Update on stats 2021-03

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Apr 1 03:44:20 CEST 2021

NOTE:     When using NSEC3, please make sure your iteration count is
          not needlessly large (above ~25).  For details see:


Summary:  The DANE domain count is now 2,580,510 (up from 2,568,169 
          last month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 14,597,373 (up from 14,288,417 last
          month).  Thus DANE TLSA is deployed on ~17.67% of domains with


          The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
          taken place, and all previously issued X3-issued certificates
          are now expired.  If you're still publishing the X3 hash in
          your TLSA RRSet, it is best removed:


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 2,580,510 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                   Last month
  ----------                   ----------
  1219094 one.com              1219827 one.com             
   149627 transip.nl            148553 transip.nl          
   148446 argewebhosting.nl     147435 argewebhosting.nl   
   106039 infomaniak.ch         104178 domeneshop.no       
   104614 domeneshop.no         102904 infomaniak.ch       
    99953 webhostingserver.nl    99738 webhostingserver.nl 
    93378 loopia.se              92884 loopia.se           
    68008 forpsi.com             67647 forpsi.com          
    41460 active24.com           41221 active24.com        
    40278 webreus.nl             40647 webreus.nl          
    38710 pcextreme.nl           39035 pcextreme.nl        
    36833 antagonist.nl          36298 antagonist.nl       
    34505 zxcs.nl                33417 zxcs.nl             
    29520 vevida.com             29790 vevida.com          
    27896 webhosting.dk          27967 webhosting.dk       
    26473 web4u.cz               26531 web4u.cz            
    25964 udmedia.de             25882 udmedia.de          
    18829 bhosted.nl             18695 bhosted.nl          
    17072 protonmail.ch          16210 protonmail.ch       
    14579 onebit.cz              14555 onebit.cz           

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
  8450 TOTAL               8200 TOTAL              
  2555 DE, Germany         2467 DE, Germany        
  1628 US, United States   1591 US, United States  
  1628 NL, Netherlands     1567 NL, Netherlands    
   624 FR, France           632 FR, France         
   306 GB, United Kingdom   302 GB, United Kingdom 
   229 CZ, Czechia          225 CZ, Czechia        
   199 CA, Canada           190 CA, Canada         
   150 FI, Finland          144 FI, Finland        
   121 SG, Singapore        119 DK, Denmark        
   121 DK, Denmark          114 SG, Singapore      
    95 SE, Sweden            94 CH, Switzerland    
    93 CH, Switzerland       92 SE, Sweden         
    77 AU, Australia         71 AU, Australia      
    69 AT, Austria           63 AT, Austria        
    39 RU, Russia            38 PL, Poland         
    39 PL, Poland            37 JP, Japan          
    39 BR, Brazil            36 RU, Russia         
    38 JP, Japan             36 IE, Ireland        
    37 NO, Norway            36 BR, Brazil         
    37 IE, Ireland           33 NO, Norway         

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  6706 TOTAL               6537 TOTAL             
  3238 NL, Netherlands     3203 NL, Netherlands   
  1747 DE, Germany         1682 DE, Germany       
   678 US, United States    641 US, United States 
   289 FR, France           280 FR, France        
   144 CZ, Czechia          145 CZ, Czechia       
   132 GB, United Kingdom   123 GB, United Kingdom
    53 CA, Canada            49 CA, Canada        
    44 CH, Switzerland       44 CH, Switzerland   
    42 SG, Singapore         42 SE, Sweden        
    42 AT, Austria           42 AT, Austria       
    41 SE, Sweden            39 SG, Singapore     
    25 FI, Finland           26 FI, Finland       
    23 AU, Australia         23 AU, Australia     
    21 JP, Japan             21 JP, Japan         
    20 RU, Russia            17 IE, Ireland       
    18 DK, Denmark           17 DK, Denmark       
    17 IE, Ireland           15 NO, Norway        
    16 NO, Norway            14 BR, Brazil        
    14 BR, Brazil            13 RU, Russia        
    11 PL, Poland            10 PL, Poland        

There are 6,808 unique zones (6,612 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,010 (14,671 last
month).  These cover 15,241 distinct MX hosts (14,882 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 465 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 297
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.58 million domains, 12,913 (12,871 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1801
(1028 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (940 last
month).  The top 10 name server operators with problem domains are:

  This month                  Last month
  ----------                  ----------
  468 registrar-servers.com  439 registrar-servers.com
  122 movenext.nl            119 movenext.nl          
   93 ebola.cz                93 ebola.cz             
   46 axc.nl                  46 axc.nl               
   43 epik.com                45 made-easy.ch         
   31 mijndomein.nl           39 epik.com             
   29 made-easy.ch            34 mijndomein.nl        
   25 tiscomhosting.nl        26 tiscomhosting.nl     
   18 infracom.nl             22 eatserver.nl         
   16 eatserver.nl            19 infracom.nl          

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Five of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency

univie.ac.at                  mpg.de                           hetamsterdamsverbond.nl
gmx.at                        posteo.de                        hr.nl
idec.at                       ruhr-uni-bochum.de               interim-netwerk.nl
triodos.be                    tum.de                           introweb.nl
clubedohardware.com.br        uni-erlangen.de                  mailplus.nl
outeletro.com.br              uni-muenchen.de                  mailshover.nl
nic.br                        unitybox.de                      markteffectmail.nl
registro.br                   unitymedia.de                    mijnhypotheekonline.nl
gmx.ch                        web.de                           mijnsalon.nl
hostpoint.ch                  westlotto.de                     mijnuvt.nl
infomaniak.ch                 actie.deals                      minbuza.nl
open.ch                       bridgewalking.dk                 minbzk.nl
protonmail.ch                 dk-hostmaster.dk                 mindef.nl
switch.ch                     egmontpublishing.dk              minienw.nl
travailler-en-suisse.ch       fibianet.dk                      mkbbelangen.nl
simplelogin.co                labelking.dk                     mm1.nl
connectsb.com                 netic.dk                         nieuwsservice-rvo.nl
dailyplaylists.com            nota.dk                          ns.nl
datev.com                     nst.dk                           ongehoordnederland.nl
digitalelections.com          peterhald.dk                     ouderportaal.nl
ecstase.com                   powerhosting.dk                  overheid.nl
exegy.com                     shapeit.dk                       parlement.nl
flaneurhomme.com              star.dk                          partijvoordedieren.nl
fmc-na.com                    stil.dk                          plusticket.nl
gmx.com                       uni-c.dk                         podiumcadeaukaart.nl
habr.com                      uvm.dk                           politie.nl
horagames.com                 tilburguniversity.edu            powerslim.nl
hotelsinduitsland.com         emta.ee                          pp-prd.nl
imcnig.com                    lugeja.ee                        previder.nl
infomaniak.com                rmit.ee                          provalue.nl
ingthink.com                  envie.email                      rijksoverheid.nl
jula.com                      spike.email                      rivm.nl
kpn.com                       spotler.email                    rotterdam.nl
leszexpertsfle.com            rediris.es                       ru.nl
mail.com                      triodos.es                       rvo.nl
mammoetmail.com               uv.es                            sans-mail.nl
matilhadobemadestramento.com  litebit.eu                       schoudercom.nl
mx-relay.com                  transadvise.eu                   schuurman-schoenen.nl
one.com                       zone.eu                          sportrusten.nl
outsystems.com                zonevs.eu                        ssonet.nl
protonmail.com                traficom.fi                      stater.nl
protonvpn.com                 ac-strasbourg.fr                 telefoonglaasje.nl
sankakucomplex.com            bloctel.fr                       triodos.nl
schizinfo.com                 compagnie-des-sens.fr            truetickets.nl
societe.com                   srci.fr                          tweedekamer.nl
solvinity.com                 fidesz.hu                        uitgeverijpica.nl
stater.com                    mszp.hu                          utwente.nl
stellarequipment.com          voorbeeldsollicitatiebrief.info  uvt.nl
t-2.com                       interestexplorer.io              uwv.nl
thalesgroup.com               pm.me                            vu.nl
thepcw.com                    dla.mil                          waternet.nl
triodos.com                   jten.mil                         webcentral.nl
ugritone.com                  mail.mil                         wehkampfinance.nl
vanderkam.com                 militaryonesource.mil            xs4all.nl
veganallsorts.com             navy.mil                         zorgmail.nl
vitstore.com                  nga.mil                          annabellstefanussen.no
webmailph.com                 osd.mil                          audi.no
xfinity.com                   socom.mil                        derute.no
xfinityhomesecurity.com       uscg.mil                         domeneshop.no
xfinitymobile.com             usmc.mil                         handelsbanken.no
active24.cz                   comcast.net                      idrettenonline.no
akce-incomputer.cz            gmx.net                          leadmail.no
amenit.cz                     habramail.net                    nordicprint.no
cuni.cz                       hr-manager.net                   norskgrammatikk.no
flagranti.cz                  inexio.net                       uib.no
gigalekarna.cz                mijngezondheid.net               viphuset.no
itesco.cz                     mpssec.net                       atelkamera.nu
klenotyaurum.cz               procurios.net                    goget.nu
klubpevnehozdravi.cz          prolocation.net                  debian.org
manymail.cz                   ripe.net                         freebsd.org
nic.cz                        riseup.net                       gentoo.org
omvnovinky.cz                 t-2.net                          ietf.org
onebit.cz                     transip.net                      isc.org
optimail.cz                   triodos.net                      mailbox.org
poptavej.cz                   xs4all.net                       mailop.org
reserved.cz                   50plusbeurs.nl                   netbsd.org
server4u.cz                   amsterdam.nl                     openssl.org
smtp.cz                       argeweb.nl                       ozlabs.org
stoklasa.cz                   argewebhosting.nl                samba.org
toplist.cz                    arrangementenparade.nl           torproject.org
vas-server.cz                 awcloud.nl                       whatpulse.org
vcelka.cz                     belastingdienst.nl               psgaz.pl
virusfree.cz                  bhosted.nl                       asf.com.pt
zdravestravovani.cz           bhsupport.nl                     bilprovningen.se
agdsn.de                      bluerail.nl                      boplatssyd-automail.se
bayern.de                     boeketcadeau.nl                  ecster.se
brandenburg.de                boekwinkeltjes.nl                handelsbanken.se
bund.de                       boozyshop.nl                     loopia.se
bundesregierung.de            burgernet.nl                     minmyndighetspost.se
datev.de                      cbr.nl                           nordicprint.se
dfn.de                        chipbizz.nl                      personligalmanacka.se
ekom21.de                     corpoflow.nl                     skatteverket.se
elster.de                     derooijfotografie.nl             teknikdelar.se
fau.de                        dictu.nl                         theletter.se
freenet.de                    digid.nl                         pneusvet.sk
gmx.de                        duo.nl                           triodos.co.uk
jpberlin.de                   etz.nl                           govtrack.us
lrz.de                        ezorg.nl                         quantum-services.us
mail.de                       herinneringenoplinnen.nl         ru.ac.za

More information about the dane-users mailing list