Update on stats 2021-01
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Feb 1 10:49:10 CET 2021
Summary: The DANE domain count is now 2,544,101 (up from 2,522,820
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 13,923,656 (up from 13,559,686 last
month). Thus DANE TLSA is deployed on ~18.27% of domains with
DNSSEC.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, but some X3-issued certificates are not yet
expired, and will soon be renewed via R3. Take proactive steps
to avoid mail delivery issues:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,544,101 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1205788 one.com 1,197,409 one.com
147619 transip.nl 146,757 transip.nl
146775 argewebhosting.nl 146,041 argewebhosting.nl
103761 domeneshop.no 103,374 domeneshop.no
99912 infomaniak.ch 98,861 webhostingserver.nl
99338 webhostingserver.nl 96,166 infomaniak.ch
92519 loopia.se 92,051 loopia.se
67146 forpsi.com 66,772 forpsi.com
40970 webreus.nl 41,264 webreus.nl
40962 active24.com 40,642 active24.com
39427 pcextreme.nl 39,895 pcextreme.nl
35906 antagonist.nl 35,523 antagonist.nl
32396 zxcs.nl 31,194 zxcs.nl
30001 vevida.com 30,096 vevida.com
27989 webhosting.dk 27,456 webhosting.dk
26427 web4u.cz 26,566 web4u.cz
25822 udmedia.de 25,718 udmedia.de
18607 bhosted.nl 18,487 bhosted.nl
15356 protonmail.ch 14,530 protonmail.ch
14474 onebit.cz 14,434 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8033 TOTAL 7,799 TOTAL
2432 DE, Germany 2,390 DE, Germany
1542 US, United States 1,497 US, United States
1524 NL, Netherlands 1,437 NL, Netherlands
635 FR, France 637 FR, France
294 GB, United Kingdom 279 GB, United Kingdom
221 CZ, Czechia 227 CZ, Czechia
175 CA, Canada 170 CA, Canada
142 FI, Finland 123 FI, Finland
120 DK, Denmark 113 DK, Denmark
113 SG, Singapore 109 SG, Singapore
96 CH, Switzerland 99 CH, Switzerland
87 SE, Sweden 88 SE, Sweden
69 AU, Australia 63 AU, Australia
66 AT, Austria 62 AT, Austria
37 IN, India 42 IE, Ireland
36 PL, Poland 40 BR, Brazil
35 IE, Ireland 38 IN, India
35 BR, Brazil 34 JP, Japan
34 JP, Japan 33 PL, Poland
31 NO, Norway 30 RU, Russia
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6444 TOTAL 6,378 TOTAL
3179 NL, Netherlands 3,183 NL, Netherlands
1639 DE, Germany 1,587 DE, Germany
618 US, United States 606 US, United States
283 FR, France 287 FR, France
131 CZ, Czechia 136 CZ, Czechia
122 GB, United Kingdom 112 GB, United Kingdom
52 CA, Canada 48 CA, Canada
43 CH, Switzerland 44 CH, Switzerland
43 AT, Austria 42 AT, Austria
40 SG, Singapore 38 SG, Singapore
38 SE, Sweden 36 SE, Sweden
26 AU, Australia 27 RU, Russia
22 RU, Russia 22 IE, Ireland
20 IE, Ireland 19 UA, Ukraine
18 JP, Japan 19 JP, Japan
18 FI, Finland 18 AU, Australia
18 DK, Denmark 17 NO, Norway
17 UA, Ukraine 17 FI, Finland
16 NO, Norway 17 DK, Denmark
12 BR, Brazil 14 BR, Brazil
There are 6,428 unique zones (6,291 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 14,448 (14,130 last
month). These cover 14,652 distinct[3] MX hosts (14,328 last month,
some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 423 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 260
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.54 million domains, 12,995 (13,070 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1229
(1155 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 940 (1491 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
405 registrar-servers.com 325 registrar-servers.com
119 movenext.nl 116 movenext.nl
86 ebola.cz 86 ebola.cz
35 criscompinformatika.hu 25 tiscomhosting.nl
33 epik.com 24 epik.com
31 mijndomein.nl 23 eatserver.nl
25 tiscomhosting.nl 17 infracom.nl
24 eatserver.nl 14 ns01.nl
18 cloudflare.com 12 renault.fr
17 infracom.nl 11 nrdns.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
trtrj.jus.br
bncr.fi.cr
ofda.gov
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
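The buckets used throughout this report (correct TLSA records at every MX host, "partial" coverage of only some MX hosts, "broken" where published records match nothing or STARTTLS is not offered, and the dead-host case in footnote [1]) can be expressed as a small offline classifier. The following is an added example, not code from the original post or from the survey tooling it describes. The certificate and SPKI values are constructed byte strings standing in for real DER (only the RFC 6698 hashing and comparison logic is real), the MXHost/TLSA types and the probe results they carry are assumptions, and for DANE-TA(2) records the example assumes the TLS stack has already validated the PKIX path to the matched issuer.

```python
"""Offline classification of a domain's SMTP DANE TLSA deployment.

Added example (not from the original post). Mirrors the report's buckets:
'dane' (every MX host covered by matching TLSA records), 'partial' (only
some MX hosts have TLSA records), 'broken' (TLSA present but nothing
matches, or STARTTLS not offered). Certificates/SPKIs are constructed
stand-in bytes, not real DER; the hashing and matching logic is real.
"""
import hashlib
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class TLSA:
    """One TLSA RR as published at _25._tcp.<mx-host> (assumed type)."""
    usage: int     # 2 = DANE-TA, 3 = DANE-EE (the usages RFC 7672 allows for SMTP)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass
class MXHost:
    """An MX host plus what an SMTP probe observed about it (assumed type)."""
    name: str
    tlsa: List[TLSA] = field(default_factory=list)
    reachable: bool = True   # accepts TCP/25 connections
    starttls: bool = True    # advertises STARTTLS
    # Presented chain, leaf first; each entry is (cert_der, spki_der).
    # Constructed stand-in bytes here; real DER in practice.
    chain: List[Tuple[bytes, bytes]] = field(default_factory=list)


_DIGEST_LEN = {0: None, 1: 32, 2: 64}


def tlsa_well_formed(rr: TLSA) -> bool:
    """Syntactic sanity: SMTP usages only, known selector/matching type, right data length."""
    if rr.usage not in (2, 3) or rr.selector not in (0, 1) or rr.mtype not in _DIGEST_LEN:
        return False
    want = _DIGEST_LEN[rr.mtype]
    return len(rr.data) > 0 if want is None else len(rr.data) == want


def matching_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Association data the RR must equal for this certificate (RFC 6698 selector/matching type)."""
    obj = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return obj
    return (hashlib.sha256 if rr.mtype == 1 else hashlib.sha512)(obj).digest()


def host_matches(host: MXHost) -> bool:
    """True if at least one well-formed TLSA RR matches the presented chain."""
    for rr in host.tlsa:
        if not tlsa_well_formed(rr) or not host.chain:
            continue
        # DANE-EE matches the leaf; DANE-TA matches an issuer in the chain
        # (the PKIX path to that issuer is assumed validated by the TLS stack).
        candidates = host.chain[:1] if rr.usage == 3 else host.chain[1:]
        if any(matching_data(rr, c, s) == rr.data for c, s in candidates):
            return True
    return False


def classify_domain(hosts: List[MXHost]) -> str:
    """Return 'none', 'dane', 'partial' or 'broken' for a domain's MX host set."""
    covered = [h for h in hosts if h.tlsa]
    if not covered:
        return "none"
    for h in covered:
        usable = any(tlsa_well_formed(rr) for rr in h.tlsa)
        if not h.reachable:
            # A dead MX host is fine as long as its TLSA records exist and are well-formed.
            if not usable:
                return "broken"
            continue
        if not h.starttls or not host_matches(h):
            return "broken"
    return "dane" if len(covered) == len(hosts) else "partial"


def demo() -> dict:
    """Constructed sample domains, one per bucket plus the dead-backup case."""
    leaf = (b"constructed-leaf-cert", b"constructed-leaf-spki")
    issuer = (b"constructed-issuer-cert", b"constructed-issuer-spki")
    ee = TLSA(3, 1, 1, hashlib.sha256(leaf[1]).digest())       # "3 1 1" on the leaf key
    ta = TLSA(2, 0, 2, hashlib.sha512(issuer[0]).digest())     # "2 0 2" on the issuer cert
    stale = TLSA(3, 1, 1, hashlib.sha256(b"rotated-away-spki").digest())  # key rotated, RR not
    return {
        "full": classify_domain([MXHost("mx1", [ee], chain=[leaf, issuer]),
                                 MXHost("mx2", [ta], chain=[leaf, issuer])]),
        "partial": classify_domain([MXHost("mx1", [ee], chain=[leaf, issuer]),
                                    MXHost("mx2", [])]),
        "stale": classify_domain([MXHost("mx1", [stale], chain=[leaf, issuer])]),
        "no_starttls": classify_domain([MXHost("mx1", [ee], starttls=False,
                                               chain=[leaf, issuer])]),
        "dead_backup": classify_domain([MXHost("mx1", [ee], chain=[leaf, issuer]),
                                        MXHost("mx9", [ee], reachable=False)]),
    }


if __name__ == "__main__":
    for name, bucket in demo().items():
        print(f"{name:12s} -> {bucket}")
```

The "stale" case is the failure mode the monitoring advice above is about: a key is rotated but the "3 1 1" record still carries the old SPKI digest, so every record mismatches and the domain lands in the broken bucket even though DNSSEC and STARTTLS are fine.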
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at dfn.de markteffectmail.nl
gmx.at elster.de mijnsalon.nl
boozyshop.be fau.de mijnuvt.nl
tjek.be freenet.de minbuza.nl
triodos.be gmx.de minbzk.nl
register.bg jpberlin.de mindef.nl
clubedohardware.com.br lrz.de mkbbelangen.nl
outeletro.com.br mail.de mm1.nl
nic.br mailserver4.de ns.nl
registro.br mensa.de ouderportaal.nl
gmx.ch mpg.de overheid.nl
hostpoint.ch posteo.de parlement.nl
infomaniak.ch ruhr-uni-bochum.de partijvoordedieren.nl
open.ch stwm.de pathe.nl
protonmail.ch tum.de politie.nl
switch.ch uni-erlangen.de powerslim.nl
travailler-en-suisse.ch uni-muenchen.de pp-prd.nl
connectsb.com unitybox.de previder.nl
dailyplaylists.com unitymedia.de rijksoverheid.nl
datev.com web.de rotterdam.nl
ecstase.com westlotto.de ru.nl
fmc-na.com dfi.dk rvo.nl
gmx.com dk-hostmaster.dk sans-mail.nl
habr.com egmontpublishing.dk schoudercom.nl
horagames.com netic.dk schuurman-schoenen.nl
hotelsinduitsland.com nota.dk sportrusten.nl
imcnig.com nst.dk ssonet.nl
infomaniak.com peterhald.dk stater.nl
ingthink.com powerhosting.dk telefoonglaasje.nl
intakt.com star.dk ticketapp.nl
jula.com uvm.dk triodos.nl
kpn.com tilburguniversity.edu truetickets.nl
leszexpertsfle.com lugeja.ee tweedekamer.nl
mail.com spam-filter.email uitgeverijpica.nl
mammoetmail.com spike.email uvt.nl
matilhadobemadestramento.com rediris.es uwv.nl
one.com triodos.es vu.nl
protonmail.com uv.es webcentral.nl
protonvpn.com zone.eu wehkampfinance.nl
sankakucomplex.com zonevs.eu xs4all.nl
societe.com ac-strasbourg.fr zorgmail.nl
solvinity.com compagnie-des-sens.fr annabellstefanussen.no
stater.com srci.fr audi.no
stellarequipment.com fidesz.hu derute.no
t-2.com interestexplorer.io domeneshop.no
thalesgroup.com pm.me handelsbanken.no
thepcw.com comcast.net idrettenonline.no
triodos.com gmx.net nordicprint.no
ugritone.com habramail.net norskgrammatikk.no
veganallsorts.com hr-manager.net rushtrampoline.no
vitstore.com inexio.net uib.no
xfinity.com mijngezondheid.net viphuset.no
xfinityhomesecurity.com mpssec.net atelkamera.nu
xfinitymobile.com procurios.net goget.nu
active24.cz prolocation.net lenhud.nu
akce-incomputer.cz ripe.net debian.org
amenit.cz riseup.net freebsd.org
atlas.cz t-2.net gentoo.org
bewooden.cz transip.net ietf.org
centrum.cz triodos.net isc.org
cuni.cz xs4all.net mailbox.org
flagranti.cz amsterdam.nl mailop.org
gigalekarna.cz argewebhosting.nl netbsd.org
hellspy.cz arrangementenparade.nl openssl.org
isportsystem.cz awcloud.nl ozlabs.org
itesco.cz belastingdienst.nl samba.org
klenotyaurum.cz bhosted.nl torproject.org
klubpevnehozdravi.cz bhsupport.nl whatpulse.org
nic.cz bluerail.nl asf.com.pt
omvnovinky.cz boeketcadeau.nl boplatssyd-automail.se
onebit.cz boekwinkeltjes.nl digitaltolk.se
optimail.cz boozyshop.nl ecster.se
poptavej.cz burgernet.nl handelsbanken.se
reserved.cz cbr.nl loopia.se
smtp.cz chipbizz.nl minmyndighetspost.se
stoklasa.cz corpoflow.nl nordicprint.se
toplist.cz derooijfotografie.nl personligalmanacka.se
vas-server.cz dictu.nl polisen.se
vcelka.cz digid.nl skatteverket.se
virusfree.cz duo.nl teknikdelar.se
volny.cz efactuurdirect.nl theletter.se
zdravestravovani.cz ezorg.nl websupport.se
bayern.de gerryweber.nl pneusvet.sk
brandenburg.de hostingpeople.nl triodos.co.uk
bund.de hr.nl govtrack.us
bundesregierung.de interim-netwerk.nl ru.ac.za
datev.de introweb.nl
[3] Some significant de-duplication of MX hosts has become necessary
recently, as a result of providers using the same IP address and TLSA
RRset under multiple per-customer names. Ideally, they'd reduce the
complexity of the deployment by migrating to a common MX hostname, but
for now this makes the numbers no longer directly comparable to values
prior to 2020-12.