Update on stats 2020-02

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Mar 1 10:17:01 CET 2020


Summary:  The DANE domain count is now 1,842,179.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 10,837,476.  Thus DANE TLSA is
          deployed on ~17.00% of domains with DNSSEC.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 1,842,179 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  1039151 one.com
   135237 transip.nl
   100341 domeneshop.no
    88535 loopia.se
    68917 infomaniak.ch
    37835 active24.com
    31227 vevida.com
    30345 antagonist.nl
    26692 web4u.cz
    24813 udmedia.de
    22509 zxcs.nl
    17374 bhosted.nl
    15308 flexfilter.nl
    13690 onebit.cz
     9518 protonmail.ch
     5814 netzone.ch
     5575 previder.nl
     5163 soverin.net
     4756 mailplatform.eu
     4321 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  6251 TOTAL
  2084 DE, Germany
  1246 US, United States
   896 NL, Netherlands
   549 FR, France
   256 GB, United Kingdom
   201 CZ, Czechia
   153 CA, Canada
    85 CH, Switzerland
    83 SG, Singapore
    78 SE, Sweden
    69 DK, Denmark
    46 AT, Austria
    44 IE, Ireland
    43 JP, Japan
    39 AU, Australia
    31 BR, Brazil
    27 RU, Russia
    26 PL, Poland
    25 IT, Italy
    23 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  3176 TOTAL
  1311 DE, Germany
   531 US, United States
   453 NL, Netherlands
   263 FR, France
   112 CZ, Czechia
    98 GB, United Kingdom
    41 SE, Sweden
    35 SG, Singapore
    34 AT, Austria
    33 CH, Switzerland
    32 JP, Japan
    32 CA, Canada
    31 RU, Russia
    17 IE, Ireland
    16 DK, Denmark
    14 SI, Slovenia
    13 NO, Norway
    13 AU, Australia
    12 ID, Indonesia
    12 BR, Brazil

There are 5296 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.

The number of published MX host TLSA RRsets found is 8054.  These cover
8964 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of domains that at some point were listed in Gmail's email
transparency report is 322 (this is my ad-hoc criterion for a domain
being a large-enough actively used email domain).  Of these, 155 are in
recent (last 90 days of) reports:

  univie.ac.at             jpberlin.de            minbzk.nl
  gmx.at                   kabelmail.de           mindef.nl
  register.bg              lrz.de                 mm1.nl
  nic.br                   mail.de                ouderportaal.nl
  registro.br              mailserver4.de         overheid.nl
  buymyweedonline.ca       posteo.de              pathe.nl
  gmx.ch                   ruhr-uni-bochum.de     photofacts.nl
  infomaniak.ch            tum.de                 politie.nl
  open.ch                  uni-erlangen.de        previder.nl
  protonmail.ch            uni-muenchen.de        rijksoverheid.nl
  anubisnetworks.com       unitybox.de            ru.nl
  clubedominante.com       unitymedia.de          rvo.nl
  fmc-na.com               web.de                 schoudercom.nl
  gmx.com                  egmontpublishing.dk    schuurman-schoenen.nl
  habr.com                 netic.dk               ssonet.nl
  hotelsinduitsland.com    star.dk                truetickets.nl
  infomaniak.com           tilburguniversity.edu  uvt.nl
  ingthink.com             emta.ee                xs4all.nl
  kpn.com                  lugeja.ee              zorgmail.nl
  leszexpertsfle.com       rmit.ee                domeneshop.no
  mail.com                 rediris.es             handelsbanken.no
  mammoetmail.com          uv.es                  uib.no
  one.com                  web200.eu              webcruitermail.no
  primexbt.com             zone.eu                atelkamera.nu
  protonmail.com           ac-strasbourg.fr       goget.nu
  solvinity.com            compagnie-des-sens.fr  aegee.org
  t-2.com                  octopuce.fr            debian.org
  telfort.com              web200.hu              freebsd.org
  trashmail.com            comcast.net            gentoo.org
  vitstore.com             dns-oarc.net           ietf.org
  xfinity.com              gmx.net                isc.org
  xfinityhomesecurity.com  habramail.net          lazarus-ide.org
  xfinitymobile.com        hr-manager.net         mailbox.org
  active24.cz              inexio.net             netbsd.org
  atlas.cz                 mpssec.net             openssl.org
  centrum.cz               procurios.net          ozlabs.org
  cuni.cz                  riseup.net             samba.org
  itesco.cz                t-2.net                slackbuilds.org
  klubpevnehozdravi.cz     transip.net            torproject.org
  krypton.cz               vevida.net             whatpulse.org
  onebit.cz                xs4all.net             asf.com.pt
  optimail.cz              xworks.net             moikrug.ru
  smtp.cz                  belastingdienst.nl     boplatssyd-automail.se
  virusfree.cz             bhosted.nl             handelsbanken.se
  volny.cz                 bluerail.nl            loopia.se
  web4u.cz                 boozyshop.nl           minmyndighetspost.se
  bayern.de                corpoflow.nl           personligalmanacka.se
  bund.de                  dictu.nl               skatteverket.se
  elster.de                digid.nl               theletter.se
  fau.de                   intermax.nl            govtrack.us
  freenet.de               jasperalblas.nl        ru.ac.za
  gmx.de                   mailplus.nl

Of the ~1.84 million domains, 4424 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 466.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
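To make the survey's buckets concrete (every MX host covered, "partial" coverage of only some MX hosts, TLSA published but the record is wrong or STARTTLS is not offered, and the footnote's dead hosts whose records only need to be well-formed), here is an added Python example. It is not part of this report and not the survey's own tooling. It classifies a domain from its MX hosts' TLSA RRsets and the certificates they present, computing certificate association data the way RFC 6698 defines it for each selector and matching type; the `Tlsa` and `MxHost` types, the function names, and the host names, "certificate" and "SPKI" byte strings are all constructed stand-ins (a real monitor would take the certificate from the live STARTTLS session and the TLSA RRset from a validating resolver).

```python
"""Classify a mail domain's SMTP DANE coverage: 'dane', 'partial',
'broken' or 'none'.  Added example; certificates are raw byte stand-ins."""
import hashlib
from dataclasses import dataclass, field
from typing import List, Optional

# Expected association-data length per matching type (0 = exact, 1 = SHA-256, 2 = SHA-512).
DIGEST_LEN = {0: None, 1: 32, 2: 64}


@dataclass
class Tlsa:
    usage: int      # certificate usage; SMTP DANE uses 2 (DANE-TA) and 3 (DANE-EE)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # matching type, see DIGEST_LEN
    data: bytes


@dataclass
class MxHost:
    name: str
    tlsa: List[Tlsa]                 # published TLSA RRset, possibly empty
    starttls: Optional[bool]         # None: host never accepts connections (a "dead" MX)
    cert: bytes = b""                # DER of the server certificate (constructed here)
    spki: bytes = b""                # DER of its SubjectPublicKeyInfo (constructed here)
    chain: List[tuple] = field(default_factory=list)  # (cert, spki) of each issuer


def well_formed(rr: Tlsa) -> bool:
    """Syntactic sanity only: a dead host counts as covered when its TLSA
    records are well-formed, even though they never need to match anything."""
    if rr.usage not in (0, 1, 2, 3) or rr.selector not in (0, 1) or rr.mtype not in DIGEST_LEN:
        return False
    want = DIGEST_LEN[rr.mtype]
    return len(rr.data) > 0 if want is None else len(rr.data) == want


def assoc_data(cert: bytes, spki: bytes, rr: Tlsa) -> bytes:
    """Certificate association data for the record's selector and matching type."""
    raw = cert if rr.selector == 0 else spki
    if rr.mtype == 0:
        return raw
    return hashlib.sha256(raw).digest() if rr.mtype == 1 else hashlib.sha512(raw).digest()


def rr_matches(host: MxHost, rr: Tlsa) -> bool:
    """DANE-EE (3) must match the end-entity certificate, DANE-TA (2) any
    issuer in the presented chain.  PKIX usages 0 and 1 are not used for
    SMTP and are treated as non-matching."""
    if rr.usage == 3:
        return rr.data == assoc_data(host.cert, host.spki, rr)
    if rr.usage == 2:
        return any(rr.data == assoc_data(c, s, rr) for c, s in host.chain)
    return False


def host_status(host: MxHost) -> str:
    """'none' (no TLSA), 'ok', or 'broken' (TLSA published but unusable)."""
    if not host.tlsa:
        return "none"
    if host.starttls is None:
        return "ok" if all(well_formed(rr) for rr in host.tlsa) else "broken"
    if not host.starttls:
        return "broken"          # TLSA published but STARTTLS not advertised
    if any(well_formed(rr) and rr_matches(host, rr) for rr in host.tlsa):
        return "ok"
    return "broken"              # no record matches the presented certificate


def domain_status(hosts: List[MxHost]) -> str:
    """Bucket a domain: any broken host is an outage risk; a mix of covered
    and uncovered hosts is 'partial'; all covered is 'dane'."""
    statuses = {host_status(h) for h in hosts}
    if "broken" in statuses:
        return "broken"
    if statuses == {"ok"}:
        return "dane"
    if "ok" in statuses:
        return "partial"
    return "none"


def sha256_ee(spki: bytes) -> Tlsa:
    """A 3 1 1 record (DANE-EE, SPKI, SHA-256) for the given SPKI bytes."""
    return Tlsa(3, 1, 1, hashlib.sha256(spki).digest())


# Constructed sample hosts (names, keys and certificate bytes are stand-ins).
KEY_A, KEY_B, CA_SPKI = b"spki-of-mx1", b"spki-of-mx2", b"spki-of-ca"
MX1 = MxHost("mx1.example", [sha256_ee(KEY_A)], True, b"cert-a", KEY_A)
MX2_OK = MxHost("mx2.example", [sha256_ee(KEY_B)], True, b"cert-b", KEY_B)
MX2_STALE = MxHost("mx2.example", [sha256_ee(b"old-key")], True, b"cert-b", KEY_B)  # key rotated, TLSA not
MX2_NO_TLSA = MxHost("mx2.example", [], True, b"cert-b", KEY_B)
MX3_TA = MxHost("mx3.example", [Tlsa(2, 1, 1, hashlib.sha256(CA_SPKI).digest())],
                True, b"cert-c", b"spki-c", [(b"cert-ca", CA_SPKI)])
DEAD = MxHost("mx9.example", [Tlsa(3, 1, 1, bytes(32))], None)  # always down, well-formed record

if __name__ == "__main__":
    for label, hosts in [("all covered", [MX1, MX2_OK, MX3_TA, DEAD]),
                         ("stale key on mx2", [MX1, MX2_STALE]),
                         ("mx2 uncovered", [MX1, MX2_NO_TLSA])]:
        print(f"{label}: {domain_status(hosts)}")
```

The stale-key case is the outage the recommendation above warns about: rotating the server key without first publishing the new record turns a covered domain into a broken one, and DANE-aware senders then refuse to deliver.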

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1846.  The top 13
name server operators with problem domains are:

  482 registrar-servers.com  (count still growing slowly)
  348 mijnhostingpartner.nl  (operator expects a fix "before long")
  275 axc.nl                 (new this month :-( )
   82 egensajt.se
   64 movenext.nl
   56 ebola.cz
   46 metaregistrar.nl
   30 tiscomhosting.nl
   27 hostnet.nl
   23 infracom.nl
   22 cdmon.net
   20 sylconia.net
   17 is.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Nine (same as last month) of the domains all of whose nameservers have broken
denial of existence appear in the last 120 days of Google transparency reports:

  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  flytoyourheart.com
  topdecorationworld.com
  mobily.com.sa
  sauditelecom.com.sa
  threadteaching.co.uk
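"Broken denial of existence" means the nameserver's negative answers do not let a validating resolver prove that a name is absent, so the MX or TLSA lookup fails outright. As an added illustration, not part of this report, here is a Python sketch of the one step every such proof rests on: the NSEC "cover" test, using RFC 4034 canonical name ordering, with the last NSEC in the zone wrapping round to the apex. The zone, its NSEC chain and the faulty negative answer are constructed; the function names are the example's own; and it deliberately leaves out the closest-encloser and wildcard checks and RRSIG verification that a complete NSEC proof also needs.

```python
"""NSEC cover check as a validating resolver performs it.  Added example
with a constructed zone; it implements only the cover step of the proof."""


def canonical_key(name: str) -> tuple:
    """Key for RFC 4034 canonical ordering: labels are compared from the root
    leftwards, case-insensitively and byte-wise; an ancestor sorts before its
    descendants, and a label that is a prefix of another sorts first."""
    labels = [lbl.lower().encode("ascii") for lbl in name.rstrip(".").split(".") if lbl]
    return tuple(reversed(labels))


def canonical_cmp(a: str, b: str) -> int:
    """-1, 0 or 1 like a classic comparator, in canonical DNS order."""
    ka, kb = canonical_key(a), canonical_key(b)
    return (ka > kb) - (ka < kb)


def nsec_covers(owner: str, next_name: str, qname: str) -> bool:
    """Does `owner NSEC next_name` prove that `qname` does not exist?  Only
    when qname sorts strictly inside the gap.  If next_name sorts before
    owner this is the zone's last NSEC and the gap wraps round to the apex."""
    if canonical_cmp(qname, owner) == 0:
        return False        # the name exists; only its type bitmap could deny a type
    after_owner = canonical_cmp(owner, qname) < 0
    before_next = canonical_cmp(qname, next_name) < 0
    if canonical_cmp(owner, next_name) < 0:
        return after_owner and before_next
    return after_owner or before_next


def find_cover(nsecs, qname):
    """Return the first (owner, next) NSEC in a negative answer that covers
    qname, or None.  None is what makes a validating resolver mark the reply
    bogus, and the MX or TLSA lookup fails with SERVFAIL."""
    for owner, nxt in nsecs:
        if nsec_covers(owner, nxt, qname):
            return (owner, nxt)
    return None


# Constructed zone "example.test" with an NSEC chain over its four names.
GOOD_CHAIN = [
    ("example.test", "a.example.test"),
    ("a.example.test", "mx.example.test"),
    ("mx.example.test", "www.example.test"),
    ("www.example.test", "example.test"),   # last record wraps to the apex
]
# A faulty server that returns only the apex NSEC for every NXDOMAIN: the
# record may be correctly signed, yet it covers nothing past a.example.test.
BAD_ANSWER = [("example.test", "a.example.test")]

TLSA_NAME = "_25._tcp.mx.example.test"     # the name a DANE-aware MTA queries

if __name__ == "__main__":
    print("good answer covers:", find_cover(GOOD_CHAIN, TLSA_NAME))
    print("bad answer covers:", find_cover(BAD_ANSWER, TLSA_NAME))
```

Note the ordering subtleties the comparator has to get right: `mx.example.test` sorts before `_25._tcp.mx.example.test` because the ancestor is a prefix, and `a.example.test` sorts before `ab.example.test` for the same reason at the label level; a server that sorts names as plain strings will emit gaps that do not line up with what validators compute.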

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
