Update on stats 2019-09

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Oct 1 04:10:17 CEST 2019

Summary:  The DANE domain count is now 1,334,411

	  A significant portion of this month's domain count increase
	  is a result of new DANE TLSA records at loopia.se, serving
	  just over 88 thousand domains.  Thank you loopia.se.

	  The number of domains that return DNSSEC-validated replies
	  in response to MX queries is  9,997,451.  Thus DANE TLSA
	  is deployed on ~13.34% of domains with DNSSEC.

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 1,334,411 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count

  741311 one.com
  130008 transip.nl
   98598 domeneshop.no
   88127 loopia.se
   36931 active24.com
   31978 vevida.com
   26891 web4u.cz
   24424 udmedia.de
   17089 bhosted.nl
   15705 zxcs.nl
   15680 flexfilter.nl
   13349 onebit.cz
    7394 protonmail.ch
    5978 netzone.ch
    5626 previder.nl
    4678 mailplatform.eu
    3635 ips.nl
    3279 interconnect.nl
    2578 provalue.nl
    2214 nederhost.nl

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat

  6227 TOTAL
  1964 DE, Germany
  1397 US, United States
   879 NL, Netherlands
   436 FR, France
   284 GB, United Kingdom
   187 CZ, Czechia
   140 CA, Canada
   128 SG, Singapore
    75 SE, Sweden
    73 CH, Switzerland
    58 DK, Denmark
    52 JP, Japan
    51 FI, Finland
    49 IE, Ireland
    45 AT, Austria
    44 AU, Australia
    40 IN, India
    36 PL, Poland
    32 BR, Brazil
    28 RU, Russia

IPv6 is less common than IPv4 for MX hosts (but improved IPv6
connectivity on my end this month finds more IPv6 DANE MTAs), and
the top 20 countries by DANE MX host IPv6 GeoIP are:

  3081 TOTAL
  1222 DE, Germany
   562 US, United States
   425 NL, Netherlands
   258 FR, France
   110 GB, United Kingdom
   105 CZ, Czechia
    43 SG, Singapore
    41 SE, Sweden
    32 CH, Switzerland
    30 CA, Canada
    27 JP, Japan
    25 RU, Russia
    25 AT, Austria
    19 IE, Ireland
    15 DK, Denmark
    14 NO, Norway
    14 IN, India
    13 AU, Australia
    12 SI, Slovenia
    12 ID, Indonesia

There are 4738 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers

The number of published MX host TLSA RRsets found is 7241.  These
cover 7766 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 273 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 142 are in recent (last 90 days of) reports:

  univie.ac.at             mensa.de               ouderportaal.nl
  gmx.at                   posteo.de              overheid.nl
  nic.br                   ruhr-uni-bochum.de     parlement.nl
  registro.br              tum.de                 pathe.nl
  buymyweedonline.ca       uni-erlangen.de        photofacts.nl
  gmx.ch                   unitybox.de            photofactsacademy.nl
  open.ch                  unitymedia.de          politie.nl
  protonmail.ch            web.de                 previder.nl
  anubisnetworks.com       egmontpublishing.dk    rijksoverheid.nl
  fmc-na.com               netic.dk               rvo.nl
  gmx.com                  tilburguniversity.edu  schuurman-schoenen.nl
  habr.com                 web200.eu              ssonet.nl
  hotelsinduitsland.com    zone.eu                transip.nl
  kpn.com                  ac-strasbourg.fr       truetickets.nl
  mail.com                 octopuce.fr            tweedekamer.nl
  mammoetmail.com          web200.hu              uitgeverijpica.nl
  metafaq.com              247superhost.net       utwente.nl
  one.com                  comcast.net            uvt.nl
  protonmail.com           dns-oarc.net           xs4all.nl
  societe.com              gmx.net                domeneshop.no
  solvinity.com            habramail.net          handelsbanken.no
  t-2.com                  hr-manager.net         uib.no
  telfort.com              inexio.net             webcruitermail.no
  trashmail.com            mpssec.net             atelkamera.nu
  xfinity.com              procurios.net          debian.org
  xfinityhomesecurity.com  riseup.net             freebsd.org
  xfinitymobile.com        t-2.net                gentoo.org
  active24.cz              transip.net            ietf.org
  atlas.cz                 transversal.net        isc.org
  centrum.cz               vevida.net             netbsd.org
  cuni.cz                  xs4all.net             openssl.org
  klubpevnehozdravi.cz     belastingdienst.nl     ozlabs.org
  onebit.cz                bhosted.nl             samba.org
  optimail.cz              billybird.nl           torproject.org
  smtp.cz                  bluerail.nl            whatpulse.org
  virusfree.cz             boozyshop.nl           asf.com.pt
  volny.cz                 corpoflow.nl           moikrug.ru
  web4u.cz                 dictu.nl               boplatssyd-automail.se
  allsecur.de              digid.nl               handelsbanken.se
  bayern.de                digistate.nl           loopia.se
  bund.de                  fontys.nl              minmyndighetspost.se
  elster.de                hr.nl                  personligalmanacka.se
  fau.de                   hro.nl                 skatteverket.se
  freenet.de               interconnect.nl        theletter.se
  gmx.de                   intermax.nl            truepos.se
  jpberlin.de              mailplus.nl            govtrack.us
  lrz.de                   minbzk.nl
  mail.de                  mm1.nl

Of the ~1.33 million domains, 2884 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 391.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:


To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:



After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
768.  The top 10 name server operators with problem domains are:

  164 mijnhostingpartner.nl
   49 movenext.nl
   41 metaregistrar.nl
   33 tiscomhosting.nl
   31 nrdns.nl
   26 hostnet.nl
   21 sylconia.net
   15 is.nl
   13 interhand.net
   12 dnscluster.nl

  [ The above list no longer includes "gransy.com" where all issues were
    recently resolved.  Thanks!  Nine of the ten problem providers
    are Dutch!  More progress by .NL DNS providers would be great. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage

Ten of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.

More information about the dane-users mailing list