Update on stats 2019-01
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Feb 1 01:20:11 CET 2019
Summary: The DANE domain count is now 1,067,099
Much of this month's adoption bump can be credited to
one.com, thank you one.com. Another significant addition
is onebit.cz in 7th place, with ~13k domains.
The number of domains with DNSSEC MX records is 9,458,550.
Thus DANE TLSA is deployed on 11.2% of domains with DNSSEC.
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 1,067,099 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host. The top 20 MX host providers by domain count
are:
673032 one.com
120167 transip.nl
96963 domeneshop.no
35412 active24.com
32677 vevida.com
23990 udmedia.de
12791 onebit.cz
10880 bhosted.nl
5621 previder.nl
3604 interconnect.nl
2519 provalue.nl
2381 nederhost.nl
1611 nmugroup.com
1459 yourdomainprovider.net
1325 prolocation.net
1307 hi7.de
1250 surfmailfilter.nl
1131 xcellerate.nl
1048 soverin.net
798 omc-mail.com
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):
4706 TOTAL
1597 DE, Germany
1003 US, United States
637 NL, Netherlands
351 FR, France
191 GB, United Kingdom
151 CZ, Czechia
88 CA, Canada
72 SG, Singapore
67 CH, Switzerland
64 SE, Sweden
42 DK, Denmark
40 IE, Ireland
40 BR, Brazil
36 AT, Austria
32 FI, Finland
32 AU, Australia
28 PL, Poland
26 RU, Russia
20 JP, Japan
17 NO, Norway
IPv6 is still comparatively rare for MX hosts, and the top 20
countries by DANE MX host IPv6 GeoIP are (same top 6):
2389 TOTAL
935 DE, Germany
384 US, United States
335 NL, Netherlands
208 FR, France
110 CZ, Czechia
88 GB, United Kingdom
37 RU, Russia
34 SE, Sweden
33 SG, Singapore
28 CH, Switzerland
21 AT, Austria
19 CA, Canada
15 IE, Ireland
13 JP, Japan
12 SI, Slovenia
12 FI, Finland
11 NO, Norway
11 DK, Denmark
11 BR, Brazil
10 AU, Australia
There are 3958 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.
The number of published MX host TLSA RRsets found is 5760. These
cover 6193 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 218 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 109 are in recent (last 90 days of) reports:
univie.ac.at             mail.de                  overheid.nl
gmx.at                   posteo.de                pathe.nl
nic.br                   ruhr-uni-bochum.de       photofacts.nl
registro.br              tum.de                   photofactsacademy.nl
gmx.ch                   uni-erlangen.de          politie.nl
open.ch                  unitybox.de              rijksoverheid.nl
anubisnetworks.com       unitymedia.de            saxion.nl
fmc-na.com               web.de                   ssonet.nl
gmx.com                  dk-hostmaster.dk         transip.nl
habr.com                 egmontpublishing.dk      truetickets.nl
hotelsinduitsland.com    netic.dk                 utwente.nl
kpn.com                  tilburguniversity.edu    uvt.nl
mail.com                 insee.fr                 xs4all.nl
one.com                  octopuce.fr              domeneshop.no
solvinity.com            web200.hu                handelsbanken.no
t-2.com                  comcast.net              webcruitermail.no
telfort.com              dd24.net                 atelkamera.nu
trashmail.com            dns-oarc.net             aegee.org
xfinity.com              gmx.net                  debian.org
xfinityhomesecurity.com  habramail.net            freebsd.org
xfinitymobile.com        hr-manager.net           gentoo.org
active24.cz              inexio.net               ietf.org
cuni.cz                  mpssec.net               isc.org
itesco.cz                r4p3.net                 mailbox.org
klubpevnehozdravi.cz     riseup.net               netbsd.org
nic.cz                   t-2.net                  openssl.org
smtp.cz                  transip.net              samba.org
virusfree.cz             xs4all.net               torproject.org
allsecur.de              ardanta.nl               asf.com.pt
bayern.de                bhosted.nl               handelsbanken.se
bund.de                  boekwinkeltjes.nl        minmyndighetspost.se
elster.de                boozyshop.nl             personligalmanacka.se
fau.de                   hierinloggen.nl          skatteverket.se
freenet.de               intermax.nl              t-2.si
gmx.de                   mailplus.nl              govtrack.us
jpberlin.de              minbzk.nl
lrz.de                   ouderportaal.nl
Of the ~1.07 million domains, 2328 have "partial" TLSA records,
that cover only a subset of the MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable
to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 402. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
519. The top 10 name server operators with problem domains are:
36 tiscomhosting.nl
35 dotserv.com
31 nrdns.nl
30 sylconia.net
27 metaregistrar.nl
23 active24.cz (customer zones with broken wildcard cnames)
21 nazwa.pl (customer zones with broken wildcard NS RRs)
18 movenext.nl
13 host-redirect.com
13 binero.se (remediation in progress)
If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.
Four of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:
accenturealumni.com
trtrio.gov.br
trtrj.jus.br
trt01.gov.br
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
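A self-monitoring check of the kind the post asks operators to run (an added example, not Viktor's code or the survey's tooling): it tests TLSA records for well-formedness, matches them against the certificate an MX host presents (the DANE-EE, usage 3 case; the DANE-TA chain walk is omitted), and classifies a domain as fully, partially or not covered, counting a dead host with well-formed records as covered, as footnote [1] describes. The host names and certificate bytes are constructed placeholders; fetching the real TLSA RRsets and the STARTTLS certificates is left to the caller.

```python
import hashlib
from dataclasses import dataclass

DIGEST_LEN = {0: None, 1: 32, 2: 64}  # bytes per matching type: 0 = exact data, 1 = SHA-256, 2 = SHA-512

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0..3; SMTP DANE (RFC 7672) uses 2 (DANE-TA) or 3 (DANE-EE)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # matching type, see DIGEST_LEN
    data: bytes    # association data: a digest, or raw DER for matching type 0

def well_formed(r: TLSA) -> bool:
    """Syntactic check only; a malformed record is a problem even on an MX host that never answers."""
    if r.usage not in (0, 1, 2, 3) or r.selector not in (0, 1) or r.mtype not in DIGEST_LEN:
        return False
    want = DIGEST_LEN[r.mtype]
    return len(r.data) > 0 if want is None else len(r.data) == want

def matches(r: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """Match the record against the end-entity certificate the MX host presented (DANE-EE case)."""
    selected = cert_der if r.selector == 0 else spki_der
    if r.mtype == 0:
        return r.data == selected
    digest = hashlib.sha256 if r.mtype == 1 else hashlib.sha512
    return r.data == digest(selected).digest()

def classify_domain(mx_hosts, tlsa_rrsets, presented):
    """Return 'none', 'partial', 'full' or 'broken' for one domain. tlsa_rrsets: host -> list[TLSA];
    presented: host -> (cert_der, spki_der) seen in the handshake, or None when the host is down."""
    covered = broken = 0
    for host in mx_hosts:
        rrs = tlsa_rrsets.get(host, [])
        if not rrs:
            continue  # no TLSA published for this MX host: it is simply uncovered
        usable = [r for r in rrs if well_formed(r)]
        seen = presented.get(host)
        if usable and (seen is None or any(matches(r, *seen) for r in usable)):
            covered += 1  # a dead host with well-formed records still counts (footnote [1])
        else:
            broken += 1   # every record malformed, or none matches the presented certificate
    if broken:
        return "broken"
    if not covered:
        return "none"
    return "full" if covered == len(mx_hosts) else "partial"

CERT, SPKI = b"constructed-cert-der", b"constructed-spki-der"  # constructed sample bytes, not real DER
GOOD = TLSA(3, 1, 1, hashlib.sha256(SPKI).digest())            # a matching DANE-EE SPKI SHA-256 record
```

A domain that comes back "partial" is exactly the case the post describes: the uncovered MX hosts remain open to the usual active attacks, so the check should alert on anything other than "full".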