Update on stats 2020-10

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Nov 1 03:36:58 CET 2020

Summary:  The DANE domain count is now 2,312,209

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 12,951,015.  Thus DANE TLSA is
          deployed on ~17.85% of domains with DNSSEC.

          Please be mindful of the upcoming Let's Encrypt Issuer
          CA switch from X3/X4 to R3/R4 and E1/E2.  See:


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 2,312,209 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                    Last Month
  ----------                    ----------
  1,135,322 one.com             1,135,621 one.com
    147,497 argewebhosting.nl     148,737 argewebhosting.nl
    144,505 transip.nl            143,441 transip.nl
    102,517 domeneshop.no         102,226 domeneshop.no
     91,246 loopia.se              90,725 loopia.se
     90,381 infomaniak.ch          87,624 infomaniak.ch
     65,843 forpsi.com             65,609 forpsi.com
     41,983 webreus.nl             42,657 webreus.nl
     40,816 pcextreme.nl           41,291 pcextreme.nl
     40,094 active24.com           39,806 active24.com
     34,527 antagonist.nl          33,919 antagonist.nl
     30,427 vevida.com             30,527 vevida.com
     29,638 zxcs.nl                29,222 zxcs.nl
     26,515 web4u.cz               26,601 web4u.cz
     25,522 udmedia.de             25,494 udmedia.de
     18,409 bhosted.nl             18,283 bhosted.nl
     14,660 flexfilter.nl          14,784 flexfilter.nl
     14,272 onebit.cz              14,256 onebit.cz
     13,133 protonmail.ch          12,646 protonmail.ch
      8,151 zonemx.eu               7,678 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month                    Last Month
  ----------                    ----------
  7347 TOTAL                    7177 TOTAL
  2332 DE, Germany              2307 DE, Germany
  1439 US, United States        1435 US, United States
  1175 NL, Netherlands          1089 NL, Netherlands
   602 FR, France                596 FR, France
   289 GB, United Kingdom        292 GB, United Kingdom
   233 CZ, Czechia               226 CZ, Czechia
   170 CA, Canada                161 CA, Canada
   112 FI, Finland               107 SG, Singapore
   108 SG, Singapore              97 CH, Switzerland
   102 CH, Switzerland            94 FI, Finland
    90 SE, Sweden                 89 SE, Sweden
    76 DK, Denmark                76 DK, Denmark
    56 AU, Australia              59 AU, Australia
    50 AT, Austria                51 AT, Austria
    46 IE, Ireland                45 IE, Ireland
    39 IN, India                  37 RU, Russia
    37 JP, Japan                  36 BR, Brazil
    36 BR, Brazil                 34 PL, Poland
    35 RU, Russia                 34 JP, Japan
    34 PL, Poland                 34 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This Month                    Last month
  ----------                    ----------
  3786 TOTAL                    3659 TOTAL
  1549 DE, Germany              1520 DE, Germany
   628 NL, Netherlands           631 US, United States
   595 US, United States         574 NL, Netherlands
   280 FR, France                264 FR, France
   139 CZ, Czechia               135 CZ, Czechia
   113 GB, United Kingdom        111 GB, United Kingdom
    49 RU, Russia                 46 CH, Switzerland
    49 CH, Switzerland            39 SG, Singapore
    43 CA, Canada                 39 CA, Canada
    38 SG, Singapore              37 SE, Sweden
    36 SE, Sweden                 36 AT, Austria
    32 AT, Austria                20 AU, Australia
    21 IE, Ireland                19 RU, Russia
    20 JP, Japan                  19 JP, Japan
    16 NO, Norway                 16 FI, Finland
    16 FI, Finland                15 NO, Norway
    16 DK, Denmark                15 DK, Denmark
    16 AU, Australia              12 IE, Ireland
    14 LV, Latvia                 12 BR, Brazil
    14 BR, Brazil                 10 PL, Poland

There are 6457 (6220 last month) unique zones in which the underlying MX hosts
are found, this counts each of the above providers as just one zone, so is a
measure of the breadth of adoption in terms of organizations deploying DANE

The number of published MX host TLSA RRsets found is 9618 (9296 last month).
These cover 10622 (10309 last month) distinct MX hosts (some MX hosts share the
same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email
transparency report is 389 (395 last month, this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 190 (193
last month) are in recent (last 90 days of) reports:

  univie.ac.at             gmx.de                 mailplus.nl
  gmx.at                   jpberlin.de            markteffectmail.nl
  tjek.be                  lrz.de                 minbuza.nl
  triodos.be               mail.de                minbzk.nl
  clubedohardware.com.br   mailserver4.de         mindef.nl
  nic.br                   mensa.de               mkbbelangen.nl
  registro.br              mpg.de                 mm1.nl
  gmx.ch                   posteo.de              ns.nl
  hostpoint.ch             ruhr-uni-bochum.de     ouderportaal.nl
  infomaniak.ch            tum.de                 overheid.nl
  open.ch                  uni-erlangen.de        parlement.nl
  protonmail.ch            uni-muenchen.de        pathe.nl
  switch.ch                unitybox.de            politie.nl
  altospam.com             unitymedia.de          previder.nl
  clubedominante.com       web.de                 rijksoverheid.nl
  coosto.com               westlotto.de           ru.nl
  fmc-na.com               dk-hostmaster.dk       rvo.nl
  gmx.com                  egmontpublishing.dk    sans-mail.nl
  habr.com                 netic.dk               schoudercom.nl
  hotelsinduitsland.com    powerhosting.dk        schuurman-schoenen.nl
  infomaniak.com           star.dk                sportfondsen.nl
  ingthink.com             tilburguniversity.edu  sportrusten.nl
  kpn.com                  just.ee                ssonet.nl
  leszexpertsfle.com       rediris.es             triodos.nl
  mail.com                 triodos.es             truetickets.nl
  mammoetmail.com          uv.es                  tweedekamer.nl
  one.com                  inetadmin.eu           uitgeverijpica.nl
  orverkiezing.com         zone.eu                utwente.nl
  ppcpcv.com               zonevs.eu              uvt.nl
  protonmail.com           ac-strasbourg.fr       vu.nl
  protonvpn.com            compagnie-des-sens.fr  wise-guys.nl
  solvinity.com            kangouroukids.fr       xs4all.nl
  t-2.com                  fidesz.hu              zorgmail.nl
  telfort.com              mszp.hu                domeneshop.no
  thalesgroup.com          comcast.net            handelsbanken.no
  triodos.com              gmx.net                uib.no
  vitstore.com             habramail.net          atelkamera.nu
  xfinity.com              hr-manager.net         goget.nu
  xfinityhomesecurity.com  inexio.net             debian.org
  xfinitymobile.com        mpssec.net             freebsd.org
  active24.cz              procurios.net          gentoo.org
  akce-incomputer.cz       ripe.net               ietf.org
  amenit.cz                riseup.net             isc.org
  atlas.cz                 t-2.net                mailbox.org
  centrum.cz               transip.net            mailop.org
  cuni.cz                  xs4all.net             netbsd.org
  itesco.cz                amsterdam.nl           openssl.org
  klenotyaurum.cz          awcloud.nl             ozlabs.org
  klubpevnehozdravi.cz     belastingdienst.nl     samba.org
  krypton.cz               bhosted.nl             torproject.org
  onebit.cz                bluerail.nl            whatpulse.org
  optimail.cz              boekwinkeltjes.nl      asf.com.pt
  poptavej.cz              boozyshop.nl           boplatssyd-automail.se
  reserved.cz              burgernet.nl           handelsbanken.se
  smtp.cz                  corpoflow.nl           loopia.se
  vas-server.cz            dictu.nl               minmyndighetspost.se
  virusfree.cz             digid.nl               personligalmanacka.se
  volny.cz                 duo.nl                 skatteverket.se
  bayern.de                ezorg.nl               theletter.se
  bund.de                  gerryweber.nl          kadernickyservis.sk
  dfn.de                   hr.nl                  triodos.co.uk
  elster.de                hro.nl                 govtrack.us
  fau.de                   interim-netwerk.nl     ru.ac.za

Of the ~2.3 million domains, 13253 (13780 last month) have "partial" TLSA
records, that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise
STARTTLS (even though TLSA records are published) stands today at 771 (706 last
month).  Some of these have additional MX hosts that don't have broken TLSA
records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of "real"
email domains with bad DNSSEC support stands at 1431 (1331 last month).  The
top 15 name server operators with problem domains are:

  This Month                  Last month
  ----------                  ----------
  412 registrar-servers.com   372 axc.nl
  385 axc.nl                  361 registrar-servers.com
  107 movenext.nl             100 movenext.nl
   85 ebola.cz                 85 ebola.cz
   25 tiscomhosting.nl         25 tiscomhosting.nl
   25 eatserver.nl             25 eatserver.nl
   20 epik.com                 24 metaregistrar.nl
   18 metaregistrar.nl         18 infracom.nl
   18 infracom.nl              15 cloudflare.com
   14 cloudflare.com           12 nrdns.nl
   12 ns01.nl                  11 iterik.nu
   12 nrdns.nl                 11 epik.com
   11 sylconia.net             10 sylconia.net
   11 iterik.nu                10 mobi-net.ch
   10 mobi-net.ch               9 openprovider.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Seven of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

More information about the dane-users mailing list