Update on stats 2022-02

Viktor Dukhovni ietf-dane at dukhovni.org
Tue Mar 1 01:28:21 CET 2022


Summary:  The DANE domain count is now 3,171,233 (c.f. 3,153,006 last
          month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 17,945,028 (up from 17,670,769 last
          month).  Thus DANE TLSA is deployed on ~17.67% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today I count ~3.17 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1239857 one.com              1235173 one.com             
   276109 hostpoint.ch          275090 hostpoint.ch        
   160146 infomaniak.ch         158083 infomaniak.ch       
   157827 transip.nl            156876 transip.nl          
   150199 argewebhosting.nl     150857 argewebhosting.nl   
   107297 domeneshop.no         106966 domeneshop.no       
    97131 webhostingserver.nl    97403 webhostingserver.nl 
    95810 loopia.se              95392 loopia.se           
    95176 jouwweb.nl             92990 jouwweb.nl          
    74648 forpsi.com             73745 forpsi.com          
    55862 zxcs.nl                53390 zxcs.nl             
    47053 active24.com           46913 active24.com        
    41756 webreus.nl             41099 webreus.nl          
    39085 antagonist.nl          38881 antagonist.nl       
    35599 pcextreme.nl           35846 pcextreme.nl        
    27485 udmedia.de             27214 udmedia.de          
    26856 web4u.cz               26766 web4u.cz            
    26320 vevida.com             26679 vevida.com          
    26289 webhosting.dk          26497 webhosting.dk       
    24182 protonmail.ch          23458 protonmail.ch       

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
   9660 TOTAL                9425 TOTAL              
   2843 DE, Germany          2763 DE, Germany        
   1828 NL, Netherlands      1810 NL, Netherlands    
   1766 US, United States    1723 US, United States  
    712 FR, France            692 FR, France         
    337 GB, United Kingdom    336 GB, United Kingdom 
    296 CZ, Czechia           280 CZ, Czechia        
    214 CA, Canada            208 FI, Finland        
    213 FI, Finland           207 CA, Canada         
    150 AT, Austria           135 AT, Austria        
    135 DK, Denmark           134 DK, Denmark        
    128 SG, Singapore         121 SG, Singapore      
    124 CH, Switzerland       119 CH, Switzerland    
    109 SE, Sweden            108 SE, Sweden         
    107 AU, Australia         105 AU, Australia      
     59 PL, Poland             58 PL, Poland         
     45 RU, Russia             46 RU, Russia         
     45 NO, Norway             44 IE, Ireland        
     41 JP, Japan              43 NO, Norway         
     41 IE, Ireland            40 BR, Brazil         
     36 BR, Brazil             39 JP, Japan          

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
   7636 TOTAL                7480 TOTAL             
   3492 NL, Netherlands      3484 NL, Netherlands   
   2105 DE, Germany          1987 DE, Germany       
    799 US, United States     771 US, United States 
    299 FR, France            298 FR, France        
    158 CZ, Czechia           165 CZ, Czechia       
    151 GB, United Kingdom    144 GB, United Kingdom
     82 FI, Finland            82 FI, Finland       
     63 CA, Canada             61 CA, Canada        
     57 CH, Switzerland        50 CH, Switzerland   
     49 AU, Australia          46 AU, Australia     
     45 SE, Sweden             44 SE, Sweden        
     42 SG, Singapore          41 SG, Singapore     
     33 AT, Austria            32 RU, Russia        
     32 JP, Japan              32 AT, Austria       
     25 RU, Russia             28 JP, Japan         
     21 IE, Ireland            22 IE, Ireland       
     19 NO, Norway             19 NO, Norway        
     19 DK, Denmark            19 DK, Denmark       
     14 BR, Brazil             17 BR, Brazil        
     11 SI, Slovenia           11 SI, Slovenia      

There are 7,895 unique zones (7,618 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 16,959 (16,571 last
month).  These cover 17,222 distinct MX hosts (16,838 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 593 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 326
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.17 million DANE domains, 12,742 (12,666 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts.  While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1136
(1191 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

  87 beta.itcomputers.eu
  19 mx1.mdbraber.com
  18 mx3.ski-bergtouren.ch
  16 e-vps.hacktheplanet.nl
  15 web1.ams.dcg.t-host.net
  15 artemis.strebsjig.net
  11 sfo-exc03.corp.sfo.ch
  11 mx01.mykolab.com
  10 mail.campana.email
   9 urmail.space

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
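The "partial" TLSA count above and the advice to monitor your own TLSA records and rotate keys reliably describe checks a domain owner can run locally before touching DNS or an MX host's certificate. The Python below is an added example, not code from this post or from the survey tooling; it models a TLSA record as (usage, selector, matching type, data), matches records against a presented certificate chain, classifies per-MX coverage the way the survey's "partial" category does, and applies the pre-publish rule for key rotation (the RRset must match both the current and the next chain before the switch). The byte strings, the `example.test` MX names and all function names are constructed for the example; a real check would load DER from the server's chain and fetch RRsets through a DNSSEC-validating resolver.

```python
import hashlib
from dataclasses import dataclass

# Certificate usages that DANE for SMTP (RFC 7672) uses.  PKIX-TA(0) and PKIX-EE(1)
# are not usable for SMTP, so records carrying them are treated as absent.
SMTP_USAGES = {2, 3}                       # DANE-TA(2), DANE-EE(3)
DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0..3
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA-256, 2 = SHA-512
    data: bytes     # certificate association data


def well_formed(rr: TLSA) -> bool:
    """Structural check only: known field values and a digest of the right length.
    This is the bar a deliberately dead MX host still has to clear (footnote [1])."""
    if rr.usage not in (0, 1, 2, 3) or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        return False
    if rr.mtype == 0:
        return len(rr.data) > 0
    return len(rr.data) == DIGEST[rr.mtype]().digest_size


def association_data(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bytes:
    """The value rr.data must carry for rr to match this certificate."""
    obj = cert_der if rr.selector == 0 else spki_der
    return obj if rr.mtype == 0 else DIGEST[rr.mtype](obj).digest()


def tlsa_for(usage: int, selector: int, mtype: int, cert_der: bytes, spki_der: bytes) -> TLSA:
    """Generate the record a publisher would put in DNS for this certificate."""
    obj = cert_der if selector == 0 else spki_der
    return TLSA(usage, selector, mtype, obj if mtype == 0 else DIGEST[mtype](obj).digest())


def matching_records(rrset, chain):
    """Records in rrset that match the presented chain, a list of (cert_der, spki_der)
    pairs with the leaf first.  DANE-EE(3) is checked against the leaf only; DANE-TA(2)
    against the issuing certificates the server included in its chain."""
    matched = []
    for rr in rrset:
        if not well_formed(rr) or rr.usage not in SMTP_USAGES:
            continue
        candidates = chain[:1] if rr.usage == 3 else chain[1:]
        if any(rr.data == association_data(rr, c, s) for c, s in candidates):
            matched.append(rr)
    return matched


def tlsa_coverage(mx_hosts, rrsets_by_host) -> str:
    """Classify a domain: 'full' when every MX host has a usable TLSA RRset,
    'partial' when only some do (the 12,742 case in the report), 'none' otherwise."""
    covered = [h for h in mx_hosts
               if any(well_formed(rr) and rr.usage in SMTP_USAGES
                      for rr in rrsets_by_host.get(h, ()))]
    if covered and len(covered) == len(mx_hosts):
        return "full"
    return "partial" if covered else "none"


def rollover_safe(rrset, current_chain, next_chain) -> bool:
    """Pre-publication rule for key rotation: the RRset must already match both the
    chain in use and the one about to be deployed before the server switches, so no
    client ever verifies the new key against stale records."""
    return bool(matching_records(rrset, current_chain)) and bool(matching_records(rrset, next_chain))


# Constructed placeholder byte strings standing in for DER-encoded certificates and
# SubjectPublicKeyInfo structures; a real check would load these from the server's chain.
CUR_LEAF = (b"constructed-leaf-cert-2022-02", b"constructed-leaf-spki-2022-02")
NEXT_LEAF = (b"constructed-leaf-cert-2022-03", b"constructed-leaf-spki-2022-03")
ISSUER = (b"constructed-issuer-cert", b"constructed-issuer-spki")
CUR_CHAIN, NEXT_CHAIN = [CUR_LEAF, ISSUER], [NEXT_LEAF, ISSUER]


def demo():
    """Walk a hypothetical two-MX domain (example.test) through the checks."""
    ee_cur = tlsa_for(3, 1, 1, *CUR_LEAF)     # "3 1 1" on the current leaf key
    ta = tlsa_for(2, 1, 1, *ISSUER)           # "2 1 1" on the issuer key
    return {
        "ee_matches_current": bool(matching_records([ee_cur], CUR_CHAIN)),
        "ee_matches_next": bool(matching_records([ee_cur], NEXT_CHAIN)),
        "ta_survives_rotation": rollover_safe([ta], CUR_CHAIN, NEXT_CHAIN),
        "ee_only_rollover_safe": rollover_safe([ee_cur], CUR_CHAIN, NEXT_CHAIN),
        "coverage": tlsa_coverage(["mx1.example.test", "mx2.example.test"],
                                  {"mx1.example.test": [ee_cur]}),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The demo shows why a lone "3 1 1" record is not rollover-safe on its own: it matches the current leaf key and nothing else, so either the next key's "3 1 1" record is pre-published or a "2 1 1" record on the issuer key is used, which is only safe where the issuer key is known not to change under you.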

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month).  The top 10 name server operators with problem domains are:

  This Month                 Last month
  ----------                 ----------
  569 registrar-servers.com  596 registrar-servers.com 
  152 axc.nl                 171 axc.nl                
   82 ebola.cz                83 ebola.cz              
   56 worldnic.com            42 worldnic.com          
   38 mijndomein.nl           31 mijndomein.nl         
   30 ns01.nl                 30 ns01.nl               
   29 made-easy.ch            28 made-easy.ch          
   26 hostline.fr             18 cloudflare.com        
   20 register.com            15 register.com          
   18 cloudflare.com          15 epik.com              

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  urbtix.hk
  mailazy.net
  kprm.gov.pl
  novathreads.us

--
      Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                  bund.de                   hro.nl
gmx.at                        bundesregierung.de        interim-netwerk.nl
tip.net.au                    datev.de                  lico.nl
boozyshop.be                  dfn.de                    luxiez.nl
triodos.be                    elster.de                 mailplus.nl
clubedohardware.com.br        emailn.de                 mailshover.nl
e-negociacao.com.br           fau.de                    mijnhypotheekonline.nl
e-renegocie.com.br            freenet.de                mijnsalon.nl
nic.br                        gmx.de                    mijnuvt.nl
registro.br                   jpberlin.de               minbuza.nl
activfitness-news.ch          lmu.de                    minbzk.nl
gmx.ch                        lrz.de                    mindef.nl
hostpoint.ch                  mail.de                   mm1.nl
infomaniak.ch                 mensa.de                  nieuwsservice-rvo.nl
linsenkontakt.ch              mpg.de                    ns.nl
open.ch                       posteo.de                 orangebag.nl
protonmail.ch                 ruhr-uni-bochum.de        otys.nl
switch.ch                     tum.de                    ouderportaal.nl
simplelogin.co                tutanota.de               overheid.nl
402automotive.com             uni-augsburg.de           partijvoordedieren.nl
anubisnetworks.com            uni-erlangen.de           plusticket.nl
cm.com                        uni-kl.de                 politie.nl
connectsb.com                 uni-muenchen.de           pp-prd.nl
dailyplaylists.com            unitymedia.de             previder.nl
datev.com                     web.de                    rdw.nl
fabfilter.com                 westlotto.de              rijksoverheid.nl
fastware-hosting.com          actie.deals               rivm.nl
flaneurhomme.com              exoticmix.dk              rotterdam.nl
gmx.com                       fibianet.dk               rvo.nl
habr.com                      handelsbanken.dk          sans-mail.nl
hoobly.com                    jule-sweaters.dk          schoudercom.nl
hotelsinduitsland.com         juliesandlau.dk           schuurman-schoenen.nl
imcnig.com                    netic.dk                  sportrusten.nl
infomaniak.com                nota.dk                   ssonet.nl
ingthink.com                  seniornews.dk             stater.nl
joomlapolis.com               shapeit.dk                sushipoint.nl
jula.com                      shellcard.dk              telefoonglaasje.nl
kpn.com                       stil.dk                   transip.nl
langerhans.com                wavell.dk                 triodos.nl
leszexpertsfle.com            tilburguniversity.edu     utwente.nl
librti.com                    spike.email               uvt.nl
mail.com                      spotler.email             uwv.nl
mammoetmail.com               talentech.email           vimexx.nl
matilhadobemadestramento.com  rediris.es                voorpositiviteit.nl
mplbeauty.com                 triodos.es                vpo.nl
mx-relay.com                  uv.es                     vu.nl
nanolearning.com              egu.eu                    vvv-venlo.nl
nine-pine.com                 zone.eu                   waternet.nl
one.com                       zonevs.eu                 woongarantvolmacht.nl
protonmail.com                handelsbanken.fi          zorgmail.nl
protonvpn.com                 tarjousrinki.fi           annabellstefanussen.no
renworkshops.com              traficom.fi               audi.no
run-motion.com                ac-strasbourg.fr          bergengokart.no
sankakucomplex.com            compagnie-des-sens.fr     derute.no
serverclienti.com             kangouroukids.fr          domeneshop.no
societe.com                   oo2.fr                    guttelus.no
solvinity.com                 fidesz.hu                 handelsbanken.no
sportnotch.com                neolink.link              idrettenonline.no
stater.com                    pm.me                     malestudio.no
stellarequipment.com          army.mil                  mystuff.no
t-2.com                       dla.mil                   norskgrammatikk.no
thalesgroup.com               jten.mil                  rushtrampoline.no
thepcw.com                    mail.mil                  uib.no
thepcwholesale.com            militaryonesource.mil     viphuset.no
triodos.com                   navy.mil                  atelkamera.nu
tutanota.com                  nga.mil                   goget.nu
up2staff.com                  osd.mil                   lenhud.nu
veganallsorts.com             socom.mil                 aegee.org
vitstore.com                  uscg.mil                  calyxinstitute.org
vivaldi.com                   usmc.mil                  debian.org
webcruiter.com                comcast.net               freebsd.org
webmailph.com                 fivem.net                 gentoo.org
xfinity.com                   gmx.net                   ietf.org
xfinityhomesecurity.com       habramail.net             irtf.org
xfinitymobile.com             hr-manager.net            isc.org
ymeuniverse.com               inexio.net                mailbox.org
bncr.fi.cr                    mijngezondheid.net        mailop.org
akce-incomputer.cz            mpssec.net                netbsd.org
bewooden.cz                   procurios.net             oraclegirl.org
csob.cz                       ripe.net                  ozlabs.org
cuni.cz                       riseup.net                samba.org
cvut.cz                       t-2.net                   torproject.org
e-kondomy.cz                  transip.net               asf.com.pt
ekokoza.cz                    xs4all.net                mobily.com.sa
fio.cz                        123watches.nl             bilprovningen.se
itesco.cz                     amsterdam.nl              ecster.se
kb.cz                         argeweb.nl                handelsbanken.se
klenotyaurum.cz               belastingdienst.nl        lomervarde.se
klubpevnehozdravi.cz          bhsupport.nl              loopia.se
ksporting.cz                  bluerail.nl               minmyndighetspost.se
manymail.cz                   bolerolimonadewinkel.nl   polisen.se
mkluzkoviny.cz                boozyshop.nl              racketspecialisten.se
muni.cz                       burgernet.nl              skatteverket.se
nanospace.cz                  caracamilla.nl            teknikdelar.se
onebit.cz                     cbr.nl                    theletter.se
optimail.cz                   corpoflow.nl              voteit.se
poptavej.cz                   derooijfotografie.nl      dovypredania.sk
pre.cz                        dictu.nl                  mastersport.sk
predplatit.cz                 digid.nl                  mklozkoviny.sk
scrptd.cz                     duo.nl                    pneusvet.sk
server4u.cz                   eco-logisch.nl            rondogo.sk
smtp.cz                       edenhotels.nl             satro.sk
sparkys.cz                    ezorg.nl                  toptop.sk
stoklasa.cz                   fidus.nl                  zapardrobnych.sk
vas-server.cz                 haibu.nl                  triodos.co.uk
virusfree.cz                  healthcheckcenter.nl      govtrack.us
zdravestravovani.cz           herinneringenoplinnen.nl  quantum-services.us
bayern.de                     high5.nl                  ru.ac.za
brandenburg.de                hr.nl