Update on stats 2020-08

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Aug 31 08:20:53 CEST 2020

Summary:  The DANE domain count is now 2,151,862

          Most of the increase from last month can be credited to
          forpsi.com (~65k domains) and one.com (~109k new domains)
          Thank you forpsi.com and one.com.

          Though it is but one domain, it is nice this month to see
          ripe.net added to the list of domains with DANE TLSA records
          for their MX hosts.

          I'm also happy to report that epik.com have resolved all
          outstanding DNSSEC denial of existence issues, not only
          for the O(50) domains that had SMTP servers, but also for
          over 100k domains that did not yet, but might some day.
          It would be great to see more of the long-term resident
          DoE "sinners" make amends.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 12,443,641.  Thus DANE TLSA is
          deployed on ~17.29% of domains with DNSSEC. It might have
          been higher than 12.5 million, but for a delay in the .NL
          data feed this month, that is expected instead in early

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 2,151,862 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1143500 one.com
   141329 transip.nl
   102015 domeneshop.no
    90188 loopia.se
    85000 infomaniak.ch
    64973 forpsi.com
    41646 pcextreme.nl
    41210 webreus.nl
    39560 active24.com
    32959 antagonist.nl
    30569 vevida.com
    28115 zxcs.nl
    26638 web4u.cz
    25610 udmedia.de
    18038 bhosted.nl
    14752 flexfilter.nl
    14165 onebit.cz
    12197 protonmail.ch
     7191 zonemx.eu
     6077 soverin.net

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6864 TOTAL
  2191 DE, Germany
  1377 US, United States
  1046 NL, Netherlands
   548 FR, France
   287 GB, United Kingdom
   225 CZ, Czechia
   163 CA, Canada
   100 SG, Singapore
    97 CH, Switzerland
    90 FI, Finland
    84 SE, Sweden
    71 DK, Denmark
    49 AU, Australia
    47 AT, Austria
    43 IE, Ireland
    36 BR, Brazil
    33 PL, Poland
    32 RU, Russia
    31 JP, Japan
    30 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3593 TOTAL
  1472 DE, Germany
   614 US, United States
   591 NL, Netherlands
   258 FR, France
   146 CZ, Czechia
   105 GB, United Kingdom
    48 CH, Switzerland
    40 SG, Singapore
    37 CA, Canada
    34 SE, Sweden
    26 AT, Austria
    21 RU, Russia
    19 AU, Australia
    17 JP, Japan
    15 FI, Finland
    14 NO, Norway
    14 IE, Ireland
    13 DK, Denmark
    12 ID, Indonesia
    11 BR, Brazil

There are 6056 unique zones in which the underlying MX hosts are found, this
counts each of the above providers as just one zone, so is a measure of the
breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 9058.  These cover
10054 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 372 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 183
are in recent (last 90 days of) reports:

  univie.ac.at             freenet.de                keessmit.nl
  gmx.at                   gmx.de                    mailplus.nl
  triodos.be               jpberlin.de               markteffectmail.nl
  clubedohardware.com.br   kabelmail.de              minbzk.nl
  nic.br                   lrz.de                    mindef.nl
  registro.br              mail.de                   mkbbelangen.nl
  gmx.ch                   mailserver4.de            mm1.nl
  hostpoint.ch             posteo.de                 ouderportaal.nl
  infomaniak.ch            ruhr-uni-bochum.de        overheid.nl
  open.ch                  tum.de                    parlement.nl
  protonmail.ch            uni-erlangen.de           pathe.nl
  switch.ch                uni-muenchen.de           politie.nl
  clubedominante.com       unitybox.de               previder.nl
  coosto.com               unitymedia.de             professioneelbegeleiden.nl
  fmc-na.com               web.de                    rijksoverheid.nl
  gmx.com                  westlotto.de              rotterdam.nl
  habr.com                 egmontpublishing.dk       ru.nl
  hotelsinduitsland.com    netic.dk                  rvo.nl
  infomaniak.com           star.dk                   schoudercom.nl
  ingthink.com             stil.dk                   schuurman-schoenen.nl
  kpn.com                  uni-c.dk                  ssonet.nl
  leszexpertsfle.com       tilburguniversity.edu     triodos.nl
  mail.com                 emta.ee                   truetickets.nl
  mailzerver.com           rmit.ee                   tweedekamer.nl
  mammoetmail.com          rediris.es                uitgeverijpica.nl
  mx-relay.com             triodos.es                utwente.nl
  one.com                  uv.es                     uvt.nl
  pre-sustainability.com   zone.eu                   wise-guys.nl
  protonmail.com           zonevs.eu                 xs4all.nl
  protonvpn.com            ac-strasbourg.fr          zorgmail.nl
  societe.com              compagnie-des-sens.fr     domeneshop.no
  solvinity.com            fidesz.hu                 handelsbanken.no
  t-2.com                  idrinks.hu                uib.no
  telfort.com              mszp.hu                   webcruitermail.no
  thalesgroup.com          comcast.net               atelkamera.nu
  triodos.com              gmx.net                   goget.nu
  vitstore.com             habramail.net             aegee.org
  xfinity.com              hr-manager.net            debian.org
  xfinityhomesecurity.com  inexio.net                freebsd.org
  xfinitymobile.com        mpssec.net                gentoo.org
  active24.cz              procurios.net             ietf.org
  akce-incomputer.cz       ripe.net                  isc.org
  atlas.cz                 riseup.net                mailbox.org
  centrum.cz               t-2.net                   netbsd.org
  cuni.cz                  transip.net               openssl.org
  itesco.cz                xs4all.net                ozlabs.org
  klenotyaurum.cz          xworks.net                samba.org
  klubpevnehozdravi.cz     belastingdienst.nl        torproject.org
  krypton.cz               bhosted.nl                whatpulse.org
  nic.cz                   bluerail.nl               asf.com.pt
  onebit.cz                boozyshop.nl              boplatssyd-automail.se
  optimail.cz              corpoflow.nl              handelsbanken.se
  poptavej.cz              dictu.nl                  loopia.se
  reserved.cz              digid.nl                  minmyndighetspost.se
  smtp.cz                  duo.nl                    personligalmanacka.se
  virusfree.cz             ezorg.nl                  skatteverket.se
  volny.cz                 gerryweber.nl             theletter.se
  bayern.de                herinneringenoplinnen.nl  kadernickyservis.sk
  bund.de                  hr.nl                     triodos.co.uk
  elster.de                interconnect.nl           govtrack.us
  fau.de                   interim-netwerk.nl        ru.ac.za

Of the ~2.15 million domains, 13702 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 650.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093.  The top 15
name server operators with problem domains are:

    374 axc.nl
    344 registrar-servers.com
     86 ebola.cz
     66 movenext.nl
     27 tiscomhosting.nl
     22 eatserver.nl
     20 metaregistrar.nl
     20 infracom.nl
     15 nrdns.nl
     15 cloudflare.com
     11 sylconia.net
     11 iterik.nu
     11 is.nl
     10 openprovider.nl
     10 mobi-net.ch

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  sauditelecom.com.sa [2]


[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] https://dnsviz.net/d/sauditelecom.com.sa/X0yQQA/dnssec/
    Today the entire sauditelecom.com.sa zone is down, the
    DS records don't match any zone apex DNSKEY RRs...

More information about the dane-users mailing list