Update on stats 2022-09

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Oct 1 17:17:55 CEST 2022


Summary:  The DANE domain count is now 3,603,343 (cf. 3,598,975 last
          month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 19,588,402 (up from 19,332,285 last
          month).  Thus DANE TLSA is deployed on ~18.39% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today I count ~3.60 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1229109 one.com              1236565 one.com
   282877 hostpoint.ch          281674 hostpoint.ch
   193040 infomaniak.ch         190849 infomaniak.ch
   185568 mijndomein.nl         185033 mijndomein.nl
   164423 transip.nl            163544 transip.nl
   155782 argewebhosting.nl     159122 argewebhosting.nl
   112118 hostnet.nl            112282 hostnet.nl
   109897 jouwweb.nl            108076 domeneshop.no
   108431 domeneshop.no         107087 jouwweb.nl
    96992 loopia.se              97044 loopia.se
    94049 webhostingserver.nl    94545 webhostingserver.nl
    78282 forpsi.com             77900 forpsi.com
    64627 zxcs.nl                63883 zxcs.nl
    47352 active24.com           47339 active24.com
    40473 webreus.nl             40371 webreus.nl
    39617 antagonist.nl          39576 antagonist.nl
    33978 pcextreme.nl           34177 pcextreme.nl
    31219 protonmail.ch          30328 protonmail.ch
    29050 xel.nl                 28469 xel.nl
    27608 udmedia.de             27636 udmedia.de

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk.  Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  This month                Last month
  -----------               -----------
  10211 TOTAL               10154 TOTAL
   3066 DE, Germany          3062 DE, Germany
   1878 NL, Netherlands      1845 NL, Netherlands
   1797 US, United States    1780 US, United States
    755 FR, France            766 FR, France
    369 GB, United Kingdom    355 GB, United Kingdom
    351 CZ, Czechia           340 CZ, Czechia
    224 FI, Finland           239 FI, Finland
    215 CA, Canada            220 CA, Canada
    152 AT, Austria           151 AT, Austria
    130 CH, Switzerland       128 DK, Denmark
    129 DK, Denmark           127 CH, Switzerland
    126 SG, Singapore         124 SG, Singapore
    121 SE, Sweden            120 SE, Sweden
    114 AU, Australia         110 AU, Australia
     58 RU, Russia             57 PL, Poland
     56 PL, Poland             55 RU, Russia
     56 JP, Japan              54 JP, Japan
     45 NO, Norway             49 NO, Norway
     40 IE, Ireland            38 BR, Brazil
     39 BR, Brazil             35 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  8063 TOTAL               7992 TOTAL
  3580 NL, Netherlands     3557 NL, Netherlands
  2280 DE, Germany         2264 DE, Germany
   825 US, United States    849 US, United States
   358 FR, France           341 FR, France
   177 CZ, Czechia          180 CZ, Czechia
   162 GB, United Kingdom   152 GB, United Kingdom
    73 CA, Canada            74 FI, Finland
    71 FI, Finland           67 CA, Canada
    65 CH, Switzerland       61 CH, Switzerland
    58 AU, Australia         50 AU, Australia
    47 AT, Austria           47 AT, Austria
    46 SE, Sweden            44 SE, Sweden
    44 SG, Singapore         38 SG, Singapore
    36 JP, Japan             34 JP, Japan
    21 NO, Norway            23 NO, Norway
    21 IE, Ireland           20 DK, Denmark
    20 DK, Denmark           19 IE, Ireland
    16 BR, Brazil            17 BR, Brazil
    12 RU, Russia            12 LT, Lithuania
    12 RO, Romania           11 RO, Romania

There are 8,574 unique zones (8,468 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 18,205 (17,855 last
month).  These cover 18,498 distinct MX hosts (18,152 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 725 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 405
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.60 million DANE domains, 13,693 (13,723 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,386
(1,349 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

    107   mx.xobit.nl
    105   mail.blueconsulting.cz
     34   mx2.synetcon.net
     26   mail.sig-io.nl
     26   fsn1-c04.xemo-net.de
     20   mx1.mdbraber.com
     17   mx1.traxion.com
     15   artemis.strebsjig.net
     14   mx2.traxion.com
     14   mta9.pointner.at

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
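One way to monitor your own records, as an added example that is not the author's survey code or code from any of the resources linked above: a pure-Python checker that applies the RFC 7671 matching rules (selector Cert(0) or SPKI(1), matching type Full(0), SHA2-256(1) or SHA2-512(2)) to a DER certificate and a DANE-EE(3) TLSA record. The certificate it runs on is constructed inside the block with a placeholder key and an all-zero signature, purely to exercise the parser; in practice you would pass the DER leaf certificate your MX actually serves and the TLSA rdata your zone publishes. DANE-TA(2) records are out of scope here because they need the issuer chain.

```python
"""Check an SMTP DANE-EE TLSA record against a server certificate (DER).

Added example, not code from the report or any project it cites. Pure
Python so it runs offline; demo_cert() builds a structurally valid but
unsigned certificate (placeholder key, no trust value) for the demo only.
"""
import hashlib


def _der(tag, content):
    """Minimal DER encoder: tag, definite length (short or long form), content."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _tlv(data, pos):
    """Decode the DER element at pos; return (tag, value_start, value_end)."""
    tag, first = data[pos], data[pos + 1]
    if first & 0x80:                               # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(data[pos + 2:pos + 2 + nbytes], "big")
        start = pos + 2 + nbytes
    else:
        length, start = first, pos + 2
    return tag, start, start + length


def _elements(data, start, end):
    """Yield (tag, elem_start, elem_end) for each element of a constructed value."""
    pos = start
    while pos < end:
        tag, _, vend = _tlv(data, pos)
        yield tag, pos, vend                       # span covers the whole TLV
        pos = vend


def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate (RFC 5280 4.1)."""
    tag, start, end = _tlv(cert_der, 0)            # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs_pos, _ = next(_elements(cert_der, start, end))  # tbsCertificate
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    _, tbs_start, tbs_end = _tlv(cert_der, tbs_pos)
    fields = list(_elements(cert_der, tbs_start, tbs_end))
    if fields[0][0] == 0xA0:                       # optional explicit [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    spki_tag, spki_pos, spki_end = fields[5]
    if spki_tag != 0x30:
        raise ValueError("subjectPublicKeyInfo is not a SEQUENCE")
    return cert_der[spki_pos:spki_end]


def parse_tlsa_rdata(text):
    """Parse presentation-format rdata 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_matches_leaf(cert_der, selector, mtype, assoc_data):
    """RFC 7671 matching of one record against the end-entity certificate."""
    if selector == 0:
        subject = cert_der                         # Cert(0): the whole certificate
    elif selector == 1:
        subject = spki_from_cert(cert_der)         # SPKI(1): survives renewal with the same key
    else:
        return False                               # unknown selector: record unusable
    if mtype == 0:
        return subject == assoc_data               # Full(0)
    if mtype == 1:
        return hashlib.sha256(subject).digest() == assoc_data
    if mtype == 2:
        return hashlib.sha512(subject).digest() == assoc_data
    return False                                   # unknown matching type


def check_record(cert_der, rdata_text):
    """True if the DANE-EE(3) record authenticates this certificate."""
    usage, selector, mtype, data = parse_tlsa_rdata(rdata_text)
    if usage != 3:
        raise ValueError("demo handles DANE-EE(3); DANE-TA(2) needs the issuer chain")
    return tlsa_matches_leaf(cert_der, selector, mtype, data)


def demo_cert():
    """Build a structurally valid, unsigned certificate with a placeholder RSA key."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
    rsa_key = _der(0x30, _der(0x02, b"\x00" + b"\xab" * 64) + _der(0x02, b"\x01\x00\x01"))
    spki = _der(0x30, rsa + _der(0x03, b"\x00" + rsa_key))
    empty_name = _der(0x30, b"")
    validity = _der(0x30, _der(0x17, b"220101000000Z") + _der(0x17, b"230101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sha256_rsa
               + empty_name + validity + empty_name + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00" * 33)), spki


def demo_results():
    """The cases the report counts as correct or broken, on the demo certificate."""
    cert, spki = demo_cert()
    return {
        "3 1 1 current key": check_record(cert, "3 1 1 " + hashlib.sha256(spki).hexdigest()),
        "3 0 2 full cert": check_record(cert, "3 0 2 " + hashlib.sha512(cert).hexdigest()),
        # digest of some other key: what is left behind by a key rotation without a TLSA update
        "3 1 1 stale key": check_record(cert, "3 1 1 " + hashlib.sha256(b"old key").hexdigest()),
    }
```

Running `demo_results()` reports the first two records as matching and the stale one as not matching, which is exactly the "incorrect TLSA records" condition in the counts above; a monitoring job would fetch the live leaf certificate from each MX host and the live TLSA RRset and raise an alert whenever no published record matches, and a safe rotation publishes the new key's record alongside the old one for at least a few TTLs before the key is switched.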

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month).  The top 10 name server operators with problem domains are:

  This Month             Last month
  ----------             ----------
  363 worldnic.com       357 worldnic.com
  123 axc.nl             134 axc.nl
   74 ebola.cz            75 ebola.cz
   57 openprovider.nl     60 openprovider.nl
   38 epik.com            41 psi-japan.net
   32 psi-japan.net       34 active24.cz
   32 active24.cz         28 made-easy.ch
   28 made-easy.ch        25 ns01.nl
   21 register.com        22 register.com
   17 sectigoweb.com      18 epik.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Just one of the domains all of whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:

  mailazy.net

--
      Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
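The "partial" TLSA category in the body of the report and the dead-MX-host point in footnote [1] both come down to the same per-host test, shown here as an added example that is not the author's survey code: for each MX host of a domain, was the TLSA answer DNSSEC-validated, and does the RRset contain at least one record that an SMTP client can use (RFC 7672: usage DANE-TA(2) or DANE-EE(3), selector Cert(0) or SPKI(1), a known matching type, and association data of the right length)? The lookup results are constructed inline to mimic the report's cases; a real run would replace `LOOKUPS` with the output of validating MX and TLSA queries.

```python
"""Classify a domain's SMTP DANE coverage from per-MX TLSA lookups.

Added example, not the author's survey code. The lookup results are
constructed to mimic the cases the report counts: full coverage, a
"partial" domain whose secondary MX has no TLSA RRset, a deliberately
dead MX host that still publishes a well-formed record (footnote [1]),
a TLSA answer that is not DNSSEC-validated, and a malformed record.
"""

# Constructed lookup results, one entry per MX host of each domain:
#   (dnssec_secure, [(usage, selector, matching_type, hex_data), ...])
# An empty list with dnssec_secure=True is a validated denial of existence.
KEY_SHA256 = "ab" * 32    # placeholder digests, not real key or cert hashes
CERT_SHA512 = "cd" * 64

LOOKUPS = {
    "full.example": {
        "mx1.full.example": (True, [(3, 1, 1, KEY_SHA256)]),
        "mx2.full.example": (True, [(2, 0, 2, CERT_SHA512)]),
    },
    "partial.example": {
        "mx1.partial.example": (True, [(3, 1, 1, KEY_SHA256)]),
        "mx2.partial.example": (True, []),          # secondary MX has no TLSA
    },
    "deadmx.example": {
        "mx1.deadmx.example": (True, [(3, 1, 1, KEY_SHA256)]),
        "sink.deadmx.example": (True, [(3, 1, 1, "ff" * 32)]),  # never answers, record exists
    },
    "insecure.example": {
        "mx1.insecure.example": (False, [(3, 1, 1, KEY_SHA256)]),  # answer not validated
    },
    "malformed.example": {
        "mx1.malformed.example": (True, [(3, 1, 1, "ab" * 20)]),   # 20-byte "SHA-256"
    },
}

DIGEST_LEN = {0: None, 1: 32, 2: 64}   # Full(0), SHA2-256(1), SHA2-512(2)


def usable_tlsa(record):
    """Usable for SMTP per RFC 7672: usage 2 or 3, selector 0 or 1, a known
    matching type, and association data of the length that type implies."""
    usage, selector, mtype, hex_data = record
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in DIGEST_LEN:
        return False
    try:
        data = bytes.fromhex(hex_data)
    except ValueError:
        return False
    expected = DIGEST_LEN[mtype]
    return expected is None or len(data) == expected


def host_status(dnssec_secure, records):
    """One MX host: 'ok', 'none' (no TLSA), 'insecure' (unvalidated) or 'unusable'."""
    if not dnssec_secure:
        return "insecure"           # without DNSSEC the records cannot be relied on
    if not records:
        return "none"
    return "ok" if any(usable_tlsa(r) for r in records) else "unusable"


def classify_domain(hosts):
    """'dane' if every MX host has usable TLSA, 'partial' if only some, else 'none'."""
    statuses = {host: host_status(*result) for host, result in hosts.items()}
    covered = sum(1 for s in statuses.values() if s == "ok")
    if covered == len(statuses):
        return "dane", statuses
    return ("partial" if covered else "none"), statuses


def survey(lookups=LOOKUPS):
    """Count domains per class, the way the report tallies full vs partial coverage."""
    counts = {"dane": 0, "partial": 0, "none": 0}
    for hosts in lookups.values():
        counts[classify_domain(hosts)[0]] += 1
    return counts


if __name__ == "__main__":
    for domain, hosts in LOOKUPS.items():
        verdict, per_host = classify_domain(hosts)
        print(f"{domain:18} {verdict:8} {per_host}")
    print(survey())
```

Note that `deadmx.example` classifies as fully covered even though its second host never answers: the record there cannot be checked against a certificate, but because it exists and is well-formed an active attacker cannot strip TLS on that host either, which is the footnote's point. `partial.example` is the case the report flags: mail routed to `mx2.partial.example` gets no DANE protection at all.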

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                  elster.de               expeditionfestival.nl
gmx.at                        ewetel.de               ezorg.nl
cetelemnegocie.com.br         fau.de                  fivecityspa.nl
nic.br                        freenet.de              herinneringenoplinnen.nl
registro.br                   gmx.de                  hobbygigant.nl
activfitness-news.ch          hi7.de                  hostnet.nl
cbd420.ch                     hobart.de               hr.nl
englmaier.ch                  jpberlin.de             interconnect.nl
gmx.ch                        lmu.de                  interim-netwerk.nl
hostpoint.ch                  lrz.de                  jayno.nl
infomaniak.ch                 mail.de                 kiesrijk.nl
linsenkontakt.ch              mensa.de                lico.nl
migros-runnwin.ch             mpg.de                  luxiez.nl
msochrono.ch                  posteo.de               mail-studio.nl
onemillionrun.ch              ruhr-uni-bochum.de      mailplus.nl
open.ch                       spacenet.de             managementboek.nl
protonmail.ch                 tum.de                  markteffectmail.nl
sms-gagnant.ch                tutanota.de             mcmta.nl
switch.ch                     uni-augsburg.de         mijndomein.nl
simplelogin.co                uni-erlangen.de         minbzk.nl
402automotive.com             uni-muenchen.de         mindef.nl
albourne.com                  vicinityclo.de          mm1.nl
anonaddy.com                  web.de                  mulderretail.nl
beaconx.com                   westlotto.de            ndt.nl
bymalina.com                  allbuy.dk               netsamen.nl
cm.com                        dfi.dk                  nieuwsservice-rvo.nl
connectsb.com                 dinhstore.dk            ns.nl
cryptowallet.com              dk-hostmaster.dk        orangebag.nl
dailyplaylists.com            fibianet.dk             otys.nl
datev.com                     fvst.dk                 ouderportaal.nl
elementalraiders.com          inkpro.dk               overheid.nl
fabfilter.com                 ixstudioscph.dk         partijvoordedieren.nl
fastware-hosting.com          kompetenceudvikling.dk  paypro.nl
flaneurhomme.com              labelking.dk            ploegendienst-festival.nl
gmx.com                       lacabra.dk              politie.nl
groed.com                     mobilcovers.dk          pp-prd.nl
habr.com                      netic.dk                previder.nl
hoobly.com                    nordd.dk                rdw.nl
hotelsinduitsland.com         peterhald.dk            rijksoverheid.nl
imcnig.com                    powerhosting.dk         roken.nl
infomaniak.com                seniornews.dk           rotterdam.nl
ingthink.com                  shapeit.dk              rug.nl
jesuis1as.com                 shellcard.dk            rvo.nl
johnbeerens.com               stil.dk                 sans-mail.nl
joomlapolis.com               uvm.dk                  schoudercom.nl
jula.com                      wavell.dk               schuurman-schoenen.nl
kabayarefashion.com           webhosting.dk           smartwatchbanden.nl
kantarresearch.com            tilburguniversity.edu   sportrusten.nl
klbrlive.com                  holtmail.ee             ssonet.nl
leszexpertsfle.com            just.ee                 stater.nl
librti.com                    rik.ee                  surfspot.nl
liefleven.com                 myownconference.email   telefoonglaasje.nl
mactabeauty.com               spike.email             thealphamen.nl
mail.com                      spotler.email           transip.nl
mailfence.com                 talentech.email         travelclown.nl
matilhadobemadestramento.com  nuudcare.es             triodos.nl
mplbeauty.com                 triodos.es              uitgeverijpica.nl
mx-relay.com                  uv.es                   utwente.nl
nine-pine.com                 egu.eu                  uvt.nl
one.com                       litebit.eu              uwv.nl
orsys.com                     skhosting.eu            valtifest.nl
orverkiezing.com              tbibank.eu              valys.nl
pieter-pot.com                zone.eu                 vimexx.nl
polyas.com                    zonevs.eu               visitoost.nl
pompomlondon.com              fsol.fi                 visittwente.nl
ppcpcv.com                    handelsbanken.fi        voorpositiviteit.nl
protonmail.com                metaburn.fi             vrijevolkfestival.nl
protonvpn.com                 tarjousrinki.fi         wannahavesfashion.nl
run-motion.com                ac-strasbourg.fr        watchbandjes-shop.nl
runbox.com                    compagnie-des-sens.fr   waternet.nl
sankakucomplex.com            edtm-actu.fr            xel.nl
scorecloud.com                kangouroukids.fr        ziggo.nl
serverclienti.com             nuudcare.fr             zorgmail.nl
solvinity.com                 oo2.fr                  annabellstefanussen.no
stater.com                    privea.fr               audi.no
stellarequipment.com          nsa.gov                 derute.no
t-2.com                       fidesz.hu               domeneshop.no
thalesgroup.com               mszp.hu                 guttelus.no
thepcw.com                    pandi.id                hyttefeber.no
thepcwholesale.com            bluebiz.info            idrettenonline.no
triodos.com                   netabuse.info           mystuff.no
truewaykids.com               eurocontrol.int         naprapatlandslaget.no
tutanota.com                  neolink.link            nordicprint.no
up2staff.com                  anonaddy.me             norskgrammatikk.no
veganallsorts.com             pm.me                   plukkselv.no
vivaldi.com                   proton.me               rushtrampoline.no
webcruiter.com                army.mil                spillfabrikken.no
webmailph.com                 dla.mil                 uib.no
xfinity.com                   health.mil              analysedanmark.nu
xfinityhomesecurity.com       jten.mil                atelkamera.nu
xfinitymobile.com             mail.mil                goget.nu
bncr.fi.cr                    militaryonesource.mil   lenhud.nu
airbank.cz                    navy.mil                debian.org
akce-incomputer.cz            nga.mil                 freebsd.org
amenit.cz                     osd.mil                 gentoo.org
atlas.cz                      socom.mil               ietf.org
bewooden.cz                   uscg.mil                isc.org
centrum.cz                    usmc.mil                mailbox.org
csob.cz                       apnic.net               mailop.org
cuni.cz                       comcast.net             netbsd.org
dedra.cz                      ewetel.net              ozlabs.org
directmail-fraus.cz           fivem.net               samba.org
e-kondomy.cz                  gmx.net                 torproject.org
ekokoza.cz                    habramail.net           kemono.party
fio.cz                        hr-manager.net          biotechnologia.com.pl
itesco.cz                     inexio.net              mobily.com.sa
kb.cz                         mijngezondheid.net      bilprovningen.se
klenotyaurum.cz               mpssec.net              ecster.se
klubpevnehozdravi.cz          procurios.net           geflemetalfestival.se
ksporting.cz                  ripe.net                handelsbanken.se
manymail.cz                   riseup.net              lomervarde.se
mfcr.cz                       t-2.net                 loopia.se
mkluzkoviny.cz                transip.net             minmyndighetspost.se
mojedatovaschranka.cz         123watches.nl           nordicprint.se
muni.cz                       agriton.nl              parksnackan.se
nanospace.cz                  amsterdam.nl            polisen.se
nic.cz                        aquastorexl.nl          silverdotter.se
onebit.cz                     argeweb.nl              skatteverket.se
optimail.cz                   belastingdienst.nl      teknikdelar.se
outlet-alpine.cz              beterspellen.nl         theletter.se
poptavej.cz                   blushfashionstore.nl    centrum.sk
scrptd.cz                     bobo.nl                 dovypredania.sk
server4u.cz                   boekwinkeltjes.nl       e-slovak.sk
smtp.cz                       boozyshop.nl            kadernickyservis.sk
stoklasa.cz                   bratsites-grs.nl        mklozkoviny.sk
tiscali.cz                    bruut.nl                naau.sk
vas-server.cz                 burgernet.nl            pobox.sk
vcelka.cz                     cbr.nl                  rondogo.sk
virusfree.cz                  cbs.nl                  satro.sk
volny.cz                      corpoflow.nl            teacher.sk
zdravestravovani.cz           derooijfotografie.nl    zapardrobnych.sk
123watches.de                 dictu.nl                simpcity.su
bayern.de                     digid.nl                adelina.com.ua
brandenburg.de                dimehouse.nl            triodos.co.uk
bund.de                       duo.nl                  govtrack.us
bundesregierung.de            eco-logisch.nl          quantum-services.us
datev.de                      edenhotels.nl           ru.ac.za
dfn.de                        esuals.nl

