Update on stats 2020-07

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Aug 2 02:34:58 CEST 2020


Summary:  The DANE domain count is now 1,974,938

          Much of the increase from last month is due to ~42k domains
          hosted by pcextreme.nl.  Thank you PCextreme.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 12,108,902.  Thus DANE TLSA is
          deployed on ~16.30% of domains with DNSSEC.

          DANE as a percentage of DNSSEC domains is dropping recently,
          because growth in DNSSEC adoption has started to outpace
          growth in DANE adoption.  This is a good problem to have;
          deploy even more DNSSEC, please!  At this rate, I am
          anticipating ~13 million signed domains by the end of 2020,
          but a surprise large-scale deployment would be even better.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 1,974,938 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1034619 one.com
   141535 transip.nl
   101743 domeneshop.no
    89837 loopia.se
    83032 infomaniak.ch
    42021 pcextreme.nl
    41648 webreus.nl
    39437 active24.com
    32936 antagonist.nl
    30714 vevida.com
    28703 zxcs.nl
    26693 web4u.cz
    25440 udmedia.de
    17613 bhosted.nl
    14851 flexfilter.nl
    14114 onebit.cz
    11688 protonmail.ch
     6829 zonemx.eu
     6035 soverin.net
     5773 netzone.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6864 TOTAL
  2191 DE, Germany
  1377 US, United States
  1046 NL, Netherlands
   548 FR, France
   287 GB, United Kingdom
   225 CZ, Czechia
   163 CA, Canada
   100 SG, Singapore
    97 CH, Switzerland
    90 FI, Finland
    84 SE, Sweden
    71 DK, Denmark
    49 AU, Australia
    47 AT, Austria
    43 IE, Ireland
    36 BR, Brazil
    33 PL, Poland
    32 RU, Russia
    31 JP, Japan
    30 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3555 TOTAL
  1459 DE, Germany
   580 NL, Netherlands
   572 US, United States
   263 FR, France
   127 CZ, Czechia
   111 GB, United Kingdom
    49 CH, Switzerland
    41 RU, Russia
    41 CA, Canada
    40 SE, Sweden
    37 SG, Singapore
    25 AT, Austria
    19 AU, Australia
    16 JP, Japan
    16 IE, Ireland
    15 DK, Denmark
    14 NO, Norway
    14 FI, Finland
    13 ID, Indonesia
    11 BR, Brazil

There are 5893 unique zones in which the underlying MX hosts are found.  This
counts each of the above providers as just one zone, so it is a measure of the
breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 8284.  These cover 9276
distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email
transparency report is 356 (this is my ad-hoc criterion for a domain being a
large-enough actively used email domain).  Of these, 174 are in recent (last 90
days of) reports:

  ac-strasbourg.fr          interim-netwerk.nl          ru.ac.za
  active24.cz               isc.org                     ru.nl
  aegee.org                 itesco.cz                   ruhr-uni-bochum.de
  atelkamera.nu             jpberlin.de                 rvo.nl
  atlas.cz                  kabelmail.de                samba.org
  bayern.de                 kadernickyservis.sk         schoudercom.nl
  belastingdienst.nl        keessmit.nl                 schuurman-schoenen.nl
  bhosted.nl                klubpevnehozdravi.cz        skatteverket.se
  bluerail.nl               kpn.com                     smtp.cz
  boekwinkeltjes.nl         krypton.cz                  societe.com
  boozyshop.nl              leszexpertsfle.com          solvinity.com
  boplatssyd-automail.se    loopia.se                   sportfondsen.nl
  bund.de                   lrz.de                      ssonet.nl
  centrum.cz                lugeja.ee                   star.dk
  clubedohardware.com.br    mail.com                    stil.dk
  clubedominante.com        mail.de                     switch.ch
  comcast.net               mailbox.org                 t-2.com
  compagnie-des-sens.fr     mailplus.nl                 t-2.net
  corpoflow.nl              mailserver4.de              telfort.com
  cuni.cz                   mailzerver.com              thalesgroup.com
  debian.org                mammoetmail.com             theletter.se
  dictu.nl                  markteffectmail.nl          tilburguniversity.edu
  digid.nl                  maximum.nl                  torproject.org
  domeneshop.no             minbzk.nl                   transip.net
  duo.nl                    mindef.nl                   triodos.be
  egmontpublishing.dk       minmyndighetspost.se        triodos.co.uk
  elster.de                 mkbbelangen.nl              triodos.com
  emta.ee                   mm1.nl                      triodos.es
  ezorg.nl                  mpssec.net                  triodos.nl
  fau.de                    mx-relay.com                truetickets.nl
  fidesz.hu                 netbsd.org                  tum.de
  fmc-na.com                netic.dk                    uib.no
  freebsd.org               nic.br                      uitgeverijpica.nl
  freenet.de                nic.cz                      uni-c.dk
  gentoo.org                one.com                     uni-erlangen.de
  gerryweber.nl             onebit.cz                   uni-muenchen.de
  gmx.at                    open.ch                     unitybox.de
  gmx.ch                    openssl.org                 unitymedia.de
  gmx.com                   optimail.cz                 univie.ac.at
  gmx.de                    ouderportaal.nl             utwente.nl
  gmx.net                   overheid.nl                 uv.es
  goget.nu                  ozlabs.org                  uvt.nl
  govtrack.us               pathe.nl                    virusfree.cz
  habr.com                  personligalmanacka.se       volny.cz
  habramail.net             politie.nl                  web.de
  handelsbanken.no          posteo.de                   webcruitermail.no
  handelsbanken.se          pre-sustainability.com      westlotto.de
  herinneringenoplinnen.nl  previder.nl                 whatpulse.org
  hostpoint.ch              procurios.net               xfinity.com
  hotelsinduitsland.com     professioneelbegeleiden.nl  xfinityhomesecurity.com
  hr-manager.net            protonmail.ch               xfinitymobile.com
  hr.nl                     protonmail.com              xs4all.net
  ietf.org                  rediris.es                  xs4all.nl
  inexio.net                registro.br                 xworks.net
  infomaniak.ch             rijksoverheid.nl            zaantheater.nl
  infomaniak.com            riseup.net                  zone.eu
  ingthink.com              rmit.ee                     zonevs.eu
  interconnect.nl           rotterdam.nl                zorgmail.nl

Of the ~1.97 million domains, 13448 have "partial" TLSA records that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 602.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093.  The top 15
name server operators with problem domains are:

    367 axc.nl
    350 registrar-servers.com
     86 ebola.cz
     64 movenext.nl
     34 epik.com
     28 tiscomhosting.nl
     24 metaregistrar.nl
     22 nrdns.nl
     22 infracom.nl
     22 eatserver.nl
     11 sylconia.net
     11 iterik.nu
     11 icosnethosting.com
     10 openprovider.nl
     10 is.nl

   [ The situation with epik.com is more worrisome than it looks,
     while only 34 domains have SMTP servers affected by incorrect
     TLSA record denial of existence, in fact well over 100k domains
     exhibit the same symptoms, but presently don't receive email.

     Given the pervasive failure to provision complete NSEC chains
     for domains with zone-apex wildcard records, I expect this will
     get worse, before it gets better.  My correspondence with Epik
     support has not yet reached someone who is able to understand
     and solve the problem.

     Essentially the same issue of missing NSEC for the zone-apex
     wildcard is plaguing axc.nl.  Perhaps it is too easy for
     PowerDNS users to get this wrong.  Don't know what can be done
     to help them correct their provisioning practices. ]

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt1.jus.br
  trtrj.jus.br
  bncr.fi.cr
  mobily.com.sa
  sauditelecom.com.sa

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
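The categories used throughout the report (correct TLSA at every MX host, "partial" coverage of only some MX hosts, "broken" records or missing STARTTLS, and the dead-host case in footnote [1]) can be reproduced for your own domain from a snapshot of its MX RRset, the TLSA RRsets at `_25._tcp.<mx-host>` (after CNAME chasing), and what each host presents during an SMTP probe. The following is an added example written for this page, not the author's survey code: the hostnames and DER blobs are constructed placeholders, no DNS or TLS is performed, and the usability rule (only DANE-TA(2) and DANE-EE(3) are usable for SMTP, per RFC 7672) is applied as documented there.

```python
"""Offline SMTP DANE coverage classifier (constructed example, not the survey code)."""
import hashlib
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Parameter ranges from RFC 6698 / RFC 7671 and the digest length each matching type implies.
USAGES = {0, 1, 2, 3}                 # PKIX-TA, PKIX-EE, DANE-TA, DANE-EE
SMTP_USABLE_USAGES = {2, 3}           # RFC 7672: PKIX usages are unusable for SMTP
SELECTORS = {0, 1}                    # full certificate, SubjectPublicKeyInfo
DIGEST_LEN = {0: None, 1: 32, 2: 64}  # Full, SHA-256, SHA-512

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

@dataclass(frozen=True)
class Probe:
    """What an SMTP probe of one MX host observed. chain = ((cert_der, spki_der), ...), leaf first."""
    reachable: bool
    starttls: bool
    chain: Tuple[Tuple[bytes, bytes], ...] = ()

def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format '3 1 1 <hex>' (the hex field may contain whitespace)."""
    parts = text.split(None, 3)
    if len(parts) != 4:
        raise ValueError(f"not a TLSA record: {text!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    return TLSA(usage, selector, mtype, bytes.fromhex(re.sub(r"\s+", "", parts[3])))

def well_formed(rec: TLSA) -> bool:
    """Known parameter values and a digest length consistent with the matching type."""
    if rec.usage not in USAGES or rec.selector not in SELECTORS or rec.mtype not in DIGEST_LEN:
        return False
    expected = DIGEST_LEN[rec.mtype]
    return expected is None or len(rec.data) == expected

def matching_data(der: bytes, mtype: int) -> bytes:
    """Association data for a DER blob under the given matching type."""
    if mtype == 0:
        return der
    if mtype == 1:
        return hashlib.sha256(der).digest()
    if mtype == 2:
        return hashlib.sha512(der).digest()
    raise ValueError(f"unknown matching type {mtype}")

def record_matches(rec: TLSA, probe: Probe) -> bool:
    """DANE-EE(3) must match the leaf; DANE-TA(2) must match some issuer in the presented chain."""
    candidates = probe.chain[:1] if rec.usage == 3 else probe.chain[1:]
    for cert_der, spki_der in candidates:
        target = cert_der if rec.selector == 0 else spki_der
        if rec.data == matching_data(target, rec.mtype):
            return True
    return False

def host_status(records: List[TLSA], probe: Probe) -> str:
    """'ok', 'no_tlsa' or 'broken' for one MX host."""
    if not records:
        return "no_tlsa"
    usable = [r for r in records if well_formed(r) and r.usage in SMTP_USABLE_USAGES]
    if not probe.reachable:
        # Footnote [1]: a permanently dead MX host loses nothing as long as its
        # TLSA RRset exists and is well-formed (it need not match anything).
        return "ok" if usable else "broken"
    if not probe.starttls:
        return "broken"  # TLSA published but STARTTLS not advertised
    return "ok" if any(record_matches(r, probe) for r in usable) else "broken"

def classify_domain(mx_hosts: List[str], tlsa_by_host: Dict[str, List[TLSA]],
                    probes: Dict[str, Probe]) -> str:
    """'dane' (every MX host ok), 'partial' (some hosts lack TLSA), 'broken', or 'none'."""
    statuses = [host_status(tlsa_by_host.get(h, []), probes[h]) for h in mx_hosts]
    if "broken" in statuses:
        return "broken"
    if all(s == "ok" for s in statuses):
        return "dane"
    return "partial" if "ok" in statuses else "none"

def demo() -> Dict[str, str]:
    """Constructed scenario: placeholder DER blobs and example.test hostnames, not real data."""
    leaf = (b"constructed leaf cert DER", b"constructed leaf SPKI DER")
    issuer = (b"constructed issuer cert DER", b"constructed issuer SPKI DER")
    good = Probe(reachable=True, starttls=True, chain=(leaf, issuer))
    mx = ["mx1.example.test", "mx2.example.test", "mx3.example.test"]
    tlsa = {  # mx3 has no TLSA RRset at all
        "mx1.example.test": [parse_tlsa("3 1 1 " + matching_data(leaf[1], 1).hex())],
        "mx2.example.test": [parse_tlsa("2 0 1 " + matching_data(issuer[0], 1).hex())],
    }
    probes = {h: good for h in mx}
    return {
        "partial": classify_domain(mx, tlsa, probes),
        "dane": classify_domain(mx[:2], tlsa, probes),
        "broken": classify_domain(mx[:2], tlsa, {**probes, "mx2.example.test": Probe(True, False)}),
        "dead_ok": classify_domain(mx[:2], tlsa, {**probes, "mx2.example.test": Probe(False, False)}),
    }

if __name__ == "__main__":
    print(demo())
```

The "dead_ok" case is the footnote's point: the unreachable mx2 keeps the domain in the fully-covered class only because its TLSA RRset is present and well-formed; remove that RRset and the same snapshot drops to "partial". To use this on a real domain, feed it the MX names, the TLSA records fetched with DNSSEC validation, and the certificate chain from a STARTTLS probe of each host.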
