Update on stats 2022-07

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Aug 1 07:04:22 CEST 2022


Summary:  The DANE domain count is now 3,584,050 (cf. 3,553,159 last
          month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 19,130,407 (up from 18,845,352 last
          month).  Thus DANE TLSA is deployed on ~18.73% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today I count ~3.58 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1236935 one.com              1241738 one.com
   280585 hostpoint.ch          279135 hostpoint.ch
   189107 infomaniak.ch         184346 mijndomein.nl
   184512 mijndomein.nl         176747 infomaniak.ch
   162755 transip.nl            162079 transip.nl
   159073 argewebhosting.nl     158826 argewebhosting.nl
   112570 hostnet.nl            112883 hostnet.nl
   107805 domeneshop.no         107551 domeneshop.no
   104255 jouwweb.nl            101152 jouwweb.nl
    96819 loopia.se              96925 loopia.se
    94919 webhostingserver.nl    95235 webhostingserver.nl
    77692 forpsi.com             77276 forpsi.com
    63160 zxcs.nl                62102 zxcs.nl
    47265 active24.com           47236 active24.com
    40191 webreus.nl             40429 webreus.nl
    39451 antagonist.nl          39297 antagonist.nl
    34401 pcextreme.nl           34585 pcextreme.nl
    29158 protonmail.ch          28545 protonmail.ch
    27581 udmedia.de             27627 udmedia.de
    26543 web4u.cz               26577 web4u.cz

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk.  Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  This month                 Last month
  -----------                ----------
  10134 TOTAL                10177 TOTAL
   3005 DE, Germany           2978 DE, Germany
   1894 NL, Netherlands       1890 NL, Netherlands
   1774 US, United States     1811 US, United States
    763 FR, France             763 FR, France
    356 GB, United Kingdom     362 GB, United Kingdom
    338 CZ, Czechia            340 CZ, Czechia
    235 FI, Finland            236 CA, Canada
    224 CA, Canada             232 FI, Finland
    156 AT, Austria            154 AT, Austria
    129 CH, Switzerland        130 CH, Switzerland
    127 SG, Singapore          126 SG, Singapore
    127 DK, Denmark            126 DK, Denmark
    110 SE, Sweden             115 SE, Sweden
    110 AU, Australia          108 AU, Australia
     56 PL, Poland              57 PL, Poland
     54 RU, Russia              56 JP, Japan
     54 JP, Japan               50 RU, Russia
     48 NO, Norway              50 HU, Hungary
     41 IE, Ireland             44 NO, Norway
     40 BR, Brazil              42 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  7968 TOTAL               7936 TOTAL
  3557 NL, Netherlands     3552 NL, Netherlands
  2241 DE, Germany         2216 DE, Germany
   831 US, United States    801 US, United States
   347 FR, France           337 FR, France
   172 CZ, Czechia          193 CZ, Czechia
   149 GB, United Kingdom   163 GB, United Kingdom
    77 CH, Switzerland       74 FI, Finland
    76 FI, Finland           71 CA, Canada
    65 CA, Canada            59 CH, Switzerland
    54 AU, Australia         53 AU, Australia
    43 SE, Sweden            45 AT, Austria
    36 SG, Singapore         42 SE, Sweden
    36 JP, Japan             39 SG, Singapore
    35 AT, Austria           38 JP, Japan
    24 RU, Russia            27 RU, Russia
    21 NO, Norway            22 IE, Ireland
    20 DK, Denmark           19 DK, Denmark
    19 IE, Ireland           18 NO, Norway
    16 BR, Brazil            15 BR, Brazil
    12 LT, Lithuania         12 LT, Lithuania

There are 8,375 unique zones (8,342 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 17,725 (17,639 last
month).  These cover 18,019 distinct MX hosts (17,929 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 702 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 410
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.58 million DANE domains, 13,921 (14,518 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2,442
(1,026 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

  1270   unit.nmugroup.com
    86   beta.itcomputers.eu
    44   relay-1.rws.nl
    43   relay-2.rws.nl
    35   mx2.synetcon.net
    26   fsn1-c04.xemo-net.de
    19   mx1.mdbraber.com
    15   artemis.strebsjig.net
    14   e-vps.hacktheplanet.nl
    12   mail.blanketmail.de

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
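An added example of the check such monitoring has to perform, written for this page and not taken from this post or from any of the guides linked above. It uses only the Go standard library: it derives the TLSA matching data of a certificate for each selector and matching type, compares it with a published DANE-EE(3) record, and then renews a throwaway self-signed certificate with the same key pair to show why the Let's Encrypt thread above warns against "3 0 1" and "3 0 2": the SPKI digest survives a renewal that keeps the key, while the certificate digest does not. The host name mx.example.net and both certificates are constructed for the example; usage 2 (DANE-TA) is deliberately left unhandled because it needs the presented chain, not just the leaf.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"hash"
	"math/big"
	"time"
)

// TLSA is the RDATA of one record: "usage selector matching-type data".
type TLSA struct {
	Usage, Selector, MType uint8
	Data                   []byte
}

// MatchingData is what a record with this selector and matching type must
// carry to match cert (RFC 6698: selector 0 = whole certificate, 1 = SPKI;
// matching type 0 = raw bytes, 1 = SHA-256, 2 = SHA-512).
func MatchingData(cert *x509.Certificate, selector, mtype uint8) ([]byte, error) {
	var raw []byte
	switch selector {
	case 0:
		raw = cert.Raw // the DER certificate as sent in the handshake
	case 1:
		raw = cert.RawSubjectPublicKeyInfo // the public key only
	default:
		return nil, fmt.Errorf("tlsa: unknown selector %d", selector)
	}
	var h hash.Hash
	switch mtype {
	case 0:
		return raw, nil
	case 1:
		h = sha256.New()
	case 2:
		h = sha512.New()
	default:
		return nil, fmt.Errorf("tlsa: unknown matching type %d", mtype)
	}
	h.Write(raw)
	return h.Sum(nil), nil
}

// Matches checks a DANE-EE(3) record against the leaf certificate. Usage 2
// (DANE-TA) needs the presented chain and is deliberately not handled here.
func Matches(t TLSA, cert *x509.Certificate) (bool, error) {
	if t.Usage != 3 {
		return false, fmt.Errorf("tlsa: usage %d not checked, only DANE-EE(3)", t.Usage)
	}
	want, err := MatchingData(cert, t.Selector, t.MType)
	if err != nil {
		return false, err
	}
	return bytes.Equal(want, t.Data), nil
}

// must aborts on errors from the example's certificate generation.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a throwaway self-signed certificate for key: constructed
// test data for this example, not a real MX host's certificate.
func issue(name string, key *ecdsa.PrivateKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(90 * 24 * time.Hour),
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der))
}

// RenewalSurvives renews a certificate with the same key pair and reports
// whether the old "3 1 1" and "3 0 1" records still match the renewed one.
func RenewalSurvives() (spkiOK, certOK bool) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	old := issue("mx.example.net", key, 1)     // hypothetical MX host name
	renewed := issue("mx.example.net", key, 2) // same key, new serial and validity
	rr311 := TLSA{Usage: 3, Selector: 1, MType: 1, Data: must(MatchingData(old, 1, 1))}
	rr301 := TLSA{Usage: 3, Selector: 0, MType: 1, Data: must(MatchingData(old, 0, 1))}
	return must(Matches(rr311, renewed)), must(Matches(rr301, renewed))
}

func main() {
	spki, cert := RenewalSurvives()
	fmt.Printf("renewed with the same key: 3 1 1 still matches=%v, 3 0 1 still matches=%v\n", spki, cert)
}
```

In production the certificate would come from a real STARTTLS handshake with each MX host and the TLSA records from a DNSSEC-validating resolver; the comparison logic is the same. A monitor that runs this after every certificate renewal, and a rotation procedure that publishes the record for the next key before the key goes live (RFC 7671 section 8.1 above), is what keeps a domain out of the "incorrect TLSA records" count.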

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,068 (1,408 last
month).  The top 10 name server operators with problem domains are:

  This Month                 Last month
  ----------                 ----------
  593 registrar-servers.com  591 registrar-servers.com
  402 worldnic.com           302 worldnic.com
  249 mijndomein.nl          245 mijndomein.nl
  138 axc.nl                 137 axc.nl
   77 ebola.cz                79 ebola.cz
   60 openprovider.nl         46 psi-japan.net
   55 zihlmann.net            32 openprovider.nl
   41 psi-japan.net           30 made-easy.ch
   29 made-easy.ch            30 ispapi.net
   26 ns01.nl                 27 register.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Three of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  urbtix.hk
  mailazy.net
  novathreads.us

--
      Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, they
just need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                  123watches.de             hobbygigant.nl
gmx.at                        bayern.de                 hostnet.nl
vbv.at                        brandenburg.de            hr.nl
tip.net.au                    bund.de                   interconnect.nl
cetelemnegocie.com.br         bundesregierung.de        interim-netwerk.nl
e-negociacao.com.br           datev.de                  jayno.nl
nic.br                        dfn.de                    kiesrijk.nl
registro.br                   elster.de                 lico.nl
20km.ch                       ewetel.de                 luxiez.nl
activfitness-news.ch          fau.de                    mail-studio.nl
cbd420.ch                     freenet.de                mailplus.nl
gmx.ch                        gmx.de                    mailshover.nl
hostpoint.ch                  jpberlin.de               managementboek.nl
infomaniak.ch                 lmu.de                    markteffectmail.nl
linsenkontakt.ch              lrz.de                    mcmta.nl
migros-runnwin.ch             mail.de                   mijndomein.nl
onemillionrun.ch              mensa.de                  minbzk.nl
open.ch                       mpg.de                    mindef.nl
protonmail.ch                 posteo.de                 mm1.nl
sms-gagnant.ch                ruhr-uni-bochum.de        mulderretail.nl
switch.ch                     spacenet.de               netsamen.nl
travailler-en-suisse.ch       tum.de                    nieuwsservice-rvo.nl
simplelogin.co                tutanota.de               ns.nl
402automotive.com             uni-augsburg.de           nuudcare.nl
albourne.com                  uni-erlangen.de           orangebag.nl
altospam.com                  uni-kl.de                 otys.nl
bymalina.com                  uni-muenchen.de           ouderportaal.nl
cm.com                        vicinityclo.de            overheid.nl
connectsb.com                 web.de                    partijvoordedieren.nl
cryptowallet.com              westlotto.de              ploegendienst-festival.nl
dailyplaylists.com            allbuy.dk                 politie.nl
datev.com                     egmontpublishing.dk       pp-prd.nl
exegy.com                     fibianet.dk               previder.nl
fabfilter.com                 inkpro.dk                 rdw.nl
fastware-hosting.com          juliesandlau.dk           revolt.nl
flaneurhomme.com              netic.dk                  rijksoverheid.nl
gmx.com                       nordd.dk                  roken.nl
groed.com                     nota.dk                   rug.nl
habr.com                      peterhald.dk              rvo.nl
hoobly.com                    powerhosting.dk           sans-mail.nl
hotelsinduitsland.com         seniornews.dk             schoudercom.nl
imcnig.com                    shapeit.dk                schuurman-schoenen.nl
infomaniak.com                shellcard.dk              smartwatchbanden.nl
ingthink.com                  stil.dk                   sportrusten.nl
joomlapolis.com               tricommerce.dk            ssonet.nl
jula.com                      uvm.dk                    stater.nl
kabayarefashion.com           webhosting.dk             telefoonglaasje.nl
klbrlive.com                  tilburguniversity.edu     thealphamen.nl
leszexpertsfle.com            holtmail.ee               transip.nl
librti.com                    just.ee                   travelclown.nl
liefleven.com                 rik.ee                    triodos.nl
mactabeauty.com               myownconference.email     uitgeverijpica.nl
mail.com                      spike.email               utwente.nl
mailfence.com                 spotler.email             uvt.nl
matilhadobemadestramento.com  nuudcare.es               uwv.nl
mplbeauty.com                 rediris.es                valys.nl
mx-relay.com                  triodos.es                venauto.nl
nanolearning.com              uv.es                     vimexx.nl
nine-pine.com                 egu.eu                    vitalize.nl
nuudcare.com                  finesoftware.eu           vogeldagboek.nl
one.com                       litebit.eu                voorpositiviteit.nl
orsys.com                     zone.eu                   vrijevolkfestival.nl
pieter-pot.com                zonevs.eu                 wannahavesfashion.nl
polyas.com                    fsol.fi                   watchbandjes-shop.nl
pompomlondon.com              handelsbanken.fi          waternet.nl
ppcpcv.com                    metaburn.fi               xel.nl
protonmail.com                tarjousrinki.fi           ziggo.nl
protonvpn.com                 ac-strasbourg.fr          zorgmail.nl
renworkshops.com              compagnie-des-sens.fr     annabellstefanussen.no
run-motion.com                edtm-actu.fr              audi.no
runbox.com                    kangouroukids.fr          deldinbil.no
sankakucomplex.com            nuudcare.fr               derute.no
scorecloud.com                oo2.fr                    domeneshop.no
serverclienti.com             privea.fr                 guttelus.no
societe.com                   fidesz.hu                 handelsbanken.no
solvinity.com                 pandi.id                  hyttefeber.no
stater.com                    bluebiz.info              idrettenonline.no
stellarequipment.com          eurocontrol.int           mystuff.no
t-2.com                       neolink.link              norskgrammatikk.no
thalesgroup.com               pm.me                     plukkselv.no
thegreenery.com               proton.me                 raskebriller.no
thepcw.com                    army.mil                  rushtrampoline.no
thepcwholesale.com            dla.mil                   spillfabrikken.no
triodos.com                   jten.mil                  uib.no
truewaykids.com               mail.mil                  viphuset.no
tutanota.com                  militaryonesource.mil     analysedanmark.nu
up2staff.com                  navy.mil                  atelkamera.nu
veganallsorts.com             nga.mil                   goget.nu
vivaldi.com                   osd.mil                   lenhud.nu
webcruiter.com                socom.mil                 debian.org
webmailph.com                 uscg.mil                  freebsd.org
xfinity.com                   usmc.mil                  gentoo.org
xfinityhomesecurity.com       benjaminfulford.net       ietf.org
xfinitymobile.com             comcast.net               isc.org
bncr.fi.cr                    ewetel.net                mailbox.org
akce-incomputer.cz            fivem.net                 mailop.org
amenit.cz                     gmx.net                   netbsd.org
atlas.cz                      habramail.net             openssl.org
bewooden.cz                   hr-manager.net            oraclegirl.org
centrum.cz                    inexio.net                ozlabs.org
csob.cz                       mijngezondheid.net        samba.org
cuni.cz                       mpssec.net                torproject.org
cvut.cz                       procurios.net             biotechnologia.com.pl
dedra.cz                      ripe.net                  asf.com.pt
directmail-fraus.cz           riseup.net                mobily.com.sa
e-kondomy.cz                  t-2.net                   barons.se
ekokoza.cz                    transip.net               bilprovningen.se
fio.cz                        xs4all.net                ecster.se
itesco.cz                     123watches.nl             geflemetalfestival.se
itnetwork.cz                  amsterdam.nl              handelsbanken.se
kb.cz                         aquastorexl.nl            kronofogden.se
klenotyaurum.cz               argeweb.nl                lomervarde.se
klubpevnehozdravi.cz          belastingdienst.nl        loopia.se
ksporting.cz                  beterspellen.nl           loopiahosting.se
manymail.cz                   blushfashionstore.nl      minmyndighetspost.se
markomat.cz                   bobo.nl                   parksnackan.se
mfcr.cz                       boekwinkeltjes.nl         polisen.se
mkluzkoviny.cz                boozyshop.nl              silverdotter.se
muni.cz                       bratsites-grs.nl          skatteverket.se
nanospace.cz                  bruut.nl                  teknikdelar.se
nic.cz                        burgernet.nl              theletter.se
onebit.cz                     cbr.nl                    websupport.se
optimail.cz                   cbs.nl                    centrum.sk
outlet-alpine.cz              corpoflow.nl              dovypredania.sk
poptavej.cz                   derooijfotografie.nl      kadernickyservis.sk
pre.cz                        devoorleeshoek.nl         mklozkoviny.sk
predplatit.cz                 dictu.nl                  pneusvet.sk
scrptd.cz                     digid.nl                  pobox.sk
server4u.cz                   dimehouse.nl              rondogo.sk
smtp.cz                       duo.nl                    satro.sk
sparkys.cz                    eco-logisch.nl            zapardrobnych.sk
vas-server.cz                 edenhotels.nl             nuudcare.co.uk
vcelka.cz                     expeditionfestival.nl     triodos.co.uk
virusfree.cz                  extinctionrebellion.nl    govtrack.us
volny.cz                      ezorg.nl                  quantum-services.us
zdravestravovani.cz           fivecityspa.nl            ru.ac.za
zlate-mince.cz                herinneringenoplinnen.nl