Update on stats 2020-01
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat Feb 1 09:33:21 CET 2020
Summary: The DANE domain count is now 1,815,489.
The number of domains that return DNSSEC-validated replies in
response to MX queries is 10,778,108. Thus DANE TLSA is
deployed on ~16.84% of domains with DNSSEC.
This month I'd like to welcome infomaniak.ch to the list of
top 20 DANE SMTP hosting providers. They're now in 5th place
with >66k domains.
Also, domeneshop.no, one of the earliest entries on the list,
has crossed 100k entries for the first time this month.
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 1,815,489 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
1021399 one.com
134322 transip.nl
100062 domeneshop.no
88088 loopia.se
66415 infomaniak.ch
37617 active24.com
31413 vevida.com
30081 antagonist.nl
26687 web4u.cz
24682 udmedia.de
19815 zxcs.nl
17317 bhosted.nl
15387 flexfilter.nl
13560 onebit.cz
9169 protonmail.ch
5854 netzone.ch
5583 previder.nl
4860 soverin.net
4741 mailplatform.eu
3771 zonemx.eu
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
6099 TOTAL
2042 DE, Germany
1218 US, United States
910 NL, Netherlands
486 FR, France
238 GB, United Kingdom
202 CZ, Czechia
128 CA, Canada
82 CH, Switzerland
76 SE, Sweden
72 SG, Singapore
67 DK, Denmark
51 FI, Finland
46 AT, Austria
45 IE, Ireland
42 JP, Japan
40 AU, Australia
34 PL, Poland
28 BR, Brazil
27 RU, Russia
22 NO, Norway
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
3133 TOTAL
1287 DE, Germany
534 US, United States
470 NL, Netherlands
266 FR, France
106 CZ, Czechia
99 GB, United Kingdom
45 SE, Sweden
33 AT, Austria
31 SG, Singapore
31 CA, Canada
30 JP, Japan
29 CH, Switzerland
18 RU, Russia
16 IE, Ireland
16 DK, Denmark
14 SI, Slovenia
13 NO, Norway
13 AU, Australia
12 BR, Brazil
9 FI, Finland
There are 5122 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.
The number of published MX host TLSA RRsets found is 7866. These cover
8799 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).
The number of domains that at some point were listed in Gmail's email
transparency report is 310 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain). Of these, 155 are in
recent (last 90 days of) reports.
Of the ~1.82 million domains, 4167 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 414. Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1642. The top 13
name server operators with problem domains are:
425 registrar-servers.com
304 mijnhostingpartner.nl (varies between 200 and 500+)
96 egensajt.se
66 eurodns.com
64 2is.nl
63 movenext.nl
50 ebola.cz
45 metaregistrar.nl
31 tiscomhosting.nl
27 hostnet.nl
25 infracom.nl
22 cdmon.net
20 sylconia.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Eight of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
trt01.gov.br
trtrio.gov.br
trt1.jus.br
trtrj.jus.br
flytoyourheart.com
topdecorationworld.com
mobily.com.sa
sauditelecom.com.sa
threadteaching.co.uk
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
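One way to check the failure modes the post describes (TLSA records that cover only some of a domain's MX hosts, records that no longer match the key a host presents after rotation, and always-down hosts whose records merely need to be well-formed), as an added Python example that is not part of the original post. The domains, MX hosts, TLSA RRsets and SPKI bytes are constructed stand-ins held in dictionaries; a real monitor would replace them with DNS lookups of `_25._tcp.<mx>` and the SubjectPublicKeyInfo taken from the live STARTTLS certificate.

```python
import hashlib
from typing import Optional, Tuple

TLSARecord = Tuple[int, int, int, str]  # (usage, selector, matching type, hex data)

# Constructed sample data, not taken from the post: MX hosts of two hypothetical
# domains and the TLSA RRsets published at _25._tcp.<mx host>.
SPKI_MX1 = b"constructed DER SubjectPublicKeyInfo for mx1"  # stand-in, not a real key
SPKI_MX2 = b"constructed DER SubjectPublicKeyInfo for mx2"


def spki_sha256(der: bytes) -> str:
    """The digest a '3 1 1' TLSA record carries: SHA-256 over the SPKI DER."""
    return hashlib.sha256(der).hexdigest()


MX_HOSTS = {
    "full.test": ["mx1.full.test", "mx2.full.test", "dead.full.test"],
    "partial.test": ["mxa.partial.test", "mxb.partial.test"],  # only mxa publishes TLSA
}
TLSA = {
    "_25._tcp.mx1.full.test": [(3, 1, 1, spki_sha256(SPKI_MX1))],
    "_25._tcp.mx2.full.test": [(3, 1, 1, "00" * 32)],   # stale: key rotated, DNS not updated
    "_25._tcp.dead.full.test": [(3, 1, 1, "ab" * 32)],  # always-down MX; record is well-formed
    "_25._tcp.mxa.partial.test": [(3, 1, 1, "cd" * 32)],
}
LIVE_SPKI = {"mx1.full.test": SPKI_MX1, "mx2.full.test": SPKI_MX2}  # what each host presents

HEX_LEN = {1: 64, 2: 128}  # matching type -> required hex length (SHA-256, SHA-512)


def usable_for_smtp(rr: TLSARecord) -> bool:
    """Well-formed and usable for SMTP (RFC 7672): DANE-TA(2)/DANE-EE(3) with a sane digest."""
    usage, selector, mtype, data = rr
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    if not data or any(c not in "0123456789abcdef" for c in data.lower()):
        return False
    return mtype == 0 or len(data) == HEX_LEN[mtype]


def coverage(domain: str) -> str:
    """'full', 'partial' or 'none' by how many of the MX hosts carry usable TLSA records."""
    hosts = MX_HOSTS.get(domain, [])
    covered = [h for h in hosts if any(usable_for_smtp(r) for r in TLSA.get(f"_25._tcp.{h}", []))]
    if not covered:
        return "none"
    return "full" if len(covered) == len(hosts) else "partial"


def key_matches(host: str) -> Optional[bool]:
    """Monitoring check: does the presented SPKI match a 3 1 1 record? None if the host is down."""
    der = LIVE_SPKI.get(host)
    if der is None:
        return None
    want = spki_sha256(der)
    return any(u == 3 and s == 1 and m == 1 and d.lower() == want
               for (u, s, m, d) in TLSA.get(f"_25._tcp.{host}", []))
```

A domain reported as "partial" leaves mail via the uncovered MX hosts exposed to the active attacks the post mentions, and a host returning False from key_matches is the outage case the monitoring advice is about.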