Update on stats 2021-06

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Jul 1 03:39:53 CEST 2021


NOTE:     When using NSEC3 to sign your domain, please make sure your extra
          iteration count is not needlessly large (i.e. above ~25, 0 is best).
          For details see:

              https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
              https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00

Summary:  The DANE domain count is now 2,671,696 (up from 2,638,525 last month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 15,370,647 (up from 15,118,039 last
          month).  Thus DANE TLSA is deployed on ~17.38% of domains with
          DNSSEC.  See https://stats.dnssec-tools.org/ for more stats.

          The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
          taken place, and all previously issued X3-issued certificates
          are now expired.  If you're still publishing the X3 hash in
          your TLSA RRSet, it is best removed:

              http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html

Credits:  The coverage of DNSSEC domains continues to improve with
          ongoing data support from Paul Vixie of Farsight Security.
          Credits also due to ICANN for gTLD data via CZDS, and to
          the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
          .NL, .NU, .ORG and .SE.  More data sources of ccTLD
          signed delegations welcome.

As of today I count 2,671,696 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                   Last month
  ----------                   ----------
  1229596 one.com              1228949 one.com            
   150659 transip.nl            150486 transip.nl         
   150607 argewebhosting.nl     150288 argewebhosting.nl  
   112821 infomaniak.ch         110793 infomaniak.ch      
   105401 domeneshop.no         104816 domeneshop.no      
    99195 webhostingserver.nl    99494 webhostingserver.nl
    94181 loopia.se              93948 loopia.se          
    70039 forpsi.com             69464 forpsi.com         
    42040 active24.com           41882 active24.com       
    39239 webreus.nl             39617 webreus.nl         
    38021 zxcs.nl                38179 pcextreme.nl       
    37715 pcextreme.nl           37449 antagonist.nl      
    37563 antagonist.nl          37023 zxcs.nl            
    28958 vevida.com             29200 vevida.com         
    27525 webhosting.dk          27706 webhosting.dk      
    26607 web4u.cz               26564 web4u.cz           
    26407 udmedia.de             26255 udmedia.de         
    24915 hosting2go.nl          25168 hosting2go.nl      
    24728 spamservice.nl         18914 bhosted.nl         
    19280 protonmail.ch          18594 protonmail.ch      

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
  8751 TOTAL               8677 TOTAL              
  2635 DE, Germany         2631 DE, Germany        
  1677 US, United States   1664 US, United States  
  1668 NL, Netherlands     1644 NL, Netherlands    
   653 FR, France           636 FR, France         
   317 GB, United Kingdom   328 GB, United Kingdom 
   227 CZ, Czechia          224 CZ, Czechia        
   202 CA, Canada           201 CA, Canada         
   169 FI, Finland          167 FI, Finland        
   124 DK, Denmark          124 DK, Denmark        
   121 SG, Singapore        120 SG, Singapore      
   106 CH, Switzerland      100 SE, Sweden         
    97 SE, Sweden            98 CH, Switzerland    
    81 AU, Australia         79 AU, Australia      
    72 AT, Austria           73 AT, Austria        
    45 PL, Poland            44 PL, Poland         
    39 NO, Norway            41 IE, Ireland        
    39 IE, Ireland           39 NO, Norway         
    38 RU, Russia            37 BR, Brazil         
    37 JP, Japan             36 JP, Japan          
    37 BR, Brazil            35 RU, Russia         

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  6912 TOTAL               6851 TOTAL             
  3291 NL, Netherlands     3253 NL, Netherlands   
  1807 DE, Germany         1802 DE, Germany       
   699 US, United States    664 US, United States 
   292 FR, France           296 FR, France        
   143 GB, United Kingdom   145 CZ, Czechia       
   138 CZ, Czechia          142 GB, United Kingdom
    75 FI, Finland           76 FI, Finland       
    59 CA, Canada            58 CA, Canada        
    45 CH, Switzerland       45 SG, Singapore     
    44 SG, Singapore         44 CH, Switzerland   
    41 SE, Sweden            43 SE, Sweden        
    30 AU, Australia         29 AT, Austria       
    28 AT, Austria           28 AU, Australia     
    25 JP, Japan             27 RU, Russia        
    18 DK, Denmark           26 JP, Japan         
    17 RU, Russia            17 NO, Norway        
    16 NO, Norway            17 IE, Ireland       
    16 IE, Ireland           17 DK, Denmark       
    14 BR, Brazil            14 BR, Brazil        
    11 PL, Poland            12 PL, Poland        

There are 7,132 unique zones (7,053 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,568 (15,479 last
month).  These cover 15,805 distinct MX hosts (15,711 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 489 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 294
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.67 million domains, 12,786 (12,757 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1187
(1976 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
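The "partial" and "broken" categories counted above, and the monitoring and key-rotation advice just given, come down to one computation: for each MX host, does at least one published TLSA record match what the host actually presents over STARTTLS? The following Python is an added illustration of that check and is not code from this report or from the dane-users tooling. It carries a minimal DER walker (enough to pull the SubjectPublicKeyInfo out of a certificate for selector 1), computes association data for matching types 0/1/2, classifies a domain as ok / partial / broken / no-dane over its MX set, and runs a pre-rotation check that the published RRset matches both the live key and its successor. The certificates, host names and RRsets are constructed stand-ins (the "certificates" are structurally valid DER Certificate sequences with empty name fields, not real X.509); a real monitor would feed it the chain captured from a live STARTTLS handshake and the RRset from a DNSSEC-validating resolver. DANE-TA (usage 2) matching here is the digest comparison only; the PKIX path validation that usage 2 additionally requires is omitted.

```python
import hashlib
from dataclasses import dataclass

# --- minimal DER helpers: enough to walk a Certificate down to its SubjectPublicKeyInfo ---

def der_tlv(data: bytes, offset: int = 0):
    """Decode one DER tag-length-value at offset; return (tag, value, next_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    pos = offset + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length

def der_encode(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed sample certificates)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def extract_spki(cert_der: bytes) -> bytes:
    """Return the raw DER SubjectPublicKeyInfo of an X.509 certificate (TLSA selector 1 data)."""
    _, cert_body, _ = der_tlv(cert_der)     # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, signature }
    _, tbs, _ = der_tlv(cert_body)          # TBSCertificate ::= SEQUENCE { ... }
    fields, pos = [], 0
    while pos < len(tbs):
        tag, _, nxt = der_tlv(tbs, pos)
        fields.append((tag, tbs[pos:nxt]))
        pos = nxt
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[5][1]

# --- TLSA records and matching ---

@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (the usages appropriate for SMTP)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact, 1 = SHA-256, 2 = SHA-512
    data: bytes

def association_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    data = cert_der if selector == 0 else extract_spki(cert_der)
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError(f"unknown matching type {mtype}")

def tlsa_for_cert(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """Build the record an operator should publish for this certificate ("3 1 1" by default)."""
    return TLSA(usage, selector, mtype, association_data(cert_der, selector, mtype))

def parse_tlsa(text: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex digest>'."""
    u, s, m, hexdata = text.split()
    return TLSA(int(u), int(s), int(m), bytes.fromhex(hexdata))

def tlsa_matches(rec: TLSA, chain: list) -> bool:
    """chain = DER certificates as presented in the handshake, leaf first; [] means no STARTTLS."""
    if not chain:
        return False
    if rec.usage == 3:
        candidates = chain[:1]              # DANE-EE: the leaf itself
    elif rec.usage == 2:
        candidates = chain[1:]              # DANE-TA: an issuer in the chain (path validation omitted)
    else:
        return False                        # PKIX-TA/PKIX-EE (0/1) are not used for SMTP
    return any(association_data(c, rec.selector, rec.mtype) == rec.data for c in candidates)

def classify_domain(mx_hosts: list, tlsa_rrsets: dict, presented_chains: dict) -> str:
    """ok = every MX matches; partial = some MX hosts publish nothing; broken = an MX with TLSA fails."""
    covered, missing, broken = [], [], []
    for host in mx_hosts:
        recs = tlsa_rrsets.get(host, [])
        if not recs:
            missing.append(host)
            continue
        (covered if any(tlsa_matches(r, presented_chains.get(host, [])) for r in recs) else broken).append(host)
    if broken:
        return "broken"
    if covered and missing:
        return "partial"
    return "ok" if covered else "no-dane"

def rotation_safe(rrset: list, current_chain: list, next_chain: list) -> bool:
    """Pre-rotation check: the published RRset must match the live key AND its successor before the switch."""
    return any(tlsa_matches(r, current_chain) for r in rrset) and any(tlsa_matches(r, next_chain) for r in rrset)

# --- constructed sample data (not real certificates or hosts) ---

def make_fake_cert(spki_payload: bytes) -> bytes:
    """Structurally a DER Certificate with empty name fields; the SPKI wraps the given payload."""
    spki = der_encode(0x30, der_encode(0x04, spki_payload))
    tbs = der_encode(0x30, b"\xa0\x03\x02\x01\x02" + b"\x02\x01\x01" + der_encode(0x30, b"") * 4 + spki)
    return der_encode(0x30, tbs + der_encode(0x30, b"") + der_encode(0x03, b"\x00"))

def run_example() -> dict:
    mx_a, mx_b = "mx1.example.net", "mx2.example.net"   # hypothetical MX hosts
    cert_a, cert_a_next, cert_b = (make_fake_cert(k) for k in (b"key-A", b"key-A-next", b"key-B"))
    rrsets = {mx_a: [tlsa_for_cert(cert_a), tlsa_for_cert(cert_a_next)]}   # mx_b publishes no TLSA
    chains = {mx_a: [cert_a], mx_b: [cert_b]}
    return {
        "coverage": classify_domain([mx_a, mx_b], rrsets, chains),      # "partial"
        "rotation_ready": rotation_safe(rrsets[mx_a], [cert_a], [cert_a_next]),
        "after_wrong_key": classify_domain([mx_a], rrsets, {mx_a: [cert_b]}),   # "broken"
        "no_starttls": classify_domain([mx_a], rrsets, {}),             # "broken"
    }

if __name__ == "__main__":
    for k, v in run_example().items():
        print(f"{k}: {v}")
```

The rotation check is the part most often skipped in practice: publishing the successor key's "3 1 1" record alongside the current one, waiting out the TTL, and only then installing the new certificate is what keeps a domain out of the "broken" column during a key change.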

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1661 (1295 last
month).  The top 10 name server operators with problem domains are:

  This month                  Last month
  ----------                  ----------
  526 registrar-servers.com   509 registrar-servers.com
  393 serverion.nl            122 axc.nl               
  118 axc.nl                   93 ebola.cz             
   89 ebola.cz                 45 epik.com             
   50 epik.com                 32 mijndomein.nl        
   29 made-easy.ch             29 made-easy.ch         
   28 mijndomein.nl            24 tiscomhosting.nl     
   24 tiscomhosting.nl         22 cloudflare.com       
   22 cloudflare.com           18 movenext.nl          
   16 movenext.nl              17 openprovider.nl      
                               17 worldnic.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Three of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  bncr.fi.cr
  kmutt.ac.th
  sauditelecom.com.sa

--
      Viktor.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                   jpberlin.de              duo.nl
gmx.at                         kabelmail.de             expeditionfestival.nl
triodos.be                     lrz.de                   ezorg.nl
cetelemnegocie.com.br          mail.de                  herinneringenoplinnen.nl
clubedohardware.com.br         mensa.de                 hr.nl
contactflex.com.br             mpg.de                   huizenzoeker.nl
corridaeaventura.com.br        neutraler-versand.de     interim-netwerk.nl
nic.br                         posteo.de                luxiez.nl
registro.br                    ruhr-uni-bochum.de       mail-studio.nl
pdac.ca                        tum.de                   mailplus.nl
gmx.ch                         tutanota.de              markteffectmail.nl
hostpoint.ch                   uni-erlangen.de          mijnuvt.nl
infomaniak.ch                  uni-muenchen.de          minbuza.nl
open.ch                        unitymedia.de            minbzk.nl
protonmail.ch                  web.de                   mindef.nl
switch.ch                      westlotto.de             mkbbelangen.nl
travailler-en-suisse.ch        actie.deals              mm1.nl
simplelogin.co                 dfi.dk                   nieuwsservice-rvo.nl
ansigtsyogaonline.com          dk-hostmaster.dk         ns.nl
connectsb.com                  fibianet.dk              ouderportaal.nl
coremultichain.com             fvst.dk                  overheid.nl
dailyplaylists.com             handelsbanken.dk         partijvoordedieren.nl
datev.com                      netic.dk                 politie.nl
ecstase.com                    shapeit.dk               powerslim.nl
exegy.com                      shellcard.dk             pp-prd.nl
flaneurhomme.com               stil.dk                  previder.nl
gmx.com                        tilburguniversity.edu    pvv.nl
habr.com                       holt.ee                  rijksoverheid.nl
hotelsinduitsland.com          just.ee                  rivm.nl
imcnig.com                     riigikogu.ee             rotterdam.nl
infomaniak.com                 envie.email              rvo.nl
ingthink.com                   spam-filter.email        sans-mail.nl
intakt.com                     spike.email              schoudercom.nl
jula.com                       spotler.email            schuurman-schoenen.nl
kpn.com                        rediris.es               sportrusten.nl
leszexpertsfle.com             triodos.es               ssonet.nl
mail.com                       uv.es                    telefoonglaasje.nl
mammoetmail.com                litebit.eu               triodos.nl
matilhadobemadestramento.com   transadvise.eu           truetickets.nl
mx-relay.com                   zone.eu                  uitgeverijpica.nl
nine-pine.com                  zonevs.eu                utwente.nl
one.com                        handelsbanken.fi         uvt.nl
orverkiezing.com               traficom.fi              uwv.nl
outsystems.com                 ac-strasbourg.fr         veilinghuispeerdeman.nl
protonmail.com                 compagnie-des-sens.fr    voorpositiviteit.nl
protonvpn.com                  edtm-actu.fr             vu.nl
sanderrossel.com               oo2.fr                   waternet.nl
sankakucomplex.com             srci.fr                  xs4all.nl
societe.com                    fidesz.hu                zorgmail.nl
solvinity.com                  mszp.hu                  annabellstefanussen.no
stellarequipment.com           tuta.io                  audi.no
t-2.com                        pm.me                    bergengokart.no
thalesgroup.com                army.mil                 derute.no
triodos.com                    dla.mil                  domeneshop.no
tutanota.com                   jten.mil                 handelsbanken.no
veganallsorts.com              mail.mil                 idrettenonline.no
vitstore.com                   militaryonesource.mil    norskgrammatikk.no
webcruiter.com                 navy.mil                 rushtrampoline.no
xfinity.com                    nga.mil                  uib.no
xfinityhomesecurity.com        osd.mil                  viphuset.no
xfinitymobile.com              socom.mil                webcruitermail.no
active24.cz                    uscg.mil                 atelkamera.nu
akce-incomputer.cz             usmc.mil                 goget.nu
bewooden.cz                    comcast.net              aegee.org
colours.cz                     gmx.net                  debian.org
cuni.cz                        habramail.net            freebsd.org
ekokoza.cz                     hr-manager.net           gentoo.org
gigalekarna.cz                 inexio.net               ietf.org
itesco.cz                      mijngezondheid.net       irtf.org
klenotyaurum.cz                mpssec.net               isc.org
klubpevnehozdravi.cz           procurios.net            mailbox.org
manymail.cz                    ripe.net                 mailop.org
nic.cz                         riseup.net               mkpbelgium.org
omvnovinky.cz                  t-2.net                  netbsd.org
onebit.cz                      transip.net              openssl.org
optimail.cz                    xs4all.net               ozlabs.org
poptavej.cz                    xworks.net               samba.org
reserved.cz                    123watches.nl            torproject.org
scrptd.cz                      amsterdam.nl             whatpulse.org
server4u.cz                    awcloud.nl               asf.com.pt
smtp.cz                        belastingdienst.nl       mobily.com.sa
stoklasa.cz                    beterspellen.nl          bilprovningen.se
toplist.cz                     bhosted.nl               boplatssyd-automail.se
vas-server.cz                  bhsupport.nl             ecster.se
vcelka.cz                      bibliotheekdenhaag.nl    handelsbanken.se
virusfree.cz                   bluerail.nl              loopia.se
zdravestravovani.cz            boekwinkeltjes.nl        matlistan.se
bayern.de                      bolerolimonadewinkel.nl  minmyndighetspost.se
brandenburg.de                 boozyshop.nl             personligalmanacka.se
bund.de                        bratpack-charly.nl       skatteverket.se
bundesregierung.de             bratsites-grs.nl         teknikdelar.se
datev.de                       burgernet.nl             theletter.se
dfn.de                         cbr.nl                   websupport.se
ekom21.de                      corpoflow.nl             triodos.co.uk
elster.de                      denhaag.nl               xepay.co.uk
fau.de                         derooijfotografie.nl     govtrack.us
freenet.de                     dictu.nl                 quantum-services.us
gmx.de                         digid.nl                 ru.ac.za