Update on stats 2021-07

Viktor Dukhovni ietf-dane at dukhovni.org
Sun Aug 1 08:18:08 CEST 2021


NOTE:     When using NSEC3 to sign your domain, please make sure your extra
          iteration count is not needlessly large (i.e. above ~25, 0 is best).
          For details see:

              https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
              https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
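A self-check for the NSEC3 note above, added here as an example (it is
not part of the original post and not the survey's code).  It parses an
NSEC3PARAM record, flags an iteration count above the ~25 the note warns
about, and computes the RFC 5155 hashed owner name so you can see what
every validator has to do per name for each non-existence proof: one
SHA-1 per iteration, plus one.  The threshold, the zone names and the
rdata strings are assumptions chosen for illustration; the known-answer
value comes from the RFC 5155 appendix (example., salt aabbccdd, 12
iterations).

```python
import base64
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"   # RFC 4648 "extended hex" alphabet, lowercase
STD32 = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
TO_B32HEX = str.maketrans(STD32, B32HEX)


def name_to_wire(name):
    """Canonical (lowercase) wire form of an owner name: length-prefixed labels, root = 0x00."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def base32hex(data):
    """NSEC3 owner names are base32hex without padding (20 SHA-1 bytes -> 32 chars)."""
    return base64.b32encode(data).decode("ascii").rstrip("=").translate(TO_B32HEX)


def nsec3_hash(name, salt, iterations):
    """RFC 5155 section 5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt).
    Total SHA-1 invocations per name = iterations + 1, paid by signer and validator."""
    h = hashlib.sha1(name_to_wire(name) + salt).digest()
    for _ in range(iterations):
        h = hashlib.sha1(h + salt).digest()
    return base32hex(h)


def parse_nsec3param(rdata):
    """'1 0 12 aabbccdd' -> (hash_alg, flags, iterations, salt_bytes); '-' is the empty salt."""
    alg, flags, iters, salt = rdata.split()
    return int(alg), int(flags), int(iters), (b"" if salt == "-" else bytes.fromhex(salt))


def check_nsec3param(rdata, max_iterations=25):
    """Return a list of problems with a zone's NSEC3PARAM; [] means it is fine.
    max_iterations=25 mirrors the note above (0 extra iterations is best)."""
    alg, flags, iters, salt = parse_nsec3param(rdata)
    problems = []
    if alg != 1:
        problems.append(f"unknown NSEC3 hash algorithm {alg} (only 1 = SHA-1 is defined)")
    if iters > max_iterations:
        problems.append(
            f"{iters} extra iterations: {iters + 1} SHA-1 calls per name for every "
            f"validator; 0 is best, above ~{max_iterations} is needlessly large")
    return problems


def sha1_calls(rdata):
    """How many SHA-1 invocations a validator spends hashing one name under this zone's parameters."""
    return parse_nsec3param(rdata)[2] + 1


if __name__ == "__main__":
    # Constructed rdata strings; the first is the RFC 5155 appendix example zone.
    for rdata in ("1 0 12 aabbccdd", "1 0 0 -", "1 0 150 abcd"):
        print(rdata, "->", sha1_calls(rdata), "SHA-1 calls/name;", check_nsec3param(rdata) or "ok")
    print("H(example.) =", nsec3_hash("example.", bytes.fromhex("aabbccdd"), 12))
```

The hash function is the same one a validator runs for every name in
an NSEC3 denial-of-existence proof (the closest encloser, the next
closer name and the wildcard), so the cost of a large iteration count
is paid on every resolver that validates your zone, not only on your
signer.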

Summary:  The DANE domain count is now 2,653,718 (down from 2,671,696 last month).

          [ One Dutch hosting provider with ~25k DANE domains last month, no
            longer has MX TLSA records this month, perhaps temporarily? ]

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 15,663,538 (up from 15,370,647 last
          month).  Thus DANE TLSA is deployed on ~16.94% of domains with
          DNSSEC.  See https://stats.dnssec-tools.org/ for more stats.

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 2,653,718 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                   Last month
  ----------                   ----------
  1227184 one.com              1229596 one.com            
   151493 transip.nl            150659 transip.nl         
   150376 argewebhosting.nl     150607 argewebhosting.nl  
   114457 infomaniak.ch         112821 infomaniak.ch      
   105236 domeneshop.no         105401 domeneshop.no      
    98871 webhostingserver.nl    99195 webhostingserver.nl
    94187 loopia.se              94181 loopia.se          
    70345 forpsi.com             70039 forpsi.com         
    42190 active24.com           42040 active24.com       
    39057 zxcs.nl                39239 webreus.nl         
    38973 webreus.nl             38021 zxcs.nl            
    37753 antagonist.nl          37715 pcextreme.nl       
    37509 pcextreme.nl           37563 antagonist.nl      
    28712 vevida.com             28958 vevida.com         
    27550 webhosting.dk          27525 webhosting.dk      
    26580 web4u.cz               26607 web4u.cz           
    26555 udmedia.de             26407 udmedia.de         
    24671 hosting2go.nl          24915 hosting2go.nl      
    19910 protonmail.ch          24728 spamservice.nl     
    18975 bhosted.nl             19280 protonmail.ch      

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
  8815 TOTAL               8751 TOTAL               
  2631 DE, Germany         2635 DE, Germany         
  1693 US, United States   1677 US, United States   
  1676 NL, Netherlands     1668 NL, Netherlands     
   662 FR, France           653 FR, France          
   313 GB, United Kingdom   317 GB, United Kingdom  
   226 CZ, Czechia          227 CZ, Czechia         
   206 CA, Canada           202 CA, Canada          
   174 FI, Finland          169 FI, Finland         
   124 DK, Denmark          124 DK, Denmark         
   122 SG, Singapore        121 SG, Singapore       
   106 CH, Switzerland      106 CH, Switzerland     
   102 SE, Sweden            97 SE, Sweden          
    84 AU, Australia         81 AU, Australia       
    76 AT, Austria           72 AT, Austria         
    41 RU, Russia            45 PL, Poland          
    41 PL, Poland            39 NO, Norway          
    41 IE, Ireland           39 IE, Ireland         
    40 NO, Norway            38 RU, Russia          
    40 BR, Brazil            37 JP, Japan           
    38 JP, Japan             37 BR, Brazil          

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  6948 TOTAL               6912 TOTAL               
  3301 NL, Netherlands     3291 NL, Netherlands     
  1810 DE, Germany         1807 DE, Germany         
   710 US, United States    699 US, United States   
   297 FR, France           292 FR, France          
   154 CZ, Czechia          143 GB, United Kingdom  
   137 GB, United Kingdom   138 CZ, Czechia         
    71 FI, Finland           75 FI, Finland         
    61 CA, Canada            59 CA, Canada          
    44 SG, Singapore         45 CH, Switzerland     
    43 SE, Sweden            44 SG, Singapore       
    42 CH, Switzerland       41 SE, Sweden          
    32 AU, Australia         30 AU, Australia       
    29 AT, Austria           28 AT, Austria         
    27 JP, Japan             25 JP, Japan           
    20 IE, Ireland           18 DK, Denmark         
    17 RU, Russia            17 RU, Russia          
    17 DK, Denmark           16 NO, Norway          
    16 NO, Norway            16 IE, Ireland         
    14 BR, Brazil            14 BR, Brazil          
    12 IN, India             11 PL, Poland          

There are 7,168 unique zones (7,132 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,673 (15,568 last
month).  These cover 15,908 distinct MX hosts (15,805 last month); the
host count is higher than the RRset count because some MX hosts share
the same TLSA records through CNAMEs.

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 496 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 301
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.65 million domains, 12,719 (12,786 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1187
(also 1187 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
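The three buckets used above (every connecting MX verifies, "partial"
coverage, and "broken" TLSA or missing STARTTLS), together with the
key-rotation point, as an added example in Python.  This is not the
survey's own code and not code from the original post; it models what
the survey checks, with constructed stand-in byte strings in place of
DER certificates and invented host names.  The matching rules follow
RFC 7671: DANE-EE(3) must match the leaf, DANE-TA(2) an issuer in the
chain; selector 0/1 picks the full certificate or its SPKI and matching
type 0/1/2 is exact/SHA-256/SHA-512.  The rollover() function contrasts
the "current + next" procedure (publish the new record, wait out the
TTL, then deploy the certificate, then retire the old record) with
deploying first, which opens the outage window the monitoring advice
is about.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA(2), 3 = DANE-EE(3); SMTP DANE (RFC 7672) uses only these
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes

@dataclass(frozen=True)
class Cert:
    der: bytes      # constructed stand-in bytes, not a real X.509 certificate
    spki: bytes     # constructed stand-in for its SubjectPublicKeyInfo

@dataclass
class MXHost:
    name: str
    tlsa: tuple           # TLSA RRset at _25._tcp.<name>; () = nothing published
    chain: tuple          # chain offered after STARTTLS, leaf first; () = no STARTTLS
    accepts: bool = True  # False: host never answers on port 25 (footnote [1])

def tlsa_data(selector, mtype, cert):
    """Association data for the given selector and matching type."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError("unsupported matching type")

def record_for(cert, usage=3, selector=1, mtype=1):
    """Record to publish for a certificate; the default is the usual '3 1 1'."""
    return TLSA(usage, selector, mtype, tlsa_data(selector, mtype, cert))

def record_matches(rec, chain):
    """DANE-EE(3) must match the leaf, DANE-TA(2) an issuer in the chain.
    Other usages, or an unknown selector/matching type, are unusable."""
    if rec.usage not in (2, 3) or rec.selector not in (0, 1) or rec.mtype not in (0, 1, 2):
        return False
    candidates = chain[:1] if rec.usage == 3 else chain[1:]
    return any(tlsa_data(rec.selector, rec.mtype, c) == rec.data for c in candidates)

def host_status(h):
    if not h.tlsa:
        return "none"      # no TLSA: STARTTLS can be stripped here, whether the host is up or down
    if not h.accepts:
        return "down"      # dead MX with well-formed TLSA records: no loss of security
    if not h.chain:
        return "broken"    # TLSA published but STARTTLS not offered
    return "ok" if any(record_matches(r, h.chain) for r in h.tlsa) else "broken"

def domain_status(hosts):
    """'dane' = every MX that accepts connections verifies; 'partial' = some MX
    hosts have no TLSA; 'broken' = a published TLSA RRset fails; 'none' = no DANE."""
    st = {host_status(h) for h in hosts}
    if "broken" in st:
        return "broken"
    if "none" in st:
        return "partial" if "ok" in st else "none"
    return "dane" if "ok" in st else "none"

def rollover(host, new_cert, prepublish):
    """Swap the leaf certificate and report the host status after each step.
    prepublish=True: add the new record beside the old, (wait out the TTL),
    deploy the certificate, retire the old record.  False: deploy first."""
    new = record_for(new_cert)
    steps = []
    if prepublish:
        host.tlsa = host.tlsa + (new,)
        steps.append(host_status(host))
    host.chain = (new_cert,) + host.chain[1:]
    steps.append(host_status(host))
    host.tlsa = (new,)
    steps.append(host_status(host))
    return steps

# Constructed sample data: neither real certificates nor real hosts.
CA = Cert(b"constructed-ca-der", b"constructed-ca-spki")
LEAF_A = Cert(b"constructed-leaf-a-der", b"constructed-leaf-a-spki")
LEAF_B = Cert(b"constructed-leaf-b-der", b"constructed-leaf-b-spki")

def survey_examples():
    good = MXHost("mx1.example.net", (record_for(LEAF_A),), (LEAF_A, CA))
    via_ta = MXHost("mx2.example.net", (record_for(CA, usage=2, selector=0),), (LEAF_A, CA))
    bare = MXHost("mx3.example.net", (), (LEAF_A, CA))                       # no TLSA at all
    dead = MXHost("mx4.example.net", (record_for(LEAF_A),), (), accepts=False)
    stale = MXHost("mx5.example.net", (record_for(LEAF_A),), (LEAF_B, CA))   # key rotated, DNS not
    return {
        "full": domain_status([good, via_ta, dead]),
        "partial": domain_status([good, bare]),
        "broken": domain_status([good, stale]),
        "safe": rollover(MXHost("mx6.example.net", (record_for(LEAF_A),), (LEAF_A, CA)), LEAF_B, True),
        "unsafe": rollover(MXHost("mx7.example.net", (record_for(LEAF_A),), (LEAF_A, CA)), LEAF_B, False),
    }

if __name__ == "__main__":
    for label, result in survey_examples().items():
        print(f"{label}: {result}")
```

The "unsafe" path is exactly the stale-record failure mode in the
"broken" bucket: a certificate or key renewed without first publishing
the matching record leaves the host unverifiable until DNS catches up
(with real certificates, tlsa_data would hash the DER or SPKI extracted
from the certificate rather than these stand-in bytes).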

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1329 (1661 last
month).  The top 10 name server operators with problem domains are:

  This month                  Last month
  ----------                  ----------
  548 registrar-servers.com  526 registrar-servers.com   
  119 axc.nl                 393 serverion.nl            
   88 ebola.cz               118 axc.nl                  
   48 epik.com                89 ebola.cz                
   28 made-easy.ch            50 epik.com                
   27 mijndomein.nl           29 made-easy.ch            
   26 3zy.de                  28 mijndomein.nl           
   24 tiscomhosting.nl        24 tiscomhosting.nl        
   22 netcup.net              22 cloudflare.com          
   20 cloudflare.com          16 movenext.nl             

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

The following domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  bncr.fi.cr
  peacecorps.gov
  ssa.gov
  sauditelecom.com.sa
  kmutt.ac.th
  novathreads.us

--
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                  gmx.de                   ezorg.nl
gmx.at                        jpberlin.de              healthcheckcenter.nl
triodos.be                    kabelmail.de             herinneringenoplinnen.nl
cetelemnegocie.com.br         lmu.de                   hetamsterdamsverbond.nl
clubedohardware.com.br        lrz.de                   hostingpeople.nl
contactflex.com.br            mail.de                  hr.nl
corridaeaventura.com.br       mpg.de                   interconnect.nl
nic.br                        neutraler-versand.de     interim-netwerk.nl
registro.br                   posteo.de                luxiez.nl
pdac.ca                       ruhr-uni-bochum.de       mailplus.nl
gmx.ch                        tum.de                   markteffectmail.nl
hostpoint.ch                  tutanota.de              mijnuvt.nl
infomaniak.ch                 uni-erlangen.de          minbuza.nl
open.ch                       uni-muenchen.de          minbzk.nl
protonmail.ch                 unitymedia.de            mindef.nl
switch.ch                     web.de                   mkbbelangen.nl
travailler-en-suisse.ch       westlotto.de             mm1.nl
simplelogin.co                actie.deals              mulderretail.nl
ansigtsyogaonline.com         fibianet.dk              nieuwsservice-rvo.nl
beaconx.com                   fvst.dk                  ns.nl
connectsb.com                 handelsbanken.dk         ouderportaal.nl
coremultichain.com            netic.dk                 overheid.nl
dailyplaylists.com            shapeit.dk               parlement.nl
datev.com                     shellcard.dk             partijvoordedieren.nl
exegy.com                     stil.dk                  politie.nl
flaneurhomme.com              tilburguniversity.edu    powerslim.nl
gmx.com                       holt.ee                  pp-prd.nl
habr.com                      just.ee                  previder.nl
hotelsinduitsland.com         rik.ee                   purdey.nl
imcnig.com                    envie.email              rijksoverheid.nl
infomaniak.com                spam-filter.email        rivm.nl
ingthink.com                  spike.email              rotterdam.nl
intakt.com                    spotler.email            sans-mail.nl
joomlapolis.com               rediris.es               schoudercom.nl
jula.com                      triodos.es               schuurman-schoenen.nl
kpn.com                       uv.es                    sportrusten.nl
leszexpertsfle.com            litebit.eu               ssonet.nl
mail.com                      transadvise.eu           telefoonglaasje.nl
mammoetmail.com               zone.eu                  triodos.nl
matilhadobemadestramento.com  zonevs.eu                truetickets.nl
mx-relay.com                  handelsbanken.fi         tweedekamer.nl
mychildlebensborn.com         tarjousrinki.fi          uitgeverijpica.nl
nine-pine.com                 traficom.fi              utwente.nl
one.com                       ac-strasbourg.fr         uvt.nl
outsystems.com                compagnie-des-sens.fr    uwv.nl
protonmail.com                edtm-actu.fr             veilinghuispeerdeman.nl
protonvpn.com                 oo2.fr                   vogeldagboek.nl
sanderrossel.com              fidesz.hu                voorpositiviteit.nl
sankakucomplex.com            mindigbutor.hu           vu.nl
societe.com                   mszp.hu                  waternet.nl
solvinity.com                 interestexplorer.io      xs4all.nl
spareklubbnorge.com           pm.me                    zorgmail.nl
stellarequipment.com          army.mil                 annabellstefanussen.no
t-2.com                       dla.mil                  audi.no
thalesgroup.com               jten.mil                 bergengokart.no
triodos.com                   mail.mil                 derute.no
tutanota.com                  militaryonesource.mil    domeneshop.no
veganallsorts.com             navy.mil                 handelsbanken.no
veoliasophos.com              nga.mil                  idrettenonline.no
vitstore.com                  osd.mil                  norskgrammatikk.no
webcruiter.com                socom.mil                rushtrampoline.no
xfinity.com                   uscg.mil                 uib.no
xfinityhomesecurity.com       usmc.mil                 viphuset.no
xfinitymobile.com             comcast.net              atelkamera.nu
active24.cz                   fivem.net                goget.nu
akce-incomputer.cz            gmx.net                  debian.org
bewooden.cz                   habramail.net            freebsd.org
cuni.cz                       hr-manager.net           gentoo.org
ekokoza.cz                    inexio.net               ietf.org
gigalekarna.cz                mijngezondheid.net       irtf.org
itesco.cz                     mpssec.net               isc.org
klenotyaurum.cz               procurios.net            mailbox.org
klubpevnehozdravi.cz          ripe.net                 mailop.org
manymail.cz                   riseup.net               netbsd.org
nic.cz                        t-2.net                  openssl.org
omvnovinky.cz                 transip.net              ozlabs.org
onebit.cz                     xs4all.net               samba.org
optimail.cz                   xworks.net               torproject.org
poptavej.cz                   123watches.nl            whatpulse.org
reserved.cz                   amsterdam.nl             psgaz.pl
scrptd.cz                     awcloud.nl               asf.com.pt
server4u.cz                   belastingdienst.nl       mobily.com.sa
smtp.cz                       bhosted.nl               bilprovningen.se
stoklasa.cz                   bhsupport.nl             boplatssyd-automail.se
toplist.cz                    bibliotheekdenhaag.nl    ecster.se
vas-server.cz                 bluerail.nl              handelsbanken.se
vcelka.cz                     boekwinkeltjes.nl        loopia.se
virusfree.cz                  bolerolimonadewinkel.nl  loopiahosting.se
zdravestravovani.cz           boozyshop.nl             matlistan.se
123watches.de                 burgernet.nl             minmyndighetspost.se
bayern.de                     cbr.nl                   personligalmanacka.se
brandenburg.de                cbs.nl                   skatteverket.se
bund.de                       citrusveiling.nl         teknikdelar.se
bundesregierung.de            corpoflow.nl             theletter.se
datev.de                      denhaag.nl               websupport.se
dfn.de                        derooijfotografie.nl     triodos.co.uk
ekom21.de                     digid.nl                 xepay.co.uk
elster.de                     duo.nl                   govtrack.us
fau.de                        edenhotels.nl            quantum-services.us
followerpilot.de              efactuurdirect.nl        ru.ac.za
freenet.de

