Update on stats 2022-10

Viktor Dukhovni ietf-dane at dukhovni.org
Mon Oct 31 23:56:56 CET 2022


News:     New milestone crossed this month: the number of DNSSEC-signed
          delegations tracked by the DANE survey has crossed 20 million.
          Many thanks to simply.com for signing ~200k .DK domains, of
          which ~100k support DANE SMTP.

Summary:  The DANE domain count is now 3,701,200 (cf. 3,603,343 last
          month).

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 20,041,659 (up from 19,588,402 last
          month).  Thus DANE TLSA is deployed on ~18.46% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today I count ~3.70 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1224541 one.com              1229109 one.com             
   284142 hostpoint.ch          282877 hostpoint.ch        
   194132 infomaniak.ch         193040 infomaniak.ch       
   186459 mijndomein.nl         185568 mijndomein.nl       
   164902 transip.nl            164423 transip.nl          
   154681 argewebhosting.nl     155782 argewebhosting.nl   
   126469 simply.com            112118 hostnet.nl          
   112645 jouwweb.nl            109897 jouwweb.nl          
   111958 hostnet.nl            108431 domeneshop.no       
   108448 domeneshop.no          96992 loopia.se           
   104708 loopia.se              94049 webhostingserver.nl 
    93613 webhostingserver.nl    78282 forpsi.com          
    78681 forpsi.com             64627 zxcs.nl             
    65510 zxcs.nl                47352 active24.com        
    47461 active24.com           40473 webreus.nl          
    40154 webreus.nl             39617 antagonist.nl       
    39645 antagonist.nl          33978 pcextreme.nl        
    33729 pcextreme.nl           31219 protonmail.ch       
    32031 protonmail.ch          29050 xel.nl              
    29009 xel.nl                 27608 udmedia.de          

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk.  Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  This month                Last month
  -----------               -----------
  10358 TOTAL               10211 TOTAL             
   3116 DE, Germany          3066 DE, Germany       
   1867 NL, Netherlands      1878 NL, Netherlands   
   1811 US, United States    1797 US, United States 
    770 FR, France            755 FR, France        
    376 GB, United Kingdom    369 GB, United Kingdom
    360 CZ, Czechia           351 CZ, Czechia       
    229 FI, Finland           224 FI, Finland       
    221 CA, Canada            215 CA, Canada        
    155 AT, Austria           152 AT, Austria       
    132 CH, Switzerland       130 CH, Switzerland   
    130 DK, Denmark           129 DK, Denmark       
    129 SE, Sweden            126 SG, Singapore     
    128 SG, Singapore         121 SE, Sweden        
    115 AU, Australia         114 AU, Australia     
     63 PL, Poland             58 RU, Russia        
     58 RU, Russia             56 PL, Poland        
     57 JP, Japan              56 JP, Japan         
     47 NO, Norway             45 NO, Norway        
     45 BR, Brazil             40 IE, Ireland       
     41 IE, Ireland            39 BR, Brazil        

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  8162 TOTAL               8063 TOTAL              
  3584 NL, Netherlands     3580 NL, Netherlands    
  2317 DE, Germany         2280 DE, Germany        
   851 US, United States    825 US, United States  
   358 FR, France           358 FR, France         
   176 CZ, Czechia          177 CZ, Czechia        
   164 GB, United Kingdom   162 GB, United Kingdom 
    77 CA, Canada            73 CA, Canada         
    71 FI, Finland           71 FI, Finland        
    63 CH, Switzerland       65 CH, Switzerland    
    58 AU, Australia         58 AU, Australia      
    50 SE, Sweden            47 AT, Austria        
    47 SG, Singapore         46 SE, Sweden         
    47 AT, Austria           44 SG, Singapore      
    33 JP, Japan             36 JP, Japan          
    26 RU, Russia            21 NO, Norway         
    21 IE, Ireland           21 IE, Ireland        
    20 NO, Norway            20 DK, Denmark        
    19 DK, Denmark           16 BR, Brazil         
    18 BR, Brazil            12 RU, Russia         
    13 LT, Lithuania         12 RO, Romania        

There are 8,763 unique zones (8,574 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 18,205 (same as last
month).  These cover 18,501 distinct MX hosts (18,498 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 753 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 421
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.70 million DANE domains, 13,370 (13,693 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1310
(1,386 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

    104   mail.blueconsulting.cz
     65   beta.itcomputers.eu
     40   smtp.jkkn.net
     33   mx2.synetcon.net
     21   mail.mxx.dk
     20   mx1.mdbraber.com
     17   mx1.traxion.com
     15   artemis.strebsjig.net
     14   mx2.traxion.com
     14   mta9.pointner.at

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
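The three failure classes above (partial coverage of the MX RRset, malformed or
unusable TLSA records, and records that fall out of step with the deployed key
during a rotation) can all be checked at the record level before any SMTP
connection is made.  The script below is an added example, not the survey's own
tooling; it runs on constructed DNS answers embedded in the file (the
mx1/mx2.example.net names and the "11"/"22" digests are placeholders), and it
deliberately stops short of the live certificate and STARTTLS checks the survey
also performs.  The "current + next" rollover state follows RFC 7671 section 8.1,
and the well-formedness test is the same property footnote [1] relies on for
deliberately dead MX hosts.

```python
"""Record-level SMTP DANE checks: TLSA well-formedness, per-MX coverage and a
"current + next" key-rollover check (RFC 7671 section 8.1).

Added example, not part of the DANE survey.  A real monitor would fetch the MX
and TLSA RRsets through a validating resolver and trust only answers carrying
the AD bit; here the answers are constructed so the script runs offline.
"""
from dataclasses import dataclass

# Association-data length per matching type (RFC 6698 section 2.1.3);
# matching type 0 carries the full certificate or SPKI and has no fixed length.
DIGEST_LEN = {1: 32, 2: 64}


@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format '<usage> <selector> <mtype> <hex>'.

    Raises ValueError for a wrong field count, out-of-range parameters,
    non-hex data, or a digest whose length does not fit the matching type.
    """
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"TLSA needs four fields: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError(f"TLSA parameters out of range: {rdata!r}")
    data = bytes.fromhex("".join(fields[3:]))  # hex may be split across words
    want = DIGEST_LEN.get(mtype)
    if want is not None and len(data) != want:
        raise ValueError(f"matching type {mtype} expects {want} bytes, got {len(data)}")
    return TLSA(usage, selector, mtype, data)


def is_well_formed(rdata: str) -> bool:
    """True if the record parses; dead MX hosts only need this much (footnote [1])."""
    try:
        parse_tlsa(rdata)
        return True
    except ValueError:
        return False


def usable_for_smtp(rec: TLSA) -> bool:
    """SMTP DANE uses only DANE-TA(2) and DANE-EE(3) (RFC 7672 section 3.1)."""
    return rec.usage in (2, 3)


def classify_domain(mx_hosts, tlsa_by_host):
    """Bucket a domain the way the survey's counts do, from records alone.

    tlsa_by_host maps each MX host to its TLSA rdata strings ([] = no RRset).
    Returns (state, per_host): 'dane' when every MX host is covered, 'partial'
    for a proper subset, 'none', or 'broken' when some host publishes a
    malformed RRset or one with no usable records.
    """
    per_host = {}
    for host in mx_hosts:
        rrset = tlsa_by_host.get(host, [])
        if not rrset:
            per_host[host] = "uncovered"
            continue
        try:
            usable = [r for r in map(parse_tlsa, rrset) if usable_for_smtp(r)]
        except ValueError:
            per_host[host] = "broken"
            continue
        per_host[host] = "covered" if usable else "broken"
    states = set(per_host.values())
    if "broken" in states:
        return "broken", per_host
    if states == {"covered"}:
        return "dane", per_host
    return ("partial" if "covered" in states else "none"), per_host


def rollover_state(rrset, current_digest_hex, next_digest_hex):
    """Compare a DANE-EE(3) SPKI SHA-256 RRset with the deployed and planned keys.

    'mismatch'     : the live key is not published; DANE clients already fail.
    'current-only' : fine today, but do not swap keys until the next key's
                     record has been published for at least one TTL.
    'current+next' : both present; the swap can proceed, and the old record
                     can be removed once the new key is live everywhere.
    """
    published = {r.data.hex() for r in map(parse_tlsa, rrset)
                 if (r.usage, r.selector, r.mtype) == (3, 1, 1)}
    if current_digest_hex not in published:
        return "mismatch"
    return "current+next" if next_digest_hex in published else "current-only"


# Constructed sample data (not real DNS answers): two MX hosts, of which only
# the primary carries TLSA records, i.e. a "partial" domain in survey terms.
CURRENT_KEY = "11" * 32   # stand-in for the SHA-256 of the deployed SPKI
NEXT_KEY = "22" * 32      # stand-in for the digest of the pre-published next key
SAMPLE_MX = ["mx1.example.net", "mx2.example.net"]
SAMPLE_TLSA = {
    "mx1.example.net": [f"3 1 1 {CURRENT_KEY}", f"3 1 1 {NEXT_KEY}"],
    "mx2.example.net": [],
}

if __name__ == "__main__":
    print(classify_domain(SAMPLE_MX, SAMPLE_TLSA))
    print(rollover_state(SAMPLE_TLSA["mx1.example.net"], CURRENT_KEY, NEXT_KEY))
```

Run against real data, the only change is where `SAMPLE_MX` and `SAMPLE_TLSA`
come from; the classification and rollover logic stay the same.  A monitor that
alerts on anything other than `dane` plus `current-only`/`current+next` for
every MX host catches the partial-coverage and stale-record conditions before
remote DANE-verifying MTAs start deferring mail.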

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month).  The top 10 name server operators with problem domains are:

  This Month           Last month
  ----------           ----------
  147 online.net [*]   363 worldnic.com   
  124 worldnic.com     123 axc.nl         
  117 axc.nl            74 ebola.cz       
   73 ebola.cz          57 openprovider.nl
   57 openprovider.nl   38 epik.com       
   39 epik.com          32 psi-japan.net  
   32 active24.cz       32 active24.cz    
   28 made-easy.ch      28 made-easy.ch   
   21 renault.fr        21 register.com   
   21 register.com      17 sectigoweb.com 

   [*] Notified and acknowledged.

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Just one of the domains all of whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:

  mailazy.net

--
      Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

univie.ac.at                  jpberlin.de                esuals.nl
gmx.at                        lmu.de                     expeditionfestival.nl
aarquiteta.com.br             lrz.de                     ezorg.nl
cetelemnegocie.com.br         mail.de                    fivecityspa.nl
nic.br                        marburger-bund-zeitung.de  hobbygigant.nl
registro.br                   mensa.de                   home.nl
activfitness-news.ch          mpg.de                     hr.nl
cbd420.ch                     posteo.de                  interconnect.nl
englmaier.ch                  ruhr-uni-bochum.de         interim-netwerk.nl
gmx.ch                        schlittermann.de           jayno.nl
hostpoint.ch                  tum.de                     kiesrijk.nl
infomaniak.ch                 tutanota.de                lico.nl
linsenkontakt.ch              uni-augsburg.de            luxiez.nl
msochrono.ch                  uni-erlangen.de            mail-studio.nl
open.ch                       uni-muenchen.de            mailmore.nl
protonmail.ch                 vicinityclo.de             mailon.nl
sms-gagnant.ch                web.de                     mailplus.nl
switch.ch                     westlotto.de               managementboek.nl
simplelogin.co                allbuy.dk                  markteffectmail.nl
402automotive.com             australian-bodycare.dk     mcmta.nl
addymail.com                  barons.dk                  mijndomein.nl
albourne.com                  dfi.dk                     minbzk.nl
anonaddy.com                  dinhstore.dk               mindef.nl
beaconx.com                   dk-hostmaster.dk           mm1.nl
bymalina.com                  exoticmix.dk               mulderretail.nl
colourfulrebel.com            fibianet.dk                nieuwsservice-rvo.nl
connectsb.com                 fvst.dk                    ns.nl
dailyplaylists.com            gastrotools.dk             orangebag.nl
datev.com                     ixstudioscph.dk            otys.nl
elementalraiders.com          kompetenceudvikling.dk     ouderenfonds.nl
fabfilter.com                 konkurspriser.dk           ouderportaal.nl
farmergracy.com               labelking.dk               overheid.nl
fastware-hosting.com          lacabra.dk                 partijvoordedieren.nl
flaneurhomme.com              mobilcovers.dk             paypro.nl
gmx.com                       musclehouse.dk             ploegendienst-festival.nl
groed.com                     netic.dk                   podiumcadeaukaart.nl
habr.com                      nimara.dk                  politie.nl
hoobly.com                    nordd.dk                   pp-prd.nl
hotelsinduitsland.com         nota.dk                    previder.nl
imcnig.com                    oddsprofit.dk              quicknet.nl
infomaniak.com                perfectjeans.dk            rijksoverheid.nl
ingthink.com                  peterhald.dk               rotterdam.nl
jesuis1as.com                 seniornews.dk              rug.nl
johnbeerens.com               shapeit.dk                 rvo.nl
joomlapolis.com               shellcard.dk               sans-mail.nl
jula.com                      smoon.dk                   schoudercom.nl
kabayarefashion.com           stil.dk                    schuurman-schoenen.nl
kantarresearch.com            stori.dk                   smartwatchbanden.nl
klbrlive.com                  teeshoppen.dk              sportrusten.nl
leszexpertsfle.com            thesneakerstore.dk         ssonet.nl
librti.com                    tricommerce.dk             stater.nl
liefleven.com                 trueliving.dk              surfspot.nl
mactabeauty.com               uvm.dk                     telefoonglaasje.nl
mail.com                      wavell.dk                  thealphamen.nl
matilhadobemadestramento.com  yummihaircare.dk           transip.nl
mplbeauty.com                 tilburguniversity.edu      travelclown.nl
nanolearning.com              holtmail.ee                triodos.nl
nine-pine.com                 myownconference.email      upcmail.nl
one.com                       spike.email                uvt.nl
orsys.com                     spotler.email              uwv.nl
orverkiezing.com              talentech.email            valtifest.nl
pieter-pot.com                nuudcare.es                vimexx.nl
pompomlondon.com              triodos.es                 voorpositiviteit.nl
ppcpcv.com                    egu.eu                     wannahavesfashion.nl
protonmail.com                litebit.eu                 watchbandjes-shop.nl
protonvpn.com                 qard.eu                    waternet.nl
run-motion.com                skhosting.eu               xel.nl
runbox.com                    tbibank.eu                 ziggo.nl
sankakucomplex.com            zone.eu                    zorgmail.nl
scorecloud.com                zonevs.eu                  annabellstefanussen.no
serverclienti.com             handelsbanken.fi           audi.no
solvinity.com                 metaburn.fi                domeneshop.no
stasdock.com                  tarjousrinki.fi            guttelus.no
stater.com                    traficom.fi                handelsbanken.no
stellarequipment.com          ac-strasbourg.fr           hyttefeber.no
t-2.com                       compagnie-des-sens.fr      idrettenonline.no
thalesgroup.com               edtm-actu.fr               mystuff.no
thepcw.com                    nuudcare.fr                naprapatlandslaget.no
thepcwholesale.com            oo2.fr                     nordicprint.no
triodos.com                   privea.fr                  norskgrammatikk.no
truewaykids.com               nsa.gov                    rushtrampoline.no
tutanota.com                  fidesz.hu                  spillfabrikken.no
up2staff.com                  mszp.hu                    uib.no
veganallsorts.com             pandi.id                   atelkamera.nu
veka.com                      bluebiz.info               goget.nu
vendiblelabs.com              netabuse.info              lenhud.nu
vivaldi.com                   eurocontrol.int            aegee.org
webcruiter.com                neolink.link               debian.org
webmailph.com                 anonaddy.me                exim.org
xfinity.com                   pm.me                      freebsd.org
xfinityhomesecurity.com       proton.me                  gentoo.org
xfinitymobile.com             army.mil                   ietf.org
bncr.fi.cr                    dla.mil                    isc.org
airbank.cz                    health.mil                 mailbox.org
akce-incomputer.cz            jten.mil                   mailop.org
amenit.cz                     mail.mil                   netbsd.org
bewooden.cz                   militaryonesource.mil      openssl.org
csob.cz                       navy.mil                   ozlabs.org
cuni.cz                       nga.mil                    samba.org
dedra.cz                      osd.mil                    torproject.org
e-kondomy.cz                  socom.mil                  kemono.party
fio.cz                        uscg.mil                   biotechnologia.com.pl
itesco.cz                     usmc.mil                   mobily.com.sa
kb.cz                         apnic.net                  bilprovningen.se
klenotyaurum.cz               comcast.net                damernasmagasin.se
klubpevnehozdravi.cz          ewetel.net                 ecster.se
ksporting.cz                  fivem.net                  geflemetalfestival.se
manymail.cz                   gmx.net                    handelsbanken.se
mfcr.cz                       habramail.net              lnu.se
mkluzkoviny.cz                hr-manager.net             loopia.se
mojedatovaschranka.cz         mijngezondheid.net         merchsweden.se
muni.cz                       mpssec.net                 minmyndighetspost.se
nic.cz                        procurios.net              nordicprint.se
optimail.cz                   ripe.net                   parksnackan.se
outlet-alpine.cz              riseup.net                 polisen.se
poptavej.cz                   s-qrc.net                  silverdotter.se
predplatit.cz                 t-2.net                    skatteverket.se
scrptd.cz                     transip.net                teknikdelar.se
server4u.cz                   123watches.nl              theletter.se
smtp.cz                       amsterdam.nl               websupport.se
stoklasa.cz                   aquastorexl.nl             centrum.sk
tiscali.cz                    argeweb.nl                 dovypredania.sk
vas-server.cz                 belastingdienst.nl         e-slovak.sk
vcelka.cz                     beterspellen.nl            fio.sk
virusfree.cz                  bibliotheekdenhaag.nl      kadernickyservis.sk
volny.cz                      blushfashionstore.nl       mklozkoviny.sk
zdravestravovani.cz           boekwinkeltjes.nl          naau.sk
123watches.de                 boozyshop.nl               pneusvet.sk
bayern.de                     bratsites-grs.nl           pobox.sk
brandenburg.de                bruut.nl                   rondogo.sk
bund.de                       burgernet.nl               satro.sk
bundesregierung.de            casema.nl                  teacher.sk
datev.de                      cbr.nl                     zapardrobnych.sk
dfn.de                        chello.nl                  simpcity.su
elster.de                     denhaag.nl                 adelina.com.ua
ewetel.de                     derooijfotografie.nl       triodos.co.uk
fau.de                        dictu.nl                   govtrack.us
freenet.de                    digid.nl                   nuudcare.us
gmx.de                        dimehouse.nl               quantum-services.us
hi7.de                        duo.nl                     ru.ac.za
huellen-shop.de
