Update on stats 2019-06
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Jul 1 07:39:48 CEST 2019
Summary: The DANE domain count is now 1,185,097
The number of domains that return DNSSEC-validated replies
in response to MX queries is 9,810,062. Thus DANE TLSA
is deployed on 12.08% of domains with DNSSEC.
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
Appeal: A handful of providers still have long-term broken DNSSEC
denial of existence. It would be really great if (at least):
mijnhostingpartner.nl (Much improved, remediation in progress)
metaregistrar.nl (Wrong empty non-terminal handling)
tiscomhosting.nl (Missing wildcard NSEC for NODATA response)
dotserv.com (invalid NSEC chain order)
movenext.nl (NSEC replies don't cover wildcard)
nrdns.nl (Malformed NSEC3 or ServFail)
sylconia.nl (Malformed NSEC3 chain)
fixed their nameserver and/or zone provisioning code. While
the O(10^3) affected domains are a small fraction of the
O(10^7) signed domains, they are a much larger fraction
of the signed domains for those particular providers.
Appeal: The number of domains with neglected outdated TLSA records
has grown to ~600. PLEASE *monitor* your deployment, and
implement a cert/key rollover process that does not (even
temporarily) disrupt the validity of your certificate
chain as compared to the published (cached) TLSA records:
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
If you're willing and able to help reach out to the
operators of MX hosts with misconfigured TLSA RRsets,
please get in touch.
As of today I count 1,185,097 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host. The top 20 MX host providers by domain count
are:
710477 one.com
126697 transip.nl
97776 domeneshop.no
36407 active24.com
32344 vevida.com
27345 web4u.cz
24153 udmedia.de
15734 flexfilter.nl
13127 zxcs.nl
13003 onebit.cz
11082 bhosted.nl
6024 netzone.ch
5644 previder.nl
3768 ips.nl
3393 interconnect.nl
2574 provalue.nl
2277 nederhost.nl
1694 nmugroup.com
1573 yourdomainprovider.net
1322 hi7.de
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
5347 TOTAL
1782 DE, Germany
1123 US, United States
745 NL, Netherlands
382 FR, France
220 GB, United Kingdom
173 CZ, Czechia
122 CA, Canada
86 SG, Singapore
73 SE, Sweden
72 CH, Switzerland
58 DK, Denmark
43 AT, Austria
41 FI, Finland
40 IE, Ireland
38 PL, Poland
37 BR, Brazil
34 AU, Australia
29 JP, Japan
27 RU, Russia
20 IT, Italy
IPv6 is still comparatively rare for MX hosts, and the top 20
countries by DANE MX host IPv6 GeoIP are:
1884 TOTAL
711 DE, Germany
314 NL, Netherlands
217 FR, France
165 US, United States
121 CZ, Czechia
72 GB, United Kingdom
39 SE, Sweden
36 RU, Russia
31 CH, Switzerland
22 AT, Austria
19 CA, Canada
15 IE, Ireland
13 NO, Norway
11 SI, Slovenia
11 AU, Australia
10 FI, Finland
10 DK, Denmark
10 BR, Brazil
5 LT, Republic of Lithuania
5 IT, Italy
There are 4505 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed.
The number of published MX host TLSA RRsets found is 6827. These
cover 7282 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of domains that at some point were listed in Gmail's
email transparency report is 255 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 136 are in recent (last 90 days of) reports:
univie.ac.at posteo.de mailplus.nl
gmx.at ruhr-uni-bochum.de markteffectmail.nl
transip.be tum.de minbzk.nl
nic.br uni-erlangen.de mm1.nl
registro.br uni-muenchen.de ouderportaal.nl
gmx.ch unitybox.de overheid.nl
open.ch unitymedia.de pathe.nl
anubisnetworks.com web.de photofacts.nl
fmc-na.com egmontpublishing.dk politie.nl
gmx.com netic.dk previder.nl
habr.com tilburguniversity.edu rijksoverheid.nl
hotelsinduitsland.com web200.eu rotterdam.nl
kpn.com zone.eu rvo.nl
mail.com ac-strasbourg.fr specsaversrelation.nl
one.com insee.fr ssonet.nl
solvinity.com octopuce.fr transip.nl
t-2.com web200.hu truetickets.nl
telfort.com 247superhost.net utwente.nl
trashmail.com comcast.net uvt.nl
xfinity.com dd24.net xs4all.nl
xfinityhomesecurity.com dns-oarc.net domeneshop.no
xfinitymobile.com gmx.net handelsbanken.no
active24.cz habramail.net uib.no
atlas.cz hr-manager.net webcruitermail.no
centrum.cz inexio.net atelkamera.nu
cuni.cz mpssec.net aegee.org
itesco.cz procurios.net debian.org
klubpevnehozdravi.cz riseup.net freebsd.org
nic.cz t-2.net gentoo.org
onebit.cz transip.net ietf.org
server4u.cz transversal.net isc.org
smtp.cz vevida.net netbsd.org
virusfree.cz xs4all.net openssl.org
volny.cz xworks.net ozlabs.org
allsecur.de belastingdienst.nl samba.org
bayern.de bhosted.nl torproject.org
bund.de bluerail.nl asf.com.pt
elster.de boekwinkeltjes.nl moikrug.ru
fau.de corpoflow.nl boplatssyd-automail.se
freenet.de denhaag.nl handelsbanken.se
gmx.de dictu.nl minmyndighetspost.se
jpberlin.de digid.nl personligalmanacka.se
kabelmail.de hierinloggen.nl skatteverket.se
lrz.de hr.nl govtrack.us
mail.de interconnect.nl
mensa.de intermax.nl
Of the ~1.18 million domains, 2533 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 615. Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure. See:
https://dane.sys4.de/common_mistakes
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
759. The top 10 name server operators with problem domains are:
174 mijnhostingpartner.nl
40 metaregistrar.nl
34 tiscomhosting.nl
34 movenext.nl
34 dotserv.com
31 nrdns.nl
20 sylconia.nl
14 is.nl
12 dnscluster.nl
11 vultr.com
[ Both epik.com and binero.se have resolved all issues since last month.
And mijnhostingpartner.nl is making great progress, if the root cause
is resolved this month, this could be the last time they're mentioned
here in a negative light.
Eight of the ten problem providers are Dutch. It would be great if
SIDN could apply some carrot and stick to incent .NL hosting providers
to have correctly working DNSSEC implementations. ]
If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.
Nine of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt01.gov.br
trtrio.gov.br
trt1.jus.br
trtrj.jus.br
key.com
keybank.com
sauditelecom.com.sa
bog.gov.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist. I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
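The checks the post asks operators to run (every MX host covered by a well-formed, SMTP-usable TLSA RRset; records still matching the chain the host presents; a rollover verified against the new chain before it goes live), as an added Python example that is not part of the original post nor Viktor's survey tooling. All hostnames, the TLSA zone data and the "certificate" byte strings are constructed stand-ins; a real monitor would fetch the MX and _25._tcp.<mx> TLSA RRsets through a DNSSEC-validating resolver and take the chain from the host's STARTTLS handshake.

```python
"""Offline DANE-for-SMTP TLSA checker on constructed data (added example)."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes


DIGEST_LEN = {1: 32, 2: 64}


def parse_tlsa(rdata):
    """Parse presentation format '3 1 1 <hex>'; ValueError if malformed."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("TLSA needs usage, selector, mtype and data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown usage/selector/matching type")
    if not data or (mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]):
        raise ValueError("association data length does not fit matching type")
    return TLSA(usage, selector, mtype, data)


def load_tlsa(zone):
    """Map MX host -> parsed TLSA RRs; a malformed record raises, as it should
    alert the operator rather than be silently ignored."""
    return {host: [parse_tlsa(r) for r in rrs] for host, rrs in zone.items()}


def usable_for_smtp(rr):
    """RFC 7672: SMTP clients use only DANE-TA(2) and DANE-EE(3) records."""
    return rr.usage in (2, 3)


def tlsa_matches(rr, cert_der, spki_der):
    """Compare one record with the object its selector picks from a cert."""
    obj = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return obj == rr.data
    digest = hashlib.sha256 if rr.mtype == 1 else hashlib.sha512
    return digest(obj).digest() == rr.data


def host_status(rrs, chain):
    """chain: [(cert_der, spki_der), ...], leaf first. DANE-EE matches the
    leaf; DANE-TA matches an issuer (path validation to that TA omitted).
    'mismatch' is the usual symptom of a key rollover that left stale TLSA."""
    usable = [r for r in rrs if usable_for_smtp(r)]
    if not usable:
        return "no-usable-tlsa"
    leaf, issuers = chain[0], chain[1:]
    for rr in usable:
        if rr.usage == 3 and tlsa_matches(rr, *leaf):
            return "match"
        if rr.usage == 2 and any(tlsa_matches(rr, *c) for c in issuers):
            return "match"
    return "mismatch"


def classify_domain(mx_hosts, tlsa_by_host):
    """'dane' if every MX host has a usable TLSA RRset, 'partial' if only
    some do (still open to active attacks via the rest), else 'none'."""
    covered = sum(
        1 for h in mx_hosts
        if any(usable_for_smtp(r) for r in tlsa_by_host.get(h, ()))
    )
    return "dane" if covered == len(mx_hosts) else ("partial" if covered else "none")


def safe_to_rollover(rrs, current_chain, next_chain):
    """Pre-rollover gate: the published RRset must match both the chain in
    use and the one about to be deployed, so cached records never go stale."""
    return host_status(rrs, current_chain) == "match" and \
        host_status(rrs, next_chain) == "match"


# Constructed stand-ins for DER objects (not real certificates).
LEAF_DER, LEAF_SPKI = b"constructed-leaf-cert", b"constructed-leaf-spki"
NEW_LEAF_DER, NEW_LEAF_SPKI = b"constructed-new-leaf-cert", b"constructed-new-leaf-spki"
OLD_SPKI = b"constructed-pre-rollover-spki"
ISSUER_DER, ISSUER_SPKI = b"constructed-issuer-cert", b"constructed-issuer-spki"
CHAIN = [(LEAF_DER, LEAF_SPKI), (ISSUER_DER, ISSUER_SPKI)]
NEXT_CHAIN = [(NEW_LEAF_DER, NEW_LEAF_SPKI), (ISSUER_DER, ISSUER_SPKI)]

sha256_hex = lambda b: hashlib.sha256(b).hexdigest()  # noqa: E731
MX_HOSTS = ["mx1.example.net", "mx2.example.net", "mx3.example.net"]
TLSA_ZONE = {  # constructed _25._tcp.<mx> RRsets; mx3 publishes none
    "mx1.example.net": ["3 1 1 " + sha256_hex(LEAF_SPKI),
                        "2 1 1 " + sha256_hex(ISSUER_SPKI)],
    "mx2.example.net": ["3 1 1 " + sha256_hex(OLD_SPKI)],  # stale after rollover
}

if __name__ == "__main__":
    rrs = load_tlsa(TLSA_ZONE)
    print("domain:", classify_domain(MX_HOSTS, rrs))
    for host in MX_HOSTS:
        print(host, host_status(rrs.get(host, []), CHAIN))
    print("mx1 rollover safe:", safe_to_rollover(rrs["mx1.example.net"], CHAIN, NEXT_CHAIN))
```

mx1 shows the "3 1 1 + 2 1 1" pattern from RFC 7671 section 8.4: the DANE-TA record keeps matching across leaf renewals from the same issuer, so the rollover gate passes. mx2 has only a DANE-EE digest of the previous key and reports a mismatch, which is exactly the neglected-record case the post counts. Before removing any old record after a rollover, also wait at least one TLSA TTL so resolvers holding the cached RRset never see a chain it does not cover.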