Update on stats 2019-08

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Sep 3 00:12:28 CEST 2019

Summary:  The DANE domain count is now 1,227,756.

	  The number of domains that return DNSSEC-validated replies
	  in response to MX queries is  9,878,661.  Thus DANE TLSA
	  is deployed on ~12.42% of domains with DNSSEC.

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 1,227,756 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count

  734903 one.com
  127486 transip.nl
   98404 domeneshop.no
   36596 active24.com
   32070 vevida.com
   26968 web4u.cz
   24317 udmedia.de
   16392 bhosted.nl
   15667 flexfilter.nl
   13799 zxcs.nl
   13156 onebit.cz
    7109 protonmail.ch
    6010 netzone.ch
    5620 previder.nl
    3664 ips.nl
    3298 interconnect.nl
    2572 provalue.nl
    2225 nederhost.nl
    1913 spamcluster.nl
    1701 nmugroup.com

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat

  6089 TOTAL
  1917 DE, Germany
  1385 US, United States
   839 NL, Netherlands
   414 FR, France
   274 GB, United Kingdom
   181 CZ, Czechia
   143 CA, Canada
   128 SG, Singapore
    78 CH, Switzerland
    71 SE, Sweden
    59 DK, Denmark
    51 JP, Japan
    49 AT, Austria
    48 FI, Finland
    45 IE, Ireland
    43 AU, Australia
    39 PL, Poland
    38 IN, India
    32 BR, Brazil
    28 RU, Russia

IPv6 is less common than IPv4 for MX hosts (but improved IPv6
connectivity on my end this month finds more IPv6 DANE MTAs), and
the top 20 countries by DANE MX host IPv6 GeoIP are:

  3002 TOTAL
  1172 DE, Germany
   523 US, United States
   410 NL, Netherlands
   254 FR, France
   116 CZ, Czechia
   110 GB, United Kingdom
    43 SG, Singapore
    41 RU, Russia
    35 CH, Switzerland
    34 SE, Sweden
    34 CA, Canada
    26 JP, Japan
    24 AT, Austria
    18 IE, Ireland
    15 IN, India
    15 DK, Denmark
    14 SI, Slovenia
    14 AU, Australia
    13 NO, Norway
    12 ID, Indonesia

There are 4654 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers

The number of published MX host TLSA RRsets found is 7097.  These
cover 7555 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 263 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 134 are in recent (last 90 days of) reports:

  univie.ac.at             kabelmail.de           intermax.nl
  gmx.at                   lrz.de                 mailplus.nl
  nic.br                   mail.de                markteffectmail.nl
  registro.br              mensa.de               mm1.nl
  gmx.ch                   posteo.de              ouderportaal.nl
  open.ch                  ruhr-uni-bochum.de     overheid.nl
  protonmail.ch            tum.de                 parlement.nl
  anubisnetworks.com       uni-erlangen.de        pathe.nl
  fmc-na.com               unitybox.de            photofacts.nl
  gmx.com                  unitymedia.de          politie.nl
  habr.com                 web.de                 previder.nl
  hotelsinduitsland.com    egmontpublishing.dk    rvo.nl
  kpn.com                  netic.dk               transip.nl
  mail.com                 tilburguniversity.edu  truetickets.nl
  mammoetmail.com          web200.eu              tweedekamer.nl
  metafaq.com              zone.eu                uitgeverijpica.nl
  one.com                  ac-strasbourg.fr       utwente.nl
  protonmail.com           octopuce.fr            uvt.nl
  societe.com              web200.hu              xs4all.nl
  solvinity.com            247superhost.net       domeneshop.no
  t-2.com                  comcast.net            handelsbanken.no
  telfort.com              dns-oarc.net           uib.no
  trashmail.com            gmx.net                webcruitermail.no
  xfinity.com              habramail.net          atelkamera.nu
  xfinityhomesecurity.com  hr-manager.net         aegee.org
  xfinitymobile.com        inexio.net             debian.org
  active24.cz              mpssec.net             freebsd.org
  atlas.cz                 procurios.net          gentoo.org
  centrum.cz               riseup.net             ietf.org
  cuni.cz                  t-2.net                isc.org
  itesco.cz                transip.net            netbsd.org
  klubpevnehozdravi.cz     transversal.net        openssl.org
  nic.cz                   vevida.net             ozlabs.org
  onebit.cz                xs4all.net             samba.org
  smtp.cz                  xworks.net             torproject.org
  virusfree.cz             belastingdienst.nl     whatpulse.org
  volny.cz                 bhosted.nl             asf.com.pt
  allsecur.de              billybird.nl           moikrug.ru
  bayern.de                bluerail.nl            boplatssyd-automail.se
  bund.de                  boozyshop.nl           handelsbanken.se
  elster.de                corpoflow.nl           minmyndighetspost.se
  fau.de                   dictu.nl               personligalmanacka.se
  freenet.de               digid.nl               skatteverket.se
  gmx.de                   hr.nl                  govtrack.us
  jpberlin.de              interconnect.nl

Of the ~1.23 million domains, 2868 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 537.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:


To avoid getting listed, please make sure to monitor the validity
of your own TLSA records, and implement a reliable key rotation
procedure.  See:



After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
1278.  The top 10 name server operators with problem domains are:

  526 mijnhostingpartner.nl
   44 movenext.nl
   39 metaregistrar.nl
   38 gransy.com
   33 tiscomhosting.nl
   31 nrdns.nl
   26 hostnet.nl
   21 sylconia.net
   16 serv-ict.net
   16 axc.nl

  [ The above list no longer includes "dotserv.com" where all issues were
    recently resolved.  Thanks!  Nine of the ten problem providers
    are Dutch!  It would be great if SIDN could apply some carrot
    and stick to incent .NL hosting providers to have correctly
    working DNSSEC implementations. ]

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage

Eight of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.

More information about the dane-users mailing list