From ietf-dane at dukhovni.org Wed Feb 1 05:13:09 2023
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Tue, 31 Jan 2023 23:13:09 -0500
Subject: Update on stats 2023-01
Message-ID:

Summary: The DANE domain count is now 3,684,357 (c.f. 3,733,547 last month). The drop resulted from a loss of DS records at webreus.nl (~40k customer domains) and partial migration to new non-TLSA MX hosts at mijndomein.nl (~22k customer domains). Perhaps either or both may yet restore their DS and TLSA records, respectively.

The number of domains that return DNSSEC-validated replies in response to MX queries is 21,002,701 (up from 20,675,170 last month). Thus DANE TLSA is deployed on ~17.54% of domains with DNSSEC.

For more stats, see .

[ See the Credits[0] list below my signature. ]

As of today, I count ~3.68 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
    This month                      Last Month
    ----------                      ----------
    1214586 one.com                 1214177 one.com
     288282 hostpoint.ch             286784 hostpoint.ch
     195874 infomaniak.ch            195060 infomaniak.ch
     167120 transip.nl               182438 mijndomein.nl
     160940 mijndomein.nl            166314 transip.nl
     153033 argewebhosting.nl        154096 argewebhosting.nl
     136256 simply.com               134199 simply.com
     123192 jouwweb.nl               118030 jouwweb.nl
     111941 hostnet.nl               111945 hostnet.nl
     108874 domeneshop.no            108682 domeneshop.no
     105109 loopia.se                104887 loopia.se
      94171 webhostingserver.nl       94600 webhostingserver.nl
      80000 forpsi.com                79127 forpsi.com
      68284 zxcs.nl                   67139 zxcs.nl
      43363 active24.com              46886 active24.com
      39704 antagonist.nl             39610 webreus.nl
      37051 protonmail.ch             39483 antagonist.nl
      32693 pcextreme.nl              34977 protonmail.ch
      29232 xel.nl                    32983 pcextreme.nl
      27564 udmedia.de                29297 xel.nl

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be, .pl, .de and .uk.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    This month                      Last month
    ----------                      ----------
    10726 TOTAL                     10595 TOTAL
     3284 DE, Germany                3209 DE, Germany
     1882 NL, Netherlands            1891 NL, Netherlands
     1856 US, United States          1833 US, United States
      808 FR, France                  799 FR, France
      396 CZ, Czechia                 388 CZ, Czechia
      358 GB, United Kingdom          362 GB, United Kingdom
      241 FI, Finland                 235 FI, Finland
      222 CA, Canada                  221 CA, Canada
      160 AT, Austria                 153 AT, Austria
      137 SE, Sweden                  135 SE, Sweden
      136 CH, Switzerland             134 CH, Switzerland
      133 DK, Denmark                 132 DK, Denmark
      128 AU, Australia               122 SG, Singapore
      122 SG, Singapore               120 AU, Australia
       76 PL, Poland                   72 PL, Poland
       60 RU, Russia                   58 JP, Japan
       57 JP, Japan                    57 RU, Russia
       47 IT, Italy                    47 NO, Norway
       45 NO, Norway                   42 BR, Brazil
       42 BR, Brazil                   38 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

    This month                      Last month
    ----------                      ----------
     8396 TOTAL                      8339 TOTAL
     3651 NL, Netherlands            3666 NL, Netherlands
     2312 DE, Germany                2330 DE, Germany
      855 US, United States           860 US, United States
      398 FR, France                  406 FR, France
      183 CZ, Czechia                 175 CZ, Czechia
      173 GB, United Kingdom          162 GB, United Kingdom
      156 AU, Australia                77 CA, Canada
       77 CA, Canada                   74 FI, Finland
       76 FI, Finland                  67 AU, Australia
       61 CH, Switzerland              64 CH, Switzerland
       56 AT, Austria                  56 SE, Sweden
       53 SE, Sweden                   54 AT, Austria
       46 SG, Singapore                44 SG, Singapore
       36 JP, Japan                    36 JP, Japan
       22 DK, Denmark                  23 EE, Estonia
       21 NO, Norway                   21 NO, Norway
       19 RO, Romania                  21 IE, Ireland
       18 IE, Ireland                  21 DK, Denmark
       17 BR, Brazil                   17 BR, Brazil
       14 LT, Lithuania                15 LT, Lithuania

There are 9,201 unique zones (9,144 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 19,488 (19,380 last month). These cover 19,784 distinct MX hosts (19,675 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 846 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 530 are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.68 million DANE domains, 13,046 (13,107 last month) have "partial" TLSA records, which cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1,366 (1,320 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:

    103 mail.blueconsulting.cz
     56 vps01.marcus.services
     37 mx1.mdbraber.com
     31 mx1.synetcon.net
     24 fsn1-c04.xemo-net.de
     18 semark.dk
     17 mx1.traxion.com
     17 mx01.xworks.net
     16 mail.odissee.net
     15 artemis.strebsjig.net

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 3,237 (1,076 last month).
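The TLSA monitoring advice above, illustrated with an added example that is not from this post or from any of the linked resources: a small Python checker that computes the association data a certificate would produce for a given selector and matching type and compares it with the records published for the MX host, flagging the "3 0 x" whole-certificate records that break at every renewal. The certificate is a constructed DER stand-in, and the function names and record tuples are assumptions made for illustration.

```python
import hashlib

def der_tlv(data, pos=0):
    """Parse one DER TLV at data[pos]; return (tag, value, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                       # long-form length: next N bytes hold it
        nbytes = length & 0x7F
        length = int.from_bytes(data[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, data[pos:pos + length], pos + length

def spki_from_cert(cert_der):
    """Extract the DER SubjectPublicKeyInfo (TLSA selector 1) from an X.509 cert."""
    _, cert_body, _ = der_tlv(cert_der)     # Certificate SEQUENCE
    _, tbs, _ = der_tlv(cert_body)          # tbsCertificate SEQUENCE
    tag, _, pos = der_tlv(tbs)
    pos = pos if tag == 0xA0 else 0         # explicit [0] version is absent in v1 certs
    for _ in range(5):                      # serial, signature, issuer, validity, subject
        _, _, pos = der_tlv(tbs, pos)
    _, _, end = der_tlv(tbs, pos)
    return tbs[pos:end]

def tlsa_assoc_data(cert_der, selector, mtype):
    """Association data a TLSA record carries for this cert (selector 0/1, mtype 0/1/2)."""
    subject = cert_der if selector == 0 else spki_from_cert(cert_der)
    return subject if mtype == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[mtype](subject).digest()

def check_tlsa(records, cert_der):
    """records: (usage, selector, mtype, hexdata) tuples; returns (matching records, warnings)."""
    matched, warnings = [], []
    for rec in records:
        usage, selector, mtype, hexdata = rec
        if usage != 3:                      # DANE-TA(2) needs the chain; only DANE-EE(3) is matched here
            warnings.append(f"{usage} {selector} {mtype}: not checked by this example")
            continue
        if selector == 0:                   # whole-cert digest: changes at every renewal
            warnings.append(f"{usage} {selector} {mtype}: must be updated in lockstep with renewals")
        if tlsa_assoc_data(cert_der, selector, mtype) == bytes.fromhex(hexdata):
            matched.append(rec)
    return matched, warnings

def tlv(tag, payload):
    """Constructed helper: encode one DER TLV (short or two-byte long-form length)."""
    n = len(payload)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + payload

# Constructed stand-in certificate: structurally valid DER with a dummy key and empty names.
SPKI = tlv(0x30, tlv(0x30, tlv(0x06, bytes.fromhex("2a8648ce3d0201"))) + tlv(0x03, b"\x00\x04" + b"\xab" * 64))
TBS = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + tlv(0x30, b"") * 4 + SPKI)
CERT = tlv(0x30, TBS + tlv(0x30, b"") + tlv(0x03, b"\x00\x01"))
```

In a real monitor the certificate comes from the STARTTLS handshake with each MX host and the records from a DNSSEC-validated TLSA lookup, so a record that matches on the primary but not on a secondary MX is exactly the "partial" case counted above.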
The top 10 name server operators with problem domains are:

    This Month                    Last month
    ----------                    ----------
    2182 neostrada.nl              148 swizzonic.ch [promptly fully resolved!]
     140 worldnic.com              134 worldnic.com
     115 dnssrv.nl                 106 epik.com
     102 online.net                 95 axc.nl
      90 axc.nl                     73 ebola.cz
      89 epik.com                   61 openprovider.nl
      73 ebola.cz                   29 made-easy.ch
      61 openprovider.nl            20 register.com
      39 fgov.be                    18 sectigoweb.com
      20 register.com               12 ispapi.net

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Just two of the domains whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

    belgium.be
    mailazy.net

-- 
    Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
From ietf-dane at dukhovni.org Wed Feb 1 23:25:42 2023
From: ietf-dane at dukhovni.org (Viktor Dukhovni)
Date: Wed, 1 Feb 2023 17:25:42 -0500
Subject: Update on stats 2023-01
In-Reply-To:
References:
Message-ID:

On Tue, Jan 31, 2023 at 11:13:10PM -0500, Viktor Dukhovni wrote:

> Summary: The DANE domain count is now 3,684,357 (c.f. 3,733,547 last
> month). The drop resulted from a loss of DS records at
> webreus.nl (~40k customer domains) and partial migration
> to new non-TLSA MX hosts at mijndomein.nl (~22k customer
> domains). Perhaps either or both may yet restore their
> DS and TLSA records, respectively.

Just 24 hours later, both providers are back in full force, with the DS records restored and TLSA records added as appropriate. The DANE domain count today is 3,743,844 or 17.82% of the total number of DNSSEC-signed eTLD+1 domains.
-- 
    Viktor.