Update on stats 2020-10
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun Nov 1 03:36:58 CET 2020
Summary: The DANE domain count is now 2,312,209
The number of domains that return DNSSEC-validated replies in
response to MX queries is 12,951,015. Thus DANE TLSA is
deployed on ~17.85% of domains with DNSSEC.
Please be mindful of the upcoming Let's Encrypt Issuer
CA switch from X3/X4 to R3/R4 and E1/E2. See:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,312,209 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month                           Last Month
----------                           ----------
1,135,322 one.com                    1,135,621 one.com
  147,497 argewebhosting.nl            148,737 argewebhosting.nl
  144,505 transip.nl                   143,441 transip.nl
  102,517 domeneshop.no                102,226 domeneshop.no
   91,246 loopia.se                     90,725 loopia.se
   90,381 infomaniak.ch                 87,624 infomaniak.ch
   65,843 forpsi.com                    65,609 forpsi.com
   41,983 webreus.nl                    42,657 webreus.nl
   40,816 pcextreme.nl                  41,291 pcextreme.nl
   40,094 active24.com                  39,806 active24.com
   34,527 antagonist.nl                 33,919 antagonist.nl
   30,427 vevida.com                    30,527 vevida.com
   29,638 zxcs.nl                       29,222 zxcs.nl
   26,515 web4u.cz                      26,601 web4u.cz
   25,522 udmedia.de                    25,494 udmedia.de
   18,409 bhosted.nl                    18,283 bhosted.nl
   14,660 flexfilter.nl                 14,784 flexfilter.nl
   14,272 onebit.cz                     14,256 onebit.cz
   13,133 protonmail.ch                 12,646 protonmail.ch
    8,151 zonemx.eu                      7,678 zonemx.eu
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                 Last Month
----------                 ----------
7347 TOTAL                 7177 TOTAL
2332 DE, Germany           2307 DE, Germany
1439 US, United States     1435 US, United States
1175 NL, Netherlands       1089 NL, Netherlands
 602 FR, France             596 FR, France
 289 GB, United Kingdom     292 GB, United Kingdom
 233 CZ, Czechia            226 CZ, Czechia
 170 CA, Canada             161 CA, Canada
 112 FI, Finland            107 SG, Singapore
 108 SG, Singapore           97 CH, Switzerland
 102 CH, Switzerland         94 FI, Finland
  90 SE, Sweden              89 SE, Sweden
  76 DK, Denmark             76 DK, Denmark
  56 AU, Australia           59 AU, Australia
  50 AT, Austria             51 AT, Austria
  46 IE, Ireland             45 IE, Ireland
  39 IN, India               37 RU, Russia
  37 JP, Japan               36 BR, Brazil
  36 BR, Brazil              34 PL, Poland
  35 RU, Russia              34 JP, Japan
  34 PL, Poland              34 IN, India
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This Month                 Last month
----------                 ----------
3786 TOTAL                 3659 TOTAL
1549 DE, Germany           1520 DE, Germany
 628 NL, Netherlands        631 US, United States
 595 US, United States      574 NL, Netherlands
 280 FR, France             264 FR, France
 139 CZ, Czechia            135 CZ, Czechia
 113 GB, United Kingdom     111 GB, United Kingdom
  49 RU, Russia              46 CH, Switzerland
  49 CH, Switzerland         39 SG, Singapore
  43 CA, Canada              39 CA, Canada
  38 SG, Singapore           37 SE, Sweden
  36 SE, Sweden              36 AT, Austria
  32 AT, Austria             20 AU, Australia
  21 IE, Ireland             19 RU, Russia
  20 JP, Japan               19 JP, Japan
  16 NO, Norway              16 FI, Finland
  16 FI, Finland             15 NO, Norway
  16 DK, Denmark             15 DK, Denmark
  16 AU, Australia           12 IE, Ireland
  14 LV, Latvia              12 BR, Brazil
  14 BR, Brazil              10 PL, Poland
There are 6457 (6220 last month) unique zones in which the underlying MX hosts
are found; this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying DANE
SMTP.
The number of published MX host TLSA RRsets found is 9618 (9296 last month).
These cover 10622 (10309 last month) distinct MX hosts (some MX hosts share the
same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email
transparency report is 389 (395 last month, this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 190 (193
last month) are in recent (last 90 days of) reports:
univie.ac.at             gmx.de                   mailplus.nl
gmx.at                   jpberlin.de              markteffectmail.nl
tjek.be                  lrz.de                   minbuza.nl
triodos.be               mail.de                  minbzk.nl
clubedohardware.com.br   mailserver4.de           mindef.nl
nic.br                   mensa.de                 mkbbelangen.nl
registro.br              mpg.de                   mm1.nl
gmx.ch                   posteo.de                ns.nl
hostpoint.ch             ruhr-uni-bochum.de       ouderportaal.nl
infomaniak.ch            tum.de                   overheid.nl
open.ch                  uni-erlangen.de          parlement.nl
protonmail.ch            uni-muenchen.de          pathe.nl
switch.ch                unitybox.de              politie.nl
altospam.com             unitymedia.de            previder.nl
clubedominante.com       web.de                   rijksoverheid.nl
coosto.com               westlotto.de             ru.nl
fmc-na.com               dk-hostmaster.dk         rvo.nl
gmx.com                  egmontpublishing.dk      sans-mail.nl
habr.com                 netic.dk                 schoudercom.nl
hotelsinduitsland.com    powerhosting.dk          schuurman-schoenen.nl
infomaniak.com           star.dk                  sportfondsen.nl
ingthink.com             tilburguniversity.edu    sportrusten.nl
kpn.com                  just.ee                  ssonet.nl
leszexpertsfle.com       rediris.es               triodos.nl
mail.com                 triodos.es               truetickets.nl
mammoetmail.com          uv.es                    tweedekamer.nl
one.com                  inetadmin.eu             uitgeverijpica.nl
orverkiezing.com         zone.eu                  utwente.nl
ppcpcv.com               zonevs.eu                uvt.nl
protonmail.com           ac-strasbourg.fr         vu.nl
protonvpn.com            compagnie-des-sens.fr    wise-guys.nl
solvinity.com            kangouroukids.fr         xs4all.nl
t-2.com                  fidesz.hu                zorgmail.nl
telfort.com              mszp.hu                  domeneshop.no
thalesgroup.com          comcast.net              handelsbanken.no
triodos.com              gmx.net                  uib.no
vitstore.com             habramail.net            atelkamera.nu
xfinity.com              hr-manager.net           goget.nu
xfinityhomesecurity.com  inexio.net               debian.org
xfinitymobile.com        mpssec.net               freebsd.org
active24.cz              procurios.net            gentoo.org
akce-incomputer.cz       ripe.net                 ietf.org
amenit.cz                riseup.net               isc.org
atlas.cz                 t-2.net                  mailbox.org
centrum.cz               transip.net              mailop.org
cuni.cz                  xs4all.net               netbsd.org
itesco.cz                amsterdam.nl             openssl.org
klenotyaurum.cz          awcloud.nl               ozlabs.org
klubpevnehozdravi.cz     belastingdienst.nl       samba.org
krypton.cz               bhosted.nl               torproject.org
onebit.cz                bluerail.nl              whatpulse.org
optimail.cz              boekwinkeltjes.nl        asf.com.pt
poptavej.cz              boozyshop.nl             boplatssyd-automail.se
reserved.cz              burgernet.nl             handelsbanken.se
smtp.cz                  corpoflow.nl             loopia.se
vas-server.cz            dictu.nl                 minmyndighetspost.se
virusfree.cz             digid.nl                 personligalmanacka.se
volny.cz                 duo.nl                   skatteverket.se
bayern.de                ezorg.nl                 theletter.se
bund.de                  gerryweber.nl            kadernickyservis.sk
dfn.de                   hr.nl                    triodos.co.uk
elster.de                hro.nl                   govtrack.us
fau.de                   interim-netwerk.nl       ru.ac.za
freenet.de
Of the ~2.3 million domains, 13253 (13780 last month) have "partial" TLSA
records that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 771 (706 last
month). Some of these have additional MX hosts that don't have broken TLSA
records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real"
email domains with bad DNSSEC support stands at 1431 (1331 last month). The
top 15 name server operators with problem domains are:
This Month                    Last month
----------                    ----------
412 registrar-servers.com     372 axc.nl
385 axc.nl                    361 registrar-servers.com
107 movenext.nl               100 movenext.nl
 85 ebola.cz                   85 ebola.cz
 25 tiscomhosting.nl           25 tiscomhosting.nl
 25 eatserver.nl               25 eatserver.nl
 20 epik.com                   24 metaregistrar.nl
 18 metaregistrar.nl           18 infracom.nl
 18 infracom.nl                15 cloudflare.com
 14 cloudflare.com             12 nrdns.nl
 12 ns01.nl                    11 iterik.nu
 12 nrdns.nl                   11 epik.com
 11 sylconia.net               10 sylconia.net
 11 iterik.nu                  10 mobi-net.ch
 10 mobi-net.ch                 9 openprovider.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Seven of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
trtrj.jus.br
accenturealumni.com
bncr.fi.cr
ofda.gov
mobily.com.sa
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
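The post asks operators to monitor the validity of their own TLSA records, and footnote [1] notes that a record needs only to exist and be well-formed. The following Python is an added example, not code from the post or from any DANE project: it parses TLSA records in the presentation form dig prints, checks them for well-formedness, derives the "3 1 1" record to publish for a certificate, and tests whether a published RRset matches the live end-entity certificate. The stand-in certificate, the DER helpers and the parameter ranges (taken from RFC 6698/7671) are my assumptions; DANE-TA(2) records, which match a CA certificate rather than the leaf, are out of scope here.

```python
import hashlib

def parse_tlsa(presentation):  # 'usage selector mtype hexdata', as printed by dig, -> 4-tuple
    fields = presentation.split()
    usage, selector, mtype = (int(f) for f in fields[:3])
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def well_formed(record):  # known parameter values, digest length consistent with matching type
    usage, selector, mtype, data = record
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    return mtype == 0 or len(data) == {1: 32, 2: 64}[mtype]  # SHA-256 / SHA-512 digest sizes

def _der_tlv(buf, pos):  # (tag, value_start, value_end) of the DER element starting at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Extract SubjectPublicKeyInfo (selector 1) from a DER-encoded X.509 certificate."""
    _, tbs_start, _ = _der_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, pos, tbs_end = _der_tlv(cert_der, tbs_start)  # tbsCertificate ::= SEQUENCE
    fields = []
    while pos < tbs_end:                             # split tbsCertificate into its elements
        end = _der_tlv(cert_der, pos)[2]
        fields.append(cert_der[pos:end])
        pos = end
    skip = 1 if fields[0][0] == 0xA0 else 0         # optional [0] EXPLICIT version
    return fields[skip + 5]                          # serial, signature, issuer, validity, subject, SPKI

def tlsa_rdata(cert_der, usage=3, selector=1, mtype=1):
    """Record to publish for cert_der; '3 1 1' keeps matching across renewals while the key is kept."""
    obj = cert_der if selector == 0 else spki_from_cert(cert_der)
    data = obj if mtype == 0 else (hashlib.sha256 if mtype == 1 else hashlib.sha512)(obj).digest()
    return f"{usage} {selector} {mtype} {data.hex()}"

def dane_ee_matches(rrset, cert_der):
    """True if a well-formed DANE-EE(3) record in the published RRset matches the live cert."""
    return any(well_formed(r) and r[0] == 3
               and tlsa_rdata(cert_der, 3, r[1], r[2]).split()[3] == r[3].hex() for r in rrset)

def _der(tag, body):  # short-form DER encoder, enough for the constructed sample below
    return bytes([tag, len(body)]) + body

# Constructed stand-in certificate (not a real cert): just enough DER structure to locate the SPKI.
SAMPLE_SPKI = _der(0x30, _der(0x30, b"\x06\x03\x2a\x03\x04") + _der(0x03, b"\x00constructed-key"))
SAMPLE_CERT = _der(0x30, _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
                         + _der(0x30, b"") * 4 + SAMPLE_SPKI) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

For a real check, pass the DER certificate from the MX host's STARTTLS session (ssl's getpeercert(binary_form=True)) together with the records from `_25._tcp.<mx host>`, and compare the record you intend to publish for a new key against the RRset before rotating.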