Update on stats 2021-03
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Apr 1 03:44:20 CEST 2021
NOTE: When using NSEC3, please make sure your iteration count is
not needlessly large (above ~25). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
Summary: The DANE domain count is now 2,580,510 (up from 2,568,169
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 14,597,373 (up from 14,288,417 last
month). Thus DANE TLSA is deployed on ~17.67% of domains with
DNSSEC.
https://stats.dnssec-tools.org/
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,580,510 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
    This month                       Last month
    ----------                       ----------
    1219094 one.com                  1219827 one.com
     149627 transip.nl                148553 transip.nl
     148446 argewebhosting.nl         147435 argewebhosting.nl
     106039 infomaniak.ch             104178 domeneshop.no
     104614 domeneshop.no             102904 infomaniak.ch
      99953 webhostingserver.nl        99738 webhostingserver.nl
      93378 loopia.se                  92884 loopia.se
      68008 forpsi.com                 67647 forpsi.com
      41460 active24.com               41221 active24.com
      40278 webreus.nl                 40647 webreus.nl
      38710 pcextreme.nl               39035 pcextreme.nl
      36833 antagonist.nl              36298 antagonist.nl
      34505 zxcs.nl                    33417 zxcs.nl
      29520 vevida.com                 29790 vevida.com
      27896 webhosting.dk              27967 webhosting.dk
      26473 web4u.cz                   26531 web4u.cz
      25964 udmedia.de                 25882 udmedia.de
      18829 bhosted.nl                 18695 bhosted.nl
      17072 protonmail.ch              16210 protonmail.ch
      14579 onebit.cz                  14555 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    This month                  Last month
    ----------                  ----------
    8450 TOTAL                  8200 TOTAL
    2555 DE, Germany            2467 DE, Germany
    1628 US, United States      1591 US, United States
    1628 NL, Netherlands        1567 NL, Netherlands
     624 FR, France              632 FR, France
     306 GB, United Kingdom      302 GB, United Kingdom
     229 CZ, Czechia             225 CZ, Czechia
     199 CA, Canada              190 CA, Canada
     150 FI, Finland             144 FI, Finland
     121 SG, Singapore           119 DK, Denmark
     121 DK, Denmark             114 SG, Singapore
      95 SE, Sweden               94 CH, Switzerland
      93 CH, Switzerland          92 SE, Sweden
      77 AU, Australia            71 AU, Australia
      69 AT, Austria              63 AT, Austria
      39 RU, Russia               38 PL, Poland
      39 PL, Poland               37 JP, Japan
      39 BR, Brazil               36 RU, Russia
      38 JP, Japan                36 IE, Ireland
      37 NO, Norway               36 BR, Brazil
      37 IE, Ireland              33 NO, Norway
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
    This month                  Last month
    ----------                  ----------
    6706 TOTAL                  6537 TOTAL
    3238 NL, Netherlands        3203 NL, Netherlands
    1747 DE, Germany            1682 DE, Germany
     678 US, United States      641 US, United States
     289 FR, France              280 FR, France
     144 CZ, Czechia             145 CZ, Czechia
     132 GB, United Kingdom      123 GB, United Kingdom
      53 CA, Canada               49 CA, Canada
      44 CH, Switzerland          44 CH, Switzerland
      42 SG, Singapore            42 SE, Sweden
      42 AT, Austria              42 AT, Austria
      41 SE, Sweden               39 SG, Singapore
      25 FI, Finland              26 FI, Finland
      23 AU, Australia            23 AU, Australia
      21 JP, Japan                21 JP, Japan
      20 RU, Russia               17 IE, Ireland
      18 DK, Denmark              17 DK, Denmark
      17 IE, Ireland              15 NO, Norway
      16 NO, Norway               14 BR, Brazil
      14 BR, Brazil               13 RU, Russia
      11 PL, Poland               10 PL, Poland
There are 6,808 unique zones (6,612 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,010 (14,671 last
month). These cover 15,241 distinct MX hosts (14,882 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 465 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 297
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.58 million domains, 12,913 (12,871 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1801
(1028 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
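As an added example (not code from this post or from any of the linked resources), the monitoring checks the preceding paragraphs call for, run offline against constructed inputs: computing a TLSA record's association data for its selector and matching type, classifying a domain's MX hosts as fully, partially or incorrectly covered (the categories counted above), and confirming that a "current + next" rollover RRset already matches the next key before the key is swapped in (RFC 7671 section 8.4). The certificate and SPKI bytes are constructed stand-ins; a live checker would take them from the STARTTLS handshake and fetch the TLSA RRsets via DNSSEC-validated lookups, and DANE-TA(2) records, which need the issuer chain, are not evaluated here.

```python
import hashlib
from collections import namedtuple

# usage: 2 = DANE-TA, 3 = DANE-EE (the SMTP usages of RFC 7671); selector: 0 = full cert,
# 1 = SubjectPublicKeyInfo; mtype: 0 = exact data, 1 = SHA-256, 2 = SHA-512.
TLSA = namedtuple("TLSA", "usage selector mtype data")

def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format such as '3 1 1 2b1f...' (the hex may contain spaces)."""
    usage, selector, mtype, hexdata = rdata.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))

def matching_data(rec: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Association data derived from the presented certificate for this record's selector/type."""
    obj = {0: cert_der, 1: spki_der}[rec.selector]
    return {0: obj, 1: hashlib.sha256(obj).digest(), 2: hashlib.sha512(obj).digest()}[rec.mtype]

def tlsa_rdata(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """Presentation-format record an operator would publish for this certificate or key."""
    data = matching_data(TLSA(usage, selector, mtype, b""), cert_der, spki_der)
    return f"{usage} {selector} {mtype} {data.hex()}"

def rrset_matches(rrset, cert_der: bytes, spki_der: bytes) -> bool:
    """True if a DANE-EE(3) record matches the leaf; DANE-TA(2) would need the issuer chain."""
    return any(r.usage == 3 and matching_data(r, cert_der, spki_der) == r.data for r in rrset)

def rollover_ready(rrset, current_spki: bytes, next_spki: bytes) -> bool:
    """RFC 7671 8.4 'current + next': the RRset must already match the next key before the swap."""
    spki_recs = [r for r in rrset if r.selector == 1]
    return all(rrset_matches(spki_recs, b"", key) for key in (current_spki, next_spki))

def coverage(mx_tlsa: dict, presented: dict):
    """Classify a domain as the stats do; mx_tlsa: {host: [rdata]}, presented: {host: (cert, spki)}."""
    status = {}
    for host, rdatas in mx_tlsa.items():
        if not rdatas:
            status[host] = "missing"  # no TLSA RRset published for this MX host
        else:
            ok = rrset_matches([parse_tlsa(r) for r in rdatas], *presented[host])
            status[host] = "ok" if ok else "broken"
    states = set(status.values())
    if states == {"ok"}:
        return "full", status
    if "broken" in states:
        return "broken", status  # lands in the "incorrect TLSA records" count
    return ("partial" if "ok" in states else "none"), status

# Constructed stand-ins for DER-encoded certificate/SPKI bytes (not real certificates).
CERT_DER = b"constructed DER certificate bytes"
SPKI_NOW = b"constructed SPKI bytes: current key"
SPKI_NEXT = b"constructed SPKI bytes: next key"
```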
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (940 last
month). The top 10 name server operators with problem domains are:
    This month                      Last month
    ----------                      ----------
    468 registrar-servers.com       439 registrar-servers.com
    122 movenext.nl                 119 movenext.nl
     93 ebola.cz                     93 ebola.cz
     46 axc.nl                       46 axc.nl
     43 epik.com                     45 made-easy.ch
     31 mijndomein.nl                39 epik.com
     29 made-easy.ch                 34 mijndomein.nl
     25 tiscomhosting.nl             26 tiscomhosting.nl
     18 infracom.nl                  22 eatserver.nl
     16 eatserver.nl                 19 infracom.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
trt1.jus.br
bncr.fi.cr
ofda.gov
mobily.com.sa
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports: