Update on stats 2022-04

Viktor Dukhovni ietf-dane at dukhovni.org
Sun May 1 07:34:11 CEST 2022

Summary:  The DANE domain count is now 3,197,734 (c.f. 3,172,531 last

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 18,409,733 (up from 18,166,397 last
          month).  Thus DANE TLSA is deployed on ~17.36% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today I count ~3.20 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1243696 one.com              1222787 one.com             
   277421 hostpoint.ch          276929 hostpoint.ch        
   164315 infomaniak.ch         162459 infomaniak.ch       
   159902 transip.nl            159841 argewebhosting.nl   
   158479 argewebhosting.nl     159047 transip.nl          
   107350 domeneshop.no         107424 domeneshop.no       
    97611 jouwweb.nl             96804 jouwweb.nl          
    96400 loopia.se              96629 webhostingserver.nl 
    96065 webhostingserver.nl    96028 loopia.se           
    75966 forpsi.com             75489 forpsi.com          
    59337 zxcs.nl                57815 zxcs.nl             
    47090 active24.com           47064 active24.com        
    41006 webreus.nl             41338 webreus.nl          
    39296 antagonist.nl          39129 antagonist.nl       
    35099 pcextreme.nl           35339 pcextreme.nl        
    27513 udmedia.de             27537 udmedia.de          
    26802 web4u.cz               26871 web4u.cz            
    25925 webhosting.dk          26105 webhosting.dk       
    25763 vevida.com             26035 vevida.com          
    25515 protonmail.ch          24796 protonmail.ch       

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

  This month               Last month
  ----------               ----------
  9944 TOTAL               9827 TOTAL               
  2956 DE, Germany         2919 DE, Germany         
  1844 NL, Netherlands     1827 NL, Netherlands     
  1789 US, United States   1796 US, United States   
   737 FR, France           725 FR, France          
   346 GB, United Kingdom   331 GB, United Kingdom  
   331 CZ, Czechia          315 CZ, Czechia         
   226 FI, Finland          227 FI, Finland         
   213 CA, Canada           212 CA, Canada          
   156 AT, Austria          151 AT, Austria         
   130 SG, Singapore        133 DK, Denmark         
   129 CH, Switzerland      128 SG, Singapore       
   127 DK, Denmark          126 CH, Switzerland     
   110 SE, Sweden           106 SE, Sweden          
   106 AU, Australia        102 AU, Australia       
    59 PL, Poland            59 PL, Poland          
    48 JP, Japan             45 NO, Norway          
    46 RU, Russia            43 RU, Russia          
    46 NO, Norway            43 JP, Japan           
    43 BR, Brazil            43 IE, Ireland         
    40 IE, Ireland           39 IT, Italy           

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  7816 TOTAL               7726 TOTAL             
  3507 NL, Netherlands     3485 NL, Netherlands   
  2162 DE, Germany         2125 DE, Germany       
   812 US, United States    808 US, United States 
   317 FR, France           314 FR, France        
   187 CZ, Czechia          171 CZ, Czechia       
   158 GB, United Kingdom   139 GB, United Kingdom
    82 FI, Finland           83 FI, Finland       
    63 CA, Canada            65 CA, Canada        
    60 CH, Switzerland       55 CH, Switzerland   
    50 AU, Australia         47 AU, Australia     
    45 AT, Austria           43 SE, Sweden        
    40 SG, Singapore         41 SG, Singapore     
    39 SE, Sweden            37 RU, Russia        
    32 JP, Japan             36 IE, Ireland       
    30 RU, Russia            34 AT, Austria       
    22 IE, Ireland           31 JP, Japan         
    20 DK, Denmark           20 NO, Norway        
    19 NO, Norway            20 DK, Denmark       
    15 BG, Bulgaria          15 UA, Ukraine       
    13 LT, Lithuania         13 BR, Brazil        

There are 8,119 unique zones (8,039 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 17,295 (17,131 last
month).  These cover 17,568 distinct MX hosts (17,403 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 625 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 369
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.20 million DANE domains, 27,938 (12,731 last month, ~15k new
MX-hosted by onebit.cz) have "partial" TLSA records, that cover only a subset
of the (secondary) MX hosts.  While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,147
(1,102 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

  88 vps01.marcus.services
  46 mx2.xarisasp.nl
  19 mx1.mdbraber.com
  16 e-vps.hacktheplanet.nl
  15 web1.ams.dcg.t-host.net
  15 artemis.strebsjig.net
  13 mta11.pointner.at
  13 delos.xs4arabia.com
  12 mail-01.dd24.net
  10 mx01.mykolab.com

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month).  The top 10 name server operators with problem domains are:

  This Month                 Last month
  ----------                 ----------
  563 registrar-servers.com  550 registrar-servers.com
  151 axc.nl                 149 axc.nl               
   90 worldnic.com            80 worldnic.com         
   76 ebola.cz                78 ebola.cz             
   41 epik.com                35 mijndomein.nl        
   39 mijndomein.nl           32 openprovider.nl      
   32 openprovider.nl         31 made-easy.ch         
   31 made-easy.ch            26 ns01.nl              
   27 register.com            25 register.com         
   26 ns01.nl                 17 dotroll.com          

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Five of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:



[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency

univie.ac.at                  smtp.cz                   hostingpeople.nl
gmx.at                        sparkys.cz                hr.nl
tip.net.au                    stoklasa.cz               hro.nl
cetelemnegocie.com.br         vas-server.cz             interim-netwerk.nl
clubedohardware.com.br        vcelka.cz                 kralingsebosfestival.nl
e-negociacao.com.br           virusfree.cz              lico.nl
e-renegocie.com.br            volny.cz                  linhard.nl
nic.br                        zdravestravovani.cz       luxiez.nl
registro.br                   bantschowundbantschow.de  mailplus.nl
activfitness-news.ch          bayern.de                 managementboek.nl
cbd420.ch                     brandenburg.de            markteffectmail.nl
erotik-service.ch             bund.de                   mijnuvt.nl
gmx.ch                        bundesregierung.de        minbuza.nl
hostpoint.ch                  datev.de                  minbzk.nl
infomaniak.ch                 dfn.de                    mindef.nl
linsenkontakt.ch              elster.de                 mm1.nl
open.ch                       fau.de                    mulderretail.nl
promorealdeals.ch             freenet.de                nieuwsservice-rvo.nl
protonmail.ch                 gmx.de                    ns.nl
switch.ch                     hi7.de                    orangebag.nl
wog.ch                        jpberlin.de               otys.nl
simplelogin.co                lmu.de                    ouderenfonds.nl
402automotive.com             lrz.de                    ouderportaal.nl
altidev.com                   mail.de                   overheid.nl
altospam.com                  mensa.de                  partijvoordedieren.nl
ansigtsyogaonline.com         mpg.de                    podiumcadeaukaart.nl
brassthistle.com              posteo.de                 politie.nl
cm.com                        ruhr-uni-bochum.de        pp-prd.nl
connectsb.com                 tum.de                    previder.nl
dailyplaylists.com            tutanota.de               publicroam.nl
datev.com                     uni-augsburg.de           rijksoverheid.nl
fabfilter.com                 uni-erlangen.de           rivm.nl
fastware-hosting.com          uni-kl.de                 rotterdam.nl
flaneurhomme.com              uni-muenchen.de           rvo.nl
gmx.com                       vicinityclo.de            sans-mail.nl
habr.com                      web.de                    schoudercom.nl
hoobly.com                    westlotto.de              schuurman-schoenen.nl
hotelsinduitsland.com         dk-hostmaster.dk          sidn.nl
imcnig.com                    fibianet.dk               skyaccess.nl
infomaniak.com                handelsbanken.dk          smartwatchbanden.nl
ingthink.com                  netic.dk                  sportrusten.nl
jula.com                      nota.dk                   ssonet.nl
kantarresearch.com            peterhald.dk              stater.nl
kpn.com                       seniornews.dk             sushipoint.nl
langerhans.com                shapeit.dk                telefoonglaasje.nl
leszexpertsfle.com            shellcard.dk              transip.nl
librti.com                    stil.dk                   triodos.nl
mactabeauty.com               uni-c.dk                  uitgeverijpica.nl
mail.com                      tilburguniversity.edu     utwente.nl
mammoetmail.com               zone.ee                   uvt.nl
matilhadobemadestramento.com  spike.email               uwv.nl
mplbeauty.com                 spotler.email             valys.nl
mx-relay.com                  talentech.email           vimexx.nl
myvillage.com                 rediris.es                vitalize.nl
nanolearning.com              triodos.es                vogeldagboek.nl
nine-pine.com                 uv.es                     voorpositiviteit.nl
one.com                       egu.eu                    vu.nl
orsys.com                     zone.eu                   vvv-venlo.nl
ppcpcv.com                    zonevs.eu                 waternet.nl
protonmail.com                handelsbanken.fi          zorgmail.nl
protonvpn.com                 metaburn.fi               annabellstefanussen.no
renworkshops.com              tarjousrinki.fi           audi.no
run-motion.com                traficom.fi               bergengokart.no
sankakucomplex.com            ac-strasbourg.fr          deldinbil.no
scorecloud.com                compagnie-des-sens.fr     derute.no
serverclienti.com             edtm-actu.fr              domeneshop.no
societe.com                   oo2.fr                    guttelus.no
solvinity.com                 fidesz.hu                 handelsbanken.no
sportnotch.com                bluebiz.info              hyttefeber.no
srsforward.com                neolink.link              idrettenonline.no
stater.com                    pm.me                     mystuff.no
stellarequipment.com          army.mil                  norskgrammatikk.no
t-2.com                       dla.mil                   raskebriller.no
thalesgroup.com               jten.mil                  rushtrampoline.no
thepcw.com                    mail.mil                  spillfabrikken.no
thepcwholesale.com            militaryonesource.mil     tjenestekompaniet.no
theruleofliberty.com          navy.mil                  uib.no
triodos.com                   nga.mil                   viphuset.no
truewaykids.com               osd.mil                   atelkamera.nu
tutanota.com                  socom.mil                 goget.nu
up2staff.com                  uscg.mil                  lenhud.nu
veganallsorts.com             usmc.mil                  debian.org
vitstore.com                  comcast.net               freebsd.org
vivaldi.com                   fivem.net                 gentoo.org
webcruiter.com                gmx.net                   herobrine.org
webmailph.com                 habramail.net             ietf.org
win-rar.com                   hr-manager.net            irtf.org
xfinity.com                   inexio.net                isc.org
xfinityhomesecurity.com       mijngezondheid.net        kindredcircle.org
xfinitymobile.com             mpssec.net                mailbox.org
ymeuniverse.com               procurios.net             mailop.org
bncr.fi.cr                    ripe.net                  netbsd.org
akce-incomputer.cz            riseup.net                oraclegirl.org
amenit.cz                     t-2.net                   ozlabs.org
atlas.cz                      transip.net               registradores.org
bewooden.cz                   xs4all.net                samba.org
centrum.cz                    123watches.nl             torproject.org
csob.cz                       50plusbeurs.nl            biotechnologia.com.pl
cuni.cz                       amsterdam.nl              asf.com.pt
cvut.cz                       belastingdienst.nl        bilprovningen.se
dedra.cz                      bhosted.nl                ecster.se
directmail-fraus.cz           boekwinkeltjes.nl         handelsbanken.se
e-kondomy.cz                  bolerolimonadewinkel.nl   lansstyrelsen.se
ekokoza.cz                    boozyshop.nl              lomervarde.se
fio.cz                        burgernet.nl              loopia.se
itesco.cz                     caracamilla.nl            minmyndighetspost.se
kb.cz                         cbr.nl                    polisen.se
klenotyaurum.cz               corpoflow.nl              racketspecialisten.se
klubpevnehozdravi.cz          derooijfotografie.nl      skatteverket.se
ksporting.cz                  dictu.nl                  teknikdelar.se
manymail.cz                   digid.nl                  theletter.se
mkluzkoviny.cz                digitaleverkiezing.nl     centrum.sk
muni.cz                       dressuurnatuurlijk.nl     kadernickyservis.sk
nanospace.cz                  duo.nl                    mklozkoviny.sk
nic.cz                        eco-logisch.nl            pneusvet.sk
omvnovinky.cz                 edenhotels.nl             rondogo.sk
onebit.cz                     efactuurdirect.nl         satro.sk
optimail.cz                   ezorg.nl                  toptop.sk
poptavej.cz                   fidus.nl                  zapardrobnych.sk
pre.cz                        gezond.nl                 triodos.co.uk
predplatit.cz                 healthcheckcenter.nl      govtrack.us
scrptd.cz                     herinneringenoplinnen.nl  quantum-services.us
server4u.cz                   high5.nl                  ru.ac.za

More information about the dane-users mailing list