Update on stats 2021-01

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Feb 1 10:49:10 CET 2021

Summary:  The DANE domain count is now 2,544,101 (up from 2,522,820
          last month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 13,923,656 (up from 13,559,686 last
          month).  Thus DANE TLSA is deployed on ~18.27% of domains with

          The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
          taken place, but some X3-issued certificates are not yet
          expired, and will soon renewed via R3.  Take proactive steps
          to avoid mail delivery issues:


Credits:  The coverage of DNSSEC domains continues to improve with
	  ongoing data support from Paul Vixie of Farsight Security.
	  Credits also due to ICANN for gTLD data via CZDS, and to
	  the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
	  .NL, .NU, .ORG and .SE.  More data sources of ccTLD
	  signed delegations welcome.

As of today I count 2,544,101 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                   Last month
  ----------                   ----------
  1205788 one.com              1,197,409 one.com
   147619 transip.nl             146,757 transip.nl
   146775 argewebhosting.nl      146,041 argewebhosting.nl
   103761 domeneshop.no          103,374 domeneshop.no
    99912 infomaniak.ch           98,861 webhostingserver.nl
    99338 webhostingserver.nl     96,166 infomaniak.ch
    92519 loopia.se               92,051 loopia.se
    67146 forpsi.com              66,772 forpsi.com
    40970 webreus.nl              41,264 webreus.nl
    40962 active24.com            40,642 active24.com
    39427 pcextreme.nl            39,895 pcextreme.nl
    35906 antagonist.nl           35,523 antagonist.nl
    32396 zxcs.nl                 31,194 zxcs.nl
    30001 vevida.com              30,096 vevida.com
    27989 webhosting.dk           27,456 webhosting.dk
    26427 web4u.cz                26,566 web4u.cz
    25822 udmedia.de              25,718 udmedia.de
    18607 bhosted.nl              18,487 bhosted.nl
    15356 protonmail.ch           14,530 protonmail.ch
    14474 onebit.cz               14,434 onebit.cz

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
  8033 TOTAL               7,799 TOTAL
  2432 DE, Germany         2,390 DE, Germany
  1542 US, United States   1,497 US, United States
  1524 NL, Netherlands     1,437 NL, Netherlands
   635 FR, France            637 FR, France
   294 GB, United Kingdom    279 GB, United Kingdom
   221 CZ, Czechia           227 CZ, Czechia
   175 CA, Canada            170 CA, Canada
   142 FI, Finland           123 FI, Finland
   120 DK, Denmark           113 DK, Denmark
   113 SG, Singapore         109 SG, Singapore
    96 CH, Switzerland        99 CH, Switzerland
    87 SE, Sweden             88 SE, Sweden
    69 AU, Australia          63 AU, Australia
    66 AT, Austria            62 AT, Austria
    37 IN, India              42 IE, Ireland
    36 PL, Poland             40 BR, Brazil
    35 IE, Ireland            38 IN, India
    35 BR, Brazil             34 JP, Japan
    34 JP, Japan              33 PL, Poland
    31 NO, Norway             30 RU, Russia

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  6444 TOTAL               6,378 TOTAL
  3179 NL, Netherlands     3,183 NL, Netherlands
  1639 DE, Germany         1,587 DE, Germany
   618 US, United States     606 US, United States
   283 FR, France            287 FR, France
   131 CZ, Czechia           136 CZ, Czechia
   122 GB, United Kingdom    112 GB, United Kingdom
    52 CA, Canada             48 CA, Canada
    43 CH, Switzerland        44 CH, Switzerland
    43 AT, Austria            42 AT, Austria
    40 SG, Singapore          38 SG, Singapore
    38 SE, Sweden             36 SE, Sweden
    26 AU, Australia          27 RU, Russia
    22 RU, Russia             22 IE, Ireland
    20 IE, Ireland            19 UA, Ukraine
    18 JP, Japan              19 JP, Japan
    18 FI, Finland            18 AU, Australia
    18 DK, Denmark            17 NO, Norway
    17 UA, Ukraine            17 FI, Finland
    16 NO, Norway             17 DK, Denmark
    12 BR, Brazil             14 BR, Brazil

There are 6,428 unique zones (6,291 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 14,448 (14,130 last
month).  These cover 14,652 distinct[3] MX hosts (14,328 last month,
some MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 423 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 260
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.54 million domains, 12,995 (13,070 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1229
(1155 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 940 (1491 last
month).  The top 10 name server operators with problem domains are:

  This month                  Last month
  ----------                  ----------
  405 registrar-servers.com   325 registrar-servers.com
  119 movenext.nl             116 movenext.nl
   86 ebola.cz                 86 ebola.cz
   35 criscompinformatika.hu   25 tiscomhosting.nl
   33 epik.com                 24 epik.com
   31 mijndomein.nl            23 eatserver.nl
   25 tiscomhosting.nl         17 infracom.nl
   24 eatserver.nl             14 ns01.nl
   18 cloudflare.com           12 renault.fr
   17 infracom.nl              11 nrdns.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Five of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency

  univie.ac.at                  dfn.de                  markteffectmail.nl
  gmx.at                        elster.de               mijnsalon.nl
  boozyshop.be                  fau.de                  mijnuvt.nl
  tjek.be                       freenet.de              minbuza.nl
  triodos.be                    gmx.de                  minbzk.nl
  register.bg                   jpberlin.de             mindef.nl
  clubedohardware.com.br        lrz.de                  mkbbelangen.nl
  outeletro.com.br              mail.de                 mm1.nl
  nic.br                        mailserver4.de          ns.nl
  registro.br                   mensa.de                ouderportaal.nl
  gmx.ch                        mpg.de                  overheid.nl
  hostpoint.ch                  posteo.de               parlement.nl
  infomaniak.ch                 ruhr-uni-bochum.de      partijvoordedieren.nl
  open.ch                       stwm.de                 pathe.nl
  protonmail.ch                 tum.de                  politie.nl
  switch.ch                     uni-erlangen.de         powerslim.nl
  travailler-en-suisse.ch       uni-muenchen.de         pp-prd.nl
  connectsb.com                 unitybox.de             previder.nl
  dailyplaylists.com            unitymedia.de           rijksoverheid.nl
  datev.com                     web.de                  rotterdam.nl
  ecstase.com                   westlotto.de            ru.nl
  fmc-na.com                    dfi.dk                  rvo.nl
  gmx.com                       dk-hostmaster.dk        sans-mail.nl
  habr.com                      egmontpublishing.dk     schoudercom.nl
  horagames.com                 netic.dk                schuurman-schoenen.nl
  hotelsinduitsland.com         nota.dk                 sportrusten.nl
  imcnig.com                    nst.dk                  ssonet.nl
  infomaniak.com                peterhald.dk            stater.nl
  ingthink.com                  powerhosting.dk         telefoonglaasje.nl
  intakt.com                    star.dk                 ticketapp.nl
  jula.com                      uvm.dk                  triodos.nl
  kpn.com                       tilburguniversity.edu   truetickets.nl
  leszexpertsfle.com            lugeja.ee               tweedekamer.nl
  mail.com                      spam-filter.email       uitgeverijpica.nl
  mammoetmail.com               spike.email             uvt.nl
  matilhadobemadestramento.com  rediris.es              uwv.nl
  one.com                       triodos.es              vu.nl
  protonmail.com                uv.es                   webcentral.nl
  protonvpn.com                 zone.eu                 wehkampfinance.nl
  sankakucomplex.com            zonevs.eu               xs4all.nl
  societe.com                   ac-strasbourg.fr        zorgmail.nl
  solvinity.com                 compagnie-des-sens.fr   annabellstefanussen.no
  stater.com                    srci.fr                 audi.no
  stellarequipment.com          fidesz.hu               derute.no
  t-2.com                       interestexplorer.io     domeneshop.no
  thalesgroup.com               pm.me                   handelsbanken.no
  thepcw.com                    comcast.net             idrettenonline.no
  triodos.com                   gmx.net                 nordicprint.no
  ugritone.com                  habramail.net           norskgrammatikk.no
  veganallsorts.com             hr-manager.net          rushtrampoline.no
  vitstore.com                  inexio.net              uib.no
  xfinity.com                   mijngezondheid.net      viphuset.no
  xfinityhomesecurity.com       mpssec.net              atelkamera.nu
  xfinitymobile.com             procurios.net           goget.nu
  active24.cz                   prolocation.net         lenhud.nu
  akce-incomputer.cz            ripe.net                debian.org
  amenit.cz                     riseup.net              freebsd.org
  atlas.cz                      t-2.net                 gentoo.org
  bewooden.cz                   transip.net             ietf.org
  centrum.cz                    triodos.net             isc.org
  cuni.cz                       xs4all.net              mailbox.org
  flagranti.cz                  amsterdam.nl            mailop.org
  gigalekarna.cz                argewebhosting.nl       netbsd.org
  hellspy.cz                    arrangementenparade.nl  openssl.org
  isportsystem.cz               awcloud.nl              ozlabs.org
  itesco.cz                     belastingdienst.nl      samba.org
  klenotyaurum.cz               bhosted.nl              torproject.org
  klubpevnehozdravi.cz          bhsupport.nl            whatpulse.org
  nic.cz                        bluerail.nl             asf.com.pt
  omvnovinky.cz                 boeketcadeau.nl         boplatssyd-automail.se
  onebit.cz                     boekwinkeltjes.nl       digitaltolk.se
  optimail.cz                   boozyshop.nl            ecster.se
  poptavej.cz                   burgernet.nl            handelsbanken.se
  reserved.cz                   cbr.nl                  loopia.se
  smtp.cz                       chipbizz.nl             minmyndighetspost.se
  stoklasa.cz                   corpoflow.nl            nordicprint.se
  toplist.cz                    derooijfotografie.nl    personligalmanacka.se
  vas-server.cz                 dictu.nl                polisen.se
  vcelka.cz                     digid.nl                skatteverket.se
  virusfree.cz                  duo.nl                  teknikdelar.se
  volny.cz                      efactuurdirect.nl       theletter.se
  zdravestravovani.cz           ezorg.nl                websupport.se
  bayern.de                     gerryweber.nl           pneusvet.sk
  brandenburg.de                hostingpeople.nl        triodos.co.uk
  bund.de                       hr.nl                   govtrack.us
  bundesregierung.de            interim-netwerk.nl      ru.ac.za
  datev.de                      introweb.nl

[3] Some significant de-duplication of MX hosts has become necessary
recently, as a result of providers using the same IP address and TLSA
RRset under multiple per-customer names.  Ideally, they'd reduce the
complexity of the deployment by migrating to a common MX hostname, but
for now this makes the numbers no longer directly comparable to values
prior to 2020-12.

More information about the dane-users mailing list