Update on stats 2022-05

Viktor Dukhovni ietf-dane at dukhovni.org
Wed Jun 1 05:58:56 CEST 2022


Summary:  The DANE domain count is now 3,235,913 (cf. 3,197,734 last
          month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 18,591,690 (up from 18,409,733 last
          month).  Thus DANE TLSA is deployed on ~17.40% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

          Another milestone, as of today, the .COM TLD now has more than
          5 million signed delegations.

As of today I count ~3.24 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1242988 one.com              1243696 one.com
   278263 hostpoint.ch          277421 hostpoint.ch
   165958 infomaniak.ch         164315 infomaniak.ch
   160813 transip.nl            159902 transip.nl
   158555 argewebhosting.nl     158479 argewebhosting.nl
   107363 domeneshop.no         107350 domeneshop.no
    98980 jouwweb.nl             97611 jouwweb.nl
    96757 loopia.se              96400 loopia.se
    95704 webhostingserver.nl    96065 webhostingserver.nl
    76489 forpsi.com             75966 forpsi.com
    60790 zxcs.nl                59337 zxcs.nl
    47127 active24.com           47090 active24.com
    40731 webreus.nl             41006 webreus.nl
    39430 antagonist.nl          39296 antagonist.nl
    34847 pcextreme.nl           35099 pcextreme.nl
    27612 udmedia.de             27513 udmedia.de
    26602 protonmail.ch          26802 web4u.cz
    26570 web4u.cz               25925 webhosting.dk
    25850 webhosting.dk          25763 vevida.com
    25519 vevida.com             25515 protonmail.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month                 Last month
  -----------                ----------
  10052 TOTAL                9944 TOTAL
   2983 DE, Germany          2956 DE, Germany
   1864 NL, Netherlands      1844 NL, Netherlands
   1790 US, United States    1789 US, United States
    737 FR, France            737 FR, France
    349 GB, United Kingdom    346 GB, United Kingdom
    325 CZ, Czechia           331 CZ, Czechia
    228 FI, Finland           226 FI, Finland
    225 CA, Canada            213 CA, Canada
    159 AT, Austria           156 AT, Austria
    137 SG, Singapore         130 SG, Singapore
    129 DK, Denmark           129 CH, Switzerland
    129 CH, Switzerland       127 DK, Denmark
    109 AU, Australia         110 SE, Sweden
    107 SE, Sweden            106 AU, Australia
     59 PL, Poland             59 PL, Poland
     52 JP, Japan              48 JP, Japan
     51 RU, Russia             46 RU, Russia
     47 NO, Norway             46 NO, Norway
     44 BR, Brazil             43 BR, Brazil
     41 IE, Ireland            40 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  7869 TOTAL               7816 TOTAL
  3534 NL, Netherlands     3507 NL, Netherlands
  2202 DE, Germany         2162 DE, Germany
   817 US, United States    812 US, United States
   322 FR, France           317 FR, France
   191 CZ, Czechia          187 CZ, Czechia
   150 GB, United Kingdom   158 GB, United Kingdom
    76 FI, Finland           82 FI, Finland
    71 CA, Canada            63 CA, Canada
    59 CH, Switzerland       60 CH, Switzerland
    51 AU, Australia         50 AU, Australia
    42 SE, Sweden            45 AT, Austria
    40 SG, Singapore         40 SG, Singapore
    38 AT, Austria           39 SE, Sweden
    37 JP, Japan             32 JP, Japan
    25 NO, Norway            30 RU, Russia
    22 DK, Denmark           22 IE, Ireland
    18 IE, Ireland           20 DK, Denmark
    16 RU, Russia            19 NO, Norway
    15 BR, Brazil            15 BG, Bulgaria
    12 LT, Lithuania         13 LT, Lithuania

There are 8,234 unique zones (8,119 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 17,494 (17,295 last
month).  These cover 17,782 distinct MX hosts (17,568 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 643 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 387
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.24 million DANE domains, 12,258 (27,938 last month) have "partial"
TLSA records that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,109
(1,147 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

  85 beta.itcomputers.eu
  19 mx1.mdbraber.com
  16 e-vps.hacktheplanet.nl
  15 mail.nationaalarchief.nl
  15 mail.gregdouglas.net
  15 artemis.strebsjig.net
  11 mail.ontharen-rotterdam.nl
   9 mx1.digi.nl
   9 mx01.mykolab.com
   9 mail.qusign.net

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month).  The top 10 name server operators with problem domains are:

  This Month                 Last month
  ----------                 ----------
  573 registrar-servers.com  563 registrar-servers.com
  236 mijndomein.nl          151 axc.nl
  159 worldnic.com            90 worldnic.com
  145 axc.nl                  76 ebola.cz
   85 ebola.cz                41 epik.com
   31 openprovider.nl         39 mijndomein.nl
   31 made-easy.ch            32 openprovider.nl
   31 epik.com                31 made-easy.ch
   26 ns01.nl                 27 register.com
   24 register.com            26 ns01.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Four of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  mailazy.net
  kprm.gov.pl
  novathreads.us

--
      Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:


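The "partial" and "incorrect TLSA record" categories counted above, and the footnote [1] point that a dead MX host only needs well-formed TLSA records, can be checked for one's own domain with a small offline classifier. The following is an added example, not the script behind this report; it takes a domain's MX host list and the TLSA RRsets already fetched from `_25._tcp.<mx-host>` (DNS lookups and the STARTTLS probe are out of scope here, all inputs are constructed) and reports which MX hosts are covered, missing or broken.

```python
from dataclasses import dataclass

DIGEST_LEN = {1: 32, 2: 64}  # association data length for SHA-256 / SHA-512

@dataclass(frozen=True)
class TLSA:
    usage: int     # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int  # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int     # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes    # certificate association data

def tlsa_errors(rr):
    """Reasons an SMTP client would treat this record as unusable."""
    errs = []
    if rr.usage not in (2, 3):  # PKIX usages are unusable for SMTP DANE (RFC 7672)
        errs.append(f"usage {rr.usage} unusable for SMTP; use DANE-TA(2) or DANE-EE(3)")
    if rr.selector not in (0, 1):
        errs.append(f"unknown selector {rr.selector}")
    if rr.mtype not in (0, 1, 2):
        errs.append(f"unknown matching type {rr.mtype}")
    elif len(rr.data) != DIGEST_LEN.get(rr.mtype, len(rr.data) or 1):  # type 0: any non-empty
        errs.append(f"association data length {len(rr.data)} wrong for type {rr.mtype}")
    return errs

def tlsa_warnings(rr):
    """Records that validate today but break on routine certificate renewal."""
    if rr.usage == 3 and rr.selector == 0 and rr.mtype in DIGEST_LEN:
        return [f"3 0 {rr.mtype} pins the whole certificate; prefer 3 1 1 (key only)"]
    return []

def classify_domain(mx_hosts, tlsa_by_host):
    """Classify a domain from its MX hosts and the TLSA RRsets at _25._tcp.<mx>:
    'full', 'partial' (some MX hosts lack TLSA records), 'broken' (an MX host has
    only unusable records) or 'none'. A dead MX host with well-formed records is fine."""
    rep = {"covered": [], "missing": [], "broken": {}, "warnings": {}}
    for host in mx_hosts:
        rrset = tlsa_by_host.get(host, [])
        if not rrset:
            rep["missing"].append(host)
            continue
        usable = [rr for rr in rrset if not tlsa_errors(rr)]
        if not usable:  # every record unusable: this is a "problem MX host"
            rep["broken"][host] = [e for rr in rrset for e in tlsa_errors(rr)]
            continue
        rep["covered"].append(host)
        warns = [w for rr in usable for w in tlsa_warnings(rr)]
        if warns:
            rep["warnings"][host] = warns
    if rep["broken"]:
        rep["status"] = "broken"
    elif not rep["covered"]:
        rep["status"] = "none"
    else:
        rep["status"] = "partial" if rep["missing"] else "full"
    return rep
```

A host whose RRset mixes unusable and usable records is treated as covered, since clients ignore the unusable records; a domain is "partial" only when a listed MX host has no TLSA RRset at all.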
