Update on stats 2022-08

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Sep 1 02:33:46 CEST 2022

Summary:  The DANE domain count is now 3,598,975 (c.f. 3,584,050 last

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 19,332,285 (up from 19,130,407 last
          month).  Thus DANE TLSA is deployed on ~18.61% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

          registrar-servers.com (Namecheap) and mijndomein.nl resolved
          all their outstanding TLSA record denial of existence issues,
          contributing to a reduction in problem domains from ~2k to ~1k.

As of today I count ~3.60 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last Month
  ----------                   ----------
  1236565 one.com              1236935 one.com             
   281674 hostpoint.ch          280585 hostpoint.ch        
   190849 infomaniak.ch         189107 infomaniak.ch       
   185033 mijndomein.nl         184512 mijndomein.nl       
   163544 transip.nl            162755 transip.nl          
   159122 argewebhosting.nl     159073 argewebhosting.nl   
   112282 hostnet.nl            112570 hostnet.nl          
   108076 domeneshop.no         107805 domeneshop.no       
   107087 jouwweb.nl            104255 jouwweb.nl          
    97044 loopia.se              96819 loopia.se           
    94545 webhostingserver.nl    94919 webhostingserver.nl 
    77900 forpsi.com             77692 forpsi.com          
    63883 zxcs.nl                63160 zxcs.nl             
    47339 active24.com           47265 active24.com        
    40371 webreus.nl             40191 webreus.nl          
    39576 antagonist.nl          39451 antagonist.nl       
    34177 pcextreme.nl           34401 pcextreme.nl        
    30328 protonmail.ch          29158 protonmail.ch       
    28469 xel.nl                 27581 udmedia.de          
    27636 udmedia.de             26543 web4u.cz            

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk.  Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat

  This month                Last month
  -----------               -----------
  10154 TOTAL               10134 TOTAL              
   3062 DE, Germany          3005 DE, Germany        
   1845 NL, Netherlands      1894 NL, Netherlands    
   1780 US, United States    1774 US, United States  
    766 FR, France            763 FR, France         
    355 GB, United Kingdom    356 GB, United Kingdom 
    340 CZ, Czechia           338 CZ, Czechia        
    239 FI, Finland           235 FI, Finland        
    220 CA, Canada            224 CA, Canada         
    151 AT, Austria           156 AT, Austria        
    128 DK, Denmark           129 CH, Switzerland    
    127 CH, Switzerland       127 SG, Singapore      
    124 SG, Singapore         127 DK, Denmark        
    120 SE, Sweden            110 SE, Sweden         
    110 AU, Australia         110 AU, Australia      
     57 PL, Poland             56 PL, Poland         
     55 RU, Russia             54 RU, Russia         
     54 JP, Japan              54 JP, Japan          
     49 NO, Norway             48 NO, Norway         
     38 BR, Brazil             41 IE, Ireland        
     35 IE, Ireland            40 BR, Brazil         

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  7992 TOTAL               7968 TOTAL               
  3557 NL, Netherlands     3557 NL, Netherlands     
  2264 DE, Germany         2241 DE, Germany         
   849 US, United States    831 US, United States   
   341 FR, France           347 FR, France          
   180 CZ, Czechia          172 CZ, Czechia         
   152 GB, United Kingdom   149 GB, United Kingdom  
    74 FI, Finland           77 CH, Switzerland     
    67 CA, Canada            76 FI, Finland         
    61 CH, Switzerland       65 CA, Canada          
    50 AU, Australia         54 AU, Australia       
    47 AT, Austria           43 SE, Sweden          
    44 SE, Sweden            36 SG, Singapore       
    38 SG, Singapore         36 JP, Japan           
    34 JP, Japan             35 AT, Austria         
    23 NO, Norway            24 RU, Russia          
    20 DK, Denmark           21 NO, Norway          
    19 IE, Ireland           20 DK, Denmark         
    17 BR, Brazil            19 IE, Ireland         
    12 LT, Lithuania         16 BR, Brazil          
    11 RO, Romania           12 LT, Lithuania       

There are 8,468 unique zones (8,375 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 17,855 (17,725 last
month).  These cover 18,152 distinct MX hosts (18,019 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 714 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 405
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.60 million DANE domains, 13,723 (13,921 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.  While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,349
(2,442 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

  105   mail.blueconsulting.cz
   87   vps01.marcus.services 
   85   beta.itcomputers.eu   
   34   mx2.synetcon.net      
   18   mx3.hug.info          
   18   mx1.mdbraber.com      
   17   mx1.traxion.com       
   15   artemis.strebsjig.net 
   14   mx2.traxion.com       
   13   postagrosu.grosu.ro   

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month).  The top 10 name server operators with problem domains are:

  This Month                 Last month
  ----------                 ----------
  357 worldnic.com           593 registrar-servers.com
  134 axc.nl                 402 worldnic.com         
   75 ebola.cz               249 mijndomein.nl        
   60 openprovider.nl        138 axc.nl               
   41 psi-japan.net           77 ebola.cz             
   34 active24.cz             60 openprovider.nl      
   28 made-easy.ch            55 zihlmann.net         
   25 ns01.nl                 41 psi-japan.net        
   22 register.com            29 made-easy.ch         
   18 epik.com                26 ns01.nl              

   [ Many thanks to Namecheap and Mijndomein for resolving all issues for their
     customer domains. ]

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Three of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:



[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency

univie.ac.at                  bayern.de               fivecityspa.nl
gmx.at                        brandenburg.de          herinneringenoplinnen.nl
vbv.at                        bund.de                 hobbygigant.nl
tip.net.au                    bundesregierung.de      hostnet.nl
cetelemnegocie.com.br         datev.de                hr.nl
e-negociacao.com.br           dfn.de                  interconnect.nl
nic.br                        elster.de               interim-netwerk.nl
registro.br                   ewetel.de               jayno.nl
activfitness-news.ch          fau.de                  kiesrijk.nl
cbd420.ch                     freenet.de              lico.nl
englmaier.ch                  gmx.de                  luxiez.nl
gmx.ch                        jpberlin.de             mail-studio.nl
hostpoint.ch                  lmu.de                  mailplus.nl
infomaniak.ch                 lrz.de                  managementboek.nl
linsenkontakt.ch              mail.de                 markteffectmail.nl
migros-runnwin.ch             mpg.de                  mcmta.nl
onemillionrun.ch              posteo.de               mijndomein.nl
open.ch                       ruhr-uni-bochum.de      minbzk.nl
protonmail.ch                 spacenet.de             mindef.nl
sms-gagnant.ch                tum.de                  mm1.nl
switch.ch                     tutanota.de             mulderretail.nl
simplelogin.co                uni-augsburg.de         ndt.nl
402automotive.com             uni-erlangen.de         netsamen.nl
albourne.com                  uni-muenchen.de         nieuwsservice-rvo.nl
also.com                      vicinityclo.de          ns.nl
altospam.com                  web.de                  orangebag.nl
beaconx.com                   westlotto.de            otys.nl
bymalina.com                  allbuy.dk               ouderportaal.nl
cm.com                        dk-hostmaster.dk        overheid.nl
connectsb.com                 fibianet.dk             partijvoordedieren.nl
cryptowallet.com              fvst.dk                 ploegendienst-festival.nl
dailyplaylists.com            inkpro.dk               politie.nl
datev.com                     juliesandlau.dk         pp-prd.nl
elementalraiders.com          kompetenceudvikling.dk  previder.nl
fabfilter.com                 labelking.dk            rdw.nl
fastware-hosting.com          netic.dk                rijksoverheid.nl
flaneurhomme.com              nordd.dk                roken.nl
gmx.com                       nota.dk                 rotterdam.nl
groed.com                     peterhald.dk            rug.nl
habr.com                      powerhosting.dk         rvo.nl
hoobly.com                    seniornews.dk           sans-mail.nl
hotelsinduitsland.com         shapeit.dk              schoudercom.nl
imcnig.com                    shellcard.dk            schuurman-schoenen.nl
infomaniak.com                stil.dk                 smartwatchbanden.nl
ingthink.com                  uvm.dk                  sportrusten.nl
johnbeerens.com               webhosting.dk           ssonet.nl
joomlapolis.com               tilburguniversity.edu   stater.nl
jula.com                      holtmail.ee             telefoonglaasje.nl
kabayarefashion.com           just.ee                 thealphamen.nl
klbrlive.com                  rik.ee                  transip.nl
leszexpertsfle.com            myownconference.email   travelclown.nl
librti.com                    spike.email             triodos.nl
liefleven.com                 spotler.email           uitgeverijpica.nl
mactabeauty.com               talentech.email         utwente.nl
mail.com                      nuudcare.es             uvt.nl
mailfence.com                 rediris.es              uwv.nl
matilhadobemadestramento.com  triodos.es              valys.nl
mplbeauty.com                 uv.es                   vimexx.nl
mx-relay.com                  egu.eu                  visitoost.nl
nanolearning.com              finesoftware.eu         visittwente.nl
nine-pine.com                 skhosting.eu            voorpositiviteit.nl
one.com                       tbibank.eu              vrijevolkfestival.nl
orsys.com                     zone.eu                 wannahavesfashion.nl
orverkiezing.com              zonevs.eu               watchbandjes-shop.nl
pieter-pot.com                fsol.fi                 waternet.nl
polyas.com                    handelsbanken.fi        xel.nl
pompomlondon.com              metaburn.fi             ziggo.nl
ppcpcv.com                    tarjousrinki.fi         zorgmail.nl
protonmail.com                ac-strasbourg.fr        annabellstefanussen.no
protonvpn.com                 compagnie-des-sens.fr   audi.no
renworkshops.com              edtm-actu.fr            derute.no
run-motion.com                kangouroukids.fr        domeneshop.no
runbox.com                    nuudcare.fr             guttelus.no
sankakucomplex.com            oo2.fr                  handelsbanken.no
scorecloud.com                privea.fr               hyttefeber.no
serverclienti.com             fidesz.hu               idrettenonline.no
societe.com                   pandi.id                mystuff.no
solvinity.com                 bluebiz.info            naprapatlandslaget.no
stater.com                    eurocontrol.int         nordicprint.no
stellarequipment.com          neolink.link            norskgrammatikk.no
t-2.com                       anonaddy.me             plukkselv.no
thalesgroup.com               pm.me                   rushtrampoline.no
thepcw.com                    proton.me               spillfabrikken.no
thepcwholesale.com            army.mil                uib.no
triodos.com                   dla.mil                 analysedanmark.nu
truewaykids.com               health.mil              atelkamera.nu
tutanota.com                  jten.mil                goget.nu
up2staff.com                  mail.mil                lenhud.nu
veganallsorts.com             militaryonesource.mil   debian.org
vivaldi.com                   navy.mil                freebsd.org
webcruiter.com                nga.mil                 gentoo.org
webmailph.com                 osd.mil                 ietf.org
xfinity.com                   socom.mil               isc.org
xfinityhomesecurity.com       uscg.mil                mailbox.org
xfinitymobile.com             usmc.mil                mailop.org
bncr.fi.cr                    comcast.net             netbsd.org
airbank.cz                    ewetel.net              openssl.org
akce-incomputer.cz            fivem.net               oraclegirl.org
amenit.cz                     gmx.net                 ozlabs.org
atlas.cz                      habramail.net           samba.org
bewooden.cz                   hr-manager.net          torproject.org
centrum.cz                    inexio.net              biotechnologia.com.pl
csob.cz                       mijngezondheid.net      mobily.com.sa
cuni.cz                       mpssec.net              barons.se
dedra.cz                      procurios.net           bilprovningen.se
directmail-fraus.cz           ripe.net                ecster.se
e-kondomy.cz                  riseup.net              geflemetalfestival.se
ekokoza.cz                    t-2.net                 handelsbanken.se
fio.cz                        transip.net             lomervarde.se
itesco.cz                     123watches.nl           loopia.se
itnetwork.cz                  agriton.nl              minmyndighetspost.se
kb.cz                         amsterdam.nl            nordicprint.se
klenotyaurum.cz               aquastorexl.nl          parksnackan.se
klubpevnehozdravi.cz          belastingdienst.nl      polisen.se
ksporting.cz                  beterspellen.nl         silverdotter.se
manymail.cz                   blushfashionstore.nl    skatteverket.se
mfcr.cz                       bobo.nl                 teknikdelar.se
mkluzkoviny.cz                boekwinkeltjes.nl       theletter.se
muni.cz                       boozyshop.nl            centrum.sk
nanospace.cz                  bratsites-grs.nl        dovypredania.sk
nic.cz                        bruut.nl                e-slovak.sk
onebit.cz                     burgernet.nl            kadernickyservis.sk
optimail.cz                   cbr.nl                  mklozkoviny.sk
outlet-alpine.cz              cbs.nl                  naau.sk
poptavej.cz                   corpoflow.nl            pneusvet.sk
predplatit.cz                 derooijfotografie.nl    pobox.sk
scrptd.cz                     dictu.nl                rondogo.sk
server4u.cz                   digid.nl                satro.sk
smtp.cz                       dimehouse.nl            teacher.sk
stoklasa.cz                   duo.nl                  zapardrobnych.sk
vas-server.cz                 eco-logisch.nl          adelina.com.ua
virusfree.cz                  edenhotels.nl           triodos.co.uk
volny.cz                      esuals.nl               govtrack.us
zdravestravovani.cz           expeditionfestival.nl   quantum-services.us
123watches.de                 ezorg.nl                ru.ac.za

More information about the dane-users mailing list