Update on stats 2021-12

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Jan 1 13:07:59 CET 2022

Summary:  The DANE domain count is now 2,998,143 (c.f. 3,005,393
          last month and 2,522,820 this time last year).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 17,263,168 (up from 16,982,372 last
          month and 13,559,686 this time last year).  Thus DANE TLSA is
          deployed on ~17.36% of domains with DNSSEC.  For more stats,
          see <https://stats.dnssec-tools.org/>.  [ See the Credits[0]
          list below my signature. ]

As of today I count ~3.0 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month                   Last year
  ----------                   ----------                   ---------
  1214915 one.com              1230165 one.com              1197409 one.com
   273907 hostpoint.ch          272727 hostpoint.ch          146757 transip.nl
   156065 infomaniak.ch         154952 transip.nl            146041 argewebhosting.nl
   155803 transip.nl            154347 infomaniak.ch         103374 domeneshop.no
   150793 argewebhosting.nl     149718 argewebhosting.nl      98861 webhostingserver.nl
   106219 domeneshop.no         106004 domeneshop.no          96166 infomaniak.ch
    97607 webhostingserver.nl    98029 webhostingserver.nl    92051 loopia.se
    95145 loopia.se              95100 loopia.se              66772 forpsi.com
    72612 forpsi.com             71946 forpsi.com             41264 webreus.nl
    50892 zxcs.nl                48270 zxcs.nl                40642 active24.com
    46657 active24.com           46581 active24.com           39895 pcextreme.nl
    41634 webreus.nl             42121 webreus.nl             35523 antagonist.nl
    38388 antagonist.nl          38213 antagonist.nl          31194 zxcs.nl
    36106 pcextreme.nl           36362 pcextreme.nl           30096 vevida.com
    27209 udmedia.de             27450 vevida.com             27456 webhosting.dk
    27073 vevida.com             26984 udmedia.de             26566 web4u.cz
    26765 webhosting.dk          26916 webhosting.dk          25718 udmedia.de
    26430 web4u.cz               26483 web4u.cz               18487 bhosted.nl
    23331 hosting2go.nl          23612 hosting2go.nl          14530 protonmail.ch
    22745 protonmail.ch          22118 protonmail.ch          14434 onebit.cz

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month               Last year
  ----------               ----------               ---------
  9262 TOTAL               9230 TOTAL               7799 TOTAL
  2704 DE, Germany         2691 DE, Germany         2390 DE, Germany
  1785 NL, Netherlands     1781 NL, Netherlands     1497 US, United States
  1723 US, United States   1710 US, United States   1437 NL, Netherlands
   674 FR, France           697 FR, France           637 FR, France
   338 GB, United Kingdom   325 GB, United Kingdom   279 GB, United Kingdom
   275 CZ, Czechia          264 CZ, Czechia          227 CZ, Czechia
   202 FI, Finland          206 CA, Canada           170 CA, Canada
   199 CA, Canada           204 FI, Finland          123 FI, Finland
   132 DK, Denmark          131 AT, Austria          113 DK, Denmark
   132 AT, Austria          129 DK, Denmark          109 SG, Singapore
   114 SG, Singapore        118 SG, Singapore         99 CH, Switzerland
   113 CH, Switzerland      108 CH, Switzerland       88 SE, Sweden
    99 SE, Sweden            98 SE, Sweden            63 AU, Australia
    99 AU, Australia         93 AU, Australia         62 AT, Austria
    54 PL, Poland            56 PL, Poland            42 IE, Ireland
    46 RU, Russia            44 NO, Norway            40 BR, Brazil
    42 IE, Ireland           43 RU, Russia            38 IN, India
    41 NO, Norway            43 IE, Ireland           34 JP, Japan
    39 JP, Japan             38 JP, Japan             33 PL, Poland
    37 BR, Brazil            38 BR, Brazil            30 RU, Russia

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month               Last year
  ----------               ----------               ---------
  7177 TOTAL               7274 TOTAL               6378 TOTAL
  3323 NL, Netherlands     3431 NL, Netherlands     3183 NL, Netherlands
  1926 DE, Germany         1903 DE, Germany         1587 DE, Germany
   759 US, United States    757 US, United States    606 US, United States
   288 FR, France           300 FR, France           287 FR, France
   164 CZ, Czechia          156 CZ, Czechia          136 CZ, Czechia
   144 GB, United Kingdom   133 GB, United Kingdom   112 GB, United Kingdom
    82 FI, Finland           80 FI, Finland           48 CA, Canada
    60 CA, Canada            60 CA, Canada            44 CH, Switzerland
    44 CH, Switzerland       45 CH, Switzerland       42 AT, Austria
    43 SE, Sweden            42 SG, Singapore         38 SG, Singapore
    42 AU, Australia         42 SE, Sweden            36 SE, Sweden
    40 SG, Singapore         38 AU, Australia         27 RU, Russia
    32 AT, Austria           31 AT, Austria           22 IE, Ireland
    28 JP, Japan             28 JP, Japan             19 UA, Ukraine
    23 IE, Ireland           26 RU, Russia            19 JP, Japan
    18 NO, Norway            23 IE, Ireland           18 AU, Australia
    16 BR, Brazil            19 NO, Norway            17 NO, Norway
    15 DK, Denmark           18 DK, Denmark           17 FI, Finland
    12 IN, India             15 BR, Brazil            17 DK, Denmark
    11 PL, Poland            13 IN, India             14 BR, Brazil

There are 7,482 unique zones (7,451 last month and 6,291 this time last
year) in which the underlying MX hosts are found.  This counts each of
the above providers as just one zone, so is a measure of the breadth of
adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 16,403 (16,295 last
month and 14,130 this time last year).  These cover 16,670 distinct MX
hosts (16,562 last month and 14,328 this time last year, some MX hosts
share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 575 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 330
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.0 million DANE domains, 12,621 (12,750 last month and 13,070
this time last year) have "partial" TLSA records, that cover only a
subset of the (secondary) MX hosts.  While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1225
(1086 last month and 1155 this time last year).  Some of these have
additional MX hosts that don't have broken TLSA records, so mail can
still arrive via the remaining MX hosts.  The affected domain counts for
the top 10 problem MX hosts are:

    90 beta.itcomputers.eu
    44 smtp.meninadoporto.shop
    32 node1.4spam.nl
    19 mx1.mdbraber.com
    16 mail.odissee.net
    16 e-vps.hacktheplanet.nl
    15 web1.ams.dcg.t-host.net
    15 smtp.meninodoporto.com.pt
    15 artemis.strebsjig.net
    12 mail.bi9.de

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



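The categories counted above (TLSA records correct at every MX host, "partial" records that cover only some of the MX hosts, and records that are incorrect or published by a host that offers no STARTTLS), together with the pre-publish step of a key rotation, as an added example in Python. This is not part of this post or of the survey tooling; all hosts, keys and records in it are constructed. Only DANE-EE SPKI records ("3 1 1" / "3 1 2") are matched against a host key, which is the form used for SMTP; a host that does not accept connections is treated as fine when its records are well-formed, as footnote [1] describes.

```python
"""Offline check of SMTP DANE TLSA records against MX host keys.

Added example, not the survey's own code.  Models the report's categories
(correct at every MX host / partial / broken) and the pre-publish key
rotation step.  Only "3 1 1" / "3 1 2" (DANE-EE, SPKI, SHA-256/SHA-512)
records are matched against a key; other usages are checked for
well-formedness only.  Keys and records below are constructed.
"""
import hashlib

# DER prefix of an Ed25519 SubjectPublicKeyInfo (RFC 8410); key bytes are made up.
_ED25519_SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def spki_der(raw_key32: bytes) -> bytes:
    """Wrap a constructed 32-byte Ed25519 public key in its DER SPKI."""
    if len(raw_key32) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    return _ED25519_SPKI_PREFIX + raw_key32


def tlsa_rdata(spki: bytes, mtype: int = 1) -> str:
    """Presentation form of a DANE-EE SPKI record ("3 1 <mtype> <hex>") for a key."""
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return f"3 1 {mtype} {digest(spki).hexdigest()}"


def parse_tlsa(rr: str):
    """Parse "usage selector mtype hexdata"; raise ValueError if malformed."""
    parts = rr.split()
    if len(parts) != 4:
        raise ValueError(f"expected 4 fields: {rr!r}")
    usage, selector, mtype = (int(p) for p in parts[:3])
    data = bytes.fromhex(parts[3])
    if usage > 3 or selector > 1 or mtype > 2:
        raise ValueError(f"unknown parameter values: {rr!r}")
    if (mtype == 1 and len(data) != 32) or (mtype == 2 and len(data) != 64):
        raise ValueError(f"digest length does not fit matching type: {rr!r}")
    return usage, selector, mtype, data


def record_matches(rr: str, spki: bytes) -> bool:
    """True if a DANE-EE SPKI record matches the host's current public key."""
    usage, selector, mtype, data = parse_tlsa(rr)
    if (usage, selector) != (3, 1):
        return False  # DANE-TA and full-certificate records need the chain; not modelled here
    if mtype == 1:
        return hashlib.sha256(spki).digest() == data
    if mtype == 2:
        return hashlib.sha512(spki).digest() == data
    return spki == data  # matching type 0: the SPKI itself


def host_status(host: dict) -> str:
    """Classify one MX host as 'none' (no TLSA), 'ok' or 'broken'."""
    records = host.get("tlsa", [])
    if not records:
        return "none"
    try:
        for rr in records:
            parse_tlsa(rr)
    except ValueError:
        return "broken"  # malformed RRset
    if not host.get("accepts_connections", True):
        return "ok"  # dead host: well-formed records are enough (footnote [1])
    if not host.get("starttls", False):
        return "broken"  # TLSA published but STARTTLS not offered
    return "ok" if any(record_matches(rr, host["spki"]) for rr in records) else "broken"


def domain_status(mx_hosts: dict) -> str:
    """Roll up per-host results into 'full', 'partial', 'broken' or 'none'."""
    statuses = [host_status(h) for h in mx_hosts.values()]
    if not statuses:
        return "none"
    if "broken" in statuses:
        return "broken"
    if all(s == "ok" for s in statuses):
        return "full"
    return "partial" if "ok" in statuses else "none"


def rotation_ready(records, current_spki: bytes, next_spki: bytes) -> bool:
    """Pre-publish check: the RRset must match both the live key and the next key
    (and the old record must be retired only after the old TTL has expired)."""
    return (any(record_matches(rr, current_spki) for rr in records)
            and any(record_matches(rr, next_spki) for rr in records))


def demo_scenarios() -> dict:
    """Constructed domains covering each category in the report."""
    spki_a, spki_b, spki_next = (spki_der(bytes([i]) * 32) for i in (0xA1, 0xB2, 0xC3))
    good = {"tlsa": [tlsa_rdata(spki_a)], "spki": spki_a, "starttls": True}
    stale = {"tlsa": [tlsa_rdata(spki_b)], "spki": spki_a, "starttls": True}  # record for old key
    no_tls = {"tlsa": [tlsa_rdata(spki_b)], "spki": spki_b, "starttls": False}
    dead = {"tlsa": ["3 1 1 " + "00" * 32], "accepts_connections": False}
    bare = {"spki": spki_b, "starttls": True}  # no TLSA records at all
    return {
        "full": domain_status({"mx1": good, "mx2": dead}),
        "partial": domain_status({"mx1": good, "mx2": bare}),
        "broken_stale": domain_status({"mx1": good, "mx2": stale}),
        "broken_no_starttls": domain_status({"mx1": no_tls}),
        "none": domain_status({"mx1": bare}),
        "rotation_ready": rotation_ready([tlsa_rdata(spki_a), tlsa_rdata(spki_next)], spki_a, spki_next),
        "rotation_not_ready": rotation_ready([tlsa_rdata(spki_a)], spki_a, spki_next),
    }


if __name__ == "__main__":
    for name, result in demo_scenarios().items():
        print(f"{name}: {result}")
```

Pointing `host_status` at live data means fetching the TLSA RRset with a validating resolver and the SPKI from the host's STARTTLS certificate; the "stale" scenario is the common outage, where a certificate or key was replaced without publishing the new "3 1 1" record first.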
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month).  The top 10 name server operators with problem domains are:

  This Month                 Last month                 Last year
  ----------                 ----------                 ---------
  579 registrar-servers.com  564 registrar-servers.com  325 registrar-servers.com
  164 axc.nl                 124 axc.nl                 116 movenext.nl
   87 ebola.cz                88 ebola.cz                86 ebola.cz
   39 worldnic.com            33 worldnic.com            25 tiscomhosting.nl
   32 mijndomein.nl           30 mijndomein.nl           24 epik.com
   29 ns01.nl                 30 made-easy.ch            23 eatserver.nl
   29 made-easy.ch            16 cloudflare.com          17 infracom.nl
   17 cloudflare.com          11 vtx.ch                  14 ns01.nl
   14 register.com            11 openprovider.nl         12 renault.fr
   11 epik.com                10 register.com            11 nrdns.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:



[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency

123watches.nl             ingthink.com                  quantum-services.us
30tidennivyzva.cz         interestexplorer.io           racketspecialisten.se
ac-strasbourg.fr          interim-netwerk.nl            rdw.nl
actie.deals               isc.org                       rediris.es
activfitness-news.ch      itesco.cz                     registro.br
aegee.org                 joomlapolis.com               rijksoverheid.nl
akce-incomputer.cz        jpberlin.de                   ripe.net
amsterdam.nl              jten.mil                      riseup.net
annabellstefanussen.no    jula.com                      rivm.nl
ansigtsyogaonline.com     jule-sweaters.dk              rondogo.sk
argeweb.nl                juliesandlau.dk               rotterdam.nl
army.mil                  just.ee                       ruhr-uni-bochum.de
artsenzorg.nl             justis.nl                     rushtrampoline.no
asf.com.pt                kadernickyservis.sk           samba.org
atelkamera.nu             kapitalkontroll.no            sankakucomplex.com
audi.no                   kb.cz                         sans-mail.nl
axmarin.se                klenotyaurum.cz               schizinfo.com
bayern.de                 klubpevnehozdravi.cz          schoudercom.nl
belastingdienst.nl        kpn.com                       schuurman-schoenen.nl
bhsupport.nl              leszexpertsfle.com            scrptd.cz
bilprovningen.se          librti.com                    seniornews.dk
bluebiz.info              linsenkontakt.ch              server4u.cz
bluerail.nl               lomervarde.se                 serverclienti.com
boekenwereld.com          loopia.se                     shapeit.dk
boekwinkeltjes.nl         loopiahosting.se              shellcard.dk
bolerolimonadewinkel.nl   lrz.de                        simplelogin.co
boozyshop.be              luxiez.nl                     skatteverket.se
boozyshop.nl              mail.com                      smartwatchbanden.nl
boplatssyd-automail.se    mail.de                       smtp.cz
brandenburg.de            mail.mil                      societe.com
bund.de                   mailbox.org                   socom.mil
bundesregierung.de        mailop.org                    solvinity.com
burgernet.nl              mailplus.nl                   spareklubbnorge.com
calyxinstitute.org        mailshover.nl                 sparkys.cz
cbr.nl                    mammoetmail.com               spike.email
cbs.nl                    mantapsurvey.com              sportrusten.nl
cesnet.cz                 manymail.cz                   spotler.email
cetelemnegocie.com.br     markteffectmail.nl            srci.fr
cm.com                    mastersport.sk                ssonet.nl
comcast.net               matilhadobemadestramento.com  stellarequipment.com
compagnie-des-sens.fr     mijngezondheid.net            stoklasa.cz
connectsb.com             mijnuvt.nl                    switch.ch
corpoflow.nl              militaryonesource.mil         t-2.net
csob.cz                   minbuza.nl                    talentech.email
cuni.cz                   minbzk.nl                     tarjousrinki.fi
cvut.cz                   mindef.nl                     teknikdelar.se
dailyplaylists.com        minmyndighetspost.se          telefoonglaasje.nl
datev.com                 minvenj.nl                    thalesgroup.com
datev.de                  mklozkoviny.sk                theletter.se
debian.org                mkluzkoviny.cz                thepcw.com
derooijfotografie.nl      mm1.nl                        thepcwholesale.com
derute.no                 mobily.com.sa                 tilburguniversity.edu
dfn.de                    mpg.de                        tip.net.au
digid.nl                  mplbeauty.com                 toptop.sk
dla.mil                   mpssec.net                    torproject.org
domeneshop.no             mszp.hu                       traficom.fi
dovypredania.sk           mulderretail.nl               transip.net
duo.nl                    muni.cz                       travailler-en-suisse.ch
e-renegocie.com.br        mvnet.de                      triodos.be
eco-logisch.nl            mx-relay.com                  triodos.co.uk
ecster.se                 mystuff.no                    triodos.com
edenhotels.nl             najlacnejsisport.sk           triodos.es
edtm-actu.fr              nanolearning.com              triodos.nl
egu.eu                    nanospace.cz                  tum.de
ekokoza.cz                navy.mil                      tutanota.com
elster.de                 netbsd.org                    tutanota.de
emailn.de                 netic.dk                      tweedekamer.nl
envie.email               neutraler-versand.de          uib.no
exegy.com                 nic.br                        uitgeverijpica.nl
exoticmix.dk              nic.cz                        uni-augsburg.de
ezorg.nl                  nieuwsservice-rvo.nl          uni-erlangen.de
fabfilter.com             nine-pine.com                 uni-muenchen.de
fau.de                    norskgrammatikk.no            unitymedia.de
fibianet.dk               nota.dk                       univie.ac.at
fidesz.hu                 ns.nl                         uscg.mil
fivem.net                 nst.dk                        usmc.mil
flaneurhomme.com          one.com                       utwente.nl
forbrukslaan.no           onebit.cz                     uv.es
freebsd.org               oo2.fr                        uvm.dk
freenet.de                open.ch                       uvt.nl
gentoo.org                openssl.org                   uwv.nl
gigalekarna.cz            optimail.cz                   vas-server.cz
glowliving.eu             orangebag.nl                  vbv.at
gmx.at                    osd.mil                       veganallsorts.com
gmx.ch                    ouderenfonds.nl               viphuset.no
gmx.com                   ouderportaal.nl               virusfree.cz
gmx.de                    outsystems.com                vitstore.com
gmx.net                   overheid.nl                   vivaldi.com
goget.nu                  ozlabs.org                    voorpositiviteit.nl
govtrack.us               parlement.nl                  vpo.nl
habr.com                  partijvoordedieren.nl         vu.nl
habramail.net             paypro.nl                     waternet.nl
handelsbanken.dk          pcug.org.au                   wavell.dk
handelsbanken.fi          pictolezen.be                 web.de
handelsbanken.no          plukkselv.no                  webcruiter.com
handelsbanken.se          plusticket.nl                 webhosting.dk
healthcheckcenter.nl      pm.me                         webmailph.com
heilbron.nl               podiumcadeaukaart.nl          websupport.se
herinneringenoplinnen.nl  politie.nl                    westlotto.de
hoobly.com                poptavej.cz                   whatpulse.org
hostpoint.ch              posteo.de                     woongarantvolmacht.nl
hotelsinduitsland.com     powerhosting.dk               xfinity.com
hr-manager.net            pp-prd.nl                     xfinityhomesecurity.com
huizenzoeker.nl           previder.nl                   xfinitymobile.com
idrettenonline.no         procurios.net                 xs4all.net
ietf.org                  protonmail.ch                 ymeuniverse.com
imcnig.com                protonmail.com                zdravestravovani.cz
inexio.net                protonvpn.com                 zone.eu
infomaniak.ch             psgaz.pl                      zonevs.eu
infomaniak.com            purdey.nl                     zorgmail.nl

