Update on stats 2020-12

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Jan 1 07:05:06 CET 2021


Summary:  The DANE domain count is now 2,522,820 (up from 2,351,764
          last month and 1,734,012 this time last year).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 13,559,686 (up from 13,221,772 last
          month and 10,715,677 this time last year).  Thus DANE TLSA is
          deployed on ~18.60% of domains with DNSSEC.

          The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
          taken place, but some X3-issued certificates have not yet
          expired, and will soon be renewed via R3.  Take proactive
          steps to avoid mail delivery issues:

              http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 2,522,820 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                   Last Month                   Last year
  ----------                   ----------                   ---------
  1,197,409 one.com            1,131,984 one.com            1,019,882 one.com
    146,757 transip.nl           145,526 transip.nl           132,965 transip.nl
    146,041 argewebhosting.nl    145,371 argewebhosting.nl     99,844 domeneshop.no
    103,374 domeneshop.no        103,043 domeneshop.no         88,024 loopia.se
     98,861 webhostingserver.nl   93,223 infomaniak.ch         37,425 active24.com
     96,166 infomaniak.ch         91,856 loopia.se             31,555 vevida.com
     92,051 loopia.se             66,281 forpsi.com            29,476 antagonist.nl
     66,772 forpsi.com            41,628 webreus.nl            26,738 web4u.cz
     41,264 webreus.nl            40,442 active24.com          24,646 udmedia.de
     40,642 active24.com          40,363 pcextreme.nl          18,342 zxcs.nl
     39,895 pcextreme.nl          34,985 antagonist.nl         17,227 bhosted.nl
     35,523 antagonist.nl         30,298 zxcs.nl               15,468 flexfilter.nl
     31,194 zxcs.nl               30,200 vevida.com            13,505 onebit.cz
     30,096 vevida.com            29,937 webhostingserver.nl    8,765 protonmail.ch
     27,456 webhosting.dk         26,412 web4u.cz               5,886 netzone.ch
     26,566 web4u.cz              25,722 udmedia.de             5,632 previder.nl
     25,718 udmedia.de            18,438 bhosted.nl             4,707 mailplatform.eu
     18,487 bhosted.nl            14,501 flexfilter.nl          4,116 soverin.net
     14,530 protonmail.ch         14,340 onebit.cz              3,548 ips.nl
     14,434 onebit.cz             13,807 protonmail.ch          3,239 zonemx.eu

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month                Last month                 Last year
  ----------                ----------                 ---------
  7,799 TOTAL               7,559 TOTAL                6,015 TOTAL
  2,390 DE, Germany         2,386 DE, Germany          1,998 DE, Germany
  1,497 US, United States   1,465 US, United States    1,209 US, United States
  1,437 NL, Netherlands     1,261 NL, Netherlands        892 NL, Netherlands
    637 FR, France            624 FR, France             480 FR, France
    279 GB, United Kingdom    293 GB, United Kingdom     229 GB, United Kingdom
    227 CZ, Czechia           236 CZ, Czechia            194 CZ, Czechia
    170 CA, Canada            166 CA, Canada             128 CA, Canada
    123 FI, Finland           113 FI, Finland             82 CH, Switzerland
    113 DK, Denmark           111 SG, Singapore           79 SG, Singapore
    109 SG, Singapore          99 CH, Switzerland         74 SE, Sweden
     99 CH, Switzerland        90 SE, Sweden              67 DK, Denmark
     88 SE, Sweden             79 DK, Denmark             54 FI, Finland
     63 AU, Australia          60 AU, Australia           46 IE, Ireland
     62 AT, Austria            51 AT, Austria             45 AT, Austria
     42 IE, Ireland            45 IE, Ireland             38 PL, Poland
     40 BR, Brazil             39 IN, India               38 JP, Japan
     38 IN, India              39 BR, Brazil              38 AU, Australia
     34 JP, Japan              37 RU, Russia              30 RU, Russia
     33 PL, Poland             37 PL, Poland              26 BR, Brazil
     30 RU, Russia             35 JP, Japan               24 IT, Italy

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month                Last month                 Last year
  ----------                ----------                 ---------
  6,378 TOTAL               4,384 TOTAL                3,103 TOTAL
  3,183 NL, Netherlands     1,577 DE, Germany          1,275 DE, Germany
  1,587 DE, Germany         1,215 NL, Netherlands        540 US, United States
    606 US, United States     598 US, United States      463 NL, Netherlands
    287 FR, France            289 FR, France             261 FR, France
    136 CZ, Czechia           133 CZ, Czechia            105 CZ, Czechia
    112 GB, United Kingdom    113 GB, United Kingdom      90 GB, United Kingdom
     48 CA, Canada             45 SE, Sweden              41 SE, Sweden
     44 CH, Switzerland        45 CH, Switzerland         33 SG, Singapore
     42 AT, Austria            45 CA, Canada              30 CH, Switzerland
     38 SG, Singapore          39 SG, Singapore           28 JP, Japan
     36 SE, Sweden             36 AT, Austria             28 CA, Canada
     27 RU, Russia             22 RU, Russia              24 AT, Austria
     22 IE, Ireland            22 IE, Ireland             18 IE, Ireland
     19 UA, Ukraine            19 JP, Japan               17 RU, Russia
     19 JP, Japan              18 FI, Finland             15 DK, Denmark
     18 AU, Australia          16 NO, Norway              14 SI, Slovenia
     17 NO, Norway             15 BR, Brazil              13 NO, Norway
     17 FI, Finland            15 AU, Australia           13 ID, Indonesia
     17 DK, Denmark            14 DK, Denmark             12 FI, Finland
     14 BR, Brazil             10 UA, Ukraine             12 BR, Brazil

There are 6,291 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so it is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.

The number of published MX host TLSA RRsets found is 14,130.  These
cover 14,328 distinct[3] MX hosts (some MX hosts share the same TLSA
records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 420 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 262
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.52 million domains, 13,070 (13,189 last month) have "partial"
TLSA records, which cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1155
(817 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
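As an added illustration of the monitoring the paragraph above asks for (this is example code written for this page, not Viktor's survey tooling), the checker below classifies each MX host of a domain into the states this report counts: missing TLSA records ("partial" deployment), malformed records, a dead host whose records only need to be well-formed, a matching record, or a stale record that no longer matches the served certificate. It assumes the caller has already fetched the TLSA RRsets from a DNSSEC-validating resolver and captured the served certificate and its SubjectPublicKeyInfo (both in DER) from a STARTTLS probe, so it runs offline; `spki_record` produces the "3 1 1" rdata to pre-publish for the next key before a rotation.

```python
import hashlib
from collections import namedtuple

# TLSA parameters per RFC 6698.  RFC 7672 limits DANE SMTP to usages 2 (DANE-TA)
# and 3 (DANE-EE), recommends "3 1 1" / "2 1 1", and discourages matching type 0.
SMTP_USAGES = {2, 3}
SELECTORS = {0, 1}                                  # 0 = full cert, 1 = SubjectPublicKeyInfo
DIGESTS = {1: ("sha256", 32), 2: ("sha512", 64)}    # matching type -> (hash, digest length)
Tlsa = namedtuple("Tlsa", "usage selector mtype data")

def parse_tlsa(rdata: str) -> Tlsa:
    """Parse presentation-format rdata such as "3 1 1 ab12..." (hex may contain spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return Tlsa(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))

def spki_record(spki_der: bytes, usage: int = 3) -> str:
    """The "<usage> 1 1" rdata for a key; publish it for the NEXT key before rotating."""
    return f"{usage} 1 1 {hashlib.sha256(spki_der).hexdigest()}"

def tlsa_problems(rr: Tlsa) -> list:
    """Well-formedness only: all that a permanently-down MX host's records must satisfy."""
    problems = []
    if rr.usage not in SMTP_USAGES:
        problems.append(f"usage {rr.usage} unusable for SMTP (need 2 or 3)")
    if rr.selector not in SELECTORS:
        problems.append(f"unknown selector {rr.selector}")
    if rr.mtype not in DIGESTS:
        problems.append(f"unsupported matching type {rr.mtype}")
    elif len(rr.data) != DIGESTS[rr.mtype][1]:
        problems.append(f"type {rr.mtype} needs {DIGESTS[rr.mtype][1]} bytes, got {len(rr.data)}")
    return problems

def matches(rr: Tlsa, cert_der: bytes, spki_der: bytes) -> bool:
    """Does a well-formed record match the certificate the MX host actually served?"""
    selected = cert_der if rr.selector == 0 else spki_der
    return rr.data == hashlib.new(DIGESTS[rr.mtype][0], selected).digest()

def audit_domain(mx_hosts, tlsa_rrsets, served):
    """mx_hosts: the domain's MX names; tlsa_rrsets: host -> rdata strings found at
    _25._tcp.<host> (absent = nothing published); served: host -> (cert_der, spki_der)
    captured from the STARTTLS handshake (absent = host down or no STARTTLS offered)."""
    report = {}
    for host in mx_hosts:
        rrs = [parse_tlsa(r) for r in tlsa_rrsets.get(host, [])]
        if not rrs:
            report[host] = "no TLSA records: partial deployment, no DANE protection here"
        elif bad := [p for rr in rrs for p in tlsa_problems(rr)]:
            report[host] = "malformed: " + "; ".join(bad)
        elif host not in served:
            report[host] = "unreachable, records well-formed: no loss of security"
        elif any(matches(rr, *served[host]) for rr in rrs):
            report[host] = "ok"
        else:
            report[host] = "stale: no record matches the served certificate (DANE senders will not deliver)"
    return report
```

Because every input is supplied by the caller, the same function can be fed a planned RRset and the certificate you are about to deploy, which makes it a useful pre-flight check before a key rollover.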

After eliminating parked domains that do not accept email, the number of "real"
email domains with bad DNSSEC support stands at 940 (1491 last month).  The
top 10 name server operators with problem domains are:

  This Month                 Last month                 Last year
  ----------                 ----------                 ---------
  325 registrar-servers.com  425 registrar-servers.com  347 registrar-servers.com
  116 movenext.nl            406 axc.nl                 221 mijnhostingpartner.nl
   86 ebola.cz               107 movenext.nl             95 egensajt.se
   25 tiscomhosting.nl        89 ebola.cz                62 movenext.nl
   24 epik.com                25 tiscomhosting.nl        59 eurodns.com
   23 eatserver.nl            25 mijndomein.nl           47 metaregistrar.nl
   17 infracom.nl             24 eatserver.nl            32 tiscomhosting.nl
   14 ns01.nl                 22 epik.com                29 nrdns.nl
   12 renault.fr              17 infracom.nl             26 hostnet.nl
   11 nrdns.nl                15 cloudflare.com          24 ebola.cz

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  trt1.jus.br
  bncr.fi.cr
  ofda.gov
  mobily.com.sa
  sauditelecom.com.sa

-- 
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:


[3] Some significant de-duplication of MX hosts has become necessary
recently, as a result of providers using the same IP address and TLSA
RRset under multiple per-customer names.  Ideally, they'd reduce the
complexity of the deployment by migrating to a common MX hostname, but
for now this makes the numbers no longer directly comparable to previous
values.
