Update on stats 2021-04
Viktor Dukhovni
ietf-dane at dukhovni.org
Sat May 1 20:49:14 CEST 2021
NOTE: When using NSEC3, please make sure your iteration count is
not needlessly large (above ~25). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
Summary: The DANE domain count is now 2,623,358 (up from 2,580,510
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 14,890,975 (up from 14,597,373 last
month). Thus DANE TLSA is deployed on ~17.61% of domains with
DNSSEC.
https://stats.dnssec-tools.org/
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,623,358 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month                       Last month
----------                       ----------
 1227082 one.com                  1219094 one.com
  150090 transip.nl                149627 transip.nl
  149333 argewebhosting.nl         148446 argewebhosting.nl
  108672 infomaniak.ch             106039 infomaniak.ch
  104762 domeneshop.no             104614 domeneshop.no
   99669 webhostingserver.nl        99953 webhostingserver.nl
   93660 loopia.se                  93378 loopia.se
   68752 forpsi.com                 68008 forpsi.com
   41710 active24.com               41460 active24.com
   39907 webreus.nl                 40278 webreus.nl
   38426 pcextreme.nl               38710 pcextreme.nl
   37231 antagonist.nl              36833 antagonist.nl
   35720 zxcs.nl                    34505 zxcs.nl
   29296 vevida.com                 29520 vevida.com
   27736 webhosting.dk              27896 webhosting.dk
   26588 web4u.cz                   26473 web4u.cz
   25968 udmedia.de                 25964 udmedia.de
   25447 hosting2go.nl              18829 bhosted.nl
   18827 bhosted.nl                 17072 protonmail.ch
   17855 protonmail.ch              14579 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                   Last month
----------                   ----------
  8579 TOTAL                   8450 TOTAL
  2595 DE, Germany             2555 DE, Germany
  1650 US, United States       1628 US, United States
  1648 NL, Netherlands         1628 NL, Netherlands
   631 FR, France               624 FR, France
   313 GB, United Kingdom       306 GB, United Kingdom
   226 CZ, Czechia              229 CZ, Czechia
   197 CA, Canada               199 CA, Canada
   165 FI, Finland              150 FI, Finland
   125 DK, Denmark              121 SG, Singapore
   116 SG, Singapore            121 DK, Denmark
    95 SE, Sweden                95 SE, Sweden
    95 CH, Switzerland           93 CH, Switzerland
    75 AU, Australia             77 AU, Australia
    70 AT, Austria               69 AT, Austria
    45 PL, Poland                39 RU, Russia
    39 NO, Norway                39 PL, Poland
    39 BR, Brazil                39 BR, Brazil
    38 JP, Japan                 38 JP, Japan
    37 IE, Ireland               37 NO, Norway
    36 IN, India                 37 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                   Last month
----------                   ----------
  6806 TOTAL                   6706 TOTAL
  3268 NL, Netherlands         3238 NL, Netherlands
  1782 DE, Germany             1747 DE, Germany
   659 US, United States        678 US, United States
   299 FR, France               289 FR, France
   147 GB, United Kingdom       144 CZ, Czechia
   134 CZ, Czechia              132 GB, United Kingdom
    52 CA, Canada                53 CA, Canada
    46 SG, Singapore             44 CH, Switzerland
    46 SE, Sweden                42 SG, Singapore
    46 CH, Switzerland           42 AT, Austria
    42 RU, Russia                41 SE, Sweden
    33 FI, Finland               25 FI, Finland
    26 AU, Australia             23 AU, Australia
    26 AT, Austria               21 JP, Japan
    24 JP, Japan                 20 RU, Russia
    17 NO, Norway                18 DK, Denmark
    17 DK, Denmark               17 IE, Ireland
    16 IE, Ireland               16 NO, Norway
    14 BR, Brazil                14 BR, Brazil
    10 SI, Slovenia              11 PL, Poland
There are 6,934 unique zones (6,808 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,467 (15,010 last
month). These cover 15,701 distinct MX hosts (15,241 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 478 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 297
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.62 million domains, 12,852 (12,913 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1999
(1801 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1295 (1298 last
month). The top 10 name server operators with problem domains are:
This month                    Last month
----------                    ----------
  485 registrar-servers.com     468 registrar-servers.com
  119 axc.nl                    122 movenext.nl
   94 ebola.cz                   93 ebola.cz
   48 yourict.net                46 axc.nl
   45 epik.com                   43 epik.com
   29 mijndomein.nl              31 mijndomein.nl
   29 made-easy.ch               29 made-easy.ch
   25 tiscomhosting.nl           25 tiscomhosting.nl
   18 movenext.nl                18 infracom.nl
   17 infracom.nl                16 eatserver.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
fed.be
trt1.jus.br
bncr.fi.cr
sauditelecom.com.sa
kmutt.ac.th
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at mail.de herinneringenoplinnen.nl
gmx.at mensa.de hetamsterdamsverbond.nl
idec.at mpg.de hr.nl
triodos.be posteo.de huizenzoeker.nl
clubedohardware.com.br ruhr-uni-bochum.de interim-netwerk.nl
nic.br tum.de mailplus.nl
registro.br uni-erlangen.de mailshover.nl
gmx.ch uni-muenchen.de markteffectmail.nl
hostpoint.ch unitybox.de mijnhypotheekonline.nl
infomaniak.ch unitymedia.de mijnsalon.nl
open.ch web.de mijnuvt.nl
protonmail.ch westlotto.de minbzk.nl
switch.ch actie.deals mindef.nl
travailler-en-suisse.ch bridgewalking.dk minienw.nl
simplelogin.co dfi.dk mkbbelangen.nl
connectsb.com dk-hostmaster.dk mm1.nl
dailyplaylists.com fibianet.dk ns.nl
datev.com handelsbanken.dk ongehoordnederland.nl
digitalelections.com labelking.dk ouderportaal.nl
ecstase.com netic.dk overheid.nl
exegy.com nst.dk partijvoordedieren.nl
flaneurhomme.com shapeit.dk podiumcadeaukaart.nl
gmx.com star.dk politie.nl
habr.com stil.dk powerslim.nl
horagames.com uni-c.dk pp-prd.nl
hotelsinduitsland.com uvm.dk previder.nl
imcnig.com tilburguniversity.edu provalue.nl
infomaniak.com emta.ee rijksoverheid.nl
ingthink.com lugeja.ee rivm.nl
jula.com riigikogu.ee rotterdam.nl
kpn.com rmit.ee rvo.nl
leszexpertsfle.com envie.email sans-mail.nl
mail.com spike.email schoudercom.nl
mammoetmail.com spotler.email schuurman-schoenen.nl
matilhadobemadestramento.com rediris.es sportrusten.nl
mx-relay.com triodos.es ssonet.nl
one.com uv.es stater.nl
orverkiezing.com litebit.eu telefoonglaasje.nl
outsystems.com transadvise.eu triodos.nl
protonmail.com zone.eu truetickets.nl
protonvpn.com zonevs.eu uitgeverijpica.nl
sankakucomplex.com handelsbanken.fi utwente.nl
schizinfo.com traficom.fi uvt.nl
societe.com ac-strasbourg.fr uwv.nl
solvinity.com bloctel.fr veilinghuispeerdeman.nl
stater.com compagnie-des-sens.fr voorpositiviteit.nl
stellarequipment.com oo2.fr vu.nl
t-2.com srci.fr waternet.nl
thalesgroup.com fidesz.hu xs4all.nl
thepcw.com mszp.hu zorgmail.nl
triodos.com interestexplorer.io annabellstefanussen.no
ugritone.com pm.me audi.no
vanderkam.com dla.mil derute.no
veganallsorts.com jten.mil domeneshop.no
vitstore.com mail.mil handelsbanken.no
webmailph.com militaryonesource.mil idrettenonline.no
xfinity.com navy.mil leadmail.no
xfinityhomesecurity.com nga.mil nordicprint.no
xfinitymobile.com osd.mil norskgrammatikk.no
active24.cz socom.mil uib.no
akce-incomputer.cz uscg.mil viphuset.no
colours.cz usmc.mil webcruitermail.no
cuni.cz comcast.net atelkamera.nu
flagranti.cz gmx.net goget.nu
gigalekarna.cz habramail.net aegee.org
itesco.cz hr-manager.net debian.org
klenotyaurum.cz inexio.net freebsd.org
klubpevnehozdravi.cz mijngezondheid.net gentoo.org
manymail.cz mpssec.net ietf.org
nic.cz procurios.net irtf.org
omvnovinky.cz ripe.net isc.org
onebit.cz riseup.net mailbox.org
optimail.cz t-2.net mailop.org
poptavej.cz transip.net mkpbelgium.org
reserved.cz triodos.net netbsd.org
scrptd.cz xs4all.net openssl.org
server4u.cz xworks.net ozlabs.org
smtp.cz 123watches.nl samba.org
stoklasa.cz 50plusbeurs.nl torproject.org
toplist.cz amsterdam.nl whatpulse.org
vas-server.cz argeweb.nl psgaz.pl
vcelka.cz awcloud.nl asf.com.pt
virusfree.cz belastingdienst.nl mobily.com.sa
zdravestravovani.cz bhosted.nl bilprovningen.se
agdsn.de bhsupport.nl boplatssyd-automail.se
bayern.de bluerail.nl ecster.se
brandenburg.de boeketcadeau.nl handelsbanken.se
bund.de boekwinkeltjes.nl loopia.se
bundesregierung.de boozyshop.nl minmyndighetspost.se
datev.de burgernet.nl nordicprint.se
dfn.de chipbizz.nl personligalmanacka.se
ekom21.de corpoflow.nl skatteverket.se
elster.de derooijfotografie.nl teknikdelar.se
fau.de dictu.nl theletter.se
freenet.de digid.nl pneusvet.sk
gmx.de duo.nl triodos.co.uk
jpberlin.de etz.nl govtrack.us
kabelmail.de expeditionfestival.nl quantum-services.us
lrz.de ezorg.nl ru.ac.za
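The report above counts domains with "partial" TLSA coverage (only some MX hosts have records) and domains with malformed or mismatched records, and asks operators to monitor their own records. The following is an added example, not code from the post or from the dane-users project: it takes a domain's MX host list and its TLSA RRsets, checks each record for well-formedness (field ranges from RFC 6698, digest length per matching type), classifies coverage as full, partial or none, and verifies a record against a presented key the way a DANE-aware client does. The MX host names, TLSA records and SubjectPublicKeyInfo bytes are constructed so the check runs offline; a real monitor would fetch the RRsets through a DNSSEC-validating resolver and extract the SPKI from the server's certificate.

```python
"""Classify SMTP DANE TLSA coverage of a domain's MX hosts (offline example).

Added example, not the post's own tooling. All hosts, records and key
bytes below are constructed. Field ranges follow RFC 6698; the
"_25._tcp.<host>" owner name is the standard SMTP TLSA location.
"""
import hashlib
import re

# Hex length of the association data per matching type:
# 1 = SHA-256, 2 = SHA-512. Matching type 0 carries the full cert/SPKI.
DIGEST_HEX_LEN = {1: 64, 2: 128}


def parse_tlsa(text):
    """Parse 'usage selector mtype hexdata'; return a tuple or raise ValueError."""
    parts = text.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {text!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = parts[3].lower()
    if not (0 <= usage <= 3 and 0 <= selector <= 1 and 0 <= mtype <= 2):
        raise ValueError(f"field out of range: {text!r}")
    if not re.fullmatch(r"[0-9a-f]+", data) or len(data) % 2:
        raise ValueError(f"association data is not even-length hex: {text!r}")
    if mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        raise ValueError(
            f"digest length {len(data)} wrong for matching type {mtype}: {text!r}")
    return usage, selector, mtype, data


def tlsa_matches(record, cert_der, spki_der):
    """True if the record's association data matches the presented cert.

    Selector 0 compares against the full certificate, selector 1 against
    the SubjectPublicKeyInfo; matching type 0 is an exact match, 1 and 2
    compare a SHA-256 / SHA-512 digest.
    """
    _usage, selector, mtype, data = record
    subject = spki_der if selector == 1 else cert_der
    if mtype == 0:
        return subject.hex() == data
    algo = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return algo(subject).hexdigest() == data


def coverage(mx_hosts, tlsa_rrsets):
    """Return (status, covered_hosts, problems).

    status is 'full' when every MX host has at least one well-formed
    record, 'partial' when only some do (the report's "partial" case),
    and 'none' otherwise. problems maps a host to its findings.
    """
    covered, problems = [], {}
    for host in mx_hosts:
        good = 0
        for rr in tlsa_rrsets.get(f"_25._tcp.{host}", []):
            try:
                parse_tlsa(rr)
                good += 1
            except ValueError as err:
                problems.setdefault(host, []).append(str(err))
        if good:
            covered.append(host)
        elif host not in problems:
            problems[host] = ["no TLSA RRset published"]
    if not mx_hosts or not covered:
        status = "none"
    elif len(covered) == len(mx_hosts):
        status = "full"
    else:
        status = "partial"
    return status, covered, problems


# --- constructed sample data (hypothetical hosts, not a real key) ---
SPKI_MX1 = b"constructed SubjectPublicKeyInfo bytes for mx1"
SAMPLE_MX = ["mx1.example.net", "mx2.example.net", "mx3.example.net"]
SAMPLE_TLSA = {
    # DANE-EE(3) SPKI(1) SHA-256(1): the "3 1 1" form RFC 7671 recommends
    "_25._tcp.mx1.example.net": ["3 1 1 " + hashlib.sha256(SPKI_MX1).hexdigest()],
    # digest too short for SHA-256: malformed, so mx2 counts as uncovered
    "_25._tcp.mx2.example.net": ["3 1 1 deadbeef"],
    # mx3 publishes nothing at all: the domain is only partially covered
}


def demo():
    """Run the check over the constructed data and return the status."""
    status, covered, problems = coverage(SAMPLE_MX, SAMPLE_TLSA)
    print(f"coverage: {status}; covered hosts: {covered}")
    for host, issues in problems.items():
        print(f"  {host}: {'; '.join(issues)}")
    rec = parse_tlsa(SAMPLE_TLSA["_25._tcp.mx1.example.net"][0])
    print("mx1 key matches its TLSA record:", tlsa_matches(rec, b"", SPKI_MX1))
    return status


if __name__ == "__main__":
    demo()
```

Run as a script it reports the constructed domain as "partial", names mx2 (malformed digest) and mx3 (no RRset) as the uncovered hosts, and confirms the mx1 key against its "3 1 1" record. A monitor built on this would alert on anything other than "full", and on a key that no longer matches after rotation.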