Update on stats 2022-01

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Feb 1 06:02:52 CET 2022


Summary:  The DANE domain count is now 3,153,006 (cf. 2,998,143 last
          month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 17,670,769 (up from 17,263,168 last
          month).  Thus DANE TLSA is deployed on ~17.84% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today I count ~3.15 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1235173 one.com              1214915 one.com
   275090 hostpoint.ch          273907 hostpoint.ch
   158083 infomaniak.ch         156065 infomaniak.ch
   156876 transip.nl            155803 transip.nl
   150857 argewebhosting.nl     150793 argewebhosting.nl
   106966 domeneshop.no         106219 domeneshop.no
    97403 webhostingserver.nl    97607 webhostingserver.nl
    95392 loopia.se              95145 loopia.se
    92990 jouwweb.nl             72612 forpsi.com
    73745 forpsi.com             50892 zxcs.nl
    53390 zxcs.nl                46657 active24.com
    46913 active24.com           41634 webreus.nl
    41099 webreus.nl             38388 antagonist.nl
    38881 antagonist.nl          36106 pcextreme.nl
    35846 pcextreme.nl           27209 udmedia.de
    27214 udmedia.de             27073 vevida.com
    26766 web4u.cz               26765 webhosting.dk
    26679 vevida.com             26430 web4u.cz
    26497 webhosting.dk          23331 hosting2go.nl
    23458 protonmail.ch          22745 protonmail.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
   9425 TOTAL               9262 TOTAL
   2763 DE, Germany         2704 DE, Germany
   1810 NL, Netherlands     1785 NL, Netherlands
   1723 US, United States   1723 US, United States
    692 FR, France           674 FR, France
    336 GB, United Kingdom   338 GB, United Kingdom
    280 CZ, Czechia          275 CZ, Czechia
    208 FI, Finland          202 FI, Finland
    207 CA, Canada           199 CA, Canada
    135 AT, Austria          132 DK, Denmark
    134 DK, Denmark          132 AT, Austria
    121 SG, Singapore        114 SG, Singapore
    119 CH, Switzerland      113 CH, Switzerland
    108 SE, Sweden            99 SE, Sweden
    105 AU, Australia         99 AU, Australia
     58 PL, Poland            54 PL, Poland
     46 RU, Russia            46 RU, Russia
     44 IE, Ireland           42 IE, Ireland
     43 NO, Norway            41 NO, Norway
     40 BR, Brazil            39 JP, Japan
     39 JP, Japan             37 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
   7480 TOTAL               7177 TOTAL
   3484 NL, Netherlands     3323 NL, Netherlands
   1987 DE, Germany         1926 DE, Germany
    771 US, United States    759 US, United States
    298 FR, France           288 FR, France
    165 CZ, Czechia          164 CZ, Czechia
    144 GB, United Kingdom   144 GB, United Kingdom
     82 FI, Finland           82 FI, Finland
     61 CA, Canada            60 CA, Canada
     50 CH, Switzerland       44 CH, Switzerland
     46 AU, Australia         43 SE, Sweden
     44 SE, Sweden            42 AU, Australia
     41 SG, Singapore         40 SG, Singapore
     32 RU, Russia            32 AT, Austria
     32 AT, Austria           28 JP, Japan
     28 JP, Japan             23 IE, Ireland
     22 IE, Ireland           18 NO, Norway
     19 NO, Norway            16 BR, Brazil
     19 DK, Denmark           15 DK, Denmark
     17 BR, Brazil            12 IN, India
     11 SI, Slovenia          11 PL, Poland

There are 7,618 unique zones (7,482 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 16,571 (16,403 last
month).  These cover 16,838 distinct MX hosts (16,670 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 580 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 327
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.15 million DANE domains, 12,666 (12,621 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts.  While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1191
(1225 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

    88 beta.itcomputers.eu
    20 mx1.exegy.com
    19 mx1.mdbraber.com
    17 mx1.digi.nl
    16 e-vps.hacktheplanet.nl
    15 web1.ams.dcg.t-host.net
    15 smtp.meninodoporto.com.pt
    15 artemis.strebsjig.net
    12 mail.bi9.de
    11 mx01.mykolab.com

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
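As an added illustration (not code from the original post or from the author's survey tooling) of the categories used above, the script below applies the RFC 7672 matching rules offline to a constructed set of MX hosts and sorts each domain into the same three buckets the post reports: correct TLSA at every reachable MX host, "partial" coverage where some MX hosts publish no TLSA record at all, and "broken" where a record is malformed, does not match the presented certificate (for example after a key rotation that forgot the TLSA update), or the host does not offer STARTTLS. It also treats an always-down host with a well-formed TLSA record as harmless, as footnote [1] below describes. All host names, TLSA records and the byte strings standing in for DER-encoded certificates and SubjectPublicKeyInfo values are constructed sample data; no DNS or SMTP traffic is involved.

```python
"""Offline SMTP DANE TLSA coverage check (added example; constructed data only)."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# RFC 7672: only DANE-TA(2) and DANE-EE(3) are usable for SMTP. PKIX-TA(0) and
# PKIX-EE(1) are well-formed but unusable, so they count as "present" only.
USABLE_USAGES = (2, 3)
DIGEST_LEN = {0: None, 1: 32, 2: 64}   # matching type -> expected data length


@dataclass(frozen=True)
class TLSA:
    usage: int      # certificate usage (0..3)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


@dataclass
class MXHost:
    name: str
    tlsa: List[TLSA]                            # published RRset ([] = none)
    chain: Optional[List[Tuple[bytes, bytes]]]  # [(cert_der, spki_der), ...] leaf first; None = host down
    starttls: bool = True


def well_formed(rr: TLSA) -> bool:
    """Syntactic check: known parameter values and a digest of the right length."""
    if rr.usage not in (0, 1, 2, 3) or rr.selector not in (0, 1) or rr.mtype not in DIGEST_LEN:
        return False
    want = DIGEST_LEN[rr.mtype]
    return want is None or len(rr.data) == want


def association_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """Compute what the record's data field should contain for this certificate."""
    raw = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return raw
    return (hashlib.sha256 if rr.mtype == 1 else hashlib.sha512)(raw).digest()


def record_matches(rr: TLSA, chain: List[Tuple[bytes, bytes]]) -> bool:
    # DANE-EE(3) matches the leaf only; DANE-TA(2) may match any certificate in the chain.
    candidates = chain[:1] if rr.usage == 3 else chain
    return any(association_data(rr, c, s) == rr.data for c, s in candidates)


def check_host(host: MXHost) -> str:
    """One verdict per MX host: no-tlsa, malformed, unreachable, no-starttls, mismatch or ok."""
    if not host.tlsa:
        return "no-tlsa"
    if not all(well_formed(rr) for rr in host.tlsa):
        return "malformed"
    if host.chain is None:
        return "unreachable"   # dead host with well-formed TLSA: no loss of security
    if not host.starttls:
        return "no-starttls"
    if any(record_matches(rr, host.chain) for rr in host.tlsa if rr.usage in USABLE_USAGES):
        return "ok"
    return "mismatch"


def classify_domain(hosts: List[MXHost]) -> str:
    results = [check_host(h) for h in hosts]
    if any(r in ("malformed", "no-starttls", "mismatch") for r in results):
        return "broken"      # incorrect TLSA or no STARTTLS at some MX host
    if "no-tlsa" in results:
        return "partial"     # TLSA covers only a subset of the MX hosts
    return "dane"            # correct TLSA at every MX host that accepts connections


def sha256(b: bytes) -> bytes:
    return hashlib.sha256(b).digest()


# Constructed stand-ins for DER encodings; these are not real certificates.
LEAF_CERT, LEAF_SPKI = b"constructed leaf cert", b"constructed leaf spki"
CA_CERT, CA_SPKI = b"constructed issuer cert", b"constructed issuer spki"
OLD_SPKI = b"constructed key from before rotation"
CHAIN = [(LEAF_CERT, LEAF_SPKI), (CA_CERT, CA_SPKI)]

# Constructed sample domains (hypothetical names under the reserved .example TLD).
SAMPLE_DOMAINS = {
    "full.example": [
        MXHost("mx1.full.example", [TLSA(3, 1, 1, sha256(LEAF_SPKI))], CHAIN),
        MXHost("mx2.full.example", [TLSA(2, 1, 1, sha256(CA_SPKI))], CHAIN),
        MXHost("dead.full.example", [TLSA(3, 1, 1, b"\x00" * 32)], None),  # always-down host
    ],
    "partial.example": [
        MXHost("mx1.partial.example", [TLSA(3, 1, 1, sha256(LEAF_SPKI))], CHAIN),
        MXHost("mx2.partial.example", [], CHAIN),                           # no TLSA published
    ],
    "broken.example": [
        MXHost("mx1.broken.example", [TLSA(3, 1, 1, sha256(OLD_SPKI))], CHAIN),  # key rotated, TLSA stale
        MXHost("mx2.broken.example", [TLSA(3, 1, 1, sha256(LEAF_SPKI))], CHAIN, starttls=False),
    ],
}


def report(domains: Dict[str, List[MXHost]] = SAMPLE_DOMAINS) -> Dict[str, str]:
    return {name: classify_domain(hosts) for name, hosts in domains.items()}


if __name__ == "__main__":
    for dom, verdict in report().items():
        print(f"{dom:18} {verdict}")
        for h in SAMPLE_DOMAINS[dom]:
            print(f"  {h.name:26} {check_host(h)}")
```

In a real monitor the `chain` values would come from the leaf and issuer certificates presented during the STARTTLS handshake and `tlsa` from a DNSSEC-validated lookup of `_25._tcp.<mx host>`; the classification logic above is the part that does not change.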

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month).  The top 10 name server operators with problem domains are:

  This Month                 Last month
  ----------                 ----------
  596 registrar-servers.com  579 registrar-servers.com
  171 axc.nl                 164 axc.nl
   83 ebola.cz                87 ebola.cz
   42 worldnic.com            39 worldnic.com
   31 mijndomein.nl           32 mijndomein.nl
   30 ns01.nl                 29 ns01.nl
   28 made-easy.ch            29 made-easy.ch
   18 cloudflare.com          17 cloudflare.com
   15 register.com            14 register.com
   15 epik.com                11 epik.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Four of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  urbtix.hk
  novathreads.us

--
      Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                  elster.de                 mailplus.nl
gmx.at                        emailn.de                 mailshover.nl
vbv.at                        fau.de                    markteffectmail.nl
tip.net.au                    freenet.de                mijnhypotheekonline.nl
pcug.org.au                   gmx.de                    mijnsalon.nl
boozyshop.be                  jpberlin.de               mijnuvt.nl
triodos.be                    lmu.de                    minbuza.nl
e-negociacao.com.br           lrz.de                    mindef.nl
e-renegocie.com.br            mail.de                   minvenj.nl
nic.br                        mpg.de                    mm1.nl
registro.br                   neutraler-versand.de      mulderretail.nl
activfitness-news.ch          posteo.de                 nieuwsservice-rvo.nl
gmx.ch                        ruhr-uni-bochum.de        ns.nl
hostpoint.ch                  tum.de                    orangebag.nl
infomaniak.ch                 tutanota.de               ouderportaal.nl
linsenkontakt.ch              uni-augsburg.de           overheid.nl
open.ch                       uni-erlangen.de           parlement.nl
protonmail.ch                 uni-muenchen.de           partijvoordedieren.nl
switch.ch                     unitymedia.de             plusticket.nl
simplelogin.co                web.de                    politie.nl
ansigtsyogaonline.com         westlotto.de              pp-prd.nl
anubisnetworks.com            actie.deals               previder.nl
boekenwereld.com              exoticmix.dk              rdw.nl
cm.com                        fibianet.dk               rijksoverheid.nl
connectsb.com                 handelsbanken.dk          rivm.nl
dailyplaylists.com            jule-sweaters.dk          rotterdam.nl
datev.com                     juliesandlau.dk           sans-mail.nl
fabfilter.com                 netic.dk                  schoudercom.nl
fastware-hosting.com          nota.dk                   schuurman-schoenen.nl
flaneurhomme.com              nst.dk                    smartwatchbanden.nl
gmx.com                       seniornews.dk             sportrusten.nl
habr.com                      shapeit.dk                stater.nl
hoobly.com                    shellcard.dk              telefoonglaasje.nl
hotelsinduitsland.com         stil.dk                   transip.nl
imcnig.com                    uvm.dk                    triodos.nl
infomaniak.com                wavell.dk                 tweedekamer.nl
ingthink.com                  tilburguniversity.edu     utwente.nl
joomlapolis.com               spike.email               uvt.nl
jula.com                      spotler.email             uwv.nl
kpn.com                       talentech.email           voorpositiviteit.nl
leszexpertsfle.com            rediris.es                vpo.nl
librti.com                    triodos.es                vu.nl
mail.com                      uv.es                     wasstraatdewalvis.nl
mammoetmail.com               egu.eu                    waternet.nl
mantapsurvey.com              glowliving.eu             woongarantvolmacht.nl
matilhadobemadestramento.com  zone.eu                   zorgmail.nl
mplbeauty.com                 zonevs.eu                 annabellstefanussen.no
mx-relay.com                  handelsbanken.fi          audi.no
nanolearning.com              tarjousrinki.fi           derute.no
nine-pine.com                 traficom.fi               domeneshop.no
one.com                       ac-strasbourg.fr          forbrukslaan.no
protonmail.com                compagnie-des-sens.fr     guttelus.no
protonvpn.com                 kangouroukids.fr          handelsbanken.no
renworkshops.com              oo2.fr                    idrettenonline.no
sankakucomplex.com            srci.fr                   kapitalkontroll.no
serverclienti.com             fidesz.hu                 mystuff.no
societe.com                   mszp.hu                   norskgrammatikk.no
solvinity.com                 neolink.link              plukkselv.no
stater.com                    pm.me                     rushtrampoline.no
stellarequipment.com          army.mil                  uib.no
thalesgroup.com               dla.mil                   viphuset.no
thepcw.com                    jten.mil                  atelkamera.nu
thepcwholesale.com            mail.mil                  goget.nu
triodos.com                   militaryonesource.mil     aegee.org
tutanota.com                  navy.mil                  calyxinstitute.org
up2staff.com                  osd.mil                   debian.org
veganallsorts.com             socom.mil                 freebsd.org
vitstore.com                  uscg.mil                  gentoo.org
vivaldi.com                   usmc.mil                  ietf.org
webmailph.com                 comcast.net               isc.org
xfinity.com                   fivem.net                 mailbox.org
xfinityhomesecurity.com       gmx.net                   mailop.org
xfinitymobile.com             habramail.net             netbsd.org
ymeuniverse.com               hr-manager.net            openssl.org
akce-incomputer.cz            inexio.net                oraclegirl.org
cesnet.cz                     mijngezondheid.net        ozlabs.org
csob.cz                       mpssec.net                samba.org
cuni.cz                       procurios.net             torproject.org
cvut.cz                       ripe.net                  whatpulse.org
ekokoza.cz                    riseup.net                psgaz.pl
fio.cz                        t-2.net                   asf.com.pt
gigalekarna.cz                transip.net               mobily.com.sa
itesco.cz                     xs4all.net                axmarin.se
kb.cz                         123watches.nl             bilprovningen.se
klenotyaurum.cz               amsterdam.nl              boplatssyd-automail.se
klubpevnehozdravi.cz          argeweb.nl                ecster.se
manymail.cz                   belastingdienst.nl        handelsbanken.se
mkluzkoviny.cz                bhsupport.nl              lomervarde.se
muni.cz                       bluerail.nl               loopia.se
nanospace.cz                  boekwinkeltjes.nl         loopiahosting.se
nic.cz                        bolerolimonadewinkel.nl   minmyndighetspost.se
onebit.cz                     boozyshop.nl              polisen.se
optimail.cz                   burgernet.nl              racketspecialisten.se
poptavej.cz                   cbr.nl                    skatteverket.se
predplatit.cz                 derooijfotografie.nl      teknikdelar.se
scrptd.cz                     digid.nl                  theletter.se
server4u.cz                   duo.nl                    voteit.se
smtp.cz                       eco-logisch.nl            websupport.se
sparkys.cz                    edenhotels.nl             dovypredania.sk
stoklasa.cz                   ezorg.nl                  kadernickyservis.sk
vas-server.cz                 fidus.nl                  mastersport.sk
virusfree.cz                  haibu.nl                  mklozkoviny.sk
zdravestravovani.cz           healthcheckcenter.nl      rondogo.sk
bayern.de                     heilbron.nl               toptop.sk
brandenburg.de                herinneringenoplinnen.nl  zapardrobnych.sk
bund.de                       interim-netwerk.nl        triodos.co.uk
bundesregierung.de            justis.nl                 govtrack.us
datev.de                      lico.nl                   quantum-services.us
dfn.de                        luxiez.nl                 ru.ac.za
