Update on stats 2021-02
Viktor Dukhovni
ietf-dane at dukhovni.org
Mon Mar 1 02:36:14 CET 2021
Summary: The DANE domain count is now 2,568,169 (up from 2,544,101
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 14,288,417 (up from 13,923,656 last
month). Thus DANE TLSA is deployed on ~17.97% of domains with
DNSSEC.
https://stats.dnssec-tools.org/
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,568,169 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month                     Last month
----------                     ----------
 1219827 one.com                1205788 one.com
  148553 transip.nl              147619 transip.nl
  147435 argewebhosting.nl       146775 argewebhosting.nl
  104178 domeneshop.no           103761 domeneshop.no
  102904 infomaniak.ch            99912 infomaniak.ch
   99738 webhostingserver.nl      99338 webhostingserver.nl
   92884 loopia.se                92519 loopia.se
   67647 forpsi.com               67146 forpsi.com
   41221 active24.com             40970 webreus.nl
   40647 webreus.nl               40962 active24.com
   39035 pcextreme.nl             39427 pcextreme.nl
   36298 antagonist.nl            35906 antagonist.nl
   33417 zxcs.nl                  32396 zxcs.nl
   29790 vevida.com               30001 vevida.com
   27967 webhosting.dk            27989 webhosting.dk
   26531 web4u.cz                 26427 web4u.cz
   25882 udmedia.de               25822 udmedia.de
   18695 bhosted.nl               18607 bhosted.nl
   16210 protonmail.ch            15356 protonmail.ch
   14555 onebit.cz                14474 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                Last month
----------                ----------
 8200 TOTAL                8033 TOTAL
 2467 DE, Germany          2432 DE, Germany
 1591 US, United States    1542 US, United States
 1567 NL, Netherlands      1524 NL, Netherlands
  632 FR, France            635 FR, France
  302 GB, United Kingdom    294 GB, United Kingdom
  225 CZ, Czechia           221 CZ, Czechia
  190 CA, Canada            175 CA, Canada
  144 FI, Finland           142 FI, Finland
  119 DK, Denmark           120 DK, Denmark
  114 SG, Singapore         113 SG, Singapore
   94 CH, Switzerland        96 CH, Switzerland
   92 SE, Sweden             87 SE, Sweden
   71 AU, Australia          69 AU, Australia
   63 AT, Austria            66 AT, Austria
   38 PL, Poland             37 IN, India
   37 JP, Japan              36 PL, Poland
   36 RU, Russia             35 IE, Ireland
   36 IE, Ireland            35 BR, Brazil
   36 BR, Brazil             34 JP, Japan
   33 NO, Norway             31 NO, Norway
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                Last month
----------                ----------
 6537 TOTAL                6444 TOTAL
 3203 NL, Netherlands      3179 NL, Netherlands
 1682 DE, Germany          1639 DE, Germany
  641 US, United States     618 US, United States
  280 FR, France            283 FR, France
  145 CZ, Czechia           131 CZ, Czechia
  123 GB, United Kingdom    122 GB, United Kingdom
   49 CA, Canada             52 CA, Canada
   44 CH, Switzerland        43 CH, Switzerland
   42 SE, Sweden             43 AT, Austria
   42 AT, Austria            40 SG, Singapore
   39 SG, Singapore          38 SE, Sweden
   26 FI, Finland            26 AU, Australia
   23 AU, Australia          22 RU, Russia
   21 JP, Japan              20 IE, Ireland
   17 IE, Ireland            18 JP, Japan
   17 DK, Denmark            18 FI, Finland
   15 NO, Norway             18 DK, Denmark
   14 BR, Brazil             17 UA, Ukraine
   13 RU, Russia             16 NO, Norway
   10 PL, Poland             12 BR, Brazil
There are 6,612 unique zones (6,428 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 14,671 (14,448 last
month). These cover 14,882 distinct MX hosts (14,652 last month; some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 449 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 283
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.57 million domains, 12,871 (12,995 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1028
(1229 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
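As an added example (not part of Viktor's post or of his survey code), the following Python classifies a domain into the buckets used in the counts above: every MX host covered ("dane"), only some MX hosts covered ("partial"), a published RRset that does not match or a host that does not offer STARTTLS ("broken"), or no TLSA at all. The MX hostnames, probe results and the exact bucket rules are constructed for illustration; footnote [1] below is modelled by accepting well-formed but non-matching records on hosts that refuse connections.

```python
# Added example: classify DANE coverage per domain from per-MX-host probe
# results. All hostnames and probe data below are constructed; in practice
# they would come from MX/TLSA lookups and SMTP STARTTLS probes.

from collections import Counter

# Constructed probe results per MX host.
#   tlsa:      "none"      no TLSA RRset published
#              "valid"     well-formed RRset matching the presented certificate
#              "mismatch"  well-formed RRset that matches nothing presented
#              "malformed" RRset present but unusable (e.g. wrong digest length)
#   starttls:  whether the host offered STARTTLS when probed
#   reachable: whether a connection to port 25 succeeded
PROBES = {
    "mx1.full.example":       {"tlsa": "valid",    "starttls": True,  "reachable": True},
    "mx2.full.example":       {"tlsa": "valid",    "starttls": True,  "reachable": True},
    "mx.deadsec.example":     {"tlsa": "valid",    "starttls": True,  "reachable": True},
    "dead.deadsec.example":   {"tlsa": "mismatch", "starttls": False, "reachable": False},
    "mx.partial.example":     {"tlsa": "valid",    "starttls": True,  "reachable": True},
    "backup.partial.example": {"tlsa": "none",     "starttls": True,  "reachable": True},
    "mx.notls.example":       {"tlsa": "valid",    "starttls": False, "reachable": True},
    "mx.plain.example":       {"tlsa": "none",     "starttls": True,  "reachable": True},
}

# Constructed MX RRsets: domain -> MX hostnames (preferences omitted).
DOMAINS = {
    "full.example":    ["mx1.full.example", "mx2.full.example"],
    "deadsec.example": ["mx.deadsec.example", "dead.deadsec.example"],
    "partial.example": ["mx.partial.example", "backup.partial.example"],
    "notls.example":   ["mx.notls.example"],
    "plain.example":   ["mx.plain.example"],
}


def host_status(probe):
    """Per-host verdict: "ok", "uncovered" (no TLSA) or "broken"."""
    if probe["tlsa"] == "none":
        return "uncovered"
    if not probe["reachable"]:
        # Footnote [1]: a permanently-down MX host costs no security as long
        # as its TLSA records exist and are well-formed; they need not match.
        return "ok" if probe["tlsa"] in ("valid", "mismatch") else "broken"
    # A reachable host must offer STARTTLS and present a matching certificate.
    return "ok" if probe["tlsa"] == "valid" and probe["starttls"] else "broken"


def classify(mx_hosts, probes):
    """Domain verdict: "dane", "partial", "broken" or "none"."""
    statuses = [host_status(probes[h]) for h in mx_hosts]
    if all(s == "uncovered" for s in statuses):
        return "none"
    if "broken" in statuses:
        # Mail may still flow via the other MX hosts, but the domain is
        # counted as broken, as in the report above.
        return "broken"
    if "uncovered" in statuses:
        # Covered hosts are protected; the rest remain open to active attacks.
        return "partial"
    return "dane"


def summarize(domains, probes):
    """Bucket counts over all domains, like the monthly totals above."""
    return Counter(classify(mx, probes) for mx in domains.values())


if __name__ == "__main__":
    for domain, mx in DOMAINS.items():
        print(f"{domain:20s} {classify(mx, PROBES)}")
    print(dict(summarize(DOMAINS, PROBES)))
```

Running the block prints one verdict per constructed domain and the bucket totals; the "deadsec.example" case shows why a dead secondary with well-formed TLSA records still counts as fully covered.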
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
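The two hazards raised in this post, a stale issuer digest left over from the X3 to R3 switch and records that stop matching at the next renewal, can both be caught by checking the published TLSA RRset against the chain served today and the chain planned after rotation. The Python below is an added example, not code from this post or from any of the linked guides; the certificates are constructed byte strings standing in for DER data and the hostname is hypothetical, but the SHA-256 association-data logic is the same one used for real SPKI or certificate DER.

```python
# Added example: audit a TLSA RRset against the current and the next
# certificate chain, flagging stale records and records that will break
# on renewal. Certificates here are constructed stand-ins for DER bytes.

import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA (issuer), 3 = DANE-EE (end entity)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 1 = SHA-256
    data: str       # hex digest


@dataclass(frozen=True)
class Cert:
    name: str
    cert_der: bytes   # stand-in for the DER-encoded certificate
    spki_der: bytes   # stand-in for the DER-encoded SubjectPublicKeyInfo


def tlsa_data(cert, selector, mtype=1):
    """Association data for a matching-type-1 record over the cert or its SPKI."""
    if mtype != 1:
        raise ValueError("only matching type 1 (SHA-256) is modelled here")
    payload = cert.cert_der if selector == 0 else cert.spki_der
    return hashlib.sha256(payload).hexdigest()


def make_tlsa(cert, usage, selector):
    return TLSA(usage, selector, 1, tlsa_data(cert, selector))


def record_matches_chain(rr, chain):
    """chain[0] is the end-entity certificate; the rest are the issuers sent."""
    if rr.usage == 3:
        candidates = chain[:1]
    elif rr.usage == 2:
        candidates = chain[1:]
    else:
        return False   # PKIX usages 0/1 are unusable for SMTP DANE (RFC 7672)
    return any(tlsa_data(c, rr.selector, rr.mtype) == rr.data for c in candidates)


def audit(rrset, current_chain, next_chain):
    """Per record: ok (matches both), expiring (current only),
    pending (next only) or stale (matches neither)."""
    verdict = {(True, True): "ok", (True, False): "expiring",
               (False, True): "pending", (False, False): "stale"}
    return {rr: verdict[(record_matches_chain(rr, current_chain),
                         record_matches_chain(rr, next_chain))] for rr in rrset}


def safe_to_rotate(rrset, current_chain, next_chain):
    """True when the RRset matches both chains, so the new certificate can be
    deployed without a window in which no record matches."""
    return (any(record_matches_chain(rr, current_chain) for rr in rrset)
            and any(record_matches_chain(rr, next_chain) for rr in rrset))


# Constructed scenario: an MX host renewed with the new issuer, keeping its key.
X3 = Cert("old issuer X3 (constructed)", b"cert:x3", b"spki:x3")
R3 = Cert("new issuer R3 (constructed)", b"cert:r3", b"spki:r3")
LEAF_NOW = Cert("mx.example.net, issued 2021-01", b"cert:leaf-2021-01", b"spki:k1")
LEAF_NEXT = Cert("mx.example.net, renewal 2021-03", b"cert:leaf-2021-03", b"spki:k1")
CURRENT_CHAIN = [LEAF_NOW, R3]
NEXT_CHAIN = [LEAF_NEXT, R3]
RRSET = [
    make_tlsa(X3, 2, 1),         # "2 1 1" left over from before the issuer switch
    make_tlsa(R3, 2, 1),         # "2 1 1" for the current issuer
    make_tlsa(LEAF_NOW, 3, 1),   # "3 1 1" pins the key and survives renewal
    make_tlsa(LEAF_NOW, 3, 0),   # "3 0 1" pins the certificate and dies on renewal
]

if __name__ == "__main__":
    for rr, state in audit(RRSET, CURRENT_CHAIN, NEXT_CHAIN).items():
        print(f"{rr.usage} {rr.selector} {rr.mtype} {rr.data[:16]}...  {state}")
    print("safe to rotate:", safe_to_rotate(RRSET, CURRENT_CHAIN, NEXT_CHAIN))
```

The audit reports the X3 record as stale (remove it), the "3 0 1" record as expiring (it matches today but not after renewal), and the R3 "2 1 1" and key-pinned "3 1 1" records as fine; with only the stale and the "3 0 1" records published, safe_to_rotate would be false and the renewal should be held until the RRset is fixed.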
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (940 last
month). The top 10 name server operators with problem domains are:
This month                   Last month
----------                   ----------
 439 registrar-servers.com    405 registrar-servers.com
 119 movenext.nl              119 movenext.nl
  93 ebola.cz                  86 ebola.cz
  46 axc.nl                    35 criscompinformatika.hu
  45 made-easy.ch              33 epik.com
  39 epik.com                  31 mijndomein.nl
  34 mijndomein.nl             25 tiscomhosting.nl
  26 tiscomhosting.nl          24 eatserver.nl
  22 eatserver.nl              18 cloudflare.com
  19 infracom.nl               17 infracom.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Six of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
bncr.fi.cr
ofda.gov
ticketspy.nl
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at lrz.de hr.nl
gmx.at mail.de interim-netwerk.nl
triodos.be mailserver4.de introweb.nl
register.bg mensa.de mailplus.nl
clubedohardware.com.br mpg.de markteffectmail.nl
outeletro.com.br posteo.de mijnhypotheekonline.nl
nic.br ruhr-uni-bochum.de mijnsalon.nl
registro.br stwm.de mijnuvt.nl
gmx.ch tum.de minbuza.nl
hostpoint.ch uni-erlangen.de minbzk.nl
infomaniak.ch uni-muenchen.de mindef.nl
open.ch unitybox.de minienw.nl
protonmail.ch unitymedia.de mkbbelangen.nl
switch.ch web.de mm1.nl
travailler-en-suisse.ch westlotto.de ns.nl
simplelogin.co dk-hostmaster.dk ouderportaal.nl
connectsb.com egmontpublishing.dk overheid.nl
dailyplaylists.com labelking.dk parlement.nl
datev.com netic.dk partijvoordedieren.nl
ecstase.com nota.dk pathe.nl
flaneurhomme.com nst.dk politie.nl
fmc-na.com peterhald.dk powerslim.nl
gmx.com powerhosting.dk pp-prd.nl
habr.com star.dk previder.nl
horagames.com uvm.dk rijksoverheid.nl
hotelsinduitsland.com tilburguniversity.edu rotterdam.nl
imcnig.com emta.ee ru.nl
infomaniak.com lugeja.ee rvo.nl
ingthink.com rmit.ee sans-mail.nl
intakt.com envie.email schoudercom.nl
jula.com spike.email schuurman-schoenen.nl
kpn.com spotler.email sportrusten.nl
leszexpertsfle.com rediris.es ssonet.nl
mail.com triodos.es stater.nl
mammoetmail.com uv.es telefoonglaasje.nl
matilhadobemadestramento.com litebit.eu triodos.nl
one.com transadvise.eu truetickets.nl
protonmail.com zone.eu tweedekamer.nl
protonvpn.com zonevs.eu uitgeverijpica.nl
sankakucomplex.com traficom.fi utwente.nl
societe.com ac-strasbourg.fr uvt.nl
solvinity.com bloctel.fr uwv.nl
stater.com compagnie-des-sens.fr vu.nl
stellarequipment.com srci.fr waternet.nl
t-2.com fidesz.hu webcentral.nl
thalesgroup.com interestexplorer.io wehkampfinance.nl
thepcw.com pm.me xs4all.nl
triodos.com dla.mil zorgmail.nl
ugritone.com jten.mil annabellstefanussen.no
vanderkam.com mail.mil audi.no
veganallsorts.com militaryonesource.mil derute.no
vitstore.com navy.mil domeneshop.no
webmailph.com nga.mil handelsbanken.no
xfinity.com osd.mil idrettenonline.no
xfinityhomesecurity.com socom.mil leadmail.no
xfinitymobile.com uscg.mil nordicprint.no
active24.cz usmc.mil norskgrammatikk.no
akce-incomputer.cz comcast.net rushtrampoline.no
amenit.cz gmx.net uib.no
bewooden.cz habramail.net viphuset.no
cuni.cz hr-manager.net atelkamera.nu
flagranti.cz inexio.net goget.nu
gigalekarna.cz mijngezondheid.net lenhud.nu
hellspy.cz mpssec.net debian.org
isportsystem.cz procurios.net freebsd.org
itesco.cz prolocation.net gentoo.org
klenotyaurum.cz ripe.net ietf.org
klubpevnehozdravi.cz riseup.net isc.org
manymail.cz t-2.net mailbox.org
nic.cz transip.net mailop.org
omvnovinky.cz triodos.net netbsd.org
onebit.cz xs4all.net openssl.org
optimail.cz amsterdam.nl ozlabs.org
poptavej.cz argewebhosting.nl samba.org
reserved.cz arrangementenparade.nl torproject.org
smtp.cz awcloud.nl whatpulse.org
stoklasa.cz belastingdienst.nl asf.com.pt
toplist.cz bhosted.nl bilprovningen.se
vas-server.cz bhsupport.nl boplatssyd-automail.se
vcelka.cz bluerail.nl ecster.se
virusfree.cz boeketcadeau.nl handelsbanken.se
zdravestravovani.cz boekwinkeltjes.nl loopia.se
agdsn.de boozyshop.nl minmyndighetspost.se
bayern.de burgernet.nl nordicprint.se
brandenburg.de cbr.nl personligalmanacka.se
bund.de chipbizz.nl polisen.se
bundesregierung.de corpoflow.nl skatteverket.se
datev.de derooijfotografie.nl teknikdelar.se
dfn.de dictu.nl theletter.se
ekom21.de digid.nl pneusvet.sk
elster.de duo.nl triodos.co.uk
fau.de etz.nl govtrack.us
freenet.de ezorg.nl quantum-services.us
gmx.de hetamsterdamsverbond.nl ru.ac.za
jpberlin.de