Update on stats 2020-08

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Aug 31 08:20:53 CEST 2020


Summary:  The DANE domain count is now 2,151,862

          Most of the increase from last month can be credited to
          forpsi.com (~65k domains) and one.com (~109k new domains).
          Thank you forpsi.com and one.com.

          Though it is but one domain, it is nice this month to see
          ripe.net added to the list of domains with DANE TLSA records
          for their MX hosts.

          I'm also happy to report that epik.com have resolved all
          outstanding DNSSEC denial of existence issues, not only
          for the O(50) domains that had SMTP servers, but also for
          over 100k domains that did not yet, but might some day.
          It would be great to see more of the long-term resident
          DoE "sinners" make amends.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 12,443,641.  Thus DANE TLSA is
          deployed on ~17.29% of domains with DNSSEC. It might have
          been higher than 12.5 million, but for a delay in the .NL
          data feed this month, that is expected instead in early
          September.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 2,151,862 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1143500 one.com
   141329 transip.nl
   102015 domeneshop.no
    90188 loopia.se
    85000 infomaniak.ch
    64973 forpsi.com
    41646 pcextreme.nl
    41210 webreus.nl
    39560 active24.com
    32959 antagonist.nl
    30569 vevida.com
    28115 zxcs.nl
    26638 web4u.cz
    25610 udmedia.de
    18038 bhosted.nl
    14752 flexfilter.nl
    14165 onebit.cz
    12197 protonmail.ch
     7191 zonemx.eu
     6077 soverin.net

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6864 TOTAL
  2191 DE, Germany
  1377 US, United States
  1046 NL, Netherlands
   548 FR, France
   287 GB, United Kingdom
   225 CZ, Czechia
   163 CA, Canada
   100 SG, Singapore
    97 CH, Switzerland
    90 FI, Finland
    84 SE, Sweden
    71 DK, Denmark
    49 AU, Australia
    47 AT, Austria
    43 IE, Ireland
    36 BR, Brazil
    33 PL, Poland
    32 RU, Russia
    31 JP, Japan
    30 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3593 TOTAL
  1472 DE, Germany
   614 US, United States
   591 NL, Netherlands
   258 FR, France
   146 CZ, Czechia
   105 GB, United Kingdom
    48 CH, Switzerland
    40 SG, Singapore
    37 CA, Canada
    34 SE, Sweden
    26 AT, Austria
    21 RU, Russia
    19 AU, Australia
    17 JP, Japan
    15 FI, Finland
    14 NO, Norway
    14 IE, Ireland
    13 DK, Denmark
    12 ID, Indonesia
    11 BR, Brazil

There are 6056 unique zones in which the underlying MX hosts are found.
This counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.

The number of published MX host TLSA RRsets found is 9058.  These cover
10054 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 372 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 183
are in recent (last 90 days of) reports:

  univie.ac.at             freenet.de                keessmit.nl
  gmx.at                   gmx.de                    mailplus.nl
  triodos.be               jpberlin.de               markteffectmail.nl
  clubedohardware.com.br   kabelmail.de              minbzk.nl
  nic.br                   lrz.de                    mindef.nl
  registro.br              mail.de                   mkbbelangen.nl
  gmx.ch                   mailserver4.de            mm1.nl
  hostpoint.ch             posteo.de                 ouderportaal.nl
  infomaniak.ch            ruhr-uni-bochum.de        overheid.nl
  open.ch                  tum.de                    parlement.nl
  protonmail.ch            uni-erlangen.de           pathe.nl
  switch.ch                uni-muenchen.de           politie.nl
  clubedominante.com       unitybox.de               previder.nl
  coosto.com               unitymedia.de             professioneelbegeleiden.nl
  fmc-na.com               web.de                    rijksoverheid.nl
  gmx.com                  westlotto.de              rotterdam.nl
  habr.com                 egmontpublishing.dk       ru.nl
  hotelsinduitsland.com    netic.dk                  rvo.nl
  infomaniak.com           star.dk                   schoudercom.nl
  ingthink.com             stil.dk                   schuurman-schoenen.nl
  kpn.com                  uni-c.dk                  ssonet.nl
  leszexpertsfle.com       tilburguniversity.edu     triodos.nl
  mail.com                 emta.ee                   truetickets.nl
  mailzerver.com           rmit.ee                   tweedekamer.nl
  mammoetmail.com          rediris.es                uitgeverijpica.nl
  mx-relay.com             triodos.es                utwente.nl
  one.com                  uv.es                     uvt.nl
  pre-sustainability.com   zone.eu                   wise-guys.nl
  protonmail.com           zonevs.eu                 xs4all.nl
  protonvpn.com            ac-strasbourg.fr          zorgmail.nl
  societe.com              compagnie-des-sens.fr     domeneshop.no
  solvinity.com            fidesz.hu                 handelsbanken.no
  t-2.com                  idrinks.hu                uib.no
  telfort.com              mszp.hu                   webcruitermail.no
  thalesgroup.com          comcast.net               atelkamera.nu
  triodos.com              gmx.net                   goget.nu
  vitstore.com             habramail.net             aegee.org
  xfinity.com              hr-manager.net            debian.org
  xfinityhomesecurity.com  inexio.net                freebsd.org
  xfinitymobile.com        mpssec.net                gentoo.org
  active24.cz              procurios.net             ietf.org
  akce-incomputer.cz       ripe.net                  isc.org
  atlas.cz                 riseup.net                mailbox.org
  centrum.cz               t-2.net                   netbsd.org
  cuni.cz                  transip.net               openssl.org
  itesco.cz                xs4all.net                ozlabs.org
  klenotyaurum.cz          xworks.net                samba.org
  klubpevnehozdravi.cz     belastingdienst.nl        torproject.org
  krypton.cz               bhosted.nl                whatpulse.org
  nic.cz                   bluerail.nl               asf.com.pt
  onebit.cz                boozyshop.nl              boplatssyd-automail.se
  optimail.cz              corpoflow.nl              handelsbanken.se
  poptavej.cz              dictu.nl                  loopia.se
  reserved.cz              digid.nl                  minmyndighetspost.se
  smtp.cz                  duo.nl                    personligalmanacka.se
  virusfree.cz             ezorg.nl                  skatteverket.se
  volny.cz                 gerryweber.nl             theletter.se
  bayern.de                herinneringenoplinnen.nl  kadernickyservis.sk
  bund.de                  hr.nl                     triodos.co.uk
  elster.de                interconnect.nl           govtrack.us
  fau.de                   interim-netwerk.nl        ru.ac.za

Of the ~2.15 million domains, 13702 have "partial" TLSA records that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 650.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093.  The top 15
name server operators with problem domains are:

    374 axc.nl
    344 registrar-servers.com
     86 ebola.cz
     66 movenext.nl
     27 tiscomhosting.nl
     22 eatserver.nl
     20 metaregistrar.nl
     20 infracom.nl
     15 nrdns.nl
     15 cloudflare.com
     11 sylconia.net
     11 iterik.nu
     11 is.nl
     10 openprovider.nl
     10 mobi-net.ch

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt1.jus.br
  trtrj.jus.br
  bncr.fi.cr
  ofda.gov
  amsterdam.nl
  mobily.com.sa
  sauditelecom.com.sa [2]

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] https://dnsviz.net/d/sauditelecom.com.sa/X0yQQA/dnssec/
    Today the entire sauditelecom.com.sa zone is down, the
    DS records don't match any zone apex DNSKEY RRs...
    https://twitter.com/VDukhovni/status/1300313582945669120
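The checks the report counts ("partial" coverage of a domain's MX hosts, incorrect TLSA records, and the footnote [1] point that a dead MX host only needs a well-formed TLSA record) can be reproduced locally for one's own domain. The following is an added example, not code from the post or from the author's survey tooling; it works on already-fetched inputs (TLSA rdata strings, and the DER certificate plus its SubjectPublicKeyInfo as presented by the MX host after STARTTLS), so the sample bytes and host names are constructed placeholders rather than real records.

```python
import hashlib

# Expected association length per TLSA matching type (RFC 6698): 0 = full data, 1 = SHA-256, 2 = SHA-512
DIGEST_LEN = {0: None, 1: 32, 2: 64}

def parse_tlsa(rdata):
    """Parse presentation-format TLSA rdata ("3 1 1 <hex>") and check it is well-formed.
    Returns (usage, selector, mtype, data); raises ValueError for a malformed record."""
    parts = rdata.split()
    if len(parts) != 4:
        raise ValueError("TLSA rdata needs exactly 4 fields")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex(parts[3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in DIGEST_LEN:
        raise ValueError("unknown TLSA usage/selector/matching type")
    if DIGEST_LEN[mtype] is not None and len(data) != DIGEST_LEN[mtype]:
        raise ValueError("association length does not match the matching type")
    return usage, selector, mtype, data

def tlsa_matches(record, cert_der, spki_der):
    """Does one TLSA record match the certificate the MX host presented after STARTTLS?
    cert_der is the full DER certificate, spki_der its SubjectPublicKeyInfo.
    Only DANE-TA(2) and DANE-EE(3) are usable for SMTP (RFC 7672); PKIX usages never match here."""
    usage, selector, mtype, data = record
    if usage not in (2, 3):
        return False
    subject = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return subject == data
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(subject).digest() == data

def classify_domain(mx_hosts, tlsa_by_host):
    """Coverage as the report counts it: 'full' when every MX host has at least one
    well-formed TLSA record, 'partial' when only some do, 'none' otherwise.
    Malformed records are ignored, so a dead host still counts if its records parse."""
    covered = 0
    for host in mx_hosts:
        rdatas = tlsa_by_host.get(host, [])
        if any(_well_formed(r) for r in rdatas):
            covered += 1
    if covered == len(mx_hosts):
        return "full"
    return "partial" if covered else "none"

def _well_formed(rdata):
    try:
        parse_tlsa(rdata)
        return True
    except ValueError:
        return False

# Constructed sample input (placeholder bytes, not a real certificate or key).
SAMPLE_CERT = b"constructed-DER-certificate-bytes"
SAMPLE_SPKI = b"constructed-SubjectPublicKeyInfo-bytes"
SAMPLE_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
```

Feeding it real data means fetching `_25._tcp.<mx>` TLSA RRsets with a DNSSEC-validating resolver and the certificate from an actual STARTTLS handshake; a record that parses but does not match is exactly the "incorrect TLSA" case the report counts.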

