Update on stats 2018-12

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Jan 1 03:50:32 CET 2019


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

Summary:  The DANE domain count is now 774,820

	  This month's adoption bump can be credited to vevida.com
	  who enabled DANE for ~33 thousand domains.  Thank you
	  vevida.com.

	  The number of domains with DNSSEC MX records is 8,878,369.
	  Thus DANE TLSA is deployed on 8.72% of domains with DNSSEC.

	  There are somewhat fewer DNSSEC domains this month. This
	  is because a hosting provider with O(200k) previously
	  signed domains is modernizing their DNSSEC stack (moving
	  to ECDSA I hear), but chose to disable DNSSEC in the
	  interim.  With a bit of luck, the numbers will soon be
	  back up, and perhaps there'll be DANE support as well.

As of today I count 774,820 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count are:

  399441 one.com
  117127 transip.nl
   96917 domeneshop.no
   35201 active24.com
   32626 vevida.com
   23894 udmedia.de
   10707 bhosted.nl
   10587 wido.info
    5654 previder.nl
    3577 interconnect.nl
    2521 provalue.nl
    2369 nederhost.nl
    1619 nmugroup.com
    1456 yourdomainprovider.net
    1288 hi7.de
    1286 xcellerate.nl
    1073 surfmailfilter.nl
    1023 soverin.net
     783 omc-mail.com
     693 sciver.net

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented):

  4581 TOTAL
  1522 DE, Germany
   964 US, United States
   599 NL, Netherlands
   368 FR, France
   160 GB, United Kingdom
   142 CZ, Czech Republic
   115 CA, Canada
    63 CH, Switzerland
    60 SG, Singapore
    58 SE, Sweden
    46 BR, Brazil
    40 DK, Denmark
    35 IE, Ireland
    35 AT, Austria
    28 AU, Australia
    27 FI, Finland
    25 RU, Russian Federation
    23 GR, Greece
    22 PL, Poland
    22 JP, Japan

IPv6 is still comparatively rare for MX hosts, and the top 20
countries by DANE MX host IPv6 GeoIP are (same top 6).

 2296 TOTAL
  893 DE, Germany
  428 US, United States
  358 NL, Netherlands
  204 FR, France
   78 CZ, Czech Republic
   70 GB, United Kingdom
   41 SE, Sweden
   33 SG, Singapore
   24 CH, Switzerland
   19 AT, Austria
   15 IE, Ireland
   12 SI, Slovenia
   12 FI, Finland
   12 CA, Canada
   11 BR, Brazil
   10 NO, Norway
    9 ID, Indonesia
    9 AU, Australia
    8 DK, Denmark
    6 RU, Russian Federation

There are 3801 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 5488.  These
cover 5896 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 208 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 116 are in recent (last 90 days of) reports:

  gmx.at                   lrz.de                 markteffectmail.nl
  nic.br                   mail.de                ouderportaal.nl
  registro.br              posteo.de              overheid.nl
  gmx.ch                   ruhr-uni-bochum.de     pathe.nl
  open.ch                  tum.de                 photofacts.nl
  anubisnetworks.com       uni-erlangen.de        photofactsacademy.nl
  gmx.com                  unitybox.de            politie.nl
  habr.com                 unitymedia.de          rijksoverheid.nl
  hotelsinduitsland.com    web.de                 rotterdam.nl
  kpn.com                  dk-hostmaster.dk       saxion.nl
  mail.com                 egmontpublishing.dk    ssonet.nl
  one.com                  netic.dk               transip.nl
  societe.com              tilburguniversity.edu  truetickets.nl
  solvinity.com            eupvsec.eu             uvt.nl
  t-2.com                  insee.fr               xs4all.nl
  trashmail.com            octopuce.fr            domeneshop.no
  xfinity.com              web200.hu              handelsbanken.no
  xfinityhomesecurity.com  comcast.net            webcruitermail.no
  xfinitymobile.com        dd24.net               atelkamera.nu
  active24.cz              dns-oarc.net           aegee.org
  atlas.cz                 gmx.net                debian.org
  centrum.cz               habramail.net          freebsd.org
  cuni.cz                  hr-manager.net         gentoo.org
  destroystores.cz         inexio.net             ietf.org
  itesco.cz                mpssec.net             isc.org
  klubpevnehozdravi.cz     procurios.net          lazarus-ide.org
  nic.cz                   r4p3.net               mailbox.org
  smtp.cz                  t-2.net                netbsd.org
  virusfree.cz             transip.net            openssl.org
  volny.cz                 xs4all.net             samba.org
  allsecur.de              xworks.net             torproject.org
  bayern.de                ardanta.nl             asf.com.pt
  bund.de                  bhosted.nl             handelsbanken.se
  elster.de                boekwinkeltjes.nl      minmyndighetspost.se
  fau.de                   boozyshop.nl           personligalmanacka.se
  freenet.de               hierinloggen.nl        skatteverket.se
  gmx.de                   hr.nl                  t-2.si
  jpberlin.de              hro.nl                 govtrack.us
  kabelmail.de             intermax.nl

Of the ~775000 domains, 2186 have "partial" TLSA records, that
cover only a subset of the MX hosts.  While this protects traffic
to some of the MX hosts, such domains are still vulnerable to the
usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 253.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    http://imrryr.org/~viktor/ICANN61-viktor.pdf
    http://imrryr.org/~viktor/icann61-viktor.mp3

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
508.  The top 10 name server operators with problem domains are:

  50 dotserv.com
  36 tiscomhosting.nl
  30 sylconia.net
  30 nrdns.nl
  27 metaregistrar.nl
  24 active24.cz	(customer zones with broken wildcard cnames)
  21 nazwa.pl		(customer zones with broken wildcard NS RRs)
  13 movenext.nl
  13 host-redirect.com
  11 is.nl

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

Four of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:

  trt1.jus.br
  trtrio.gov.br
  trtrj.jus.br
  trt01.gov.br

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
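The post distinguishes "full" from "partial" TLSA coverage of a domain's MX hosts, counts records that are merely well-formed (as for the deliberately dead hosts in footnote [1]), and asks operators to monitor that their records actually match the deployed certificates. The following is an added example, not code from Viktor or the dane-users list, of the checks behind those three categories; it works on records and certificate bytes you have already fetched (no DNS or SMTP is done here), and the MX names under example.net plus the certificate and SubjectPublicKeyInfo bytes are constructed placeholders.

```python
import hashlib
from typing import Dict, List, Tuple

# A TLSA RR as (usage, selector, matching_type, association_data_hex).
TlsaRR = Tuple[int, int, int, str]
DIGEST = {0: lambda b: b,                          # Full(0): the object itself
          1: lambda b: hashlib.sha256(b).digest(),  # SHA2-256(1)
          2: lambda b: hashlib.sha512(b).digest()}  # SHA2-512(2)
DIGEST_LEN = {1: 32, 2: 64}

def tlsa_well_formed(rr: TlsaRR) -> bool:
    """Structural check only.  SMTP DANE (RFC 7672) uses just DANE-TA(2)
    and DANE-EE(3); the data length must agree with the matching type."""
    usage, selector, mtype, data = rr
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in DIGEST:
        return False
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return False
    return len(raw) == DIGEST_LEN.get(mtype, len(raw)) and len(raw) > 0

def tlsa_matches(rr: TlsaRR, cert_der: bytes, spki_der: bytes) -> bool:
    """Pass the end-entity cert for DANE-EE(3) or a candidate issuer cert
    from the chain for DANE-TA(2).  Selector Cert(0) covers the whole DER
    certificate, SPKI(1) only its SubjectPublicKeyInfo."""
    if not tlsa_well_formed(rr):
        return False
    _usage, selector, mtype, data = rr
    obj = cert_der if selector == 0 else spki_der
    return DIGEST[mtype](obj) == bytes.fromhex(data)

def classify_domain(mx_hosts: List[str],
                    tlsa_by_host: Dict[str, List[TlsaRR]]) -> str:
    """'full' if every MX host has a well-formed TLSA RRset, 'partial' if
    only some do (the rest stay open to active attack), else 'none'."""
    covered = [h for h in mx_hosts
               if any(tlsa_well_formed(r) for r in tlsa_by_host.get(h, []))]
    if not covered:
        return "none"
    return "full" if len(covered) == len(mx_hosts) else "partial"

# Constructed sample data (not real certificates or DNS records).
LEAF_CERT = b"constructed DER certificate bytes"
LEAF_SPKI = b"constructed SubjectPublicKeyInfo bytes"
GOOD_RR: TlsaRR = (3, 1, 1, hashlib.sha256(LEAF_SPKI).hexdigest())  # "3 1 1 <hex>"
MX_HOSTS = ["mx1.example.net", "mx2.example.net"]
TLSA_BY_HOST = {"mx1.example.net": [GOOD_RR]}  # mx2 publishes no TLSA RRs
```

With the constructed data the domain classifies as "partial", the situation the post describes for 2186 domains; a monitoring job would run `tlsa_matches` against the certificate each MX host actually presents after every rotation.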
