazwa.pl          (customer zones with broken wildcard NS RRs)
  18 movenext.nl
  13 host-redirect.com
  13 binero.se         (remediation in progress)

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage possible.

Four of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:

  accenturealumni.com
  trtrio.gov.br
  trtrj.jus.br
  trt01.gov.br

-- 
Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real
MTAs might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
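The mail above sorts domains into "full", "partial" (TLSA on only some MX hosts), and "broken" (TLSA published but no STARTTLS or no matching record), and footnote [1] notes that a permanently dead MX host only needs well-formed records. The following is an added example, not code from Viktor's post or from any of the tools he references: it applies the RFC 6698 selector/matching-type rules to a presented chain and then classifies a domain's MX set the way the mail does, including the RFC 7671 section 8.1 rotation step of pre-publishing the new key's record. The certificate bytes, host names and scenarios are all constructed placeholders (no real DER is parsed), and a real check would additionally require the TLSA RRset and the MX lookup to be DNSSEC-validated.

```python
"""Offline SMTP DANE TLSA checks (RFC 6698 / RFC 7671 / RFC 7672 rules).

Added example, not part of the original mail. The certificate blobs are
constructed placeholders, not real DER; DNSSEC validation of the MX and
TLSA lookups is assumed to have happened before this code runs.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional

DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}  # matching type -> hash


@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA2-256, 2 SHA2-512
    data: bytes    # certificate association data

    @classmethod
    def parse(cls, text: str) -> "TLSA":
        """Parse zone-file presentation format, e.g. '3 1 1 <hex>'."""
        usage, selector, mtype, *hexparts = text.split()
        return cls(int(usage), int(selector), int(mtype),
                   bytes.fromhex("".join(hexparts)))

    def usable(self) -> bool:
        """Well-formed and usable for SMTP: RFC 7672 ignores PKIX usages 0/1
        and malformed records, and an RRset with no usable record counts as
        absent. The footnote's dead-MX records must still pass this."""
        if self.usage not in (2, 3) or self.selector not in (0, 1):
            return False
        if self.mtype == 0:
            return len(self.data) > 0
        return (self.mtype in DIGEST
                and len(self.data) == DIGEST[self.mtype]().digest_size)


@dataclass(frozen=True)
class Cert:
    der: bytes   # DER of the whole certificate (placeholder bytes here)
    spki: bytes  # DER of its SubjectPublicKeyInfo (placeholder bytes here)


def assoc_data(rec: TLSA, cert: Cert) -> bytes:
    """RFC 6698 s.2.1: apply the selector, then the matching type."""
    selected = cert.der if rec.selector == 0 else cert.spki
    return selected if rec.mtype == 0 else DIGEST[rec.mtype](selected).digest()


def record_matches(rec: TLSA, chain: list[Cert]) -> bool:
    """DANE-EE(3) matches the leaf only; DANE-TA(2) matches any certificate
    the server sends. Path validation up to the matched TA is left to the
    TLS library and is not modelled here."""
    if not rec.usable() or not chain:
        return False
    candidates = chain[:1] if rec.usage == 3 else chain
    return any(assoc_data(rec, c) == rec.data for c in candidates)


def host_state(recs: list[TLSA], chain: Optional[list[Cert]]) -> str:
    """chain is None for an MX that never accepts connections (footnote [1]),
    [] for one that connects but offers no STARTTLS, else the sent chain."""
    usable = [r for r in recs if r.usable()]
    if not usable:
        return "unprotected"   # no usable TLSA: opportunistic TLS at best
    if chain is None:
        return "protected"     # dead host carries no traffic to downgrade
    if any(record_matches(r, chain) for r in usable):
        return "protected"
    return "broken"            # TLSA published, but no STARTTLS or no match


def classify_domain(mx: dict[str, tuple[list[TLSA], Optional[list[Cert]]]]) -> str:
    """'full', 'partial' (the mail's 2328), 'broken' (the 402) or 'none'."""
    states = {host_state(recs, chain) for recs, chain in mx.values()}
    if "broken" in states:
        return "broken"        # mail may still arrive via the other MX hosts
    if states == {"protected"}:
        return "full"
    return "partial" if "protected" in states else "none"


def demo() -> dict[str, str]:
    """Constructed scenarios; each record's hex is derived from the placeholder
    bytes so the comparisons are real digest matches."""
    old = Cert(b"constructed leaf DER", b"constructed old SPKI")
    new = Cert(b"constructed leaf DER v2", b"constructed new SPKI")
    ta = Cert(b"constructed issuer DER", b"constructed issuer SPKI")
    live = TLSA.parse("3 1 1 " + hashlib.sha256(old.spki).hexdigest())
    staged = TLSA.parse("3 1 1 " + hashlib.sha256(new.spki).hexdigest())
    issuer = TLSA.parse("2 0 1 " + hashlib.sha256(ta.der).hexdigest())
    stale = TLSA.parse("3 1 1 " + "00" * 32)  # key rotated, DNS never updated
    return {
        # RFC 7671 s.8.1: publish 'staged' before the key swap, drop 'live' after
        "before_rotation": classify_domain({"mx1": ([live, staged], [old, ta])}),
        "after_rotation": classify_domain({"mx1": ([live, staged], [new, ta])}),
        "dane_ta": classify_domain({"mx1": ([issuer], [new, ta])}),
        "partial": classify_domain({"mx1": ([live], [old, ta]),
                                    "mx2": ([], [old, ta])}),
        "broken": classify_domain({"mx1": ([stale], [new, ta]),
                                   "mx2": ([live], [old, ta])}),
        "dead_mx": classify_domain({"mx1": ([live], [old, ta]),
                                    "mx9": ([stale], None)}),
        "no_starttls": classify_domain({"mx1": ([live], [])}),
    }
```

The `dead_mx` scenario is footnote [1] in code: the never-answering host publishes a record that matches nothing, yet the domain still classifies as fully protected because no traffic is ever sent there; remove that record and the host falls to `unprotected`, turning the domain into the "partial" case. Monitoring in the sense the mail asks for means running `record_matches` against the chain each MX host actually presents, after every certificate or key change, rather than only at initial deployment.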