Update on stats 2020-09

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Oct 1 06:12:56 CEST 2020

Summary:  The DANE domain count is now 2,303,613

          Most of the increase from last month can be credited to
          argewebhosting.nl (~150k domains).  Thank you

          On a smaller scale, but also notable, dfn.de enabled DANE SMTP
          for their own domain and a number of affiliated research
          insitutitions (34 domains in all).  Thanks also to dnf.de.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 12,743,720.  Thus DANE TLSA is
          deployed on ~18.07% of domains with DNSSEC.

          Speaking of stats, you can now qiery the survey's view of
          your (DNSSEC-signed) via the "Explore" button at:


          The site makes no live queries, it shows the status of a
          domain during the most recent daily survey run.

          Please be mindful of the upcoming Let's Encrypt Issuer
          CA switch from X3/X4 to R3/R4 and E1/E2.  See:


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 2,303,613 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                    Last Month
  ----------                    ----------
  1135621 one.com               1143500 one.com
   148737 argewebhosting.nl      141329 transip.nl
   143441 transip.nl             102015 domeneshop.no
   102226 domeneshop.no           90188 loopia.se
    90725 loopia.se               85000 infomaniak.ch
    87624 infomaniak.ch           64973 forpsi.com
    65609 forpsi.com              41646 pcextreme.nl
    42657 webreus.nl              41210 webreus.nl
    41291 pcextreme.nl            39560 active24.com
    39806 active24.com            32959 antagonist.nl
    33919 antagonist.nl           30569 vevida.com
    30527 vevida.com              28115 zxcs.nl
    29222 zxcs.nl                 26638 web4u.cz
    26601 web4u.cz                25610 udmedia.de
    25494 udmedia.de              18038 bhosted.nl
    18283 bhosted.nl              14752 flexfilter.nl
    14784 flexfilter.nl           14165 onebit.cz
    14256 onebit.cz               12197 protonmail.ch
    12646 protonmail.ch            7191 zonemx.eu
     7678 zonemx.eu                6077 soverin.net

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month                    Last Month
  ----------                    ----------
  7177 TOTAL                    6864 TOTAL
  2307 DE, Germany              2191 DE, Germany
  1435 US, United States        1377 US, United States
  1089 NL, Netherlands          1046 NL, Netherlands
   596 FR, France                548 FR, France
   292 GB, United Kingdom        287 GB, United Kingdom
   226 CZ, Czechia               225 CZ, Czechia
   161 CA, Canada                163 CA, Canada
   107 SG, Singapore             100 SG, Singapore
    97 CH, Switzerland            97 CH, Switzerland
    94 FI, Finland                90 FI, Finland
    89 SE, Sweden                 84 SE, Sweden
    76 DK, Denmark                71 DK, Denmark
    59 AU, Australia              49 AU, Australia
    51 AT, Austria                47 AT, Austria
    45 IE, Ireland                43 IE, Ireland
    37 RU, Russia                 36 BR, Brazil
    36 BR, Brazil                 33 PL, Poland
    34 PL, Poland                 32 RU, Russia
    34 JP, Japan                  31 JP, Japan
    34 IN, India                  30 IN, India

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

   This Month                    Last month                 
   ----------                    ----------                 
   3659 TOTAL                    3593 TOTAL                 
   1520 DE, Germany              1472 DE, Germany           
    631 US, United States         614 US, United States     
    574 NL, Netherlands           591 NL, Netherlands       
    264 FR, France                258 FR, France            
    135 CZ, Czechia               146 CZ, Czechia           
    111 GB, United Kingdom        105 GB, United Kingdom    
     46 CH, Switzerland            48 CH, Switzerland       
     39 SG, Singapore              40 SG, Singapore         
     39 CA, Canada                 37 CA, Canada            
     37 SE, Sweden                 34 SE, Sweden            
     36 AT, Austria                26 AT, Austria           
     20 AU, Australia              21 RU, Russia            
     19 RU, Russia                 19 AU, Australia         
     19 JP, Japan                  17 JP, Japan             
     16 FI, Finland                15 FI, Finland           
     15 NO, Norway                 14 NO, Norway            
     15 DK, Denmark                14 IE, Ireland           
     12 IE, Ireland                13 DK, Denmark           
     12 BR, Brazil                 12 ID, Indonesia         
     10 PL, Poland                 11 BR, Brazil            

There are 6220 unique zones in which the underlying MX hosts are found, this
counts each of the above providers as just one zone, so is a measure of the
breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 9296.  These cover
10309 distinct MX hosts (some MX hosts share the same TLSA records
through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 395 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 193
are in recent (last 90 days of) reports:

  univie.ac.at             gmx.de                    interconnect.nl
  gmx.at                   jpberlin.de               interim-netwerk.nl
  triodos.be               kabelmail.de              keessmit.nl
  clubedohardware.com.br   lrz.de                    mailplus.nl
  nic.br                   mail.de                   markteffectmail.nl
  registro.br              mailserver4.de            minbzk.nl
  gmx.ch                   mensa.de                  mindef.nl
  hostpoint.ch             mpg.de                    mkbbelangen.nl
  infomaniak.ch            posteo.de                 mm1.nl
  open.ch                  ruhr-uni-bochum.de        ns.nl
  protonmail.ch            tum.de                    ouderportaal.nl
  switch.ch                uni-erlangen.de           overheid.nl
  altospam.com             uni-muenchen.de           parlement.nl
  clubedominante.com       unitybox.de               pathe.nl
  coosto.com               unitymedia.de             politie.nl
  fmc-na.com               web.de                    positievepsychologiecongres.nl
  gmx.com                  westlotto.de              previder.nl
  habr.com                 dk-hostmaster.dk          rijksoverheid.nl
  hotelsinduitsland.com    egmontpublishing.dk       ru.nl
  infomaniak.com           netic.dk                  rvo.nl
  ingthink.com             star.dk                   sans-mail.nl
  joomlapolis.com          stil.dk                   schoudercom.nl
  kpn.com                  uni-c.dk                  schuurman-schoenen.nl
  leszexpertsfle.com       tilburguniversity.edu     sportfondsen.nl
  mail.com                 emta.ee                   sportrusten.nl
  mammoetmail.com          rmit.ee                   ssonet.nl
  mx-relay.com             rediris.es                triodos.nl
  one.com                  triodos.es                truetickets.nl
  ppcpcv.com               uv.es                     tweedekamer.nl
  pre-sustainability.com   zone.eu                   uitgeverijpica.nl
  protonmail.com           zonevs.eu                 uvt.nl
  protonvpn.com            ac-strasbourg.fr          wise-guys.nl
  societe.com              compagnie-des-sens.fr     xs4all.nl
  solvinity.com            fidesz.hu                 zorgmail.nl
  t-2.com                  idrinks.hu                domeneshop.no
  telfort.com              mszp.hu                   handelsbanken.no
  thalesgroup.com          comcast.net               uib.no
  triodos.com              gmx.net                   atelkamera.nu
  vitstore.com             habramail.net             goget.nu
  xfinity.com              hr-manager.net            debian.org
  xfinityhomesecurity.com  inexio.net                freebsd.org
  xfinitymobile.com        mpssec.net                gentoo.org
  active24.cz              procurios.net             ietf.org
  akce-incomputer.cz       ripe.net                  isc.org
  atlas.cz                 riseup.net                mailbox.org
  centrum.cz               t-2.net                   mailop.org
  cuni.cz                  transip.net               netbsd.org
  itesco.cz                xs4all.net                openssl.org
  klenotyaurum.cz          xworks.net                ozlabs.org
  klubpevnehozdravi.cz     amsterdam.nl              samba.org
  krypton.cz               awcloud.nl                torproject.org
  onebit.cz                belastingdienst.nl        whatpulse.org
  optimail.cz              bhosted.nl                asf.com.pt
  poptavej.cz              bluerail.nl               boplatssyd-automail.se
  reserved.cz              boozyshop.nl              handelsbanken.se
  smtp.cz                  burgernet.nl              loopia.se
  vas-server.cz            corpoflow.nl              minmyndighetspost.se
  virusfree.cz             dictu.nl                  personligalmanacka.se
  volny.cz                 duo.nl                    skatteverket.se
  bayern.de                ezorg.nl                  theletter.se
  bund.de                  gerryweber.nl             kadernickyservis.sk
  dfn.de                   herinneringenoplinnen.nl  triodos.co.uk
  elster.de                hr.nl                     govtrack.us
  fau.de                   hro.nl                    ru.ac.za

Of the ~2.3 million domains, 13780 have "partial" TLSA records, that
cover only a subset of the (secondary) MX hosts.  While this protects
traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands today
at 706.  Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1331.  The top 15
name server operators with problem domains are:

    This Month                  Last month                 
    ----------                  ----------                 
    372 axc.nl                  374 axc.nl
    361 registrar-servers.com   344 registrar-servers.com
    100 movenext.nl              86 ebola.cz
     85 ebola.cz                 66 movenext.nl
     25 tiscomhosting.nl         27 tiscomhosting.nl
     25 eatserver.nl             22 eatserver.nl
     24 metaregistrar.nl         20 metaregistrar.nl
     18 infracom.nl              20 infracom.nl
     15 cloudflare.com           15 nrdns.nl
     12 nrdns.nl                 15 cloudflare.com
     11 iterik.nu                11 sylconia.net
     11 epik.com                 11 iterik.nu
     10 sylconia.net             11 is.nl
     10 mobi-net.ch              10 openprovider.nl
      9 openprovider.nl          10 mobi-net.ch

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Seven of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

More information about the dane-users mailing list