Update on stats 2020-06
Viktor Dukhovni
ietf-dane at dukhovni.org
Wed Jul 1 07:13:25 CEST 2020
Summary: The DANE domain count is now 1,929,893
The number of domains that return DNSSEC-validated replies in
response to MX queries is 11,728,469. Thus DANE TLSA is
deployed on ~16.45% of domains with DNSSEC.
DANE as a percentage of DNSSEC domains is dropping recently,
because growth in DNSSEC adoption has started to outpace
growth in DANE adoption. This is a good problem to have,
deploy even more DNSSEC, please! At this rate, I am
anticipating ~13 million signed domains by the end of 2020,
but a surprise large-scale deployment would be even better.
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 1,929,893 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
1038314 one.com
140578 transip.nl
101181 domeneshop.no
89447 loopia.se
80663 infomaniak.ch
41035 webreus.nl
39255 active24.com
32282 antagonist.nl
30793 vevida.com
28642 zxcs.nl
26840 web4u.cz
25353 udmedia.de
17599 bhosted.nl
15003 flexfilter.nl
14114 onebit.cz
11144 protonmail.ch
6432 zonemx.eu
5926 soverin.net
5790 netzone.ch
5590 previder.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
6728 TOTAL
2147 DE, Germany
1336 US, United States
1008 NL, Netherlands
576 FR, France
283 GB, United Kingdom
226 CZ, Czechia
153 CA, Canada
102 SG, Singapore
93 CH, Switzerland
84 FI, Finland
82 SE, Sweden
70 DK, Denmark
51 AU, Australia
48 AT, Austria
42 IE, Ireland
35 BR, Brazil
32 IN, India
30 JP, Japan
28 RU, Russia
26 PL, Poland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
3458 TOTAL
1426 DE, Germany
565 US, United States
521 NL, Netherlands
274 FR, France
125 CZ, Czechia
105 GB, United Kingdom
46 RU, Russia
42 CH, Switzerland
40 SG, Singapore
40 CA, Canada
36 SE, Sweden
32 AT, Austria
20 AU, Australia
16 JP, Japan
16 IE, Ireland
14 NO, Norway
14 DK, Denmark
13 ID, Indonesia
12 FI, Finland
11 BR, Brazil
There are 5760 unique zones in which the underlying MX hosts are found, this
counts each of the above providers as just one zone, so is a measure of the
breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 8056. These cover 9041
distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email
transparency report is 353 (this is my ad-hoc criterion for a domain being a
large-enough actively used email domain). Of these, 172 are in recent (last 90
days of) reports:
univie.ac.at jpberlin.de maximum.nl
gmx.at kabelmail.de minbzk.nl
triodos.be lrz.de mindef.nl
clubedohardware.com.br mail.de mkbbelangen.nl
nic.br mailserver4.de mm1.nl
registro.br posteo.de ouderportaal.nl
gmx.ch ruhr-uni-bochum.de overheid.nl
hostpoint.ch tu-chemnitz.de pathe.nl
infomaniak.ch tum.de politie.nl
open.ch uni-erlangen.de previder.nl
protonmail.ch uni-muenchen.de professioneelbegeleiden.n
switch.ch unitybox.de rijksoverheid.nl
clubedominante.com unitymedia.de rotterdam.nl
coosto.com web.de ru.nl
fmc-na.com westlotto.de rvo.nl
gmx.com egmontpublishing.dk schoudercom.nl
habr.com netic.dk schuurman-schoenen.nl
hotelsinduitsland.com star.dk sportfondsen.nl
infomaniak.com lugeja.ee ssonet.nl
ingthink.com rediris.es triodos.nl
kpn.com triodos.es truetickets.nl
leszexpertsfle.com uv.es uitgeverijpica.nl
mail.com litebit.eu utwente.nl
mailzerver.com zone.eu xs4all.nl
mammoetmail.com zonevs.eu zaantheater.nl
mx-relay.com ac-strasbourg.fr zorgmail.nl
one.com compagnie-des-sens.fr domeneshop.no
pre-sustainability.com fidesz.hu handelsbanken.no
primexbt.com comcast.net uib.no
protonmail.com dns-oarc.net webcruitermail.no
societe.com gmx.net atelkamera.nu
solvinity.com habramail.net goget.nu
t-2.com hr-manager.net aegee.org
telfort.com inexio.net debian.org
thalesgroup.com mpssec.net freebsd.org
triodos.com procurios.net gentoo.org
xfinity.com riseup.net ietf.org
xfinityhomesecurity.com t-2.net isc.org
xfinitymobile.com transip.net lazarus-ide.org
active24.cz xs4all.net mailbox.org
atlas.cz xworks.net netbsd.org
centrum.cz belastingdienst.nl openssl.org
cuni.cz bhosted.nl ozlabs.org
itesco.cz bluerail.nl samba.org
klubpevnehozdravi.cz boekwinkeltjes.nl torproject.org
krypton.cz boozyshop.nl whatpulse.org
nic.cz corpoflow.nl boplatssyd-automail.se
onebit.cz dictu.nl handelsbanken.se
optimail.cz digid.nl loopia.se
smtp.cz duo.nl minmyndighetspost.se
virusfree.cz ezorg.nl personligalmanacka.se
volny.cz gerryweber.nl skatteverket.se
bayern.de herinneringenoplinnen.nl theletter.se
bund.de hr.nl kadernickyservis.sk
elster.de interconnect.nl triodos.co.uk
fau.de keessmit.nl govtrack.us
freenet.de mailplus.nl ru.ac.za
gmx.de
Of the ~1.93 million domains, 5387 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 806. Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093. The top 16
name server operators with problem domains are:
379 registrar-servers.com - NameCheap, no ETA... :-(
366 axc.nl - Usually fixed promptly, not this month
86 ebola.cz
71 movenext.nl
36 cdmon.net
31 flevohost.nl
29 tiscomhosting.nl
28 hostnet.nl
24 nrdns.nl
23 eatserver.nl
22 metaregistrar.nl
22 infracom.nl
20 epik.com
17 vandersalm-it.nl
15 is.nl
12 sylconia.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Eight of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt01.gov.br
trtrio.gov.br
trt1.jus.br
trtrj.jus.br
bncr.fi.cr
mobily.com.sa
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
More information about the dane-users
mailing list