From ietf-dane at dukhovni.org Tue Mar 1 01:28:21 2022
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Mon, 28 Feb 2022 19:28:21 -0500
Subject: Update on stats 2022-02
Message-ID:

Summary: The DANE domain count is now 3,171,233 (cf. 3,153,006 last month).
The number of domains that return DNSSEC-validated replies in response to MX
queries is 17,945,028 (up from 17,670,769 last month). Thus DANE TLSA is
deployed on ~17.67% of domains with DNSSEC. For more stats, see .

[ See the Credits[0] list below my signature. ]

As of today I count ~3.17 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk
of the DANE domains are hosted by the DNS/email hosting providers who've
enabled DANE support for the customer domains they host. The top 20 MX host
providers by domain count are below.

    This month                       Last Month
    ----------                       ----------
    1239857 one.com                  1235173 one.com
     276109 hostpoint.ch              275090 hostpoint.ch
     160146 infomaniak.ch             158083 infomaniak.ch
     157827 transip.nl                156876 transip.nl
     150199 argewebhosting.nl         150857 argewebhosting.nl
     107297 domeneshop.no             106966 domeneshop.no
      97131 webhostingserver.nl        97403 webhostingserver.nl
      95810 loopia.se                  95392 loopia.se
      95176 jouwweb.nl                 92990 jouwweb.nl
      74648 forpsi.com                 73745 forpsi.com
      55862 zxcs.nl                    53390 zxcs.nl
      47053 active24.com               46913 active24.com
      41756 webreus.nl                 41099 webreus.nl
      39085 antagonist.nl              38881 antagonist.nl
      35599 pcextreme.nl               35846 pcextreme.nl
      27485 udmedia.de                 27214 udmedia.de
      26856 web4u.cz                   26766 web4u.cz
      26320 vevida.com                 26679 vevida.com
      26289 webhosting.dk              26497 webhosting.dk
      24182 protonmail.ch              23458 protonmail.ch

The real numbers are surely larger, because I don't have access to the full
zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts
shows the below top 20 countries (each unique IP address is counted, so
multi-homed MX hosts are perhaps somewhat over-represented).

    This month                       Last month
    ----------                       ----------
    9660 TOTAL                       9425 TOTAL
    2843 DE, Germany                 2763 DE, Germany
    1828 NL, Netherlands             1810 NL, Netherlands
    1766 US, United States           1723 US, United States
     712 FR, France                   692 FR, France
     337 GB, United Kingdom           336 GB, United Kingdom
     296 CZ, Czechia                  280 CZ, Czechia
     214 CA, Canada                   208 FI, Finland
     213 FI, Finland                  207 CA, Canada
     150 AT, Austria                  135 AT, Austria
     135 DK, Denmark                  134 DK, Denmark
     128 SG, Singapore                121 SG, Singapore
     124 CH, Switzerland              119 CH, Switzerland
     109 SE, Sweden                   108 SE, Sweden
     107 AU, Australia                105 AU, Australia
      59 PL, Poland                    58 PL, Poland
      45 RU, Russia                    46 RU, Russia
      45 NO, Norway                    44 IE, Ireland
      41 JP, Japan                     43 NO, Norway
      41 IE, Ireland                   40 BR, Brazil
      36 BR, Brazil                    39 JP, Japan

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE
MX host IPv6 GeoIP are:

    This month                       Last month
    ----------                       ----------
    7636 TOTAL                       7480 TOTAL
    3492 NL, Netherlands             3484 NL, Netherlands
    2105 DE, Germany                 1987 DE, Germany
     799 US, United States            771 US, United States
     299 FR, France                   298 FR, France
     158 CZ, Czechia                  165 CZ, Czechia
     151 GB, United Kingdom           144 GB, United Kingdom
      82 FI, Finland                   82 FI, Finland
      63 CA, Canada                    61 CA, Canada
      57 CH, Switzerland               50 CH, Switzerland
      49 AU, Australia                 46 AU, Australia
      45 SE, Sweden                    44 SE, Sweden
      42 SG, Singapore                 41 SG, Singapore
      33 AT, Austria                   32 RU, Russia
      32 JP, Japan                     32 AT, Austria
      25 RU, Russia                    28 JP, Japan
      21 IE, Ireland                   22 IE, Ireland
      19 NO, Norway                    19 NO, Norway
      19 DK, Denmark                   19 DK, Denmark
      14 BR, Brazil                    17 BR, Brazil
      11 SI, Slovenia                  11 SI, Slovenia

There are 7,895 unique zones (7,618 last month) in which the underlying MX
hosts are found. This counts each of the above providers as just one zone,
so it is a measure of the breadth of adoption in terms of organizations
deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 16,959 (16,571 last
month). These cover 17,222 distinct MX hosts (16,838 last month; some MX
hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's email
transparency report is 593 (this is my ad-hoc criterion for a domain being a
large-enough actively used email domain). Of these, 326 are in recent (last
90 days of) reports (see [2] below my signature).

Of the ~3.17 million DANE domains, 12,742 (12,666 last month) have "partial"
TLSA records, which cover only a subset of the (secondary) MX hosts. While
this protects traffic to some of the MX hosts, such domains are still
vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1136 (1191
last month). Some of these have additional MX hosts that don't have broken
TLSA records, so mail can still arrive via the remaining MX hosts. The
affected domain counts for the top 10 problem MX hosts are:

    87 beta.itcomputers.eu
    19 mx1.mdbraber.com
    18 mx3.ski-bergtouren.ch
    16 e-vps.hacktheplanet.nl
    15 web1.ams.dcg.t-host.net
    15 artemis.strebsjig.net
    11 sfo-exc03.corp.sfo.ch
    11 mx01.mykolab.com
    10 mail.campana.email
     9 urmail.space

To avoid email outages, please make sure to monitor the validity of your own
TLSA records, and implement a reliable key rotation procedure.
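The monitoring the previous paragraph asks for boils down to one comparison: derive the TLSA matching data from the certificate an MX host actually serves and check that it appears in the TLSA RRset published in DNS, then repeat that for every MX host of the domain so that none is left "partial". The following is an added example, not code from the post or from any DANE tool; the certificate it uses is a constructed, minimal X.509-shaped DER blob with a dummy signature (labelled as such below), and the names `SAMPLE_CERT`, `extract_spki`, `tlsa_rdata`, `cert_matches_rrset` and `tlsa_coverage` are this example's own.

```python
# Added example (not code from the post or from any DANE tool): compute the
# TLSA matching data for an MX host certificate and compare it with the
# RRset published in DNS, the check a TLSA monitoring job performs.
import hashlib


def der_encode(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (definite length form)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_decode(buf: bytes, pos: int = 0):
    """Return (tag, body, position after this TLV) for the TLV at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, hdr = first, 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        hdr = 2 + nbytes
    start = pos + hdr
    return tag, buf[start:start + length], start + length


def der_children(body: bytes):
    """Yield (tag, whole TLV bytes) for each element of a SEQUENCE body."""
    pos = 0
    while pos < len(body):
        tag, _, nxt = der_decode(body, pos)
        yield tag, body[pos:nxt]
        pos = nxt


def extract_spki(cert_der: bytes) -> bytes:
    """Return the SubjectPublicKeyInfo TLV of an X.509 certificate.
    tbsCertificate = [0] version (optional), serialNumber, signature, issuer,
    validity, subject, subjectPublicKeyInfo, ... (RFC 5280 section 4.1)."""
    _, cert_body, _ = der_decode(cert_der)
    _, tbs_tlv = next(der_children(cert_body))
    _, tbs_body, _ = der_decode(tbs_tlv)
    fields = list(der_children(tbs_body))
    if fields[0][0] == 0xA0:          # skip the explicit [0] version, if present
        fields = fields[1:]
    tag, spki_tlv = fields[5]
    if tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return spki_tlv


def tlsa_rdata(cert_der: bytes, usage: int = 3, selector: int = 1, mtype: int = 1) -> str:
    """TLSA presentation data (RFC 6698): selector 0 covers the whole cert,
    selector 1 the SubjectPublicKeyInfo; matching type 1 = SHA-256,
    2 = SHA-512, 0 = raw data."""
    data = extract_spki(cert_der) if selector == 1 else cert_der
    if mtype == 1:
        digest = hashlib.sha256(data).hexdigest()
    elif mtype == 2:
        digest = hashlib.sha512(data).hexdigest()
    else:
        digest = data.hex()
    return f"{usage} {selector} {mtype} {digest}"


def cert_matches_rrset(cert_der: bytes, published) -> bool:
    """True if some published DANE-EE (usage 3) record matches the served leaf.
    Usage 2 (DANE-TA) records describe the issuing CA, so the leaf alone
    cannot confirm them; checking those needs the chain the server sends."""
    want = {" ".join(r.lower().split()) for r in published}
    return any(tlsa_rdata(cert_der, 3, sel, mt) in want
               for sel in (0, 1) for mt in (0, 1, 2))


def tlsa_coverage(mx_hosts, tlsa_by_host) -> str:
    """'full', 'partial' or 'none': a domain whose secondary MX hosts lack
    TLSA records is only partially protected (the post's "partial" count)."""
    covered = [h for h in mx_hosts if tlsa_by_host.get(h)]
    if not covered:
        return "none"
    return "full" if len(covered) == len(mx_hosts) else "partial"


def build_sample_cert(spki_tlv: bytes) -> bytes:
    """CONSTRUCTED sample: an X.509-shaped DER blob around the given SPKI,
    with empty names and a dummy signature; not a real certificate."""
    sig_alg = der_encode(0x30, der_encode(0x06, bytes.fromhex("2a864886f70d01010b"))
                         + der_encode(0x05, b""))                   # sha256WithRSAEncryption
    name = der_encode(0x30, b"")                                     # empty Name
    validity = der_encode(0x30, der_encode(0x17, b"220101000000Z")
                          + der_encode(0x17, b"230101000000Z"))
    tbs = der_encode(0x30, der_encode(0xA0, der_encode(0x02, b"\x02"))  # version v3
                     + der_encode(0x02, b"\x01") + sig_alg + name + validity
                     + name + spki_tlv)
    return der_encode(0x30, tbs + sig_alg + der_encode(0x03, b"\x00" + bytes(16)))


# Constructed Ed25519-shaped SPKI (OID 1.3.101.112) with a dummy 32-byte key.
SAMPLE_SPKI = der_encode(0x30, der_encode(0x30, der_encode(0x06, bytes.fromhex("2b6570")))
                         + der_encode(0x03, b"\x00" + bytes(range(32))))
SAMPLE_CERT = build_sample_cert(SAMPLE_SPKI)

if __name__ == "__main__":
    expected = tlsa_rdata(SAMPLE_CERT)        # "3 1 1 <SHA-256 of the SPKI>"
    published = [expected]                    # stand-in for the DNS TLSA answer
    print("record implied by served cert:", expected)
    print("published RRset matches:", cert_matches_rrset(SAMPLE_CERT, published))
    print("coverage:", tlsa_coverage(["mx1.example", "mx2.example"],
                                     {"mx1.example": published}))
```

To use it on a real host, replace `SAMPLE_CERT` with the DER certificate the MX host serves after STARTTLS and `published` with the TLSA RRset obtained through a DNSSEC-validating resolver (neither fetch is shown here); a mismatch on any MX host is exactly the outage condition the post counts under broken TLSA records, and a `partial` coverage result means some secondary MX host still has no record at all.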
See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:

    This Month                       Last month
    ----------                       ----------
    569 registrar-servers.com        596 registrar-servers.com
    152 axc.nl                       171 axc.nl
     82 ebola.cz                      83 ebola.cz
     56 worldnic.com                  42 worldnic.com
     38 mijndomein.nl                 31 mijndomein.nl
     30 ns01.nl                       30 ns01.nl
     29 made-easy.ch                  28 made-easy.ch
     26 hostline.fr                   18 cloudflare.com
     20 register.com                  15 register.com
     18 cloudflare.com                15 epik.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list), but
also the root cause that makes the breakage possible.

Six of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

    coren-sp.gov.br
    icv-crew.com
    urbtix.hk
    mailazy.net
    kprm.gov.pl
    novathreads.us

-- 
    Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also due
to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM,
.DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of
ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also impose
undue latency on legitimate email). However, provided the dead hosts still
have TLSA records (which don't need to match anything, just need to exist
and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

    univie.ac.at                  bund.de                   hro.nl
    gmx.at                        bundesregierung.de        interim-netwerk.nl
    tip.net.au                    datev.de                  lico.nl
    boozyshop.be                  dfn.de                    luxiez.nl
    triodos.be                    elster.de                 mailplus.nl
    clubedohardware.com.br        emailn.de                 mailshover.nl
    e-negociacao.com.br           fau.de                    mijnhypotheekonline.nl
    e-renegocie.com.br            freenet.de                mijnsalon.nl
    nic.br                        gmx.de                    mijnuvt.nl
    registro.br                   jpberlin.de               minbuza.nl
    activfitness-news.ch          lmu.de                    minbzk.nl
    gmx.ch                        lrz.de                    mindef.nl
    hostpoint.ch                  mail.de                   mm1.nl
    infomaniak.ch                 mensa.de                  ns.nl
    linsenkontakt.ch              mpg.de                    orangebag.nl
    open.ch                       posteo.de                 otys.nl
    protonmail.ch                 ruhr-uni-bochum.de        ouderportaal.nl
    switch.ch                     tum.de                    overheid.nl
    simplelogin.co                tutanota.de               partijvoordedieren.nl
    402automotive.com             uni-augsburg.de           plusticket.nl
    anubisnetworks.com            uni-erlangen.de           politie.nl
    cm.com                        uni-kl.de                 pp-prd.nl
    connectsb.com                 uni-muenchen.de           previder.nl
    dailyplaylists.com            unitymedia.de             rdw.nl
    datev.com                     web.de                    rijksoverheid.nl
    fabfilter.com                 westlotto.de              rivm.nl
    fastware-hosting.com          actie.deals               rotterdam.nl
    flaneurhomme.com              exoticmix.dk              rvo.nl
    gmx.com                       fibianet.dk               sans-mail.nl
    habr.com                      handelsbanken.dk          schoudercom.nl
    hoobly.com                    jule-sweaters.dk          schuurman-schoenen.nl
    hotelsinduitsland.com         juliesandlau.dk           sportrusten.nl
    imcnig.com                    netic.dk                  ssonet.nl
    infomaniak.com                nota.dk                   stater.nl
    ingthink.com                  seniornews.dk             sushipoint.nl
    joomlapolis.com               shapeit.dk                telefoonglaasje.nl
    jula.com                      shellcard.dk              transip.nl
    kpn.com                       stil.dk                   triodos.nl
    langerhans.com                wavell.dk                 leszexpertsfle.com
    tilburguniversity.edu         utwente.nl                librti.com
    spike.email                   uvt.nl                    mail.com
    spotler.email                 uwv.nl                    mammoetmail.com
    talentech.email               vimexx.nl                 matilhadobemadestramento.com
    rediris.es                    voorpositiviteit.nl       mplbeauty.com
    triodos.es                    vpo.nl                    mx-relay.com
    uv.es                         vu.nl                     nanolearning.com
    egu.eu                        vvv-venlo.nl              nine-pine.com
    zone.eu                       waternet.nl               one.com
    zonevs.eu                     woongarantvolmacht.nl     protonmail.com
    handelsbanken.fi              zorgmail.nl               protonvpn.com
    tarjousrinki.fi               annabellstefanussen.no    renworkshops.com
    traficom.fi                   audi.no                   run-motion.com
    ac-strasbourg.fr              bergengokart.no           sankakucomplex.com
    compagnie-des-sens.fr         derute.no                 serverclienti.com
    kangouroukids.fr              domeneshop.no             societe.com
    oo2.fr                        guttelus.no               solvinity.com
    fidesz.hu                     handelsbanken.no          sportnotch.com
    neolink.link                  idrettenonline.no         stater.com
    pm.me                         malestudio.no             stellarequipment.com
    army.mil                      mystuff.no                t-2.com
    dla.mil                       norskgrammatikk.no        thalesgroup.com
    jten.mil                      rushtrampoline.no         thepcw.com
    mail.mil                      uib.no                    thepcwholesale.com
    militaryonesource.mil         viphuset.no               triodos.com
    navy.mil                      atelkamera.nu             tutanota.com
    nga.mil                       goget.nu                  up2staff.com
    osd.mil                       lenhud.nu                 veganallsorts.com
    socom.mil                     aegee.org                 vitstore.com
    uscg.mil                      calyxinstitute.org        vivaldi.com
    usmc.mil                      debian.org                webcruiter.com
    comcast.net                   freebsd.org               webmailph.com
    fivem.net                     gentoo.org                xfinity.com
    gmx.net                       ietf.org                  xfinityhomesecurity.com
    habramail.net                 irtf.org                  xfinitymobile.com
    hr-manager.net                isc.org                   ymeuniverse.com
    inexio.net                    mailbox.org               bncr.fi.cr
    mijngezondheid.net            mailop.org                akce-incomputer.cz
    mpssec.net                    netbsd.org                bewooden.cz
    procurios.net                 oraclegirl.org            csob.cz
    ripe.net                      ozlabs.org                cuni.cz
    riseup.net                    samba.org                 cvut.cz
    t-2.net                       torproject.org            e-kondomy.cz
    transip.net                   asf.com.pt                ekokoza.cz
    xs4all.net                    mobily.com.sa             fio.cz
    123watches.nl                 bilprovningen.se          itesco.cz
    amsterdam.nl                  ecster.se                 kb.cz
    argeweb.nl                    handelsbanken.se          klenotyaurum.cz
    belastingdienst.nl            lomervarde.se             klubpevnehozdravi.cz
    bhsupport.nl                  loopia.se                 ksporting.cz
    bluerail.nl                   minmyndighetspost.se      manymail.cz
    bolerolimonadewinkel.nl       polisen.se                mkluzkoviny.cz
    boozyshop.nl                  racketspecialisten.se     muni.cz
    burgernet.nl                  skatteverket.se           nanospace.cz
    caracamilla.nl                teknikdelar.se            onebit.cz
    cbr.nl                        theletter.se              optimail.cz
    corpoflow.nl                  voteit.se                 poptavej.cz
    derooijfotografie.nl          dovypredania.sk           pre.cz
    dictu.nl                      mastersport.sk            predplatit.cz
    digid.nl                      mklozkoviny.sk            scrptd.cz
    duo.nl                        pneusvet.sk               server4u.cz
    eco-logisch.nl                rondogo.sk                smtp.cz
    edenhotels.nl                 satro.sk                  sparkys.cz
    ezorg.nl                      toptop.sk                 stoklasa.cz
    fidus.nl                      zapardrobnych.sk          vas-server.cz
    haibu.nl                      triodos.co.uk             virusfree.cz
    healthcheckcenter.nl          govtrack.us               zdravestravovani.cz
    herinneringenoplinnen.nl      quantum-services.us       bayern.de
    high5.nl                      ru.ac.za                  brandenburg.de
    hr.nl