Update on stats 2020-03

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Apr 1 08:42:59 CEST 2020


Summary:  The DANE domain count is now 1,877,704.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 10,922,412.  Thus DANE TLSA is
          deployed on ~17.19% of domains with DNSSEC.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 1,877,704 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1035802 one.com
   136509 transip.nl
   100753 domeneshop.no
    88719 loopia.se
    71404 infomaniak.ch
    38325 active24.com
    31059 vevida.com
    30605 antagonist.nl
    27536 webreus.nl
    26933 web4u.cz
    26278 zxcs.nl
    24969 udmedia.de
    17444 bhosted.nl
    15192 flexfilter.nl
    13854 onebit.cz
     9816 protonmail.ch
     5810 netzone.ch
     5631 previder.nl
     5477 soverin.net
     4872 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6347 TOTAL
  2111 DE, Germany
  1273 US, United States
   919 NL, Netherlands
   540 FR, France
   261 GB, United Kingdom
   215 CZ, Czechia
   154 CA, Canada
    87 CH, Switzerland
    82 SG, Singapore
    79 SE, Sweden
    71 DK, Denmark
    47 IE, Ireland
    45 AU, Australia
    41 AT, Austria
    32 JP, Japan
    28 IN, India
    28 BR, Brazil
    27 PL, Poland
    25 RU, Russia
    24 FI, Finland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3247 TOTAL
  1324 DE, Germany
   559 US, United States
   467 NL, Netherlands
   270 FR, France
   124 CZ, Czechia
    99 GB, United Kingdom
    39 SE, Sweden
    39 CH, Switzerland
    39 CA, Canada
    35 SG, Singapore
    25 RU, Russia
    24 AT, Austria
    20 IE, Ireland
    16 ID, Indonesia
    16 DK, Denmark
    15 AU, Australia
    14 NO, Norway
    14 JP, Japan
    11 FI, Finland
    11 BR, Brazil

There are 5361 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.

The number of published MX host TLSA RRsets found is 8115.  These cover
9040 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 334 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these, 160 are in
recent (last 90 days of) reports:

  univie.ac.at             lrz.de                 hierinloggen.nl
  gmx.at                   mail.de                intermax.nl
  nic.br                   mailserver4.de         kingsquare.nl
  registro.br              mensa.de               mailplus.nl
  gmx.ch                   posteo.de              minbzk.nl
  hostpoint.ch             ruhr-uni-bochum.de     mindef.nl
  infomaniak.ch            tum.de                 mm1.nl
  open.ch                  uni-erlangen.de        ouderportaal.nl
  protonmail.ch            unitybox.de            overheid.nl
  anubisnetworks.com       unitymedia.de          pathe.nl
  clubedominante.com       web.de                 politie.nl
  comeseetv.com            westlotto.de           previder.nl
  fmc-na.com               dk-hostmaster.dk       rijksoverheid.nl
  frenchtogether.com       egmontpublishing.dk    rotterdam.nl
  gmx.com                  netic.dk               ru.nl
  habr.com                 star.dk                rvo.nl
  hotelsinduitsland.com    stil.dk                schoudercom.nl
  infomaniak.com           uni-c.dk               schuurman-schoenen.nl
  ingthink.com             tilburguniversity.edu  ssonet.nl
  kpn.com                  emta.ee                truetickets.nl
  leszexpertsfle.com       lugeja.ee              uvt.nl
  mail.com                 rmit.ee                xs4all.nl
  mammoetmail.com          rediris.es             zorgmail.nl
  one.com                  uv.es                  domeneshop.no
  primexbt.com             litebit.eu             handelsbanken.no
  protonmail.com           web200.eu              uib.no
  solvinity.com            zone.eu                webcruitermail.no
  t-2.com                  ac-strasbourg.fr       atelkamera.nu
  telfort.com              compagnie-des-sens.fr  goget.nu
  thalesgroup.com          octopuce.fr            aegee.org
  trashmail.com            web200.hu              debian.org
  xfinity.com              comcast.net            freebsd.org
  xfinityhomesecurity.com  dns-oarc.net           gentoo.org
  xfinitymobile.com        gmx.net                ietf.org
  active24.cz              habramail.net          isc.org
  atlas.cz                 hr-manager.net         mailbox.org
  centrum.cz               inexio.net             netbsd.org
  cuni.cz                  mpssec.net             openssl.org
  itesco.cz                procurios.net          ozlabs.org
  klubpevnehozdravi.cz     riseup.net             samba.org
  krypton.cz               t-2.net                slackbuilds.org
  onebit.cz                transip.net            torproject.org
  optimail.cz              xs4all.net             whatpulse.org
  smtp.cz                  xworks.net             asf.com.pt
  virusfree.cz             belastingdienst.nl     boplatssyd-automail.se
  volny.cz                 bhosted.nl             handelsbanken.se
  bayern.de                bluerail.nl            loopia.se
  bund.de                  boozyshop.nl           minmyndighetspost.se
  elster.de                corpoflow.nl           personligalmanacka.se
  fau.de                   dictu.nl               skatteverket.se
  freenet.de               digid.nl               theletter.se
  gmx.de                   ezorg.nl               govtrack.us
  jpberlin.de              gerryweber.nl          ru.ac.za
  kabelmail.de

Of the ~1.88 million domains, 4504 have "partial" TLSA records that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 465.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
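An added example, not code from this post or from any of the projects linked above, that applies the two checks the paragraphs above describe to a constructed MX-to-TLSA map: whether each TLSA record is well-formed (field ranges and digest lengths per RFC 6698/7671, SMTP-usable usages per RFC 7672) and whether every MX host of a domain is covered, classifying the domain as full, partial or none. The hostnames and record data are constructed sample values; in a real monitor the map would be filled from DNSSEC-validated MX and TLSA lookups.

```python
import re
from typing import Dict, List, Optional, Tuple

# Field value ranges from RFC 6698/7671.  Matching type fixes the hex data length:
# Full(0) is unconstrained, SHA2-256(1) is 32 bytes, SHA2-512(2) is 64 bytes.
_USAGES = {0, 1, 2, 3}
_SELECTORS = {0, 1}
_HEX_LEN = {0: None, 1: 64, 2: 128}
# RFC 7672: only DANE-TA(2) and DANE-EE(3) are usable for SMTP; PKIX-* usages are treated as unusable.
_SMTP_USAGES = {2, 3}

def parse_tlsa(rdata: str) -> Optional[Tuple[int, int, int, str]]:
    """Parse TLSA presentation form 'usage selector mtype hexdata'; None if malformed."""
    parts = rdata.split()
    if len(parts) < 4:
        return None
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
    except ValueError:
        return None
    data = "".join(parts[3:]).lower()  # hex may be broken across whitespace in zone files
    if usage not in _USAGES or selector not in _SELECTORS or mtype not in _HEX_LEN:
        return None
    if not re.fullmatch(r"[0-9a-f]+", data) or len(data) % 2:
        return None
    if _HEX_LEN[mtype] not in (None, len(data)):  # digest length must match the hash
        return None
    return usage, selector, mtype, data

def usable_for_smtp(rdata: str) -> bool:
    """A record counts only if it is well-formed and of a usage an SMTP client acts on."""
    rec = parse_tlsa(rdata)
    return rec is not None and rec[0] in _SMTP_USAGES

def classify_domain(mx_tlsa: Dict[str, List[str]]) -> str:
    """mx_tlsa maps each MX host to the TLSA RRset at _25._tcp.<host> ([] when none).
    'full' = every MX host has a usable record, 'partial' = only some, 'none' = none."""
    covered = [h for h, rrs in mx_tlsa.items() if any(usable_for_smtp(r) for r in rrs)]
    if not covered:
        return "none"
    return "full" if len(covered) == len(mx_tlsa) else "partial"

# Constructed sample (not real DNS data): mx3 is a secondary MX with no TLSA records,
# so the domain as a whole is only "partially" protected.
SAMPLE = {
    "mx1.example.net": ["3 1 1 " + "ab" * 32],
    "mx2.example.net": ["2 0 1 " + "cd" * 32, "0 0 1 " + "ef" * 32],
    "mx3.example.net": [],
}
```

Dead MX hosts of the kind described in footnote [1] pass `parse_tlsa` as long as their records are well-formed, which is all the footnote requires of them.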

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2050.  The top 13
name server operators with problem domains are:

    616 mijnhostingpartner.nl   (fix expected any day now, but may be delayed)
    559 registrar-servers.com   (a.k.a. Neustar, continuing to grow slowly)
     71 ebola.cz
     70 movenext.nl
     47 metaregistrar.nl
     44 axc.nl
     43 cdmon.net
     37 hyp.net
     34 flevohost.nl
     30 tiscomhosting.nl
     28 hostnet.nl
     22 infracom.nl
     18 is.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eleven of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  flytoyourheart.com
  topdecorationworld.com
  bncr.fi.cr
  mobily.com.sa
  sauditelecom.com.sa
  threadteaching.co.uk

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, they
just need to exist and be well-formed), there's no loss of security.
