Update on stats 2019-02

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Mar 1 08:04:58 CET 2019


Summary:  The DANE domain count is now 1,076,237

	  The number of domains that return DNSSEC-validated replies
	  in response to MX queries is 9,397,166.  Thus DANE TLSA
	  is deployed on 11.45% of domains with DNSSEC.
	    
Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 1,076,237 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count
are:

  679515 one.com
  121564 transip.nl
   96967 domeneshop.no
   35708 active24.com
   32613 vevida.com
   24067 udmedia.de
   12902 onebit.cz
   10954 bhosted.nl
    5628 previder.nl
    3591 interconnect.nl
    2499 provalue.nl
    2361 nederhost.nl
    1653 nmugroup.com
    1460 yourdomainprovider.net
    1330 hi7.de
    1316 prolocation.net
    1285 xcellerate.nl
    1261 surfmailfilter.nl
    1101 soverin.net
     827 mailbox.org

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  4801 TOTAL
  1629 DE, Germany
  1001 US, United States
   658 NL, Netherlands
   356 FR, France
   188 GB, United Kingdom
   161 CZ, Czechia
    97 CA, Canada
    78 SG, Singapore
    68 CH, Switzerland
    64 SE, Sweden
    47 DK, Denmark
    43 IE, Ireland
    42 BR, Brazil
    38 AT, Austria
    36 AU, Australia
    30 FI, Finland
    26 PL, Poland
    26 JP, Japan
    24 RU, Russia
    18 NO, Norway

IPv6 is still comparatively rare for MX hosts, and the top 20
countries by DANE MX host IPv6 GeoIP are:

  1834 TOTAL
   664 DE, Germany
   320 NL, Netherlands
   207 FR, France
   162 US, United States
   117 CZ, Czechia
    82 GB, United Kingdom
    35 SE, Sweden
    32 RU, Russia
    30 CH, Switzerland
    23 CA, Canada
    20 AT, Austria
    13 IE, Ireland
    12 DK, Denmark
    11 NO, Norway
    11 AU, Australia
     9 SI, Slovenia
     9 FI, Finland
     8 UA, Ukraine
     6 IT, Italy
     5 SK, Slovakia

There are 4032 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 5941.  These
cover 6373 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 225 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 113 are in recent (last 90 days of) reports:

  univie.ac.at             posteo.de              ouderportaal.nl
  gmx.at                   ruhr-uni-bochum.de     overheid.nl
  nic.br                   tu-darmstadt.de        pathe.nl
  registro.br              tum.de                 photofacts.nl
  gmx.ch                   uni-erlangen.de        photofactsacademy.nl
  open.ch                  unitybox.de            politie.nl
  anubisnetworks.com       unitymedia.de          rijksoverheid.nl
  fmc-na.com               web.de                 ssonet.nl
  gmx.com                  dk-hostmaster.dk       transip.nl
  habr.com                 egmontpublishing.dk    truetickets.nl
  hotelsinduitsland.com    netic.dk               utwente.nl
  kpn.com                  tilburguniversity.edu  uvt.nl
  mail.com                 dovecot.fi             xs4all.nl
  one.com                  insee.fr               domeneshop.no
  solvinity.com            octopuce.fr            handelsbanken.no
  t-2.com                  web200.hu              webcruitermail.no
  telfort.com              comcast.net            atelkamera.nu
  trashmail.com            dd24.net               aegee.org
  xfinity.com              gmx.net                debian.org
  xfinityhomesecurity.com  habramail.net          freebsd.org
  xfinitymobile.com        hr-manager.net         gentoo.org
  active24.cz              inexio.net             ietf.org
  cuni.cz                  mpssec.net             isc.org
  itesco.cz                procurios.net          mailbox.org
  klubpevnehozdravi.cz     riseup.net             netbsd.org
  onebit.cz                t-2.net                openssl.org
  smtp.cz                  transip.net            ozlabs.org
  virusfree.cz             vevida.net             samba.org
  allsecur.de              xs4all.net             torproject.org
  bayern.de                ardanta.nl             asf.com.pt
  bund.de                  atletiekunie.nl        handelsbanken.se
  elster.de                bhosted.nl             iis.se
  fau.de                   boozyshop.nl           minmyndighetspost.se
  freenet.de               hierinloggen.nl        personligalmanacka.se
  gmx.de                   interconnect.nl        skatteverket.se
  jpberlin.de              intermax.nl            t-2.si
  lrz.de                   mailplus.nl            govtrack.us
  mail.de                  minbzk.nl

Of the DANE email domains, 2014 are listed in the Alexa top 1 million
(web site) list.

Of the ~1.08 million domains, 2324 have "partial" TLSA records,
that cover only a subset of the MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable
to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 259.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
525.  The top 10 name server operators with problem domains are:

  35 dotserv.com
  34 tiscomhosting.nl
  31 schefczyk.net
  31 nrdns.nl
  30 sylconia.net
  25 metaregistrar.nl
  24 active24.cz	(customer zones with broken wildcard cnames)
  21 nazwa.pl		(customer zones with broken wildcard NS RRs)
  19 movenext.nl
  12 is.nl

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

Seven of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:

  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  accenturealumni.com
  rackeo.host
  sauditelecom.com.sa

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
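The post distinguishes domains with "full" TLSA coverage from those with "partial" coverage (only some MX hosts have TLSA records) and from those with incorrect records, and asks operators to monitor the validity of their own records. The script below is an added example written for this page, not code from the post or from the survey it describes. It classifies a domain into those buckets from MX and TLSA data in DNS presentation format, checking each record for the usages usable in SMTP (DANE-TA(2) and DANE-EE(3), RFC 7672) and for association data of the length its matching type requires (RFC 6698). The TLSA owner-name convention `_25._tcp.<mx host>` is the real one from RFC 7672; the domain names, hosts and records in `SAMPLE_MX` and `SAMPLE_TLSA` are constructed for the example. A real check would fetch the RRsets through a DNSSEC-validating resolver and also compare the TLSA data against each host's live certificate, which this offline example does not do.

```python
"""Classify a domain's SMTP DANE TLSA coverage across its MX hosts.

Added example for this page, not the post's own code.  Works on
constructed sample data; no DNS queries or TLS connections are made.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

# Association-data length in bytes per matching type (RFC 6698 section 2.1.3).
# None: full certificate/SPKI, so any non-empty length is acceptable.
MATCHING_TYPE_LEN: Dict[int, Optional[int]] = {0: None, 1: 32, 2: 64}
# Only DANE-TA(2) and DANE-EE(3) are usable for SMTP (RFC 7672 section 3.1.1).
SMTP_USAGES = {2, 3}

# Presentation format: "<usage> <selector> <matching type> <hex data>"
TLSA_RE = re.compile(r"^(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def tlsa_problem(record: str) -> Optional[str]:
    """Return None if a TLSA record is well-formed and usable for SMTP, else why not."""
    m = TLSA_RE.match(record.strip())
    if not m:
        return "unparseable TLSA record"
    usage, selector, mtype = (int(m.group(i)) for i in (1, 2, 3))
    data = re.sub(r"\s+", "", m.group(4))
    if usage not in SMTP_USAGES:
        return f"usage {usage} is not usable for SMTP (expected 2 or 3)"
    if selector not in (0, 1):
        return f"unknown selector {selector}"
    if mtype not in MATCHING_TYPE_LEN:
        return f"unknown matching type {mtype}"
    if len(data) % 2:
        return "odd number of hex digits in association data"
    expected = MATCHING_TYPE_LEN[mtype]
    if expected is not None and len(data) != 2 * expected:
        return f"matching type {mtype} needs {expected} bytes, got {len(data) // 2}"
    return None


def classify_domain(mx_hosts: List[str], tlsa: Dict[str, List[str]]) -> Tuple[str, Dict[str, str]]:
    """Return (status, per-host detail) for a domain.

    tlsa maps the SMTP TLSA owner name "_25._tcp.<mx host>" to its records.
    status is "full" (every MX host has a usable RRset), "partial" (only some
    do), "none" (no host does) or "broken" (some host publishes an RRset with
    no usable record).  Unusable records next to usable ones are reported but
    do not make the host unusable.
    """
    detail: Dict[str, str] = {}
    usable: Set[str] = set()
    for host in mx_hosts:
        records = tlsa.get(f"_25._tcp.{host.rstrip('.')}", [])
        if not records:
            detail[host] = "no TLSA records"
            continue
        problems = [p for p in map(tlsa_problem, records) if p]
        if len(problems) < len(records):  # at least one usable record
            usable.add(host)
            detail[host] = "ok" if not problems else "ok, ignoring: " + "; ".join(problems)
        else:
            detail[host] = "unusable RRset: " + "; ".join(problems)
    if not mx_hosts:
        return "none", detail
    if any(h not in usable and detail[h] != "no TLSA records" for h in mx_hosts):
        return "broken", detail
    if len(usable) == len(set(mx_hosts)):
        return "full", detail
    return ("partial" if usable else "none"), detail


def survey(mx_map: Dict[str, List[str]], tlsa: Dict[str, List[str]]) -> Dict[str, str]:
    """Status per domain, the shape of the counts reported in the post."""
    return {domain: classify_domain(hosts, tlsa)[0] for domain, hosts in mx_map.items()}


# Constructed sample data (not real domains or records).
SAMPLE_MX = {
    "full.example": ["mx1.full.example", "mx2.full.example"],
    "partial.example": ["mx1.partial.example", "mx2.partial.example"],
    "broken.example": ["mx.broken.example"],
    "none.example": ["mx.none.example"],
}
SAMPLE_TLSA = {
    "_25._tcp.mx1.full.example": ["3 1 1 " + "ab" * 32],
    "_25._tcp.mx2.full.example": ["2 0 1 " + "cd" * 32, "3 1 2 " + "ef" * 64],
    "_25._tcp.mx1.partial.example": ["3 1 1 " + "01" * 32],
    # mx2.partial.example has no TLSA RRset at all: the "partial" case.
    "_25._tcp.mx.broken.example": ["3 1 1 deadbeef"],  # 4 bytes, not the 32 SHA-256 needs
}

if __name__ == "__main__":
    for domain, hosts in SAMPLE_MX.items():
        status, detail = classify_domain(hosts, SAMPLE_TLSA)
        print(f"{domain}: {status}")
        for host, note in detail.items():
            print(f"    {host}: {note}")
```

Running the script prints one status line per sample domain with a per-host reason, which is the output you would want from a periodic check of your own domain: anything other than "full" for every MX host, including the dead decoy hosts mentioned in the footnote, is worth an alert before it shows up in a list like the one linked above.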