Update on stats 2022-04
Viktor Dukhovni
ietf-dane at dukhovni.org
Sun May 1 07:34:11 CEST 2022
Summary: The DANE domain count is now 3,197,734 (c.f. 3,172,531 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,409,733 (up from 18,166,397 last
month). Thus DANE TLSA is deployed on ~17.36% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.20 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1243696 one.com 1222787 one.com
277421 hostpoint.ch 276929 hostpoint.ch
164315 infomaniak.ch 162459 infomaniak.ch
159902 transip.nl 159841 argewebhosting.nl
158479 argewebhosting.nl 159047 transip.nl
107350 domeneshop.no 107424 domeneshop.no
97611 jouwweb.nl 96804 jouwweb.nl
96400 loopia.se 96629 webhostingserver.nl
96065 webhostingserver.nl 96028 loopia.se
75966 forpsi.com 75489 forpsi.com
59337 zxcs.nl 57815 zxcs.nl
47090 active24.com 47064 active24.com
41006 webreus.nl 41338 webreus.nl
39296 antagonist.nl 39129 antagonist.nl
35099 pcextreme.nl 35339 pcextreme.nl
27513 udmedia.de 27537 udmedia.de
26802 web4u.cz 26871 web4u.cz
25925 webhosting.dk 26105 webhosting.dk
25763 vevida.com 26035 vevida.com
25515 protonmail.ch 24796 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
9944 TOTAL 9827 TOTAL
2956 DE, Germany 2919 DE, Germany
1844 NL, Netherlands 1827 NL, Netherlands
1789 US, United States 1796 US, United States
737 FR, France 725 FR, France
346 GB, United Kingdom 331 GB, United Kingdom
331 CZ, Czechia 315 CZ, Czechia
226 FI, Finland 227 FI, Finland
213 CA, Canada 212 CA, Canada
156 AT, Austria 151 AT, Austria
130 SG, Singapore 133 DK, Denmark
129 CH, Switzerland 128 SG, Singapore
127 DK, Denmark 126 CH, Switzerland
110 SE, Sweden 106 SE, Sweden
106 AU, Australia 102 AU, Australia
59 PL, Poland 59 PL, Poland
48 JP, Japan 45 NO, Norway
46 RU, Russia 43 RU, Russia
46 NO, Norway 43 JP, Japan
43 BR, Brazil 43 IE, Ireland
40 IE, Ireland 39 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
7816 TOTAL 7726 TOTAL
3507 NL, Netherlands 3485 NL, Netherlands
2162 DE, Germany 2125 DE, Germany
812 US, United States 808 US, United States
317 FR, France 314 FR, France
187 CZ, Czechia 171 CZ, Czechia
158 GB, United Kingdom 139 GB, United Kingdom
82 FI, Finland 83 FI, Finland
63 CA, Canada 65 CA, Canada
60 CH, Switzerland 55 CH, Switzerland
50 AU, Australia 47 AU, Australia
45 AT, Austria 43 SE, Sweden
40 SG, Singapore 41 SG, Singapore
39 SE, Sweden 37 RU, Russia
32 JP, Japan 36 IE, Ireland
30 RU, Russia 34 AT, Austria
22 IE, Ireland 31 JP, Japan
20 DK, Denmark 20 NO, Norway
19 NO, Norway 20 DK, Denmark
15 BG, Bulgaria 15 UA, Ukraine
13 LT, Lithuania 13 BR, Brazil
There are 8,119 unique zones (8,039 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,295 (17,131 last
month). These cover 17,568 distinct MX hosts (17,403 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 625 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 369
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.20 million DANE domains, 27,938 (12,731 last month, ~15k new
MX-hosted by onebit.cz) have "partial" TLSA records, that cover only a subset
of the (secondary) MX hosts. While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,147
(1,102 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
88 vps01.marcus.services
46 mx2.xarisasp.nl
19 mx1.mdbraber.com
16 e-vps.hacktheplanet.nl
15 web1.ams.dcg.t-host.net
15 artemis.strebsjig.net
13 mta11.pointner.at
13 delos.xs4arabia.com
12 mail-01.dd24.net
10 mx01.mykolab.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
563 registrar-servers.com 550 registrar-servers.com
151 axc.nl 149 axc.nl
90 worldnic.com 80 worldnic.com
76 ebola.cz 78 ebola.cz
41 epik.com 35 mijndomein.nl
39 mijndomein.nl 32 openprovider.nl
32 openprovider.nl 31 made-easy.ch
31 made-easy.ch 26 ns01.nl
27 register.com 25 register.com
26 ns01.nl 17 dotroll.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
urbtix.hk
mailazy.net
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at smtp.cz hostingpeople.nl
gmx.at sparkys.cz hr.nl
tip.net.au stoklasa.cz hro.nl
cetelemnegocie.com.br vas-server.cz interim-netwerk.nl
clubedohardware.com.br vcelka.cz kralingsebosfestival.nl
e-negociacao.com.br virusfree.cz lico.nl
e-renegocie.com.br volny.cz linhard.nl
nic.br zdravestravovani.cz luxiez.nl
registro.br bantschowundbantschow.de mailplus.nl
activfitness-news.ch bayern.de managementboek.nl
cbd420.ch brandenburg.de markteffectmail.nl
erotik-service.ch bund.de mijnuvt.nl
gmx.ch bundesregierung.de minbuza.nl
hostpoint.ch datev.de minbzk.nl
infomaniak.ch dfn.de mindef.nl
linsenkontakt.ch elster.de mm1.nl
open.ch fau.de mulderretail.nl
promorealdeals.ch freenet.de nieuwsservice-rvo.nl
protonmail.ch gmx.de ns.nl
switch.ch hi7.de orangebag.nl
wog.ch jpberlin.de otys.nl
simplelogin.co lmu.de ouderenfonds.nl
402automotive.com lrz.de ouderportaal.nl
altidev.com mail.de overheid.nl
altospam.com mensa.de partijvoordedieren.nl
ansigtsyogaonline.com mpg.de podiumcadeaukaart.nl
brassthistle.com posteo.de politie.nl
cm.com ruhr-uni-bochum.de pp-prd.nl
connectsb.com tum.de previder.nl
dailyplaylists.com tutanota.de publicroam.nl
datev.com uni-augsburg.de rijksoverheid.nl
fabfilter.com uni-erlangen.de rivm.nl
fastware-hosting.com uni-kl.de rotterdam.nl
flaneurhomme.com uni-muenchen.de rvo.nl
gmx.com vicinityclo.de sans-mail.nl
habr.com web.de schoudercom.nl
hoobly.com westlotto.de schuurman-schoenen.nl
hotelsinduitsland.com dk-hostmaster.dk sidn.nl
imcnig.com fibianet.dk skyaccess.nl
infomaniak.com handelsbanken.dk smartwatchbanden.nl
ingthink.com netic.dk sportrusten.nl
jula.com nota.dk ssonet.nl
kantarresearch.com peterhald.dk stater.nl
kpn.com seniornews.dk sushipoint.nl
langerhans.com shapeit.dk telefoonglaasje.nl
leszexpertsfle.com shellcard.dk transip.nl
librti.com stil.dk triodos.nl
mactabeauty.com uni-c.dk uitgeverijpica.nl
mail.com tilburguniversity.edu utwente.nl
mammoetmail.com zone.ee uvt.nl
matilhadobemadestramento.com spike.email uwv.nl
mplbeauty.com spotler.email valys.nl
mx-relay.com talentech.email vimexx.nl
myvillage.com rediris.es vitalize.nl
nanolearning.com triodos.es vogeldagboek.nl
nine-pine.com uv.es voorpositiviteit.nl
one.com egu.eu vu.nl
orsys.com zone.eu vvv-venlo.nl
ppcpcv.com zonevs.eu waternet.nl
protonmail.com handelsbanken.fi zorgmail.nl
protonvpn.com metaburn.fi annabellstefanussen.no
renworkshops.com tarjousrinki.fi audi.no
run-motion.com traficom.fi bergengokart.no
sankakucomplex.com ac-strasbourg.fr deldinbil.no
scorecloud.com compagnie-des-sens.fr derute.no
serverclienti.com edtm-actu.fr domeneshop.no
societe.com oo2.fr guttelus.no
solvinity.com fidesz.hu handelsbanken.no
sportnotch.com bluebiz.info hyttefeber.no
srsforward.com neolink.link idrettenonline.no
stater.com pm.me mystuff.no
stellarequipment.com army.mil norskgrammatikk.no
t-2.com dla.mil raskebriller.no
thalesgroup.com jten.mil rushtrampoline.no
thepcw.com mail.mil spillfabrikken.no
thepcwholesale.com militaryonesource.mil tjenestekompaniet.no
theruleofliberty.com navy.mil uib.no
triodos.com nga.mil viphuset.no
truewaykids.com osd.mil atelkamera.nu
tutanota.com socom.mil goget.nu
up2staff.com uscg.mil lenhud.nu
veganallsorts.com usmc.mil debian.org
vitstore.com comcast.net freebsd.org
vivaldi.com fivem.net gentoo.org
webcruiter.com gmx.net herobrine.org
webmailph.com habramail.net ietf.org
win-rar.com hr-manager.net irtf.org
xfinity.com inexio.net isc.org
xfinityhomesecurity.com mijngezondheid.net kindredcircle.org
xfinitymobile.com mpssec.net mailbox.org
ymeuniverse.com procurios.net mailop.org
bncr.fi.cr ripe.net netbsd.org
akce-incomputer.cz riseup.net oraclegirl.org
amenit.cz t-2.net ozlabs.org
atlas.cz transip.net registradores.org
bewooden.cz xs4all.net samba.org
centrum.cz 123watches.nl torproject.org
csob.cz 50plusbeurs.nl biotechnologia.com.pl
cuni.cz amsterdam.nl asf.com.pt
cvut.cz belastingdienst.nl bilprovningen.se
dedra.cz bhosted.nl ecster.se
directmail-fraus.cz boekwinkeltjes.nl handelsbanken.se
e-kondomy.cz bolerolimonadewinkel.nl lansstyrelsen.se
ekokoza.cz boozyshop.nl lomervarde.se
fio.cz burgernet.nl loopia.se
itesco.cz caracamilla.nl minmyndighetspost.se
kb.cz cbr.nl polisen.se
klenotyaurum.cz corpoflow.nl racketspecialisten.se
klubpevnehozdravi.cz derooijfotografie.nl skatteverket.se
ksporting.cz dictu.nl teknikdelar.se
manymail.cz digid.nl theletter.se
mkluzkoviny.cz digitaleverkiezing.nl centrum.sk
muni.cz dressuurnatuurlijk.nl kadernickyservis.sk
nanospace.cz duo.nl mklozkoviny.sk
nic.cz eco-logisch.nl pneusvet.sk
omvnovinky.cz edenhotels.nl rondogo.sk
onebit.cz efactuurdirect.nl satro.sk
optimail.cz ezorg.nl toptop.sk
poptavej.cz fidus.nl zapardrobnych.sk
pre.cz gezond.nl triodos.co.uk
predplatit.cz healthcheckcenter.nl govtrack.us
scrptd.cz herinneringenoplinnen.nl quantum-services.us
server4u.cz high5.nl ru.ac.za
More information about the dane-users
mailing list