Update on stats 2020-06

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jul 1 07:13:25 CEST 2020


Summary:  The DANE domain count is now 1,929,893

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 11,728,469.  Thus DANE TLSA is
          deployed on ~16.45% of domains with DNSSEC.

          DANE as a percentage of DNSSEC domains is dropping recently,
          because growth in DNSSEC adoption has started to outpace
          growth in DANE adoption.  This is a good problem to have,
          deploy even more DNSSEC, please!  At this rate, I am
          anticipating ~13 million signed domains by the end of 2020,
          but a surprise large-scale deployment would be even better.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.


As of today I count 1,929,893 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1038314 one.com
   140578 transip.nl
   101181 domeneshop.no
    89447 loopia.se
    80663 infomaniak.ch
    41035 webreus.nl
    39255 active24.com
    32282 antagonist.nl
    30793 vevida.com
    28642 zxcs.nl
    26840 web4u.cz
    25353 udmedia.de
    17599 bhosted.nl
    15003 flexfilter.nl
    14114 onebit.cz
    11144 protonmail.ch
     6432 zonemx.eu
     5926 soverin.net
     5790 netzone.ch
     5590 previder.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6728 TOTAL
  2147 DE, Germany
  1336 US, United States
  1008 NL, Netherlands
   576 FR, France
   283 GB, United Kingdom
   226 CZ, Czechia
   153 CA, Canada
   102 SG, Singapore
    93 CH, Switzerland
    84 FI, Finland
    82 SE, Sweden
    70 DK, Denmark
    51 AU, Australia
    48 AT, Austria
    42 IE, Ireland
    35 BR, Brazil
    32 IN, India
    30 JP, Japan
    28 RU, Russia
    26 PL, Poland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3458 TOTAL
  1426 DE, Germany
   565 US, United States
   521 NL, Netherlands
   274 FR, France
   125 CZ, Czechia
   105 GB, United Kingdom
    46 RU, Russia
    42 CH, Switzerland
    40 SG, Singapore
    40 CA, Canada
    36 SE, Sweden
    32 AT, Austria
    20 AU, Australia
    16 JP, Japan
    16 IE, Ireland
    14 NO, Norway
    14 DK, Denmark
    13 ID, Indonesia
    12 FI, Finland
    11 BR, Brazil

There are 5760 unique zones in which the underlying MX hosts are found; this
counts each of the above providers as just one zone, so it is a measure of the
breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 8056.  These cover 9041
distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email
transparency report is 353 (this is my ad-hoc criterion for a domain being a
large-enough actively used email domain).  Of these, 172 are in recent (last 90
days of) reports:

  univie.ac.at             jpberlin.de               maximum.nl
  gmx.at                   kabelmail.de              minbzk.nl
  triodos.be               lrz.de                    mindef.nl
  clubedohardware.com.br   mail.de                   mkbbelangen.nl
  nic.br                   mailserver4.de            mm1.nl
  registro.br              posteo.de                 ouderportaal.nl
  gmx.ch                   ruhr-uni-bochum.de        overheid.nl
  hostpoint.ch             tu-chemnitz.de            pathe.nl
  infomaniak.ch            tum.de                    politie.nl
  open.ch                  uni-erlangen.de           previder.nl
  protonmail.ch            uni-muenchen.de           professioneelbegeleiden.n
  switch.ch                unitybox.de               rijksoverheid.nl
  clubedominante.com       unitymedia.de             rotterdam.nl
  coosto.com               web.de                    ru.nl
  fmc-na.com               westlotto.de              rvo.nl
  gmx.com                  egmontpublishing.dk       schoudercom.nl
  habr.com                 netic.dk                  schuurman-schoenen.nl
  hotelsinduitsland.com    star.dk                   sportfondsen.nl
  infomaniak.com           lugeja.ee                 ssonet.nl
  ingthink.com             rediris.es                triodos.nl
  kpn.com                  triodos.es                truetickets.nl
  leszexpertsfle.com       uv.es                     uitgeverijpica.nl
  mail.com                 litebit.eu                utwente.nl
  mailzerver.com           zone.eu                   xs4all.nl
  mammoetmail.com          zonevs.eu                 zaantheater.nl
  mx-relay.com             ac-strasbourg.fr          zorgmail.nl
  one.com                  compagnie-des-sens.fr     domeneshop.no
  pre-sustainability.com   fidesz.hu                 handelsbanken.no
  primexbt.com             comcast.net               uib.no
  protonmail.com           dns-oarc.net              webcruitermail.no
  societe.com              gmx.net                   atelkamera.nu
  solvinity.com            habramail.net             goget.nu
  t-2.com                  hr-manager.net            aegee.org
  telfort.com              inexio.net                debian.org
  thalesgroup.com          mpssec.net                freebsd.org
  triodos.com              procurios.net             gentoo.org
  xfinity.com              riseup.net                ietf.org
  xfinityhomesecurity.com  t-2.net                   isc.org
  xfinitymobile.com        transip.net               lazarus-ide.org
  active24.cz              xs4all.net                mailbox.org
  atlas.cz                 xworks.net                netbsd.org
  centrum.cz               belastingdienst.nl        openssl.org
  cuni.cz                  bhosted.nl                ozlabs.org
  itesco.cz                bluerail.nl               samba.org
  klubpevnehozdravi.cz     boekwinkeltjes.nl         torproject.org
  krypton.cz               boozyshop.nl              whatpulse.org
  nic.cz                   corpoflow.nl              boplatssyd-automail.se
  onebit.cz                dictu.nl                  handelsbanken.se
  optimail.cz              digid.nl                  loopia.se
  smtp.cz                  duo.nl                    minmyndighetspost.se
  virusfree.cz             ezorg.nl                  personligalmanacka.se
  volny.cz                 gerryweber.nl             skatteverket.se
  bayern.de                herinneringenoplinnen.nl  theletter.se
  bund.de                  hr.nl                     kadernickyservis.sk
  elster.de                interconnect.nl           triodos.co.uk
  fau.de                   keessmit.nl               govtrack.us
  freenet.de               mailplus.nl               ru.ac.za
  gmx.de

Of the ~1.93 million domains, 5387 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 806.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093.  The top 16
name server operators with problem domains are:

    379 registrar-servers.com - NameCheap, no ETA... :-(
    366 axc.nl                - Usually fixed promptly, not this month
     86 ebola.cz
     71 movenext.nl
     36 cdmon.net
     31 flevohost.nl
     29 tiscomhosting.nl
     28 hostnet.nl
     24 nrdns.nl
     23 eatserver.nl
     22 metaregistrar.nl
     22 infracom.nl
     20 epik.com
     17 vandersalm-it.nl
     15 is.nl
     12 sylconia.net

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  bncr.fi.cr
  mobily.com.sa
  sauditelecom.com.sa

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
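The "partial" and "broken" categories above, and the footnote's point that a dead MX host only needs a well-formed TLSA RRset, can be checked offline against your own zone data. The following is an added example, not code from the post or from the survey tooling; the MX hosts and TLSA RRsets are constructed sample data, and matching records against the live certificate (the survey's actual correctness test) is deliberately out of scope here.

```python
# Added example: classify a domain's SMTP DANE coverage from its MX host list
# and the TLSA RRsets published at _25._tcp.<mx>, without live DNS queries.

# Digest length in hex characters per RFC 6698 matching type:
# 0 = full data (any even-length hex), 1 = SHA-256, 2 = SHA-512.
_DIGEST_HEX_LEN = {0: None, 1: 64, 2: 128}


def tlsa_is_well_formed(rdata: str) -> bool:
    """Check a TLSA record in presentation form, e.g. '3 1 1 <sha256-hex>'.
    Well-formed means fields in range and a digest of the right length; it
    says nothing about whether the record matches any certificate."""
    parts = rdata.split()
    if len(parts) != 4:
        return False
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
        data = bytes.fromhex(parts[3])  # rejects non-hex and odd length
    except ValueError:
        return False
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        return False
    want = _DIGEST_HEX_LEN[mtype]
    return len(data) > 0 and (want is None or len(parts[3]) == want)


def classify_dane_coverage(mx_hosts, tlsa_rrsets):
    """mx_hosts: MX hostnames of one domain.  tlsa_rrsets: dict mapping
    '_25._tcp.<mx>' to a list of TLSA rdata strings (missing key or empty
    list = no RRset published).  Returns 'full', 'partial', 'none', or
    'malformed' when any published record is not well-formed."""
    covered = malformed = 0
    for mx in mx_hosts:
        rrset = tlsa_rrsets.get(f"_25._tcp.{mx}", [])
        if not rrset:
            continue
        if all(tlsa_is_well_formed(r) for r in rrset):
            covered += 1
        else:
            malformed += 1
    if malformed:
        return "malformed"
    if covered == len(mx_hosts):
        return "full"
    return "partial" if covered else "none"


# Constructed sample: the secondary MX has no TLSA RRset, i.e. "partial".
SAMPLE_MX = ["mx1.example.net", "mx2.example.net"]
SAMPLE_TLSA = {"_25._tcp.mx1.example.net": ["3 1 1 " + "ab" * 32]}
```

Calling `classify_dane_coverage(SAMPLE_MX, SAMPLE_TLSA)` on the constructed data returns `partial`, the state the post warns is still exposed via the uncovered MX host.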