Update on stats 2019-10

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Nov 1 19:43:13 CET 2019


Summary:  The DANE domain count is now 1,496,391

	  A significant portion of this month's domain count increase
	  is a result of one.com signing a large number of .DK domains,
	  120 thousand and counting.  Thank you one.com.

	  The number of domains that return DNSSEC-validated replies
	  in response to MX queries is 10,133,312.  Thus DANE TLSA
	  is deployed on ~14.76% of domains with DNSSEC.

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 1,496,391 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count
are:

  862263 one.com
  131061 transip.nl
   98911 domeneshop.no
   88102 loopia.se
   36969 active24.com
   31854 vevida.com
   26514 web4u.cz
   24392 udmedia.de
   17203 bhosted.nl
   16582 zxcs.nl
   15626 flexfilter.nl
   13333 onebit.cz
    7765 protonmail.ch
    5972 netzone.ch
    5608 previder.nl
    4683 mailplatform.eu
    3623 ips.nl
    3202 interconnect.nl
    2578 provalue.nl
    2321 zonemx.eu

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  5760 TOTAL
  1938 DE, Germany
  1159 US, United States
   834 NL, Netherlands
   417 FR, France
   236 GB, United Kingdom
   190 CZ, Czechia
   117 CA, Canada
    96 SG, Singapore
    80 CH, Switzerland
    76 SE, Sweden
    58 FI, Finland
    58 DK, Denmark
    48 AT, Austria
    46 IE, Ireland
    37 PL, Poland
    35 JP, Japan
    33 AU, Australia
    29 RU, Russia
    29 BR, Brazil
    24 IT, Italy

IPv6 is less common than IPv4 for MX hosts (but improved IPv6
connectivity on my end this month finds more IPv6 DANE MTAs), and
the top 20 countries by DANE MX host IPv6 GeoIP are:

  2975 TOTAL
  1220 DE, Germany
   510 US, United States
   422 NL, Netherlands
   244 FR, France
   105 CZ, Czechia
    95 GB, United Kingdom
    41 SE, Sweden
    36 CH, Switzerland
    35 SG, Singapore
    28 CA, Canada
    26 AT, Austria
    25 RU, Russia
    24 JP, Japan
    19 IE, Ireland
    16 DK, Denmark
    14 SI, Slovenia
    13 NO, Norway
    12 FI, Finland
    12 BR, Brazil
    11 ID, Indonesia

There are 4865 unique zones in which the underlying MX hosts are
found; this counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of servers
deployed.

The number of published MX host TLSA RRsets found is 7418.  These
cover 8194 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 275 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 142 are in recent (last 90 days of) reports:

  univie.ac.at             mensa.de               minbzk.nl
  gmx.at                   posteo.de              mm1.nl
  nic.br                   ruhr-uni-bochum.de     ouderportaal.nl
  registro.br              tum.de                 overheid.nl
  buymyweedonline.ca       uni-erlangen.de        parlement.nl
  gmx.ch                   uni-muenchen.de        pathe.nl
  open.ch                  unitybox.de            photofacts.nl
  protonmail.ch            unitymedia.de          photofactsacademy.nl
  anubisnetworks.com       web.de                 politie.nl
  fmc-na.com               egmontpublishing.dk    previder.nl
  gmx.com                  netic.dk               rijksoverheid.nl
  habr.com                 tilburguniversity.edu  rvo.nl
  hotelsinduitsland.com    web200.eu              schoudercom.nl
  kpn.com                  zone.eu                schuurman-schoenen.nl
  mail.com                 ac-strasbourg.fr       ssonet.nl
  mammoetmail.com          octopuce.fr            truetickets.nl
  metafaq.com              web200.hu              tweedekamer.nl
  one.com                  247superhost.net       uitgeverijpica.nl
  protonmail.com           comcast.net            utwente.nl
  solvinity.com            dns-oarc.net           uvt.nl
  t-2.com                  gmx.net                xs4all.nl
  telfort.com              habramail.net          domeneshop.no
  trashmail.com            hr-manager.net         handelsbanken.no
  xfinity.com              inexio.net             uib.no
  xfinityhomesecurity.com  mpssec.net             webcruitermail.no
  xfinitymobile.com        procurios.net          atelkamera.nu
  active24.cz              riseup.net             debian.org
  atlas.cz                 t-2.net                freebsd.org
  centrum.cz               transip.net            gentoo.org
  cuni.cz                  transversal.net        ietf.org
  klubpevnehozdravi.cz     vevida.net             isc.org
  onebit.cz                xs4all.net             netbsd.org
  optimail.cz              belastingdienst.nl     openssl.org
  smtp.cz                  bhosted.nl             ozlabs.org
  virusfree.cz             billybird.nl           samba.org
  volny.cz                 bluerail.nl            torproject.org
  web4u.cz                 boozyshop.nl           whatpulse.org
  allsecur.de              corpoflow.nl           moikrug.ru
  bayern.de                dictu.nl               boplatssyd-automail.se
  bund.de                  digid.nl               handelsbanken.se
  elster.de                digistate.nl           loopia.se
  fau.de                   ezorg.nl               minmyndighetspost.se
  freenet.de               fontys.nl              personligalmanacka.se
  gmx.de                   hr.nl                  skatteverket.se
  jpberlin.de              hro.nl                 theletter.se
  lc-srv.de                intermax.nl            govtrack.us
  lrz.de                   kingsquare.nl
  mail.de                  mailplus.nl

Of the ~1.49 million domains, 3142 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 393.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:

  https://github.com/danefail/list

To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
988.  The top 10 name server operators with problem domains are:

  255 mijnhostingpartner.nl
   59 egensajt.se
   48 movenext.nl
   43 metaregistrar.nl
   33 tiscomhosting.nl
   30 nrdns.nl
   29 webscale.co.za
   26 hostnet.nl
   21 sylconia.net
   14 is.nl

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage
possible.

Eight of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  mobily.com.sa
  sauditelecom.com.sa
  bog.gov.sa

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records (which
don't need to match anything, just need to exist and be well-formed),
there's no loss of security.
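The categories used throughout the report (correct at every MX host,
"partial" coverage of only some MX hosts, "broken" because a record
does not match or STARTTLS is missing, and dead MX hosts that only
need well-formed records) follow directly from RFC 7671/7672.  The
following is an added, stand-alone example that is not part of the
message above and not the author's survey tooling: it parses TLSA
records in presentation format, checks them for well-formedness and
SMTP usability, matches them against a certificate chain for selector
0/1 and matching type 0/1/2, and classifies a domain's MX set.  The
tiny DER walker and the certificates it checks are synthetic stand-ins
constructed inside the example so that it runs offline; the host names
(mx1.example etc.) and the `MXHost` shape are assumptions, and real
deployments should use a proper X.509 library rather than this parser.

```python
"""Offline check of SMTP DANE TLSA records against MX host certificate chains.

Added example (not the original post's code).  The DER helpers and the
certificates are synthetic, constructed here so the example runs offline.
"""
import hashlib
from dataclasses import dataclass


def der_tlv(data, offset=0):
    """Decode one DER TLV at offset -> (tag, value, offset_after)."""
    tag, length, pos = data[offset], data[offset + 1], offset + 2
    if length & 0x80:                                   # long-form length
        nbytes = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes
    return tag, data[pos:pos + length], pos + length


def der_children(value):
    """Decode the TLVs contained in a constructed (SEQUENCE) value."""
    out, off = [], 0
    while off < len(value):
        tag, val, off = der_tlv(value, off)
        out.append((tag, val))
    return out


def der_encode(tag, value):
    """Encode a TLV with minimal (DER) length encoding."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def spki_of(cert_der):
    """SubjectPublicKeyInfo DER of an X.509 certificate (TLSA selector 1)."""
    _, cert, _ = der_tlv(cert_der)
    fields = der_children(der_children(cert)[0][1])     # tbsCertificate
    if fields[0][0] == 0xA0:                            # skip EXPLICIT [0] version if present
        fields = fields[1:]
    tag, spki = fields[5]   # serial, sigAlg, issuer, validity, subject, subjectPublicKeyInfo
    return der_encode(tag, spki)


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

    @classmethod
    def parse(cls, rdata):
        """Parse presentation format, e.g. '3 1 1 <hex digest>'."""
        u, s, m, hexdata = rdata.split(None, 3)
        return cls(int(u), int(s), int(m), bytes.fromhex(hexdata.replace(" ", "")))

    def well_formed(self):
        """Known field values and association data of the right length for the digest."""
        want = {1: 32, 2: 48}.get(self.mtype)           # SHA2-256 / SHA2-512
        return (self.usage in (0, 1, 2, 3) and self.selector in (0, 1) and self.mtype in (0, 1, 2)
                and len(self.data) > 0 and (want is None or len(self.data) == want))

    def usable(self):
        """Usable for SMTP: PKIX-TA(0)/PKIX-EE(1) are not usable for opportunistic DANE (RFC 7672 3.1.3)."""
        return self.well_formed() and self.usage in (2, 3)


def tlsa_matches(rr, chain):
    """DANE-EE(3) matches the leaf; DANE-TA(2) matches an issuer certificate sent in the chain."""
    digest = {0: lambda b: b,
              1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}[rr.mtype]
    for cert in (chain[:1] if rr.usage == 3 else chain[1:]):
        assoc = cert if rr.selector == 0 else spki_of(cert)
        if digest(assoc) == rr.data:
            return True
    return False


@dataclass
class MXHost:
    name: str
    tlsa: list        # published _25._tcp.<name> TLSA RRs in presentation format
    chain: object     # list of DER certs presented after STARTTLS; None = host never connects
    starttls: bool


def classify_domain(hosts):
    """'dane' (every MX host covered), 'partial' (some MX hosts lack TLSA), 'broken', or 'none'."""
    with_tlsa = [h for h in hosts if h.tlsa]
    if not with_tlsa:
        return "none"
    for h in with_tlsa:
        rrs = [TLSA.parse(r) for r in h.tlsa]
        if not all(rr.well_formed() for rr in rrs):
            return "broken"         # malformed RRset
        if h.chain is None:
            continue                # dead host: well-formed RRs suffice, nothing to match (footnote [1])
        if not h.starttls:
            return "broken"         # TLSA published but STARTTLS not advertised
        if not any(rr.usable() and tlsa_matches(rr, h.chain) for rr in rrs):
            return "broken"         # no usable RR matches the presented certificate
    return "dane" if len(with_tlsa) == len(hosts) else "partial"


def make_fake_cert(key_bytes):
    """Structurally valid but meaningless X.509 DER: constructed test data, not a real certificate."""
    rsa_oid = der_encode(0x06, bytes.fromhex("2a864886f70d010101"))
    spki = der_encode(0x30, der_encode(0x30, rsa_oid + der_encode(0x05, b""))
                      + der_encode(0x03, b"\x00" + key_bytes))
    tbs = (der_encode(0xA0, der_encode(0x02, b"\x02")) + der_encode(0x02, b"\x01")
           + der_encode(0x30, b"") * 4 + spki)          # sigAlg, issuer, validity, subject left empty
    return der_encode(0x30, der_encode(0x30, tbs) + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))


def example_domains():
    """Constructed MX configurations (hypothetical hosts) mirroring the report's categories."""
    cur, nxt = make_fake_cert(bytes(range(256))), make_fake_cert(bytes(reversed(range(256))))
    rr = lambda cert: "3 1 1 " + hashlib.sha256(spki_of(cert)).hexdigest()
    rotating = [rr(cur), rr(nxt)]   # "current + next" published ahead of a key rollover (RFC 7671 8.1)
    return {
        "dane": [MXHost("mx1.example", rotating, [cur], True),
                 MXHost("mx-dead.example", ["3 1 1 " + "00" * 32], None, False)],
        "partial": [MXHost("mx1.example", rotating, [cur], True),
                    MXHost("mx2.example", [], [cur], True)],
        "broken": [MXHost("mx1.example", [rr(cur)], [nxt], True)],  # key rolled, TLSA never updated
    }


if __name__ == "__main__":
    for label, hosts in example_domains().items():
        print(f"{label:8s} -> {classify_domain(hosts)}")
```

The "rotating" RRset shows the rollover order RFC 7671 section 8.1
prescribes: the record for the next key is published alongside the
current one before the certificate changes, so the "broken" case (key
rolled, old 3 1 1 record still the only one) never occurs.  Monitoring
that the live chain still matches at least one usable record is the
check the post asks operators to automate.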

