Update on stats 2021-09

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Oct 1 06:22:37 CEST 2021

Summary:  The DANE domain count is now 2,912,048 (up from 2,779,500 last month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 16,310,355 (up from 16,107,719 last
          month).  Thus DANE TLSA is deployed on ~17.85% of domains with
          DNSSEC.  See https://stats.dnssec-tools.org/ for more stats.
          [ See the Credits[0] list below my signature. ]

As of today I count ~2.91 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                   Last month
  ----------                   ----------
  1225237 one.com              1225124 one.com             
   211135 hostpoint.ch          152779 transip.nl          
   153581 transip.nl            150719 argewebhosting.nl   
   151214 argewebhosting.nl     148426 infomaniak.ch       
   150461 infomaniak.ch         105493 domeneshop.no       
   105846 domeneshop.no          98765 webhostingserver.nl 
    98581 webhostingserver.nl    94403 loopia.se           
    94743 loopia.se              86961 hostpoint.ch        
    71205 forpsi.com             70606 forpsi.com          
    46199 active24.com           46019 active24.com        
    43026 zxcs.nl                40474 zxcs.nl             
    40150 webreus.nl             40396 webreus.nl          
    37893 antagonist.nl          37911 antagonist.nl       
    36906 pcextreme.nl           37226 pcextreme.nl        
    28102 vevida.com             28411 vevida.com          
    27607 webhosting.dk          27416 webhosting.dk       
    26882 udmedia.de             26691 udmedia.de          
    26468 web4u.cz               26509 web4u.cz            
    24184 hosting2go.nl          24443 hosting2go.nl       
    20972 protonmail.ch          20574 protonmail.ch       

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
  9030 TOTAL               8890 TOTAL              
  2649 DE, Germany         2655 DE, Germany        
  1723 US, United States   1715 US, United States  
  1720 NL, Netherlands     1686 NL, Netherlands    
   690 FR, France           654 FR, France         
   330 GB, United Kingdom   330 GB, United Kingdom 
   231 CZ, Czechia          226 CZ, Czechia        
   205 CA, Canada           202 CA, Canada         
   196 FI, Finland          185 FI, Finland        
   125 DK, Denmark          125 DK, Denmark        
   119 SG, Singapore        114 SG, Singapore      
   117 AT, Austria          107 CH, Switzerland    
   109 CH, Switzerland       99 SE, Sweden         
    98 SE, Sweden            88 AU, Australia      
    95 AU, Australia         84 AT, Austria        
    50 PL, Poland            44 PL, Poland         
    45 RU, Russia            43 IE, Ireland        
    42 NO, Norway            40 RU, Russia         
    40 IE, Ireland           40 BR, Brazil         
    37 IT, Italy             39 NO, Norway         
    35 BR, Brazil            35 IT, Italy          

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  7116 TOTAL               7009 TOTAL              
  3368 NL, Netherlands     3336 NL, Netherlands    
  1862 DE, Germany         1826 DE, Germany        
   728 US, United States    714 US, United States  
   294 FR, France           290 FR, France         
   141 CZ, Czechia          145 CZ, Czechia        
   136 GB, United Kingdom   136 GB, United Kingdom 
    76 FI, Finland           74 FI, Finland        
    63 CA, Canada            59 CA, Canada         
    50 CH, Switzerland       47 CH, Switzerland    
    44 SE, Sweden            44 SE, Sweden         
    43 SG, Singapore         42 SG, Singapore      
    39 AU, Australia         30 AU, Australia      
    30 RU, Russia            29 AT, Austria        
    30 AT, Austria           26 RU, Russia         
    23 JP, Japan             23 JP, Japan          
    21 IE, Ireland           21 IE, Ireland        
    17 NO, Norway            17 DK, Denmark        
    17 DK, Denmark           16 NO, Norway         
    14 BR, Brazil            14 BR, Brazil         
    11 PL, Poland            11 SI, Slovenia       

There are 7,308 unique zones (7,242 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,915 (15,791 last
month).  These cover 16,170 distinct MX hosts (16,039 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 538 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 314
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.91 million DANE domains, 12,805 (12,794 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts.  While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1110
(1298 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1148 (1298 last
month).  The top 10 name server operators with problem domains are:

  This month                  Last month
  ----------                  ----------
  546 registrar-servers.com  542 registrar-servers.com  
  119 axc.nl                 119 axc.nl                 
   85 ebola.cz                89 ebola.cz               
   35 made-easy.ch            59 westgatehosting.com    
   29 mijndomein.nl           49 netcup.net             
   19 cloudflare.com          46 epik.com               
   16 worldnic.com            30 made-easy.ch           
   13 renault.fr              27 mijndomein.nl          
   11 openprovider.nl         19 cloudflare.com         
    9 vtx.ch                  15 worldnic.com           

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Five of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:



[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency

univie.ac.at                  freenet.de               herinneringenoplinnen.nl
gmx.at                        gmx.de                   hetamsterdamsverbond.nl
triodos.be                    jpberlin.de              hostingpeople.nl
tbibank.bg                    lmu.de                   interconnect.nl
cetelemnegocie.com.br         lrz.de                   interim-netwerk.nl
clubedohardware.com.br        mail.de                  luxiez.nl
e-negociacao.com.br           mensa.de                 mailplus.nl
nic.br                        mpg.de                   mailshover.nl
registro.br                   mvnet.de                 markteffectmail.nl
pdac.ca                       neutraler-versand.de     mijnuvt.nl
ehefueralle.ch                posteo.de                minbuza.nl
gmx.ch                        ruhr-uni-bochum.de       minbzk.nl
hostpoint.ch                  tum.de                   mindef.nl
infomaniak.ch                 tutanota.de              mkbbelangen.nl
linsenkontakt.ch              uni-erlangen.de          mm1.nl
open.ch                       uni-muenchen.de          mulderretail.nl
protonmail.ch                 unitymedia.de            nieuwsservice-rvo.nl
switch.ch                     web.de                   ns.nl
travailler-en-suisse.ch       westlotto.de             ouderportaal.nl
wog.ch                        actie.deals              overheid.nl
simplelogin.co                dk-hostmaster.dk         parlement.nl
altospam.com                  fibianet.dk              partijvoordedieren.nl
beaconx.com                   netic.dk                 paypro.nl
connectsb.com                 nota.dk                  politie.nl
dailyplaylists.com            peterhald.dk             powerslim.nl
datev.com                     shapeit.dk               pp-prd.nl
flaneurhomme.com              shellcard.dk             previder.nl
gmx.com                       stil.dk                  purdey.nl
habr.com                      tilburguniversity.edu    rijksoverheid.nl
hotelsinduitsland.com         just.ee                  rotterdam.nl
imcnig.com                    rik.ee                   sans-mail.nl
infomaniak.com                spam-filter.email        schoudercom.nl
ingthink.com                  spike.email              schuurman-schoenen.nl
intakt.com                    spotler.email            sportrusten.nl
joomlapolis.com               rediris.es               ssonet.nl
jula.com                      triodos.es               telefoonglaasje.nl
kpn.com                       uv.es                    triodos.nl
leszexpertsfle.com            egu.eu                   truetickets.nl
mail.com                      qard.eu                  tweedekamer.nl
mailfence.com                 zone.eu                  uitgeverijpica.nl
mammoetmail.com               zonevs.eu                utwente.nl
matilhadobemadestramento.com  handelsbanken.fi         uvt.nl
mx-relay.com                  tarjousrinki.fi          uwv.nl
mychildlebensborn.com         ac-strasbourg.fr         veilinghuispeerdeman.nl
nine-pine.com                 compagnie-des-sens.fr    vogeldagboek.nl
one.com                       oo2.fr                   voorpositiviteit.nl
outsystems.com                srci.fr                  vu.nl
protonmail.com                excelsior.hu             waternet.nl
protonvpn.com                 fidesz.hu                werkenbijaldautomotive.nl
renworkshops.com              gardrobom.hu             xs4all.nl
sankakucomplex.com            obiserver.hu             zorgmail.nl
societe.com                   otthonplus.hu            annabellstefanussen.no
solvinity.com                 popfilm.hu               audi.no
spareklubbnorge.com           pandi.id                 derute.no
stellarequipment.com          interestexplorer.io      domeneshop.no
t-2.com                       neolink.link             handelsbanken.no
thalesgroup.com               pm.me                    idrettenonline.no
thepcw.com                    army.mil                 leadmail.no
thepcwholesale.com            dla.mil                  norskgrammatikk.no
triodos.com                   jten.mil                 rushtrampoline.no
tutanota.com                  mail.mil                 uib.no
veganallsorts.com             militaryonesource.mil    viphuset.no
veoliasophos.com              navy.mil                 atelkamera.nu
vitstore.com                  nga.mil                  goget.nu
vivaldi.com                   osd.mil                  debian.org
webmailph.com                 socom.mil                exim.org
xfinity.com                   uscg.mil                 freebsd.org
xfinityhomesecurity.com       usmc.mil                 gentoo.org
xfinitymobile.com             comcast.net              ietf.org
30tidennivyzva.cz             fivem.net                isc.org
active24.cz                   gmx.net                  mailbox.org
akce-incomputer.cz            habramail.net            mailop.org
cuni.cz                       hr-manager.net           netbsd.org
ekokoza.cz                    inexio.net               openssl.org
gigalekarna.cz                mijngezondheid.net       ozlabs.org
itesco.cz                     mpssec.net               samba.org
klenotyaurum.cz               procurios.net            torproject.org
klubpevnehozdravi.cz          prolocation.net          whatpulse.org
manymail.cz                   ripe.net                 psgaz.pl
mkluzkoviny.cz                riseup.net               asf.com.pt
nic.cz                        s-qrc.net                mobily.com.sa
omvnovinky.cz                 t-2.net                  alterskjaer.se
onebit.cz                     transip.net              bilprovningen.se
optimail.cz                   xs4all.net               boplatssyd-automail.se
poptavej.cz                   123watches.nl            ecster.se
reserved.cz                   amsterdam.nl             handelsbanken.se
scrptd.cz                     argeweb.nl               loopia.se
server4u.cz                   awcloud.nl               loopiahosting.se
smtp.cz                       belastingdienst.nl       minmyndighetspost.se
stoklasa.cz                   bhosted.nl               parkerat.se
vas-server.cz                 bluerail.nl              racketspecialisten.se
virusfree.cz                  bolerolimonadewinkel.nl  skatteverket.se
zdravestravovani.cz           boozyshop.nl             teknikdelar.se
123watches.de                 burgernet.nl             theletter.se
bayern.de                     cbr.nl                   websupport.se
brandenburg.de                cbs.nl                   flagranti.sk
bund.de                       citrusveiling.nl         mklozkoviny.sk
bundesregierung.de            corpoflow.nl             najlacnejsisport.sk
datev.de                      derooijfotografie.nl     rondogo.sk
dfn.de                        digid.nl                 toptop.sk
dvz-mv.de                     duo.nl                   triodos.co.uk
ekom21.de                     edenhotels.nl            govtrack.us
elster.de                     efactuurdirect.nl        quantum-services.us
fau.de                        ezorg.nl                 ru.ac.za
followerpilot.de              healthcheckcenter.nl

More information about the dane-users mailing list