Update on stats 2019-12

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jan 1 07:14:17 CET 2020

Summary:  The DANE domain count is now 1,734,012.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 10,715,677.  This is another large
          increase over last month when the total was  10,448,578.  Thus
          DANE TLSA is deployed on ~16.18% of domains with DNSSEC.

          Also adoption of ECDSA P-256 (algorithm 13) continues to grow,
          and the number of domains using P-256 KSKs has now surpassed
          RSA-SHA256 (algorithm 8) to become the most widely used DNSSEC
          algorithm.  See: https://stats.dnssec-tools.org/#parameter

          Happy New Year!  Great progress over the past twelve months,
          Last year's December totals were 774,820 DANE SMTP domains and
          8,878,369 DNSSEC-signed domains.]

Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 1,734,012 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer
domains they host.  The top 20 MX host providers by domain count

   1019882 one.com
    132965 transip.nl
     99844 domeneshop.no
     88024 loopia.se
     37425 active24.com
     31555 vevida.com
     29476 antagonist.nl
     26738 web4u.cz
     24646 udmedia.de
     18342 zxcs.nl
     17227 bhosted.nl
     15468 flexfilter.nl
     13505 onebit.cz
      8765 protonmail.ch
      5886 netzone.ch
      5632 previder.nl
      4707 mailplatform.eu
      4116 soverin.net
      3548 ips.nl
      3239 zonemx.eu

The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled
MX hosts shows the below top 20 countries (each unique IP address
is counted, so multi-homed MX hosts are perhaps somewhat

  6015 TOTAL
  1998 DE, Germany
  1209 US, United States
   892 NL, Netherlands
   480 FR, France
   229 GB, United Kingdom
   194 CZ, Czechia
   128 CA, Canada
    82 CH, Switzerland
    79 SG, Singapore
    74 SE, Sweden
    67 DK, Denmark
    54 FI, Finland
    46 IE, Ireland
    45 AT, Austria
    38 PL, Poland
    38 JP, Japan
    38 AU, Australia
    30 RU, Russia
    26 BR, Brazil
    24 IT, Italy

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3103 TOTAL
  1275 DE, Germany
   540 US, United States
   463 NL, Netherlands
   261 FR, France
   105 CZ, Czechia
    90 GB, United Kingdom
    41 SE, Sweden
    33 SG, Singapore
    30 CH, Switzerland
    28 JP, Japan
    28 CA, Canada
    24 AT, Austria
    18 IE, Ireland
    17 RU, Russia
    15 DK, Denmark
    14 SI, Slovenia
    13 NO, Norway
    13 ID, Indonesia
    12 FI, Finland
    12 BR, Brazil

There are 5053 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers

The number of published MX host TLSA RRsets found is 7743.  These
cover 8629 distinct MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of domains that at some point were listed in Gmail's
email transparency report is 297 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain).  Of
these, 147 are in recent (last 90 days of) reports:

  univie.ac.at             jpberlin.de            jasperalblas.nl
  gmx.at                   lrz.de                 mailplus.nl
  register.bg              mail.de                minbzk.nl
  nic.br                   posteo.de              mindef.nl
  registro.br              ruhr-uni-bochum.de     mm1.nl
  buymyweedonline.ca       tum.de                 ouderportaal.nl
  gmx.ch                   uni-erlangen.de        overheid.nl
  open.ch                  uni-muenchen.de        pathe.nl
  protonmail.ch            unitybox.de            photofacts.nl
  anubisnetworks.com       unitymedia.de          photofactsacademy.nl
  clubedominante.com       web.de                 politie.nl
  gmx.com                  egmontpublishing.dk    previder.nl
  habr.com                 netic.dk               rijksoverheid.nl
  hotelsinduitsland.com    star.dk                ru.nl
  ingthink.com             tilburguniversity.edu  rvo.nl
  kpn.com                  rediris.es             schoudercom.nl
  mail.com                 uv.es                  schuurman-schoenen.nl
  mammoetmail.com          komfortkasse.eu        ssonet.nl
  one.com                  web200.eu              truetickets.nl
  primexbt.com             zone.eu                uvt.nl
  protonmail.com           ac-strasbourg.fr       xs4all.nl
  societe.com              kangouroukids.fr       domeneshop.no
  solvinity.com            octopuce.fr            handelsbanken.no
  t-2.com                  web200.hu              uib.no
  telfort.com              comcast.net            webcruitermail.no
  trashmail.com            dns-oarc.net           atelkamera.nu
  xfinity.com              gmx.net                debian.org
  xfinityhomesecurity.com  habramail.net          freebsd.org
  xfinitymobile.com        hr-manager.net         gentoo.org
  active24.cz              inexio.net             ietf.org
  atlas.cz                 mpssec.net             isc.org
  centrum.cz               procurios.net          lazarus-ide.org
  cuni.cz                  riseup.net             mailbox.org
  itesco.cz                t-2.net                netbsd.org
  klubpevnehozdravi.cz     transip.net            openssl.org
  krypton.cz               vevida.net             ozlabs.org
  onebit.cz                xs4all.net             samba.org
  optimail.cz              belastingdienst.nl     torproject.org
  server4u.cz              bhosted.nl             whatpulse.org
  smtp.cz                  billybird.nl           moikrug.ru
  virusfree.cz             bluerail.nl            boplatssyd-automail.se
  volny.cz                 boozyshop.nl           handelsbanken.se
  web4u.cz                 corpoflow.nl           loopia.se
  bayern.de                denhaag.nl             minmyndighetspost.se
  bund.de                  dictu.nl               personligalmanacka.se
  elster.de                digid.nl               skatteverket.se
  fau.de                   ezorg.nl               theletter.se
  freenet.de               fontys.nl              govtrack.us
  gmx.de                   intermax.nl            ru.ac.za

Of the ~1.73 million domains, 3382 have "partial" TLSA records,
that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 426.  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining
MX hosts.  A partial list is available at:


To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the
number of "real" email domains with bad DNSSEC support stands at
1372.  The top 11 name server operators with problem domains are:

  347 registrar-servers.com   (new this month, fix expected in days)
  221 mijnhostingpartner.nl   (varies between 200 and 500+)
   95 egensajt.se
   62 movenext.nl
   59 eurodns.com
   47 metaregistrar.nl
   32 tiscomhosting.nl
   29 nrdns.nl
   26 hostnet.nl
   24 ebola.cz
   20 sylconia.net

If anyone has good contacts at some of these providers, please
encourage them to remediate not only the broken domains (I can send
them a list), but also the root cause that makes the breakage

Nine of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always
down, presumably as a hurdle to botnet SMTP code that gives up
where real MTAs might persist.  I am not a fan of this type of
defence (it can also impose undue latency on legitimate email).
However, provided the dead hosts still have TLSA records, (which
don't need to match anything, just need to exist and be well-formed)
there's no loss of security.

More information about the dane-users mailing list