Update on stats 2020-05

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Jun 1 04:57:27 CEST 2020


Summary:  The DANE domain count is now 1,915,922.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 11,527,814.  Thus DANE TLSA is
          deployed on ~16.61% of domains with DNSSEC.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 1,915,922 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1037280 one.com
   139399 transip.nl
   100897 domeneshop.no
    89161 loopia.se
    78214 infomaniak.ch
    38950 active24.com
    35233 webreus.nl
    31605 antagonist.nl
    30879 vevida.com
    28311 zxcs.nl
    26922 web4u.cz
    25215 udmedia.de
    17576 bhosted.nl
    14932 flexfilter.nl
    14026 onebit.cz
    10759 protonmail.ch
     6048 zonemx.eu
     5785 netzone.ch
     5780 soverin.net
     5580 previder.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6637 TOTAL
  2140 DE, Germany
  1312 US, United States
   991 NL, Netherlands
   563 FR, France
   273 GB, United Kingdom
   225 CZ, Czechia
   156 CA, Canada
    96 SG, Singapore
    88 CH, Switzerland
    80 SE, Sweden
    77 FI, Finland
    68 DK, Denmark
    54 AU, Australia
    46 AT, Austria
    45 IE, Ireland
    35 BR, Brazil
    34 IN, India
    30 RU, Russia
    30 PL, Poland
    27 JP, Japan

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

   3386 TOTAL
   1407 DE, Germany
    545 US, United States
    518 NL, Netherlands
    263 FR, France
    120 CZ, Czechia
    108 GB, United Kingdom
     42 CA, Canada
     41 CH, Switzerland
     39 SG, Singapore
     35 SE, Sweden
     31 RU, Russia
     31 AT, Austria
     19 IE, Ireland
     19 AU, Australia
     16 JP, Japan
     15 DK, Denmark
     12 NO, Norway
     12 ID, Indonesia
     12 FI, Finland
     11 BR, Brazil

There are 5649 unique zones in which the underlying MX hosts are found; this
counts each of the above providers as just one zone, so it is a measure of the
breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 7879.  These cover 8848
distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email
transparency report is 353 (this is my ad-hoc criterion for a domain being a
large-enough actively used email domain).  Of these, 184 are in recent (last 90
days of) reports.

Of the ~1.92 million domains, 5001 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 528.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1093.  The top 13
name server operators with problem domains are:

    344 registrar-servers.com
     81 ebola.cz
     72 movenext.nl
     38 cdmon.net
     33 flevohost.nl
     30 tiscomhosting.nl
     28 hostnet.nl
     23 nrdns.nl
     22 infracom.nl
     19 metaregistrar.nl
     18 eatserver.nl
     17 epik.com
     16 is.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Eight of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  bncr.fi.cr
  mobily.com.sa
  sauditelecom.com.sa

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
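Added example (not from Viktor's post or his survey tooling): an offline classifier that applies the report's buckets to one domain ("dane" when every MX host has well-formed TLSA records, "partial" when only some do, "broken" when any record is malformed, "none"), a lint for the fragile "3 0 x" form the linked Let's Encrypt thread warns about, and a digest check for verifying a "3 1 1" record against the key actually served before and after rotation. The MX names, the `tlsa_lookup` dict shape and the SPKI bytes are constructed assumptions standing in for real DNS answers and a real certificate; dead MX hosts are counted as covered when their TLSA records exist and are well-formed, as in footnote [1].

```python
import hashlib
import re

# Hex digest length and hash per TLSA matching type (1 = SHA2-256, 2 = SHA2-512).
_DIGEST_HEX_LEN = {1: 64, 2: 128}
_HASH = {1: hashlib.sha256, 2: hashlib.sha512}

def tlsa_problems(rec):
    """Defects in a TLSA tuple (usage, selector, mtype, hex_data); [] = well-formed."""
    usage, selector, mtype, data = rec
    out = []
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        out.append("unknown usage/selector/matching type")
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", data):
        out.append("association data is not non-empty even-length hex")
    elif mtype in _DIGEST_HEX_LEN and len(data) != _DIGEST_HEX_LEN[mtype]:
        out.append("digest length %d does not fit matching type %d" % (len(data), mtype))
    return out

def tlsa_warnings(rec):
    """Well-formed but fragile: '3 0 x' pins the whole cert, so every renewal breaks delivery."""
    return ["usage 3 with selector 0 breaks on each renewal"] if rec[:2] == (3, 0) else []

def classify_domain(mx_hosts, tlsa_lookup):
    """Returns (status, uncovered_hosts, broken_hosts).  tlsa_lookup maps the constructed
    "_25._tcp.<host>" name to TLSA tuples; a missing key models a validated NODATA answer."""
    uncovered, broken = [], []
    for host in mx_hosts:
        recs = tlsa_lookup.get("_25._tcp." + host, [])
        if not recs:
            uncovered.append(host)
        elif any(tlsa_problems(r) for r in recs):
            broken.append(host)
    if broken:
        status = "broken"      # the report's "incorrect TLSA records" bucket
    elif not uncovered:
        status = "dane"        # every MX host covered
    elif len(uncovered) < len(mx_hosts):
        status = "partial"     # the report's 5001 "partial" domains
    else:
        status = "none"
    return status, uncovered, broken

def spki_digest(spki_der, mtype=1):
    return _HASH[mtype](spki_der).hexdigest()   # association data for a '3 1 <mtype>' record

def spki_matches(rec, spki_der):
    """True when a selector-1 digest record matches the served key; run before and after rotation."""
    _, selector, mtype, data = rec
    return selector == 1 and mtype in _HASH and spki_digest(spki_der, mtype) == data.lower()
```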
