Update on stats 2020-09
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Oct 1 06:12:56 CEST 2020
Summary: The DANE domain count is now 2,303,613
Most of the increase from last month can be credited to
argewebhosting.nl (~150k domains). Thank you
argewebhosting.nl.
On a smaller scale, but also notable, dfn.de enabled DANE SMTP
for their own domain and a number of affiliated research
institutions (34 domains in all). Thanks also to dfn.de.
The number of domains that return DNSSEC-validated replies in
response to MX queries is 12,743,720. Thus DANE TLSA is
deployed on ~18.07% of domains with DNSSEC.
Speaking of stats, you can now query the survey's view of
your (DNSSEC-signed) domain via the "Explore" button at:
https://stats.dnssec-tools.org/
The site makes no live queries; it shows the status of a
domain during the most recent daily survey run.
Please be mindful of the upcoming Let's Encrypt Issuer
CA switch from X3/X4 to R3/R4 and E1/E2. See:
https://mail.sys4.de/pipermail/dane-users/2020-September/thread.html#578
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,303,613 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                     Last Month
  ----------                     ----------
  1135621 one.com                1143500 one.com
   148737 argewebhosting.nl       141329 transip.nl
   143441 transip.nl              102015 domeneshop.no
   102226 domeneshop.no            90188 loopia.se
    90725 loopia.se                85000 infomaniak.ch
    87624 infomaniak.ch            64973 forpsi.com
    65609 forpsi.com               41646 pcextreme.nl
    42657 webreus.nl               41210 webreus.nl
    41291 pcextreme.nl             39560 active24.com
    39806 active24.com             32959 antagonist.nl
    33919 antagonist.nl            30569 vevida.com
    30527 vevida.com               28115 zxcs.nl
    29222 zxcs.nl                  26638 web4u.cz
    26601 web4u.cz                 25610 udmedia.de
    25494 udmedia.de               18038 bhosted.nl
    18283 bhosted.nl               14752 flexfilter.nl
    14784 flexfilter.nl            14165 onebit.cz
    14256 onebit.cz                12197 protonmail.ch
    12646 protonmail.ch             7191 zonemx.eu
     7678 zonemx.eu                 6077 soverin.net
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  This month                     Last Month
  ----------                     ----------
  7177 TOTAL                     6864 TOTAL
  2307 DE, Germany               2191 DE, Germany
  1435 US, United States         1377 US, United States
  1089 NL, Netherlands           1046 NL, Netherlands
   596 FR, France                 548 FR, France
   292 GB, United Kingdom         287 GB, United Kingdom
   226 CZ, Czechia                225 CZ, Czechia
   161 CA, Canada                 163 CA, Canada
   107 SG, Singapore              100 SG, Singapore
    97 CH, Switzerland             97 CH, Switzerland
    94 FI, Finland                 90 FI, Finland
    89 SE, Sweden                  84 SE, Sweden
    76 DK, Denmark                 71 DK, Denmark
    59 AU, Australia               49 AU, Australia
    51 AT, Austria                 47 AT, Austria
    45 IE, Ireland                 43 IE, Ireland
    37 RU, Russia                  36 BR, Brazil
    36 BR, Brazil                  33 PL, Poland
    34 PL, Poland                  32 RU, Russia
    34 JP, Japan                   31 JP, Japan
    34 IN, India                   30 IN, India
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This Month                     Last month
  ----------                     ----------
  3659 TOTAL                     3593 TOTAL
  1520 DE, Germany               1472 DE, Germany
   631 US, United States          614 US, United States
   574 NL, Netherlands            591 NL, Netherlands
   264 FR, France                 258 FR, France
   135 CZ, Czechia                146 CZ, Czechia
   111 GB, United Kingdom         105 GB, United Kingdom
    46 CH, Switzerland             48 CH, Switzerland
    39 SG, Singapore               40 SG, Singapore
    39 CA, Canada                  37 CA, Canada
    37 SE, Sweden                  34 SE, Sweden
    36 AT, Austria                 26 AT, Austria
    20 AU, Australia               21 RU, Russia
    19 RU, Russia                  19 AU, Australia
    19 JP, Japan                   17 JP, Japan
    16 FI, Finland                 15 FI, Finland
    15 NO, Norway                  14 NO, Norway
    15 DK, Denmark                 14 IE, Ireland
    12 IE, Ireland                 13 DK, Denmark
    12 BR, Brazil                  12 ID, Indonesia
    10 PL, Poland                  11 BR, Brazil
There are 6220 unique zones in which the underlying MX hosts are found; this
counts each of the above providers as just one zone, so it is a measure of the
breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 9296. These cover
10309 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 395 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 193
are in recent (last 90 days of) reports:
univie.ac.at gmx.de interconnect.nl
gmx.at jpberlin.de interim-netwerk.nl
triodos.be kabelmail.de keessmit.nl
clubedohardware.com.br lrz.de mailplus.nl
nic.br mail.de markteffectmail.nl
registro.br mailserver4.de minbzk.nl
gmx.ch mensa.de mindef.nl
hostpoint.ch mpg.de mkbbelangen.nl
infomaniak.ch posteo.de mm1.nl
open.ch ruhr-uni-bochum.de ns.nl
protonmail.ch tum.de ouderportaal.nl
switch.ch uni-erlangen.de overheid.nl
altospam.com uni-muenchen.de parlement.nl
clubedominante.com unitybox.de pathe.nl
coosto.com unitymedia.de politie.nl
fmc-na.com web.de positievepsychologiecongres.nl
gmx.com westlotto.de previder.nl
habr.com dk-hostmaster.dk rijksoverheid.nl
hotelsinduitsland.com egmontpublishing.dk ru.nl
infomaniak.com netic.dk rvo.nl
ingthink.com star.dk sans-mail.nl
joomlapolis.com stil.dk schoudercom.nl
kpn.com uni-c.dk schuurman-schoenen.nl
leszexpertsfle.com tilburguniversity.edu sportfondsen.nl
mail.com emta.ee sportrusten.nl
mammoetmail.com rmit.ee ssonet.nl
mx-relay.com rediris.es triodos.nl
one.com triodos.es truetickets.nl
ppcpcv.com uv.es tweedekamer.nl
pre-sustainability.com zone.eu uitgeverijpica.nl
protonmail.com zonevs.eu uvt.nl
protonvpn.com ac-strasbourg.fr wise-guys.nl
societe.com compagnie-des-sens.fr xs4all.nl
solvinity.com fidesz.hu zorgmail.nl
t-2.com idrinks.hu domeneshop.no
telfort.com mszp.hu handelsbanken.no
thalesgroup.com comcast.net uib.no
triodos.com gmx.net atelkamera.nu
vitstore.com habramail.net goget.nu
xfinity.com hr-manager.net debian.org
xfinityhomesecurity.com inexio.net freebsd.org
xfinitymobile.com mpssec.net gentoo.org
active24.cz procurios.net ietf.org
akce-incomputer.cz ripe.net isc.org
atlas.cz riseup.net mailbox.org
centrum.cz t-2.net mailop.org
cuni.cz transip.net netbsd.org
itesco.cz xs4all.net openssl.org
klenotyaurum.cz xworks.net ozlabs.org
klubpevnehozdravi.cz amsterdam.nl samba.org
krypton.cz awcloud.nl torproject.org
onebit.cz belastingdienst.nl whatpulse.org
optimail.cz bhosted.nl asf.com.pt
poptavej.cz bluerail.nl boplatssyd-automail.se
reserved.cz boozyshop.nl handelsbanken.se
smtp.cz burgernet.nl loopia.se
vas-server.cz corpoflow.nl minmyndighetspost.se
virusfree.cz dictu.nl personligalmanacka.se
volny.cz duo.nl skatteverket.se
bayern.de ezorg.nl theletter.se
bund.de gerryweber.nl kadernickyservis.sk
dfn.de herinneringenoplinnen.nl triodos.co.uk
elster.de hr.nl govtrack.us
fau.de hro.nl ru.ac.za
freenet.de
Of the ~2.3 million domains, 13780 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts. While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 706. Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1331. The top 15
name server operators with problem domains are:
  This Month                      Last month
  ----------                      ----------
  372 axc.nl                      374 axc.nl
  361 registrar-servers.com       344 registrar-servers.com
  100 movenext.nl                  86 ebola.cz
   85 ebola.cz                     66 movenext.nl
   25 tiscomhosting.nl             27 tiscomhosting.nl
   25 eatserver.nl                 22 eatserver.nl
   24 metaregistrar.nl             20 metaregistrar.nl
   18 infracom.nl                  20 infracom.nl
   15 cloudflare.com               15 nrdns.nl
   12 nrdns.nl                     15 cloudflare.com
   11 iterik.nu                    11 sylconia.net
   11 epik.com                     11 iterik.nu
   10 sylconia.net                 11 is.nl
   10 mobi-net.ch                  10 openprovider.nl
    9 openprovider.nl              10 mobi-net.ch
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Seven of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
trtrj.jus.br
accenturealumni.com
bncr.fi.cr
ofda.gov
mobily.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
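Added example, not code from this post or from the survey: a stand-alone
check of what the "monitor the validity of your own TLSA records" advice
and footnote [1] ask for. It parses TLSA records in presentation form,
applies the well-formedness checks (usage, selector, matching type, digest
length), matches DANE-EE(3) records against a server certificate's full DER
or its SubjectPublicKeyInfo, and then replays a certificate renewal that
keeps the key to show why "3 1 1" keeps matching while "3 0 1" silently
breaks (the reason behind the linked advice to avoid 3 0 1 / 3 0 2 with
Let's Encrypt). Assumptions: standard library only; the certificates are
constructed fake DER structures with the X.509 field order but no real key
or signature, and all hostnames, seeds and record values are made up.
DANE-TA(2) records need chain validation and are deliberately not matched.

```python
# Added example (not the survey's code): DANE-EE(3) TLSA matching against a
# server certificate, and why "3 1 1" survives a renewal that keeps the key
# while "3 0 1" does not.  Standard library only.  The certificates below are
# constructed fakes with the X.509 field order but no real key or signature;
# a live check would use ssl.SSLSocket.getpeercert(binary_form=True) after
# STARTTLS and the TLSA RRset of _25._tcp.<mx host> from a validating resolver.
import hashlib
import hmac
from typing import List, NamedTuple, Optional


class TLSA(NamedTuple):
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data


def parse_tlsa(presentation: str) -> TLSA:
    """Parse '3 1 1 <hex>'; the hex may be split into several chunks."""
    f = presentation.split()
    if len(f) < 4:
        raise ValueError("need usage, selector, matching type and data")
    return TLSA(int(f[0]), int(f[1]), int(f[2]), bytes.fromhex("".join(f[3:])))


def tlsa_problems(rec: TLSA) -> List[str]:
    """Well-formedness checks an SMTP client makes before trying to match."""
    problems = []
    if rec.usage not in (2, 3):
        problems.append("usage %d is unusable for SMTP (only DANE-TA(2)/DANE-EE(3))" % rec.usage)
    if rec.selector not in (0, 1):
        problems.append("unknown selector %d" % rec.selector)
    digest_len = {1: 32, 2: 64}.get(rec.mtype)
    if rec.mtype not in (0, 1, 2):
        problems.append("unknown matching type %d" % rec.mtype)
    elif digest_len is not None and len(rec.data) != digest_len:
        problems.append("matching type %d needs %d bytes, got %d" % (rec.mtype, digest_len, len(rec.data)))
    elif not rec.data:
        problems.append("empty association data")
    return problems


# --- minimal DER handling, just enough to pull the SubjectPublicKeyInfo out of a cert ---
def der(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (content up to 65535 bytes)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content


def der_header_len(tlv: bytes, pos: int = 0) -> int:
    """Size of the tag+length bytes of the TLV starting at pos."""
    first = tlv[pos + 1]
    return 2 if first < 0x80 else 2 + (first & 0x7F)


def der_children(tlv: bytes) -> List[bytes]:
    """Child TLVs of a constructed DER value."""
    pos, end, kids = der_header_len(tlv), len(tlv), []
    while pos < end:
        hdr = der_header_len(tlv, pos)
        first = tlv[pos + 1]
        length = first if first < 0x80 else int.from_bytes(tlv[pos + 2:pos + hdr], "big")
        kids.append(tlv[pos:pos + hdr + length])
        pos += hdr + length
    return kids


def extract_spki(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo of an X.509 certificate (the input for selector 1)."""
    if cert_der[0] != 0x30:
        raise ValueError("certificate is not a SEQUENCE")
    fields = der_children(der_children(cert_der)[0])   # tbsCertificate fields
    if fields[0][0] == 0xA0:                            # optional [0] EXPLICIT version
        fields = fields[1:]
    return fields[5]  # serial, signature, issuer, validity, subject, SPKI


def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    blob = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: blob, 1: hashlib.sha256(blob).digest(), 2: hashlib.sha512(blob).digest()}[mtype]


def dane_ee_match(rrset: List[TLSA], cert_der: bytes) -> Optional[TLSA]:
    """First well-formed DANE-EE(3) record matching the leaf certificate.
    DANE-TA(2) records need chain validation and are not handled here."""
    for rec in rrset:
        if rec.usage == 3 and not tlsa_problems(rec) and \
                hmac.compare_digest(association_data(cert_der, rec.selector, rec.mtype), rec.data):
            return rec
    return None


def fake_certificate(serial: int, key_seed: bytes) -> bytes:
    """Constructed stand-in for an X.509 cert: right field order, no real key or signature."""
    rsa_alg = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
    # the hashed seed stands in for the public key; a renewal that keeps the key keeps it
    spki = der(0x30, rsa_alg + der(0x03, b"\x00" + hashlib.sha512(key_seed).digest()))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(4, "big"))
              + rsa_alg + der(0x30, b"")
              + der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"210101000000Z"))
              + der(0x30, b"") + spki)
    return der(0x30, tbs + rsa_alg + der(0x03, b"\x00" * 65))


def renewal_demo() -> dict:
    """Publish '3 0 1' and '3 1 1' for today's cert, renew with the same key, recheck."""
    old = fake_certificate(1, b"mx1 key from 2020")
    new = fake_certificate(2, b"mx1 key from 2020")   # new serial, same key
    rrset = [parse_tlsa("3 0 1 " + hashlib.sha256(old).hexdigest()),
             parse_tlsa("3 1 1 " + hashlib.sha256(extract_spki(old)).hexdigest())]

    def matching(cert: bytes):
        return [(r.usage, r.selector, r.mtype) for r in rrset if dane_ee_match([r], cert)]
    return {"before_renewal": matching(old), "after_renewal": matching(new)}


if __name__ == "__main__":
    print(renewal_demo())   # "3 0 1" drops out after renewal, "3 1 1" keeps matching
    print(tlsa_problems(parse_tlsa("3 1 1 abcd")))
```

The renewal replay is the whole point: a "3 0 1" record hashes the entire
certificate, so it stops matching at the first renewal even when the key is
unchanged, which is exactly the outage the linked "common mistakes" pages
warn about; "3 1 1" hashes only the public key and keeps matching until you
deliberately roll the key, at which point the pre-publish-then-swap rotation
from RFC 7671 section 8.4 applies. The well-formedness checks are what
footnote [1] relies on: a record for a dead MX host need not match anything,
but a 32-byte SHA-256 digest is still a 32-byte digest.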