Update on stats 2019-06

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jul 1 07:39:48 CEST 2019

Summary:  The DANE domain count is now 1,185,097

	  The number of domains that return DNSSEC-validated replies
	  in response to MX queries is 9,810,062.  Thus DANE TLSA
	  is deployed on 12.08% of domains with DNSSEC.

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

Appeal:	  A handful of providers still have long-term broken DNSSEC
	  denial of existence.   It would be really great if (at least):

	       mijnhostingpartner.nl	(Much improved, remediation in progress)
	       metaregistrar.nl		(Wrong empty non-terminal handling)
	       tiscomhosting.nl		(Missing wildcard NSEC for NODATA response)
	       dotserv.com		(invalid NSEC chain order)
	       movenext.nl		(NSEC replies don't cover wildcard)
	       nrdns.nl			(Malformed NSEC3 or ServFail)
	       sylconia.nl 		(Malformed NSEC3 chain)

	  fixed their nameserver and/or zone provisioning code.  While
	  the O(10^3) affected domains are a small fraction of the
	  O(10^7) signed domains, they are a much larger fraction
	  of the signed domains for those particular providers.

Appeal:	  The number of domains with neglected outdated TLSA records,
	  has grown to ~600.  PLEASE *monitor* your deployment, and
	  implement a cert/key rollover process that does not (even
	  temporarily) disrupt the validity of your certificate
	  chain as compared to the published (cached) TLSA records:


	  If you're willing and able to help reach out to the
	  operators of MX hosts with misconfigured TLSA RRsets,
	  please get in touch.

As of today I count 1,185,097 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count

  710477 one.com
  126697 transip.nl
   97776 domeneshop.no
   36407 active24.com
   32344 vevida.com
   27345 web4u.cz
   24153 udmedia.de
   15734 flexfilter.nl
   13127 zxcs.nl
   13003 onebit.cz
   11082 bhosted.nl
    6024 netzone.ch
    5644 previder.nl
    3768 ips.nl
    3393 interconnect.nl
    2574 provalue.nl
    2277 nederhost.nl
    1694 nmugroup.com
    1573 yourdomainprovider.net
    1322 hi7.de

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat

  5347 TOTAL
  1782 DE, Germany
  1123 US, United States
   745 NL, Netherlands
   382 FR, France
   220 GB, United Kingdom
   173 CZ, Czechia
   122 CA, Canada
    86 SG, Singapore
    73 SE, Sweden
    72 CH, Switzerland
    58 DK, Denmark
    43 AT, Austria
    41 FI, Finland
    40 IE, Ireland
    38 PL, Poland
    37 BR, Brazil
    34 AU, Australia
    29 JP, Japan
    27 RU, Russia
    20 IT, Italy

IPv6 is still comparatively rare for MX hosts, and the top 20
countries by DANE MX host IPv6 GeoIP are:

  1884 TOTAL
   711 DE, Germany
   314 NL, Netherlands
   217 FR, France
   165 US, United States
   121 CZ, Czechia
    72 GB, United Kingdom
    39 SE, Sweden
    36 RU, Russia
    31 CH, Switzerland
    22 AT, Austria
    19 CA, Canada
    15 IE, Ireland
    13 NO, Norway
    11 SI, Slovenia
    11 AU, Australia
    10 FI, Finland
    10 DK, Denmark
    10 BR, Brazil
     5 LT, Republic of Lithuania
     5 IT, Italy

There are 4505 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers

The number of published MX host TLSA RRsets found is 6827.  These
cover 7282 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 255 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 136 are in recent (last 90 days of) reports:

  univie.ac.at             posteo.de              mailplus.nl
  gmx.at                   ruhr-uni-bochum.de     markteffectmail.nl
  transip.be               tum.de                 minbzk.nl
  nic.br                   uni-erlangen.de        mm1.nl
  registro.br              uni-muenchen.de        ouderportaal.nl
  gmx.ch                   unitybox.de            overheid.nl
  open.ch                  unitymedia.de          pathe.nl
  anubisnetworks.com       web.de                 photofacts.nl
  fmc-na.com               egmontpublishing.dk    politie.nl
  gmx.com                  netic.dk               previder.nl
  habr.com                 tilburguniversity.edu  rijksoverheid.nl
  hotelsinduitsland.com    web200.eu              rotterdam.nl
  kpn.com                  zone.eu                rvo.nl
  mail.com                 ac-strasbourg.fr       specsaversrelation.nl
  one.com                  insee.fr               ssonet.nl
  solvinity.com            octopuce.fr            transip.nl
  t-2.com                  web200.hu              truetickets.nl
  telfort.com              247superhost.net       utwente.nl
  trashmail.com            comcast.net            uvt.nl
  xfinity.com              dd24.net               xs4all.nl
  xfinityhomesecurity.com  dns-oarc.net           domeneshop.no
  xfinitymobile.com        gmx.net                handelsbanken.no
  active24.cz              habramail.net          uib.no
  atlas.cz                 hr-manager.net         webcruitermail.no
  centrum.cz               inexio.net             atelkamera.nu
  cuni.cz                  mpssec.net             aegee.org
  itesco.cz                procurios.net          debian.org
  klubpevnehozdravi.cz     riseup.net             freebsd.org
  nic.cz                   t-2.net                gentoo.org
  onebit.cz                transip.net            ietf.org
  server4u.cz              transversal.net        isc.org
  smtp.cz                  vevida.net             netbsd.org
  virusfree.cz             xs4all.net             openssl.org
  volny.cz                 xworks.net             ozlabs.org
  allsecur.de              belastingdienst.nl     samba.org
  bayern.de                bhosted.nl             torproject.org
  bund.de                  bluerail.nl            asf.com.pt
  elster.de                boekwinkeltjes.nl      moikrug.ru
  fau.de                   corpoflow.nl           boplatssyd-automail.se
  freenet.de               denhaag.nl             handelsbanken.se
  gmx.de                   dictu.nl               minmyndighetspost.se
  jpberlin.de              digid.nl               personligalmanacka.se
  kabelmail.de             hierinloggen.nl        skatteverket.se
  lrz.de                   hr.nl                  govtrack.us
  mail.de                  interconnect.nl
  mensa.de                 intermax.nl

Of the ~1.18 million domains, 2533 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 615.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:


To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:



After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
759.  The top 10 name server operators with problem domains are:

  174 mijnhostingpartner.nl
   40 metaregistrar.nl
   34 tiscomhosting.nl
   34 movenext.nl
   34 dotserv.com
   31 nrdns.nl
   20 sylconia.nl
   14 is.nl
   12 dnscluster.nl
   11 vultr.com

  [ Both epik.com and binero.se have resolved all issues since last month.
    And mijnhostingpartner.nl is making great progress, if the root cause
    is resolved this month, this could be the last time they're mentioned
    here in a negative light.

    Eight of the ten problem providers are Dutch.  It would be great if
    SIDN could apply some carrot and stick to incent .NL hosting providers
    to have correctly working DNSSEC implementations. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage

Nine of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.

More information about the dane-users mailing list