Update on stats 2023-03

Viktor Dukhovni ietf-dane at dukhovni.org
Sat Apr 1 06:28:46 CEST 2023

Summary:  The DANE domain count is now 3,757,347 (c.f. 3,736,374 last

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 21,668,375 (up from 21,281,794 last
          month).  Thus DANE TLSA is deployed on ~17.34% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today, I count ~3.76 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last month
  ----------                   ----------
  1216468 one.com              1215654 one.com
   291651 hostpoint.ch          289485 hostpoint.ch
   198402 infomaniak.ch         196800 infomaniak.ch
   171386 mijndomein.nl         172687 mijndomein.nl
   168662 transip.nl            167821 transip.nl
   150632 argewebhosting.nl     149959 argewebhosting.nl
   132031 simply.com            134211 simply.com
   131058 jouwweb.nl            125968 jouwweb.nl
   111481 hostnet.nl            111664 hostnet.nl
   109384 domeneshop.no         108890 domeneshop.no
   105514 loopia.se             105306 loopia.se
    93365 webhostingserver.nl    93785 webhostingserver.nl
    81969 forpsi.com             81009 forpsi.com
    70541 zxcs.nl                69228 zxcs.nl
    42507 active24.com           43479 active24.com
    40146 antagonist.nl          39825 antagonist.nl
    38632 webreus.nl             38913 webreus.nl
    38462 protonmail.ch          37357 protonmail.ch
    31898 pcextreme.nl           32264 pcextreme.nl
    29021 xel.nl                 29069 xel.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk.  Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat

  This month                Last month
  -----------               ----------
  10944 TOTAL               10767 TOTAL
   3373 DE, Germany          3307 DE, Germany
   1893 NL, Netherlands      1878 NL, Netherlands
   1881 US, United States    1848 US, United States
    795 FR, France            785 FR, France
    423 CZ, Czechia           407 CZ, Czechia
    360 GB, United Kingdom    352 GB, United Kingdom
    248 FI, Finland           244 FI, Finland
    210 CA, Canada            212 CA, Canada
    183 AT, Austria           172 AT, Austria
    143 CH, Switzerland       148 CH, Switzerland
    142 SE, Sweden            137 SE, Sweden
    136 DK, Denmark           135 DK, Denmark
    133 AU, Australia         134 AU, Australia
    117 SG, Singapore         117 SG, Singapore
     84 PL, Poland             78 PL, Poland
     60 RU, Russia             60 RU, Russia
     59 JP, Japan              58 JP, Japan
     51 NO, Norway             46 NO, Norway
     42 IT, Italy              45 IT, Italy
     41 BR, Brazil             44 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  8576 TOTAL               8447 TOTAL
  3700 NL, Netherlands     3654 NL, Netherlands
  2466 DE, Germany         2411 DE, Germany
   887 US, United States    863 US, United States
   374 FR, France           320 GB, United Kingdom
   173 CZ, Czechia          257 FR, France
   170 GB, United Kingdom   172 CZ, Czechia
   107 FI, Finland           74 FI, Finland
    80 CA, Canada            74 AU, Australia
    71 AU, Australia         73 CA, Canada
    65 CH, Switzerland       68 CH, Switzerland
    59 SE, Sweden            62 SE, Sweden
    59 AT, Austria           59 AT, Austria
    43 SG, Singapore         44 SG, Singapore
    36 JP, Japan             36 JP, Japan
    25 DK, Denmark           23 NO, Norway
    24 NO, Norway            22 DK, Denmark
    21 RO, Romania           20 RO, Romania
    19 IE, Ireland           19 BR, Brazil
    17 UA, Ukraine           18 IE, Ireland
    15 BR, Brazil            16 UA, Ukraine

There are 9,085 unique zones (8,914 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 19,555 (19,359 last
month).  These cover 19,853 distinct MX hosts (19,653 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 913 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 550
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.76 million DANE domains, 12,979 (12,926 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts.  While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 3,354
(3,139 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

   1780   mail-in.box.nl
    110   mail.blueconsulting.cz
     38   mail.itcomputers.net
     37   mx1.mdbraber.com
     31   mx1.synetcon.net
     24   cloud.onvori.com
     18   semark.dk
     18   mx1.traxion.com
     16   mx1.iis.se
     15   mail.return-path.dk

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,998 (3,237 last
month).  The top 10 name server operators with problem domains are:

  This month            Last month
  ----------            ----------
  1868 neostrada.nl     2064 neostrada.nl
   117 worldnic.com      133 worldnic.com
    83 epik.com          101 online.net
    79 dnssrv.nl          97 dnssrv.nl
    71 ebola.cz           88 axc.nl
    46 openprovider.nl    84 epik.com
    17 register.com       72 ebola.cz
    16 sectigoweb.com     60 openprovider.nl
    12 ispapi.net         20 register.com
    10 axc.nl             17 sectigoweb.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:



[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency


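The categories used in this report (full DANE, "partial" coverage, broken TLSA records or missing STARTTLS, and the dead-MX case in footnote [1]) can be sketched as a monitoring check. This is an added example, not code from the original post or from the survey's own tooling. The host dictionary layout, the function names and the sample byte strings are assumptions; MX preference is ignored and only DANE-EE (usage 3) records are matched.

```python
import hashlib

DIGEST_LEN = {1: 32, 2: 64}  # TLSA matching type -> digest size in bytes

def well_formed(rr):
    """rr = (usage, selector, mtype, hex_data); SMTP uses usages 2 and 3."""
    usage, selector, mtype, hex_data = rr
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    try:
        data = bytes.fromhex(hex_data)
    except ValueError:
        return False
    return len(data) == DIGEST_LEN[mtype] if mtype else len(data) > 0

def ee_match(rr, cert_der, spki_der):
    """True if a well-formed DANE-EE (usage 3) record matches the leaf cert."""
    usage, selector, mtype, hex_data = rr
    if usage != 3 or not well_formed(rr):
        return False
    blob = spki_der if selector == 1 else cert_der
    if mtype:
        blob = hashlib.new("sha256" if mtype == 1 else "sha512", blob).digest()
    return blob == bytes.fromhex(hex_data)

def host_status(host):
    rrs = host.get("tlsa", [])
    if not rrs:
        return "no-tlsa"
    usable = [rr for rr in rrs if well_formed(rr)]
    if not host.get("up", True):
        # Footnote [1]: a dead MX only needs well-formed TLSA records to exist.
        return "ok" if usable else "broken"
    if not host.get("starttls", False):
        return "broken"  # TLSA published, but STARTTLS is not offered
    if any(ee_match(rr, host["cert"], host["spki"]) for rr in usable):
        return "ok"
    # DANE-TA (usage 2) needs chain validation, which this example omits.
    return "unchecked" if any(rr[0] == 2 for rr in usable) else "broken"

def classify(mx_hosts):
    """Return (verdict, per-host states) for one domain's MX hosts."""
    states = {name: host_status(h) for name, h in mx_hosts.items()}
    seen = set(states.values())
    for verdict in ("broken", "unchecked"):
        if verdict in seen:
            return verdict, states
    if seen == {"ok"}:
        return "dane", states
    return ("partial" if "ok" in seen else "none"), states

# Constructed stand-ins for a DER certificate and its SubjectPublicKeyInfo.
CERT, SPKI = b"constructed-cert-der", b"constructed-spki-der"
FRESH = (3, 1, 1, hashlib.sha256(SPKI).hexdigest())
STALE = (3, 1, 1, hashlib.sha256(b"constructed-old-spki").hexdigest())
LIVE = {"up": True, "starttls": True, "cert": CERT, "spki": SPKI}

if __name__ == "__main__":
    print(classify({"mx1": {**LIVE, "tlsa": [STALE, FRESH]},   # mid-rotation
                    "mx2": {"up": False, "tlsa": [STALE]}}))   # dead MX
    print(classify({"mx1": {**LIVE, "tlsa": [FRESH]}, "mx2": dict(LIVE)}))
    print(classify({"mx1": {**LIVE, "tlsa": [STALE]}}))
```

The first sample stays "dane" because the old and new key digests are both published during rotation; the last shows the outage case once only the stale record remains.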