Update on stats 2020-01

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Feb 1 09:33:21 CET 2020

Summary:  The DANE domain count is now 1,815,489.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 10,778,108.  Thus DANE TLSA is
          deployed on ~16.84% of domains with DNSSEC.

          This month I'd like to welcome infomaniak.ch to the list of
          top 20 DANE SMTP hosting providers.  They're now in 5th place
          with >66k domains.

          Also, domeneshop.no, one of the earliest entries on the list,
          has crossed 100k entries for the first time this month.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 1,815,489 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1021399 one.com
   134322 transip.nl
   100062 domeneshop.no
    88088 loopia.se
    66415 infomaniak.ch
    37617 active24.com
    31413 vevida.com
    30081 antagonist.nl
    26687 web4u.cz
    24682 udmedia.de
    19815 zxcs.nl
    17317 bhosted.nl
    15387 flexfilter.nl
    13560 onebit.cz
     9169 protonmail.ch
     5854 netzone.ch
     5583 previder.nl
     4860 soverin.net
     4741 mailplatform.eu
     3771 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6099 TOTAL
  2042 DE, Germany
  1218 US, United States
   910 NL, Netherlands
   486 FR, France
   238 GB, United Kingdom
   202 CZ, Czechia
   128 CA, Canada
    82 CH, Switzerland
    76 SE, Sweden
    72 SG, Singapore
    67 DK, Denmark
    51 FI, Finland
    46 AT, Austria
    45 IE, Ireland
    42 JP, Japan
    40 AU, Australia
    34 PL, Poland
    28 BR, Brazil
    27 RU, Russia
    22 NO, Norway

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3133 TOTAL
  1287 DE, Germany
   534 US, United States
   470 NL, Netherlands
   266 FR, France
   106 CZ, Czechia
    99 GB, United Kingdom
    45 SE, Sweden
    33 AT, Austria
    31 SG, Singapore
    31 CA, Canada
    30 JP, Japan
    29 CH, Switzerland
    18 RU, Russia
    16 IE, Ireland
    16 DK, Denmark
    14 SI, Slovenia
    13 NO, Norway
    13 AU, Australia
    12 BR, Brazil
     9 FI, Finland

There are 5122 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying

The number of published MX host TLSA RRsets found is 7866.  These cover
8799 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 310 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these, 155 are in
recent (last 90 days of) reports:

  univie.ac.at             jpberlin.de            jasperalblas.nl
  gmx.at                   lrz.de                 mailplus.nl
  register.bg              mail.de                minbzk.nl
  nic.br                   posteo.de              mindef.nl
  registro.br              ruhr-uni-bochum.de     mm1.nl
  buymyweedonline.ca       tum.de                 ouderportaal.nl
  gmx.ch                   uni-erlangen.de        overheid.nl
  open.ch                  uni-muenchen.de        pathe.nl
  protonmail.ch            unitybox.de            photofacts.nl
  anubisnetworks.com       unitymedia.de          photofactsacademy.nl
  clubedominante.com       web.de                 politie.nl
  gmx.com                  egmontpublishing.dk    previder.nl
  habr.com                 netic.dk               rijksoverheid.nl
  hotelsinduitsland.com    star.dk                ru.nl
  ingthink.com             tilburguniversity.edu  rvo.nl
  kpn.com                  rediris.es             schoudercom.nl
  mail.com                 uv.es                  schuurman-schoenen.nl
  mammoetmail.com          komfortkasse.eu        ssonet.nl
  one.com                  web200.eu              truetickets.nl
  primexbt.com             zone.eu                uvt.nl
  protonmail.com           ac-strasbourg.fr       xs4all.nl
  societe.com              kangouroukids.fr       domeneshop.no
  solvinity.com            octopuce.fr            handelsbanken.no
  t-2.com                  web200.hu              uib.no
  telfort.com              comcast.net            webcruitermail.no
  trashmail.com            dns-oarc.net           atelkamera.nu
  xfinity.com              gmx.net                debian.org
  xfinityhomesecurity.com  habramail.net          freebsd.org
  xfinitymobile.com        hr-manager.net         gentoo.org
  active24.cz              inexio.net             ietf.org
  atlas.cz                 mpssec.net             isc.org
  centrum.cz               procurios.net          lazarus-ide.org
  cuni.cz                  riseup.net             mailbox.org
  itesco.cz                t-2.net                netbsd.org
  klubpevnehozdravi.cz     transip.net            openssl.org
  krypton.cz               vevida.net             ozlabs.org
  onebit.cz                xs4all.net             samba.org
  optimail.cz              belastingdienst.nl     torproject.org
  server4u.cz              bhosted.nl             whatpulse.org
  smtp.cz                  billybird.nl           moikrug.ru
  virusfree.cz             bluerail.nl            boplatssyd-automail.se
  volny.cz                 boozyshop.nl           handelsbanken.se
  web4u.cz                 corpoflow.nl           loopia.se
  bayern.de                denhaag.nl             minmyndighetspost.se
  bund.de                  dictu.nl               personligalmanacka.se
  elster.de                digid.nl               skatteverket.se
  fau.de                   ezorg.nl               theletter.se
  freenet.de               fontys.nl              govtrack.us
  gmx.de                   intermax.nl            ru.ac.za

Of the ~1.82 million domains, 4167 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 414.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.
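The "partial" and "broken" buckets above, and the footnote's point that a dead MX host only needs a well-formed TLSA RRset, can be reproduced offline with the classification below. This is an added example, not code from the post or from the survey itself; the host names, the opaque byte strings standing in for DER certificates/SPKIs, and the session encoding are constructed assumptions, and only DANE-EE (usage 3) matching is implemented.

```python
import hashlib

def tlsa_well_formed(tlsa):
    """Structural check on one (usage, selector, mtype, data) TLSA tuple."""
    usage, selector, mtype, data = tlsa
    want = {1: 32, 2: 64}.get(mtype)          # digest length for SHA-256/512
    return (usage in (0, 1, 2, 3) and selector in (0, 1)
            and mtype in (0, 1, 2) and (want is None or len(data) == want))

def tlsa_matches(tlsa, cert_der, spki_der):
    """DANE-EE (usage 3) match against the presented end-entity certificate.
    Usage 2 (DANE-TA) needs the chain; this example treats it as a non-match."""
    usage, selector, mtype, data = tlsa
    if usage != 3:
        return False
    blob = cert_der if selector == 0 else spki_der   # selector 1 = SPKI
    if mtype == 0:
        return blob == data
    algo = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return algo(blob).digest() == data

def classify_domain(mx_hosts, tlsa_rrsets, sessions):
    """Bucket a domain as the report does: 'none', 'dane', 'partial' (TLSA on
    only some MX hosts) or 'broken' (TLSA published but no STARTTLS/no match).
    tlsa_rrsets: host -> list of TLSA tuples (absent host = no RRset)
    sessions:    host -> (cert_der, spki_der) for a TLS session,
                 False for connected-but-no-STARTTLS, None for host down."""
    covered = 0
    for host in mx_hosts:
        rrset = tlsa_rrsets.get(host, [])
        if not rrset:
            continue                       # no TLSA here: leaves a gap
        if not all(tlsa_well_formed(r) for r in rrset):
            return "broken"
        session = sessions.get(host)
        if session is None:                # dead host: well-formed TLSA suffices
            covered += 1
            continue
        if session is False or not any(tlsa_matches(r, *session) for r in rrset):
            return "broken"
        covered += 1
    if covered == 0:
        return "none"
    return "dane" if covered == len(mx_hosts) else "partial"

# Constructed sample data (not from the post): opaque bytes stand in for DER.
CERT, SPKI = b"constructed-cert-der", b"constructed-spki-der"
GOOD = (3, 1, 1, hashlib.sha256(SPKI).digest())      # matches current key
STALE = (3, 1, 1, hashlib.sha256(b"old-key").digest())  # left from a rotation
```

A monitoring job would feed `classify_domain` the live MX list, the TLSA RRsets fetched with DNSSEC validation, and the certificate each host actually presents after STARTTLS; anything other than "dane" is what the report counts against a domain.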

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1642.  The top 13
name server operators with problem domains are:

 425 registrar-servers.com
 304 mijnhostingpartner.nl (varies between 200 and 500+)
  96 egensajt.se
  66 eurodns.com
  64 2is.nl
  63 movenext.nl
  50 ebola.cz
  45 metaregistrar.nl
  31 tiscomhosting.nl
  27 hostnet.nl
  25 infracom.nl
  22 cdmon.net
  20 sylconia.net

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
