Update on stats 2019-04

Viktor Dukhovni ietf-dane at dukhovni.org
Wed May 1 23:54:54 CEST 2019


Summary:  The DANE domain count is now 1,122,806

	  The number of domains that return DNSSEC-validated replies
	  in response to MX queries is 9,596,909.  Thus DANE TLSA
	  is deployed on 11.69% of domains with DNSSEC.

Appeal:	  The number of domains with neglected outdated TLSA records
	  has grown to ~500.  PLEASE *monitor* your deployment, and
	  implement a cert/key rollover process that does not (even
	  temporarily) disrupt the validity of your certificate
	  chain as compared to the published (cached) TLSA records:

	    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

	  If you're willing and able to help reach out to the
	  operators of MX hosts with misconfigured TLSA RRsets,
	  please get in touch.

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 1,122,806 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count
are:

  684247 one.com
  124234 transip.nl
   96829 domeneshop.no
   36048 active24.com
   32637 vevida.com
   24093 udmedia.de
   15998 flexfilter.nl
   13011 onebit.cz
   11310 zxcs.nl
   10924 bhosted.nl
    5995 netzone.ch
    5642 previder.nl
    3876 ips.nl
    3434 interconnect.nl
    2487 provalue.nl
    2331 nederhost.nl
    1630 nmugroup.com
    1431 yourdomainprovider.net
    1323 hi7.de
    1311 xcellerate.nl

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  5123 TOTAL
  1710 DE, Germany
  1055 US, United States
   689 NL, Netherlands
   393 FR, France
   218 GB, United Kingdom
   177 CZ, Czechia
   111 CA, Canada
    84 SG, Singapore
    71 CH, Switzerland
    70 SE, Sweden
    55 DK, Denmark
    46 IE, Ireland
    39 AU, Australia
    39 AT, Austria
    37 FI, Finland
    37 BR, Brazil
    30 PL, Poland
    26 RU, Russia
    24 JP, Japan
    20 NO, Norway

IPv6 is still comparatively rare for MX hosts, and the top 20
countries by DANE MX host IPv6 GeoIP are:

  1897 TOTAL
   721 DE, Germany
   315 NL, Netherlands
   226 FR, France
   140 US, United States
   115 CZ, Czechia
    81 GB, United Kingdom
    44 SE, Sweden
    30 CH, Switzerland
    27 CA, Canada
    24 RU, Russia
    20 AT, Austria
    16 IE, Ireland
    14 NO, Norway
    12 SI, Slovenia
    11 AU, Australia
    10 FI, Finland
     9 UA, Ukraine
     9 DK, Denmark
     7 PL, Poland
     7 BE, Belgium

There are 4334 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 6402.  These
cover 6840 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 234 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 122 are in recent (last 90 days of) reports:

  univie.ac.at             tu-darmstadt.de        markteffectmail.nl
  gmx.at                   tum.de                 minbzk.nl
  nic.br                   uni-erlangen.de        ouderportaal.nl
  registro.br              uni-muenchen.de        overheid.nl
  gmx.ch                   unitybox.de            pathe.nl
  open.ch                  unitymedia.de          photofacts.nl
  anubisnetworks.com       web.de                 photofactsacademy.nl
  fmc-na.com               egmontpublishing.dk    politie.nl
  gmx.com                  netic.dk               previder.nl
  habr.com                 sitnet.dk              rijksoverheid.nl
  hotelsinduitsland.com    tilburguniversity.edu  rvo.nl
  mail.com                 zone.eu                ssonet.nl
  one.com                  dovecot.fi             transip.nl
  solvinity.com            ac-strasbourg.fr       truetickets.nl
  t-2.com                  insee.fr               uvt.nl
  trashmail.com            octopuce.fr            xs4all.nl
  xfinity.com              web200.hu              domeneshop.no
  xfinityhomesecurity.com  comcast.net            handelsbanken.no
  xfinitymobile.com        dns-oarc.net           uib.no
  active24.cz              gmx.net                webcruitermail.no
  atlas.cz                 habramail.net          atelkamera.nu
  centrum.cz               hr-manager.net         aegee.org
  cuni.cz                  inexio.net             debian.org
  itesco.cz                mpssec.net             freebsd.org
  klubpevnehozdravi.cz     procurios.net          gentoo.org
  onebit.cz                riseup.net             ietf.org
  smtp.cz                  t-2.net                isc.org
  virusfree.cz             transip.net            netbsd.org
  volny.cz                 vevida.net             openssl.org
  bayern.de                xs4all.net             ozlabs.org
  bund.de                  atletiekunie.nl        samba.org
  elster.de                bhosted.nl             torproject.org
  fau.de                   boekwinkeltjes.nl      asf.com.pt
  freenet.de               corpoflow.nl           moikrug.ru
  gmx.de                   denhaag.nl             handelsbanken.se
  jpberlin.de              dictu.nl               iis.se
  lrz.de                   digid.nl               minmyndighetspost.se
  mail.de                  hierinloggen.nl        personligalmanacka.se
  mensa.de                 interconnect.nl        skatteverket.se
  posteo.de                intermax.nl            govtrack.us
  ruhr-uni-bochum.de       mailplus.nl

Of the ~1.12 million domains, 2494 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 567.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
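One way to model the checks behind the "partial" and "incorrect TLSA" categories above and the rollover advice in the appeal, as an added example that is not part of the original post or of the author's survey tooling (host names, SPKI bytes and RRset tuples are constructed placeholders; only DANE-EE(3) SPKI(1) SHA2-256(1) records are modelled):

```python
import hashlib

def spki_digest(spki_der):
    """TLSA matching type 1 (SHA2-256) over selector 1 (SubjectPublicKeyInfo)."""
    return hashlib.sha256(spki_der).hexdigest()

def tlsa_matches(served_spki, rrset):
    """True if a DANE-EE(3) SPKI(1) SHA2-256(1) record matches the served key."""
    digest = spki_digest(served_spki)
    return any(u == 3 and s == 1 and m == 1 and d == digest for u, s, m, d in rrset)

def classify_domain(mx_hosts, tlsa, served):
    """mx_hosts: MX hostnames; tlsa: host -> published RRset (missing = none);
    served: host -> SPKI bytes, or None for a host that never accepts connections.
    Returns 'dane', 'partial', 'broken' or 'none' in the post's terminology."""
    with_tlsa = [h for h in mx_hosts if tlsa.get(h)]
    if not with_tlsa:
        return "none"
    for h in with_tlsa:
        # A dead host only needs a well-formed RRset; a live one must match.
        if served.get(h) is not None and not tlsa_matches(served[h], tlsa[h]):
            return "broken"
    return "partial" if len(with_tlsa) < len(mx_hosts) else "dane"

def first_broken_step(rollover):
    """rollover: list of (published RRset, served SPKI) snapshots in order.
    Returns the index of the first snapshot where the served key has no
    matching TLSA record, or -1 if the rollover never breaks validation."""
    for i, (rrset, spki) in enumerate(rollover):
        if not tlsa_matches(spki, rrset):
            return i
    return -1

# Constructed sample keys (placeholders standing in for real SPKI DER bytes).
OLD_KEY, NEW_KEY = b"constructed-old-spki", b"constructed-new-spki"
OLD_REC = (3, 1, 1, spki_digest(OLD_KEY))
NEW_REC = (3, 1, 1, spki_digest(NEW_KEY))

# Correct rollover: pre-publish the new record, wait out the TTL, switch the
# key, then retire the old record. Every snapshot keeps a matching record.
GOOD_ROLLOVER = [([OLD_REC], OLD_KEY), ([OLD_REC, NEW_REC], OLD_KEY),
                 ([OLD_REC, NEW_REC], NEW_KEY), ([NEW_REC], NEW_KEY)]
# Neglected rollover: the key is replaced while only the stale record exists.
BAD_ROLLOVER = [([OLD_REC], OLD_KEY), ([OLD_REC], NEW_KEY), ([NEW_REC], NEW_KEY)]

# Constructed domain: mx1 has a matching record, the backup mx2 has none.
SAMPLE_MX = ["mx1.example", "mx2.example"]
SAMPLE_TLSA = {"mx1.example": [OLD_REC]}
SAMPLE_SERVED = {"mx1.example": OLD_KEY, "mx2.example": OLD_KEY}

if __name__ == "__main__":
    print(classify_domain(SAMPLE_MX, SAMPLE_TLSA, SAMPLE_SERVED))  # partial
    print(first_broken_step(GOOD_ROLLOVER), first_broken_step(BAD_ROLLOVER))  # -1 1
```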

After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
729.  The top 10 name server operators with problem domains are:

 194 mijnhostingpartner.nl
  38 metaregistrar.nl
  34 tiscomhosting.nl
  33 dotserv.com
  32 binero.se
  31 nrdns.nl
  29 movenext.nl
  26 sylconia.net
  26 active24.cz
  16 nazwa.pl

  [ All issues at last month's #2 epik.com are now resolved.
    Their prompt attention and action is appreciated.

    Around half of the mijnhostingpartner.nl domains err only in
    having an extraneous 512-bit RSA ZSK for algorithm 7 which is
    not used to sign the zone, but leaves the door open to attacks.
    It also violates a requirement for each algorithm in the DNSKEY
    RRset to have at least one active key.  Violation of the algorithm
    agility requirement is unlikely to cause interoperability problems
    in this particular case, but given the needlessly weak keys, I've
    decided to continue to track these until all the extraneous keys
    are gone. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

Seven of the domains all of whose nameservers have broken denial of
existence appear in historical Google reports:

  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  accenturealumni.com
  rackeo.host
  sauditelecom.com.sa

-- 
        Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
