From ietf-dane at dukhovni.org Fri Oct 1 06:22:37 2021
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Fri, 1 Oct 2021 00:22:37 -0400
Subject: Update on stats 2021-09
Message-ID:

Summary: The DANE domain count is now 2,912,048 (up from 2,779,500 last
month). The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,310,355 (up from 16,107,719 last month).
Thus DANE TLSA is deployed on ~17.85% of domains with DNSSEC.

See https://stats.dnssec-tools.org/ for more stats.

[ See the Credits[0] list below my signature. ]

As of today I count ~2.91 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.

    This month                      Last month
    ----------                      ----------
    1225237 one.com                 1225124 one.com
     211135 hostpoint.ch             152779 transip.nl
     153581 transip.nl               150719 argewebhosting.nl
     151214 argewebhosting.nl        148426 infomaniak.ch
     150461 infomaniak.ch            105493 domeneshop.no
     105846 domeneshop.no             98765 webhostingserver.nl
      98581 webhostingserver.nl       94403 loopia.se
      94743 loopia.se                 86961 hostpoint.ch
      71205 forpsi.com                70606 forpsi.com
      46199 active24.com              46019 active24.com
      43026 zxcs.nl                   40474 zxcs.nl
      40150 webreus.nl                40396 webreus.nl
      37893 antagonist.nl             37911 antagonist.nl
      36906 pcextreme.nl              37226 pcextreme.nl
      28102 vevida.com                28411 vevida.com
      27607 webhosting.dk             27416 webhosting.dk
      26882 udmedia.de                26691 udmedia.de
      26468 web4u.cz                  26509 web4u.cz
      24184 hosting2go.nl             24443 hosting2go.nl
      20972 protonmail.ch             20574 protonmail.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

    This month                      Last month
    ----------                      ----------
    9030 TOTAL                      8890 TOTAL
    2649 DE, Germany                2655 DE, Germany
    1723 US, United States          1715 US, United States
    1720 NL, Netherlands            1686 NL, Netherlands
     690 FR, France                  654 FR, France
     330 GB, United Kingdom          330 GB, United Kingdom
     231 CZ, Czechia                 226 CZ, Czechia
     205 CA, Canada                  202 CA, Canada
     196 FI, Finland                 185 FI, Finland
     125 DK, Denmark                 125 DK, Denmark
     119 SG, Singapore               114 SG, Singapore
     117 AT, Austria                 107 CH, Switzerland
     109 CH, Switzerland              99 SE, Sweden
      98 SE, Sweden                   88 AU, Australia
      95 AU, Australia                84 AT, Austria
      50 PL, Poland                   44 PL, Poland
      45 RU, Russia                   43 IE, Ireland
      42 NO, Norway                   40 RU, Russia
      40 IE, Ireland                  40 BR, Brazil
      37 IT, Italy                    39 NO, Norway
      35 BR, Brazil                   35 IT, Italy

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

    This month                      Last month
    ----------                      ----------
    7116 TOTAL                      7009 TOTAL
    3368 NL, Netherlands            3336 NL, Netherlands
    1862 DE, Germany                1826 DE, Germany
     728 US, United States          714 US, United States
     294 FR, France                 290 FR, France
     141 CZ, Czechia                145 CZ, Czechia
     136 GB, United Kingdom         136 GB, United Kingdom
      76 FI, Finland                 74 FI, Finland
      63 CA, Canada                  59 CA, Canada
      50 CH, Switzerland             47 CH, Switzerland
      44 SE, Sweden                  44 SE, Sweden
      43 SG, Singapore               42 SG, Singapore
      39 AU, Australia               30 AU, Australia
      30 RU, Russia                  29 AT, Austria
      30 AT, Austria                 26 RU, Russia
      23 JP, Japan                   23 JP, Japan
      21 IE, Ireland                 21 IE, Ireland
      17 NO, Norway                  17 DK, Denmark
      17 DK, Denmark                 16 NO, Norway
      14 BR, Brazil                  14 BR, Brazil
      11 PL, Poland                  11 SI, Slovenia

There are 7,308 unique zones (7,242 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,915 (15,791 last
month). These cover 16,170 distinct MX hosts (16,039 last month, some MX
hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 538 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 314
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.91 million DANE domains, 12,805 (12,794 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such domains
are still vulnerable to the usual active attacks via the remaining MX
hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1110
(1298 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1148 (1298 last
month).
The top 10 name server operators with problem domains are:

    This month                      Last month
    ----------                      ----------
    546 registrar-servers.com       542 registrar-servers.com
    119 axc.nl                      119 axc.nl
     85 ebola.cz                     89 ebola.cz
     35 made-easy.ch                 59 westgatehosting.com
     29 mijndomein.nl                49 netcup.net
     19 cloudflare.com               46 epik.com
     16 worldnic.com                 30 made-easy.ch
     13 renault.fr                   27 mijndomein.nl
     11 openprovider.nl              19 cloudflare.com
      9 vtx.ch                       15 worldnic.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    icv-crew.com
    bncr.fi.cr
    kprm.gov.pl
    novathreads.us

-- 
Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
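The post asks operators to monitor the validity of their own TLSA records and notes in [1] that the records of dead MX hosts need only exist and be well-formed. The following is an added example, not code from the post or from stats.dnssec-tools.org: a standard-library Python check that flags malformed TLSA RDATA (unknown usage/selector/matching type, wrong digest length, non-hex data, and the "3 0 x" full-certificate digests that the Let's Encrypt thread above warns break on every renewal) and a function that derives the expected "3 1 1" record from a DER certificate's SubjectPublicKeyInfo. The certificate at the bottom is a constructed X.509-shaped stand-in with no real key or names, used only to exercise the DER walk.

```python
import hashlib

DIGEST_LEN = {0: None, 1: 32, 2: 64}   # matching type -> digest length (0 = full data)

def tlsa_problems(usage, selector, mtype, data_hex):
    """Return a list of problems with one TLSA RR (empty list = well-formed)."""
    problems = []
    if usage not in (2, 3):   # PKIX-TA(0)/PKIX-EE(1) are not recommended for SMTP
        problems.append("usage %d is not DANE-TA(2) or DANE-EE(3)" % usage)
    if selector not in (0, 1) or mtype not in DIGEST_LEN:
        return problems + ["unknown selector %d or matching type %d" % (selector, mtype)]
    try:
        data = bytes.fromhex(data_hex)
    except ValueError:
        return problems + ["association data is not valid hex"]
    if DIGEST_LEN[mtype] not in (None, len(data)):
        problems.append("matching type %d needs %d bytes, got %d" % (mtype, DIGEST_LEN[mtype], len(data)))
    if usage == 3 and selector == 0 and mtype:   # full-cert digest: breaks on every renewal
        problems.append("3 0 %d changes whenever the certificate is reissued; prefer 3 1 1" % mtype)
    return problems

def _der_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """DER-encoded SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 layout)."""
    _, pos, _ = _der_tlv(cert_der, 0)              # Certificate SEQUENCE
    _, pos, _ = _der_tlv(cert_der, pos)            # tbsCertificate SEQUENCE
    tag, _, end = _der_tlv(cert_der, pos)
    if tag == 0xA0:                                # optional EXPLICIT [0] version
        pos = end
    for _ in range(5):                             # serial, sigalg, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    tag, _, end = _der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo SEQUENCE not found")
    return cert_der[pos:end]

def tlsa_3_1_1(cert_der):
    """Expected RDATA of the 'usage 3, selector 1, matching type 1' TLSA record."""
    return "3 1 1 " + hashlib.sha256(spki_from_cert(cert_der)).hexdigest()

# Constructed stand-in with the X.509 DER layout (v3 tag, serial, four empty SEQUENCEs, SPKI, empty sigalg, empty signature); no real key or names.
SAMPLE_SPKI = bytes.fromhex("308194300d06092a864886f70d0101010500038182") + b"\x00" + b"\x42" * 129
SAMPLE_CERT = bytes.fromhex("3081af3081a7a003020102020101" + "3000" * 4) + SAMPLE_SPKI + bytes.fromhex("3000030100")
```

Feeding a real MX host's certificate (DER bytes) to `tlsa_3_1_1` and comparing with the published record is the monitoring check the post recommends; the hash should stay stable across reissues as long as the key is not rotated.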