Update on stats 2021-09

Viktor Dukhovni ietf-dane at dukhovni.org
Fri Oct 1 06:22:37 CEST 2021


Summary:  The DANE domain count is now 2,912,048 (up from 2,779,500 last month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 16,310,355 (up from 16,107,719 last
          month).  Thus DANE TLSA is deployed on ~17.85% of domains with
          DNSSEC.  See https://stats.dnssec-tools.org/ for more stats.
          [ See the Credits[0] list below my signature. ]

As of today I count ~2.91 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1].  As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host.  The top 20 MX host providers by domain count are below.

  This month                   Last month
  ----------                   ----------
  1225237 one.com              1225124 one.com             
   211135 hostpoint.ch          152779 transip.nl          
   153581 transip.nl            150719 argewebhosting.nl   
   151214 argewebhosting.nl     148426 infomaniak.ch       
   150461 infomaniak.ch         105493 domeneshop.no       
   105846 domeneshop.no          98765 webhostingserver.nl 
    98581 webhostingserver.nl    94403 loopia.se           
    94743 loopia.se              86961 hostpoint.ch        
    71205 forpsi.com             70606 forpsi.com          
    46199 active24.com           46019 active24.com        
    43026 zxcs.nl                40474 zxcs.nl             
    40150 webreus.nl             40396 webreus.nl          
    37893 antagonist.nl          37911 antagonist.nl       
    36906 pcextreme.nl           37226 pcextreme.nl        
    28102 vevida.com             28411 vevida.com          
    27607 webhosting.dk          27416 webhosting.dk       
    26882 udmedia.de             26691 udmedia.de          
    26468 web4u.cz               26509 web4u.cz            
    24184 hosting2go.nl          24443 hosting2go.nl       
    20972 protonmail.ch          20574 protonmail.ch       

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
  9030 TOTAL               8890 TOTAL              
  2649 DE, Germany         2655 DE, Germany        
  1723 US, United States   1715 US, United States  
  1720 NL, Netherlands     1686 NL, Netherlands    
   690 FR, France           654 FR, France         
   330 GB, United Kingdom   330 GB, United Kingdom 
   231 CZ, Czechia          226 CZ, Czechia        
   205 CA, Canada           202 CA, Canada         
   196 FI, Finland          185 FI, Finland        
   125 DK, Denmark          125 DK, Denmark        
   119 SG, Singapore        114 SG, Singapore      
   117 AT, Austria          107 CH, Switzerland    
   109 CH, Switzerland       99 SE, Sweden         
    98 SE, Sweden            88 AU, Australia      
    95 AU, Australia         84 AT, Austria        
    50 PL, Poland            44 PL, Poland         
    45 RU, Russia            43 IE, Ireland        
    42 NO, Norway            40 RU, Russia         
    40 IE, Ireland           40 BR, Brazil         
    37 IT, Italy             39 NO, Norway         
    35 BR, Brazil            35 IT, Italy          

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  7116 TOTAL               7009 TOTAL              
  3368 NL, Netherlands     3336 NL, Netherlands    
  1862 DE, Germany         1826 DE, Germany        
   728 US, United States    714 US, United States  
   294 FR, France           290 FR, France         
   141 CZ, Czechia          145 CZ, Czechia        
   136 GB, United Kingdom   136 GB, United Kingdom 
    76 FI, Finland           74 FI, Finland        
    63 CA, Canada            59 CA, Canada         
    50 CH, Switzerland       47 CH, Switzerland    
    44 SE, Sweden            44 SE, Sweden         
    43 SG, Singapore         42 SG, Singapore      
    39 AU, Australia         30 AU, Australia      
    30 RU, Russia            29 AT, Austria        
    30 AT, Austria           26 RU, Russia         
    23 JP, Japan             23 JP, Japan          
    21 IE, Ireland           21 IE, Ireland        
    17 NO, Norway            17 DK, Denmark        
    17 DK, Denmark           16 NO, Norway         
    14 BR, Brazil            14 BR, Brazil         
    11 PL, Poland            11 SI, Slovenia       

There are 7,308 unique zones (7,242 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 15,915 (15,791 last
month).  These cover 16,170 distinct MX hosts (16,039 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 538 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 314
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~2.91 million DANE domains, 12,805 (12,794 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts.  While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1110
(1298 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1148 (1298 last
month).  The top 10 name server operators with problem domains are:

  This month                  Last month
  ----------                  ----------
  546 registrar-servers.com  542 registrar-servers.com  
  119 axc.nl                 119 axc.nl                 
   85 ebola.cz                89 ebola.cz               
   35 made-easy.ch            59 westgatehosting.com    
   29 mijndomein.nl           49 netcup.net             
   19 cloudflare.com          46 epik.com               
   16 worldnic.com            30 made-easy.ch           
   13 renault.fr              27 mijndomein.nl          
   11 openprovider.nl         19 cloudflare.com         
    9 vtx.ch                  15 worldnic.com           

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  bncr.fi.cr
  kprm.gov.pl
  novathreads.us

--
      Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                  freenet.de               herinneringenoplinnen.nl
gmx.at                        gmx.de                   hetamsterdamsverbond.nl
triodos.be                    jpberlin.de              hostingpeople.nl
tbibank.bg                    lmu.de                   interconnect.nl
cetelemnegocie.com.br         lrz.de                   interim-netwerk.nl
clubedohardware.com.br        mail.de                  luxiez.nl
e-negociacao.com.br           mensa.de                 mailplus.nl
nic.br                        mpg.de                   mailshover.nl
registro.br                   mvnet.de                 markteffectmail.nl
pdac.ca                       neutraler-versand.de     mijnuvt.nl
ehefueralle.ch                posteo.de                minbuza.nl
gmx.ch                        ruhr-uni-bochum.de       minbzk.nl
hostpoint.ch                  tum.de                   mindef.nl
infomaniak.ch                 tutanota.de              mkbbelangen.nl
linsenkontakt.ch              uni-erlangen.de          mm1.nl
open.ch                       uni-muenchen.de          mulderretail.nl
protonmail.ch                 unitymedia.de            nieuwsservice-rvo.nl
switch.ch                     web.de                   ns.nl
travailler-en-suisse.ch       westlotto.de             ouderportaal.nl
wog.ch                        actie.deals              overheid.nl
simplelogin.co                dk-hostmaster.dk         parlement.nl
altospam.com                  fibianet.dk              partijvoordedieren.nl
beaconx.com                   netic.dk                 paypro.nl
connectsb.com                 nota.dk                  politie.nl
dailyplaylists.com            peterhald.dk             powerslim.nl
datev.com                     shapeit.dk               pp-prd.nl
flaneurhomme.com              shellcard.dk             previder.nl
gmx.com                       stil.dk                  purdey.nl
habr.com                      tilburguniversity.edu    rijksoverheid.nl
hotelsinduitsland.com         just.ee                  rotterdam.nl
imcnig.com                    rik.ee                   sans-mail.nl
infomaniak.com                spam-filter.email        schoudercom.nl
ingthink.com                  spike.email              schuurman-schoenen.nl
intakt.com                    spotler.email            sportrusten.nl
joomlapolis.com               rediris.es               ssonet.nl
jula.com                      triodos.es               telefoonglaasje.nl
kpn.com                       uv.es                    triodos.nl
leszexpertsfle.com            egu.eu                   truetickets.nl
mail.com                      qard.eu                  tweedekamer.nl
mailfence.com                 zone.eu                  uitgeverijpica.nl
mammoetmail.com               zonevs.eu                utwente.nl
matilhadobemadestramento.com  handelsbanken.fi         uvt.nl
mx-relay.com                  tarjousrinki.fi          uwv.nl
mychildlebensborn.com         ac-strasbourg.fr         veilinghuispeerdeman.nl
nine-pine.com                 compagnie-des-sens.fr    vogeldagboek.nl
one.com                       oo2.fr                   voorpositiviteit.nl
outsystems.com                srci.fr                  vu.nl
protonmail.com                excelsior.hu             waternet.nl
protonvpn.com                 fidesz.hu                werkenbijaldautomotive.nl
renworkshops.com              gardrobom.hu             xs4all.nl
sankakucomplex.com            obiserver.hu             zorgmail.nl
societe.com                   otthonplus.hu            annabellstefanussen.no
solvinity.com                 popfilm.hu               audi.no
spareklubbnorge.com           pandi.id                 derute.no
stellarequipment.com          interestexplorer.io      domeneshop.no
t-2.com                       neolink.link             handelsbanken.no
thalesgroup.com               pm.me                    idrettenonline.no
thepcw.com                    army.mil                 leadmail.no
thepcwholesale.com            dla.mil                  norskgrammatikk.no
triodos.com                   jten.mil                 rushtrampoline.no
tutanota.com                  mail.mil                 uib.no
veganallsorts.com             militaryonesource.mil    viphuset.no
veoliasophos.com              navy.mil                 atelkamera.nu
vitstore.com                  nga.mil                  goget.nu
vivaldi.com                   osd.mil                  debian.org
webmailph.com                 socom.mil                exim.org
xfinity.com                   uscg.mil                 freebsd.org
xfinityhomesecurity.com       usmc.mil                 gentoo.org
xfinitymobile.com             comcast.net              ietf.org
30tidennivyzva.cz             fivem.net                isc.org
active24.cz                   gmx.net                  mailbox.org
akce-incomputer.cz            habramail.net            mailop.org
cuni.cz                       hr-manager.net           netbsd.org
ekokoza.cz                    inexio.net               openssl.org
gigalekarna.cz                mijngezondheid.net       ozlabs.org
itesco.cz                     mpssec.net               samba.org
klenotyaurum.cz               procurios.net            torproject.org
klubpevnehozdravi.cz          prolocation.net          whatpulse.org
manymail.cz                   ripe.net                 psgaz.pl
mkluzkoviny.cz                riseup.net               asf.com.pt
nic.cz                        s-qrc.net                mobily.com.sa
omvnovinky.cz                 t-2.net                  alterskjaer.se
onebit.cz                     transip.net              bilprovningen.se
optimail.cz                   xs4all.net               boplatssyd-automail.se
poptavej.cz                   123watches.nl            ecster.se
reserved.cz                   amsterdam.nl             handelsbanken.se
scrptd.cz                     argeweb.nl               loopia.se
server4u.cz                   awcloud.nl               loopiahosting.se
smtp.cz                       belastingdienst.nl       minmyndighetspost.se
stoklasa.cz                   bhosted.nl               parkerat.se
vas-server.cz                 bluerail.nl              racketspecialisten.se
virusfree.cz                  bolerolimonadewinkel.nl  skatteverket.se
zdravestravovani.cz           boozyshop.nl             teknikdelar.se
123watches.de                 burgernet.nl             theletter.se
bayern.de                     cbr.nl                   websupport.se
brandenburg.de                cbs.nl                   flagranti.sk
bund.de                       citrusveiling.nl         mklozkoviny.sk
bundesregierung.de            corpoflow.nl             najlacnejsisport.sk
datev.de                      derooijfotografie.nl     rondogo.sk
dfn.de                        digid.nl                 toptop.sk
dvz-mv.de                     duo.nl                   triodos.co.uk
ekom21.de                     edenhotels.nl            govtrack.us
elster.de                     efactuurdirect.nl        quantum-services.us
fau.de                        ezorg.nl                 ru.ac.za
followerpilot.de              healthcheckcenter.nl
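The categories the report counts (full coverage at every MX host, "partial" records covering only a subset of MX hosts, broken records or TLSA published without STARTTLS, and the dead-host case of footnote [1]) can be written down as a classifier. The following is an added Python example, not Viktor's measurement code: every host name, "certificate" byte string and TLSA record in it is constructed, and DNS lookups, DNSSEC validation and the TLS handshake are assumed to have happened already, with their results passed in. It goes a little beyond the text in also checking DANE-TA(2) records against an issuer certificate in the presented chain.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Added example (not the report author's code). All names, certificates and
# TLSA data are constructed; nothing is resolved in DNS or fetched over SMTP.


@dataclass
class TLSA:
    usage: int     # 2 = DANE-TA(2), 3 = DANE-EE(3): the usages applicable to SMTP (RFC 7672)
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


@dataclass
class MXHost:
    name: str
    tlsa: Optional[list]           # None or [] = no TLSA RRset published for this host
    accepts_connections: bool = True
    offers_starttls: bool = False
    chain: list = field(default_factory=list)  # TLS chain, leaf first: (cert DER, SPKI DER)


DIGEST_LEN = {1: 32, 2: 64}


def tlsa_well_formed(rr: TLSA) -> bool:
    """Footnote [1]: records at dead hosts need only exist and be well-formed."""
    if rr.usage not in (2, 3) or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        return False
    return rr.mtype == 0 or len(rr.data) == DIGEST_LEN[rr.mtype]


def matching_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Reduce a certificate to the bytes the TLSA data field is compared against."""
    raw = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return raw
    return hashlib.sha256(raw).digest() if rr.mtype == 1 else hashlib.sha512(raw).digest()


def tlsa_matches(rr: TLSA, chain: list) -> bool:
    """DANE-EE matches the leaf; DANE-TA matches an issuer certificate in the chain."""
    candidates = chain[:1] if rr.usage == 3 else chain[1:]
    return any(matching_data(rr, c, s) == rr.data for c, s in candidates)


def host_status(h: MXHost) -> str:
    """'covered', 'uncovered' or 'broken', per MX host."""
    if not h.tlsa:
        return "uncovered"
    if not all(tlsa_well_formed(rr) for rr in h.tlsa):
        return "broken"
    if not h.accepts_connections:
        return "covered"   # dead host with well-formed records: no loss of security
    if not h.offers_starttls:
        return "broken"    # TLSA published but no STARTTLS: DANE-aware senders defer/bounce
    return "covered" if any(tlsa_matches(rr, h.chain) for rr in h.tlsa) else "broken"


def classify_domain(hosts: list) -> str:
    """'dane' (every MX host covered), 'partial', 'broken' or 'none'."""
    statuses = {host_status(h) for h in hosts}
    if "broken" in statuses:
        return "broken"
    if statuses == {"uncovered"}:
        return "none"
    return "dane" if statuses == {"covered"} else "partial"


def sample_domains() -> dict:
    """Constructed inputs, one per category the report distinguishes."""
    leaf = (b"constructed-leaf-cert", b"constructed-leaf-spki")
    issuer = (b"constructed-issuer-cert", b"constructed-issuer-spki")
    ee = TLSA(3, 1, 1, hashlib.sha256(leaf[1]).digest())        # "3 1 1" of the leaf SPKI
    ta = TLSA(2, 0, 1, hashlib.sha256(issuer[0]).digest())      # "2 0 1" of the issuer cert
    stale = TLSA(3, 1, 1, hashlib.sha256(b"old-key").digest())  # well-formed, matches nothing
    malformed = TLSA(3, 1, 1, b"\x00" * 20)                     # SHA-256 data must be 32 bytes
    live = dict(accepts_connections=True, offers_starttls=True, chain=[leaf, issuer])
    return {
        "full.example": [MXHost("mx1.full.example", [ee], **live),
                         MXHost("mx2.full.example", [ta], **live)],
        "partial.example": [MXHost("mx1.partial.example", [ee], **live),
                            MXHost("mx2.partial.example", None, **live)],
        "rotated.example": [MXHost("mx1.rotated.example", [stale], **live)],  # key rotated, TLSA not
        "nostarttls.example": [MXHost("mx1.nostarttls.example", [ee])],
        "deadbackup.example": [MXHost("mx1.deadbackup.example", [ee], **live),
                               MXHost("mx9.deadbackup.example", [stale], accepts_connections=False)],
        "malformed.example": [MXHost("mx1.malformed.example", [malformed], accepts_connections=False)],
        "plain.example": [MXHost("mx1.plain.example", None, **live)],
    }


def tally(domains: dict) -> dict:
    """Count domains per category, the shape of the monthly summary."""
    counts = {"dane": 0, "partial": 0, "broken": 0, "none": 0}
    for hosts in domains.values():
        counts[classify_domain(hosts)] += 1
    return counts


if __name__ == "__main__":
    for name, hosts in sample_domains().items():
        print(f"{name:22} {classify_domain(hosts)}")
    print(tally(sample_domains()))
```

The "rotated.example" case is the outage the post warns about: a well-formed "3 1 1" record left behind after a key rotation is indistinguishable from a correct one until it is compared against the certificate actually presented, which is why monitoring has to do the comparison rather than only check that records exist.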
