From ietf-dane at dukhovni.org  Wed Jun  1 05:58:56 2022
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 31 May 2022 23:58:56 -0400
Subject: Update on stats 2022-05
Message-ID:

Summary:

    The DANE domain count is now 3,235,913 (c.f. 3,197,734 last month).
    The number of domains that return DNSSEC-validated replies in response
    to MX queries is 18,591,690 (up from 18,409,733 last month). Thus DANE
    TLSA is deployed on ~17.40% of domains with DNSSEC.

    For more stats, see .

[ See the Credits[0] list below my signature. ]

Another milestone, as of today, the .COM TLD now has more than 5 million
signed delegations.

As of today I count ~3.24 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As expected,
the bulk of the DANE domains are hosted by the DNS/email hosting providers
who've enabled DANE support for the customer domains they host. The top 20
MX host providers by domain count are below.

    This month                      Last Month
    ----------                      ----------
    1242988 one.com                 1243696 one.com
     278263 hostpoint.ch             277421 hostpoint.ch
     165958 infomaniak.ch            164315 infomaniak.ch
     160813 transip.nl               159902 transip.nl
     158555 argewebhosting.nl        158479 argewebhosting.nl
     107363 domeneshop.no            107350 domeneshop.no
      98980 jouwweb.nl                97611 jouwweb.nl
      96757 loopia.se                 96400 loopia.se
      95704 webhostingserver.nl       96065 webhostingserver.nl
      76489 forpsi.com                75966 forpsi.com
      60790 zxcs.nl                   59337 zxcs.nl
      47127 active24.com              47090 active24.com
      40731 webreus.nl                41006 webreus.nl
      39430 antagonist.nl             39296 antagonist.nl
      34847 pcextreme.nl              35099 pcextreme.nl
      27612 udmedia.de                27513 udmedia.de
      26602 protonmail.ch             26802 web4u.cz
      26570 web4u.cz                  25925 webhosting.dk
      25850 webhosting.dk             25763 vevida.com
      25519 vevida.com                25515 protonmail.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is counted,
so multi-homed MX hosts are perhaps somewhat over-represented).

    This month                    Last month
    ----------                    ----------
    10052 TOTAL                   9944 TOTAL
     2983 DE, Germany             2956 DE, Germany
     1864 NL, Netherlands         1844 NL, Netherlands
     1790 US, United States       1789 US, United States
      737 FR, France               737 FR, France
      349 GB, United Kingdom       346 GB, United Kingdom
      325 CZ, Czechia              331 CZ, Czechia
      228 FI, Finland              226 FI, Finland
      225 CA, Canada               213 CA, Canada
      159 AT, Austria              156 AT, Austria
      137 SG, Singapore            130 SG, Singapore
      129 DK, Denmark              129 CH, Switzerland
      129 CH, Switzerland          127 DK, Denmark
      109 AU, Australia            110 SE, Sweden
      107 SE, Sweden               106 AU, Australia
       59 PL, Poland                59 PL, Poland
       52 JP, Japan                 48 JP, Japan
       51 RU, Russia                46 RU, Russia
       47 NO, Norway                46 NO, Norway
       44 BR, Brazil                43 BR, Brazil
       41 IE, Ireland               40 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

    This month                    Last month
    ----------                    ----------
     7869 TOTAL                   7816 TOTAL
     3534 NL, Netherlands         3507 NL, Netherlands
     2202 DE, Germany             2162 DE, Germany
      817 US, United States        812 US, United States
      322 FR, France               317 FR, France
      191 CZ, Czechia              187 CZ, Czechia
      150 GB, United Kingdom       158 GB, United Kingdom
       76 FI, Finland               82 FI, Finland
       71 CA, Canada                63 CA, Canada
       59 CH, Switzerland           60 CH, Switzerland
       51 AU, Australia             50 AU, Australia
       42 SE, Sweden                45 AT, Austria
       40 SG, Singapore             40 SG, Singapore
       38 AT, Austria               39 SE, Sweden
       37 JP, Japan                 32 JP, Japan
       25 NO, Norway                30 RU, Russia
       22 DK, Denmark               22 IE, Ireland
       18 IE, Ireland               20 DK, Denmark
       16 RU, Russia                19 NO, Norway
       15 BR, Brazil                15 BG, Bulgaria
       12 LT, Lithuania             13 LT, Lithuania

There are 8,234 unique zones (8,119 last month) in which the underlying MX
hosts are found.
This counts each of the above providers as just one zone, so is a measure
of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 17,494 (17,295 last
month). These cover 17,782 distinct MX hosts (17,568 last month, some MX
hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email
transparency report is 643 (this is my ad-hoc criterion for a domain being
a large-enough actively used email domain). Of these, 387 are in recent
(last 90 days of) reports (see [2] below my signature).

Of the ~3.24 million DANE domains, 12,258 (27,938 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such domains
are still vulnerable to the usual active attacks via the remaining MX
hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,109
(1,147 last month). Some of these have additional MX hosts that don't have
broken TLSA records, so mail can still arrive via the remaining MX hosts.
The affected domain counts for the top 10 problem MX hosts are:

     85 beta.itcomputers.eu
     19 mx1.mdbraber.com
     16 e-vps.hacktheplanet.nl
     15 mail.nationaalarchief.nl
     15 mail.gregdouglas.net
     15 artemis.strebsjig.net
     11 mail.ontharen-rotterdam.nl
      9 mx1.digi.nl
      9 mx01.mykolab.com
      9 mail.qusign.net

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month). The top 10 name server operators with problem domains are:

    This Month                      Last month
    ----------                      ----------
     573 registrar-servers.com       563 registrar-servers.com
     236 mijndomein.nl               151 axc.nl
     159 worldnic.com                 90 worldnic.com
     145 axc.nl                       76 ebola.cz
      85 ebola.cz                     41 epik.com
      31 openprovider.nl              39 mijndomein.nl
      31 made-easy.ch                 32 openprovider.nl
      31 epik.com                     31 made-easy.ch
      26 ns01.nl                      27 register.com
      24 register.com                 26 ns01.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Four of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    mailazy.net
    kprm.gov.pl
    novathreads.us

-- 
    Viktor.

[0] Credits:

    The coverage of DNSSEC domains continues to improve with ongoing data
    support from Paul Vixie of Farsight Security. Credits also due to
    ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM,
    .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
    sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
    presumably as a hurdle to botnet SMTP code that gives up where real
    MTAs might persist. I am not a fan of this type of defence (it can
    also impose undue latency on legitimate email). However, provided the
    dead hosts still have TLSA records (which don't need to match
    anything, just need to exist and be well-formed), there's no loss of
    security.

[2] DANE domains appearing in last 90 days of Google Email transparency
    reports:

123watches.nl             ietf.org                      revolt.nl
402automotive.com         imcnig.com                    rijksoverheid.nl
ac-strasbourg.fr          inexio.net                    ripe.net
activfitness-news.ch      infomaniak.ch                 riseup.net
akce-incomputer.cz        infomaniak.com                rivm.nl
altidev.com               ingthink.com                  rondogo.sk
altospam.com              interim-netwerk.nl            rotterdam.nl
amenit.cz                 isc.org                       ru.ac.za
amsterdam.nl              itesco.cz                     ruhr-uni-bochum.de
analysedanmark.nu         joomlapolis.com               run-motion.com
ansigtsyogaonline.com     jpberlin.de                   runbox.com
argeweb.nl                jten.mil                      rushtrampoline.no
army.mil                  jula.com                      rvo.nl
asf.com.pt                kadernickyservis.sk           samba.org
atelkamera.nu             kantarresearch.com            sankakucomplex.com
atlas.cz                  kb.cz                         sans-mail.nl
audi.no                   kindredcircle.org             satro.sk
bantschowundbantschow.de  klbrlive.com                  schoudercom.nl
bayern.de                 klenotyaurum.cz               schuurman-schoenen.nl
belastingdienst.nl        klubpevnehozdravi.cz          scorecloud.com
benjaminfulford.net       kpn.com                       scrptd.cz
bergengokart.no           kralingsebosfestival.nl       seniornews.dk
beterspellen.nl           kronofogden.se                server4u.cz
bewooden.cz               ksporting.cz                  serverclienti.com
bhosted.nl                lansstyrelsen.se              shapeit.dk
bilprovningen.se          leszexpertsfle.com            shellcard.dk
biotechnologia.com.pl     librti.com                    sidn.nl
bluebiz.info              lico.nl                       simplelogin.co
bncr.fi.cr                linhard.nl                    skatteverket.se
boekwinkeltjes.nl         linsenkontakt.ch              skyaccess.nl
bolerolimonadewinkel.nl   litebit.eu                    smartwatchbanden.nl
boozyshop.nl              lmu.de                        smtp.cz
borgerforslag.dk          loopia.se                     societe.com
brandenburg.de            loopiahosting.se              socom.mil
brassthistle.com          lrz.de                        solvinity.com
bratsites-grs.nl          luxiez.nl                     spamservice.nl
bund.de                   mactabeauty.com               sparkys.cz
bundesregierung.de        mail-studio.nl                spike.email
burgernet.nl              mail.com                      spillfabrikken.no
caracamilla.nl            mail.de                       sportrusten.nl
cbd420.ch                 mail.mil                      spotler.email
cbr.nl                    mailbox.org                   srsforward.com
centrum.cz                mailop.org                    ssonet.nl
centrum.sk                mailplus.nl                   stater.com
cetelemnegocie.com.br     mailshover.nl                 stater.nl
cm.com                    mammoetmail.com               stellarequipment.com
comcast.net               managementboek.nl             stil.dk
compagnie-des-sens.fr     manymail.cz                   stoklasa.cz
connectsb.com             markomat.cz                   switch.ch
corpoflow.nl              markteffectmail.nl            t-2.com
csob.cz                   matilhadobemadestramento.com  t-2.net
cuni.cz                   mensa.de                      talentech.email
cvut.cz                   metaburn.fi                   tarjousrinki.fi
dailyplaylists.com        mijngezondheid.net            teknikdelar.se
datev.com                 mijnuvt.nl                    telefoonglaasje.nl
datev.de                  militaryonesource.mil         thalesgroup.com
debian.org                minbuza.nl                    thegreenery.com
dedra.cz                  minbzk.nl                     theletter.se
deldinbil.no              mindef.nl                     thepcw.com
derooijfotografie.nl      minmyndighetspost.se          thepcwholesale.com
derute.no                 mklozkoviny.sk                theruleofliberty.com
dfn.de                    mkluzkoviny.cz                tilburguniversity.edu
dictu.nl                  mm1.nl                        tjenestekompaniet.no
digid.nl                  mobily.com.sa                 toptop.sk
digitaleverkiezing.nl     mpg.de                        torproject.org
directmail-fraus.cz       mplbeauty.com                 traficom.fi
dk-hostmaster.dk          mpssec.net                    transip.nl
dla.mil                   mulderretail.nl               travailler-en-suisse.ch
domeneshop.no             muni.cz                       tricommerce.dk
dressuurnatuurlijk.nl     mx-relay.com                  triodos.co.uk
duo.nl                    mystuff.no                    triodos.com
e-kondomy.cz              myvillage.com                 triodos.es
e-negociacao.com.br       nanolearning.com              triodos.nl
eco-logisch.nl            nanospace.cz                  truewaykids.com
ecster.se                 navy.mil                      tum.de
edenhotels.nl             neolink.link                  tutanota.com
edtm-actu.fr              netbsd.org                    tutanota.de
efactuurdirect.nl         netic.dk                      uib.no
egmontpublishing.dk       nic.br                        uitgeverijpica.nl
egu.eu                    nic.cz                        uni-augsburg.de
ekokoza.cz                nieuwsservice-rvo.nl          uni-c.dk
elster.de                 nine-pine.com                 uni-erlangen.de
erotik-service.ch         norskgrammatikk.no            uni-kl.de
exegy.com                 ns.nl                         uni-muenchen.de
extinctionrebellion.nl    one.com                       univie.ac.at
ezorg.nl                  onebit.cz                     up2staff.com
fabfilter.com             oo2.fr                        uscg.mil
fastware-hosting.com      open.ch                       usmc.mil
fau.de                    openssl.org                   utwente.nl
fibianet.dk               optimail.cz                   uv.es
fidesz.hu                 oraclegirl.org                uvt.nl
fidus.nl                  orangebag.nl                  uwv.nl
finesoftware.eu           orsys.com                     valys.nl
fio.cz                    osd.mil                       vas-server.cz
fivem.net                 otys.nl                       vcelka.cz
flaneurhomme.com          ouderenfonds.nl               veganallsorts.com
freebsd.org               ouderportaal.nl               venauto.nl
freenet.de                outlet-alpine.cz              vicinityclo.de
fsol.fi                   overheid.nl                   vimexx.nl
gentoo.org                ozlabs.org                    viphuset.no
gezond.nl                 partijvoordedieren.nl         virusfree.cz
gmx.at                    peterhald.dk                  vitalize.nl
gmx.ch                    pieter-pot.com                vitstore.com
gmx.com                   pm.me                         vivaldi.com
gmx.de                    pobox.sk                      vogeldagboek.nl
gmx.net                   podiumcadeaukaart.nl          volny.cz
goget.nu                  polisen.se                    voorpositiviteit.nl
govtrack.us               politie.nl                    vu.nl
guttelus.no               pompomlondon.com              waternet.nl
habr.com                  poptavej.cz                   web.de
habramail.net             posteo.de                     webcruiter.com
handelsbanken.dk          pp-prd.nl                     webmailph.com
handelsbanken.fi          ppcpcv.com                    websupport.se
handelsbanken.no          pre.cz                        westlotto.de
handelsbanken.se          predplatit.cz                 win-rar.com
healthcheckcenter.nl      previder.nl                   wog.ch
herinneringenoplinnen.nl  procurios.net                 xel.nl
herobrine.org             promorealdeals.ch             xfinity.com
hi7.de                    proton.me                     xfinityhomesecurity.com
high5.nl                  protonmail.ch                 xfinitymobile.com
hobbygigant.nl            protonmail.com                xs4all.net
hoobly.com                protonvpn.com                 ymeuniverse.com
hostingpeople.nl          publicroam.nl                 zapardrobnych.sk
hostpoint.ch              pvv.nl                        zdravestravovani.cz
hotelsinduitsland.com     quantum-services.us           zlate-mince.cz
hr-manager.net            raskebriller.no               zone.ee
hr.nl                     rediris.es                    zone.eu
hyttefeber.no             registro.br                   zonevs.eu
idrettenonline.no         renworkshops.com              zorgmail.nl
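The post's advice to monitor the validity of your own TLSA records, together with footnote [1] (a dead MX host only needs records that exist and are well-formed), can be turned into an offline check. The Python below is an added example and not Viktor's survey code. It assumes the caller has already fetched the domain's MX list and each host's TLSA RRset from DNS and obtained the DER certificate chain (with each certificate's DER SubjectPublicKeyInfo) from the STARTTLS handshake; the certificate bytes, hostnames and domain names in the demo are constructed placeholders, not real data.

```python
"""Offline sanity check for SMTP DANE TLSA records (added example, not the post's code).

Two checks: each published record is well-formed, and every MX host of a domain is
covered by a record matching what the host actually serves. DNS lookups and the
STARTTLS handshake are assumed done by the caller; sample certificates below are
constructed placeholder bytes, not real DER.
"""
import hashlib
from dataclasses import dataclass

DIGEST = {1: "sha256", 2: "sha512"}   # TLSA matching types that carry a hash


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0..3; only DANE-TA(2) and DANE-EE(3) are used for SMTP (RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes


def parse_tlsa(presentation: str) -> TLSA:
    """Parse zone-file presentation format such as '3 1 1 <hex>'."""
    usage, selector, mtype, hexdata = presentation.split(None, 3)
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata.replace(" ", "")))


def is_well_formed(rr: TLSA) -> bool:
    """Syntactic check only: the bar a dead MX host has to clear (footnote [1])."""
    if rr.usage not in range(4) or rr.selector not in (0, 1) or rr.mtype not in range(3):
        return False
    if rr.mtype == 0:
        return len(rr.data) > 0
    return len(rr.data) == hashlib.new(DIGEST[rr.mtype]).digest_size


def tlsa_record_for(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> str:
    """The record an operator publishes for a certificate: the key-rotation step."""
    selected = cert_der if selector == 0 else spki_der
    data = selected if mtype == 0 else hashlib.new(DIGEST[mtype], selected).digest()
    return f"{usage} {selector} {mtype} {data.hex()}"


def rr_matches(rr: TLSA, chain: list) -> bool:
    """chain = [(cert_der, spki_der), ...], end-entity first.

    DANE-EE(3) must match the end-entity cert, DANE-TA(2) an issuer in the chain;
    PKIX usages are not usable for SMTP and never match here.
    """
    candidates = chain[:1] if rr.usage == 3 else chain[1:] if rr.usage == 2 else []
    for cert_der, spki_der in candidates:
        selected = cert_der if rr.selector == 0 else spki_der
        digest = selected if rr.mtype == 0 else hashlib.new(DIGEST[rr.mtype], selected).digest()
        if digest == rr.data:
            return True
    return False


def check_domain(mx_hosts, tlsa_rrsets, served) -> dict:
    """Classify a domain the way the post's counts do.

    tlsa_rrsets: host -> list of presentation-format records (absent = none published)
    served:      host -> chain as above; [] = connects but no STARTTLS; None = host down
    """
    uncovered, broken = [], []
    for host in mx_hosts:
        rrs = [parse_tlsa(s) for s in tlsa_rrsets.get(host, [])]
        if not rrs:
            uncovered.append(host)        # "partial": active attacks still work via this host
        elif not all(is_well_formed(r) for r in rrs):
            broken.append(host)
        elif served.get(host) is None:
            continue                      # dead host with well-formed records: no loss
        elif not any(rr_matches(r, served[host]) for r in rrs):
            broken.append(host)           # no STARTTLS, stale key, or wrong digest
    status = "broken" if broken else ("partial" if uncovered else "ok")
    return {"status": status, "uncovered": uncovered, "broken": broken}


# Constructed placeholders standing in for DER certificate / SPKI bytes.
EE_OLD = (b"constructed-der-cert-old", b"constructed-spki-old")
EE_NEW = (b"constructed-der-cert-new", b"constructed-spki-new")
ISSUER = (b"constructed-der-cert-issuer", b"constructed-spki-issuer")


def demo() -> dict:
    """Three hypothetical domains covering the categories the post reports."""
    good = tlsa_record_for(3, 1, 1, *EE_NEW)
    ta = tlsa_record_for(2, 1, 1, *ISSUER)
    stale = tlsa_record_for(3, 1, 1, *EE_OLD)     # key rotated, DNS never updated
    return {
        "good.example": check_domain(["mx1", "mx2"], {"mx1": [good, ta], "mx2": [good]},
                                     {"mx1": [EE_NEW, ISSUER], "mx2": None}),   # mx2 dead
        "partial.example": check_domain(["mx1", "mx2"], {"mx1": [good]},
                                        {"mx1": [EE_NEW], "mx2": [EE_NEW]}),
        "broken.example": check_domain(["mx1", "mx2"], {"mx1": [stale], "mx2": [good]},
                                       {"mx1": [EE_NEW, ISSUER], "mx2": []}),  # no STARTTLS
    }


if __name__ == "__main__":
    for domain, result in demo().items():
        print(domain, result)
```

`tlsa_record_for` is the output of a key rotation: generate the record for the new key from its SPKI, publish it next to the old record, and only switch the server to the new key once the new record has propagated and `rr_matches` reports a match against the served chain; the `broken.example` case shows what a rotation without that step looks like to a DANE-verifying sender.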