Update on stats 2022-08
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Sep 1 02:33:46 CEST 2022
Summary: The DANE domain count is now 3,598,975 (c.f. 3,584,050 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 19,332,285 (up from 19,130,407 last
month). Thus DANE TLSA is deployed on ~18.61% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
registrar-servers.com (Namecheap) and mijndomein.nl resolved
all their outstanding TLSA record denial of existence issues,
contributing to a reduction in problem domains from ~2k to ~1k.
As of today I count ~3.60 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1236565 one.com 1236935 one.com
281674 hostpoint.ch 280585 hostpoint.ch
190849 infomaniak.ch 189107 infomaniak.ch
185033 mijndomein.nl 184512 mijndomein.nl
163544 transip.nl 162755 transip.nl
159122 argewebhosting.nl 159073 argewebhosting.nl
112282 hostnet.nl 112570 hostnet.nl
108076 domeneshop.no 107805 domeneshop.no
107087 jouwweb.nl 104255 jouwweb.nl
97044 loopia.se 96819 loopia.se
94545 webhostingserver.nl 94919 webhostingserver.nl
77900 forpsi.com 77692 forpsi.com
63883 zxcs.nl 63160 zxcs.nl
47339 active24.com 47265 active24.com
40371 webreus.nl 40191 webreus.nl
39576 antagonist.nl 39451 antagonist.nl
34177 pcextreme.nl 34401 pcextreme.nl
30328 protonmail.ch 29158 protonmail.ch
28469 xel.nl 27581 udmedia.de
27636 udmedia.de 26543 web4u.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month
----------- -----------
10154 TOTAL 10134 TOTAL
3062 DE, Germany 3005 DE, Germany
1845 NL, Netherlands 1894 NL, Netherlands
1780 US, United States 1774 US, United States
766 FR, France 763 FR, France
355 GB, United Kingdom 356 GB, United Kingdom
340 CZ, Czechia 338 CZ, Czechia
239 FI, Finland 235 FI, Finland
220 CA, Canada 224 CA, Canada
151 AT, Austria 156 AT, Austria
128 DK, Denmark 129 CH, Switzerland
127 CH, Switzerland 127 SG, Singapore
124 SG, Singapore 127 DK, Denmark
120 SE, Sweden 110 SE, Sweden
110 AU, Australia 110 AU, Australia
57 PL, Poland 56 PL, Poland
55 RU, Russia 54 RU, Russia
54 JP, Japan 54 JP, Japan
49 NO, Norway 48 NO, Norway
38 BR, Brazil 41 IE, Ireland
35 IE, Ireland 40 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
7992 TOTAL 7968 TOTAL
3557 NL, Netherlands 3557 NL, Netherlands
2264 DE, Germany 2241 DE, Germany
849 US, United States 831 US, United States
341 FR, France 347 FR, France
180 CZ, Czechia 172 CZ, Czechia
152 GB, United Kingdom 149 GB, United Kingdom
74 FI, Finland 77 CH, Switzerland
67 CA, Canada 76 FI, Finland
61 CH, Switzerland 65 CA, Canada
50 AU, Australia 54 AU, Australia
47 AT, Austria 43 SE, Sweden
44 SE, Sweden 36 SG, Singapore
38 SG, Singapore 36 JP, Japan
34 JP, Japan 35 AT, Austria
23 NO, Norway 24 RU, Russia
20 DK, Denmark 21 NO, Norway
19 IE, Ireland 20 DK, Denmark
17 BR, Brazil 19 IE, Ireland
12 LT, Lithuania 16 BR, Brazil
11 RO, Romania 12 LT, Lithuania
There are 8,468 unique zones (8,375 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,855 (17,725 last
month). These cover 18,152 distinct MX hosts (18,019 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 714 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 405
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.60 million DANE domains, 13,723 (13,921 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,349
(2,442 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
105 mail.blueconsulting.cz
87 vps01.marcus.services
85 beta.itcomputers.eu
34 mx2.synetcon.net
18 mx3.hug.info
18 mx1.mdbraber.com
17 mx1.traxion.com
15 artemis.strebsjig.net
14 mx2.traxion.com
13 postagrosu.grosu.ro
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
357 worldnic.com 593 registrar-servers.com
134 axc.nl 402 worldnic.com
75 ebola.cz 249 mijndomein.nl
60 openprovider.nl 138 axc.nl
41 psi-japan.net 77 ebola.cz
34 active24.cz 60 openprovider.nl
28 made-easy.ch 55 zihlmann.net
25 ns01.nl 41 psi-japan.net
22 register.com 29 made-easy.ch
18 epik.com 26 ns01.nl
[ Many thanks to Namecheap and Mijndomein for resolving all issues for their
customer domains. ]
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Three of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
urbtix.hk
mailazy.net
kprm.gov.pl
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at bayern.de fivecityspa.nl
gmx.at brandenburg.de herinneringenoplinnen.nl
vbv.at bund.de hobbygigant.nl
tip.net.au bundesregierung.de hostnet.nl
cetelemnegocie.com.br datev.de hr.nl
e-negociacao.com.br dfn.de interconnect.nl
nic.br elster.de interim-netwerk.nl
registro.br ewetel.de jayno.nl
activfitness-news.ch fau.de kiesrijk.nl
cbd420.ch freenet.de lico.nl
englmaier.ch gmx.de luxiez.nl
gmx.ch jpberlin.de mail-studio.nl
hostpoint.ch lmu.de mailplus.nl
infomaniak.ch lrz.de managementboek.nl
linsenkontakt.ch mail.de markteffectmail.nl
migros-runnwin.ch mpg.de mcmta.nl
onemillionrun.ch posteo.de mijndomein.nl
open.ch ruhr-uni-bochum.de minbzk.nl
protonmail.ch spacenet.de mindef.nl
sms-gagnant.ch tum.de mm1.nl
switch.ch tutanota.de mulderretail.nl
simplelogin.co uni-augsburg.de ndt.nl
402automotive.com uni-erlangen.de netsamen.nl
albourne.com uni-muenchen.de nieuwsservice-rvo.nl
also.com vicinityclo.de ns.nl
altospam.com web.de orangebag.nl
beaconx.com westlotto.de otys.nl
bymalina.com allbuy.dk ouderportaal.nl
cm.com dk-hostmaster.dk overheid.nl
connectsb.com fibianet.dk partijvoordedieren.nl
cryptowallet.com fvst.dk ploegendienst-festival.nl
dailyplaylists.com inkpro.dk politie.nl
datev.com juliesandlau.dk pp-prd.nl
elementalraiders.com kompetenceudvikling.dk previder.nl
fabfilter.com labelking.dk rdw.nl
fastware-hosting.com netic.dk rijksoverheid.nl
flaneurhomme.com nordd.dk roken.nl
gmx.com nota.dk rotterdam.nl
groed.com peterhald.dk rug.nl
habr.com powerhosting.dk rvo.nl
hoobly.com seniornews.dk sans-mail.nl
hotelsinduitsland.com shapeit.dk schoudercom.nl
imcnig.com shellcard.dk schuurman-schoenen.nl
infomaniak.com stil.dk smartwatchbanden.nl
ingthink.com uvm.dk sportrusten.nl
johnbeerens.com webhosting.dk ssonet.nl
joomlapolis.com tilburguniversity.edu stater.nl
jula.com holtmail.ee telefoonglaasje.nl
kabayarefashion.com just.ee thealphamen.nl
klbrlive.com rik.ee transip.nl
leszexpertsfle.com myownconference.email travelclown.nl
librti.com spike.email triodos.nl
liefleven.com spotler.email uitgeverijpica.nl
mactabeauty.com talentech.email utwente.nl
mail.com nuudcare.es uvt.nl
mailfence.com rediris.es uwv.nl
matilhadobemadestramento.com triodos.es valys.nl
mplbeauty.com uv.es vimexx.nl
mx-relay.com egu.eu visitoost.nl
nanolearning.com finesoftware.eu visittwente.nl
nine-pine.com skhosting.eu voorpositiviteit.nl
one.com tbibank.eu vrijevolkfestival.nl
orsys.com zone.eu wannahavesfashion.nl
orverkiezing.com zonevs.eu watchbandjes-shop.nl
pieter-pot.com fsol.fi waternet.nl
polyas.com handelsbanken.fi xel.nl
pompomlondon.com metaburn.fi ziggo.nl
ppcpcv.com tarjousrinki.fi zorgmail.nl
protonmail.com ac-strasbourg.fr annabellstefanussen.no
protonvpn.com compagnie-des-sens.fr audi.no
renworkshops.com edtm-actu.fr derute.no
run-motion.com kangouroukids.fr domeneshop.no
runbox.com nuudcare.fr guttelus.no
sankakucomplex.com oo2.fr handelsbanken.no
scorecloud.com privea.fr hyttefeber.no
serverclienti.com fidesz.hu idrettenonline.no
societe.com pandi.id mystuff.no
solvinity.com bluebiz.info naprapatlandslaget.no
stater.com eurocontrol.int nordicprint.no
stellarequipment.com neolink.link norskgrammatikk.no
t-2.com anonaddy.me plukkselv.no
thalesgroup.com pm.me rushtrampoline.no
thepcw.com proton.me spillfabrikken.no
thepcwholesale.com army.mil uib.no
triodos.com dla.mil analysedanmark.nu
truewaykids.com health.mil atelkamera.nu
tutanota.com jten.mil goget.nu
up2staff.com mail.mil lenhud.nu
veganallsorts.com militaryonesource.mil debian.org
vivaldi.com navy.mil freebsd.org
webcruiter.com nga.mil gentoo.org
webmailph.com osd.mil ietf.org
xfinity.com socom.mil isc.org
xfinityhomesecurity.com uscg.mil mailbox.org
xfinitymobile.com usmc.mil mailop.org
bncr.fi.cr comcast.net netbsd.org
airbank.cz ewetel.net openssl.org
akce-incomputer.cz fivem.net oraclegirl.org
amenit.cz gmx.net ozlabs.org
atlas.cz habramail.net samba.org
bewooden.cz hr-manager.net torproject.org
centrum.cz inexio.net biotechnologia.com.pl
csob.cz mijngezondheid.net mobily.com.sa
cuni.cz mpssec.net barons.se
dedra.cz procurios.net bilprovningen.se
directmail-fraus.cz ripe.net ecster.se
e-kondomy.cz riseup.net geflemetalfestival.se
ekokoza.cz t-2.net handelsbanken.se
fio.cz transip.net lomervarde.se
itesco.cz 123watches.nl loopia.se
itnetwork.cz agriton.nl minmyndighetspost.se
kb.cz amsterdam.nl nordicprint.se
klenotyaurum.cz aquastorexl.nl parksnackan.se
klubpevnehozdravi.cz belastingdienst.nl polisen.se
ksporting.cz beterspellen.nl silverdotter.se
manymail.cz blushfashionstore.nl skatteverket.se
mfcr.cz bobo.nl teknikdelar.se
mkluzkoviny.cz boekwinkeltjes.nl theletter.se
muni.cz boozyshop.nl centrum.sk
nanospace.cz bratsites-grs.nl dovypredania.sk
nic.cz bruut.nl e-slovak.sk
onebit.cz burgernet.nl kadernickyservis.sk
optimail.cz cbr.nl mklozkoviny.sk
outlet-alpine.cz cbs.nl naau.sk
poptavej.cz corpoflow.nl pneusvet.sk
predplatit.cz derooijfotografie.nl pobox.sk
scrptd.cz dictu.nl rondogo.sk
server4u.cz digid.nl satro.sk
smtp.cz dimehouse.nl teacher.sk
stoklasa.cz duo.nl zapardrobnych.sk
vas-server.cz eco-logisch.nl adelina.com.ua
virusfree.cz edenhotels.nl triodos.co.uk
volny.cz esuals.nl govtrack.us
zdravestravovani.cz expeditionfestival.nl quantum-services.us
123watches.de ezorg.nl ru.ac.za
More information about the dane-users
mailing list