Summary:  The DANE domain count is now 3,684,357 (cf. 3,733,547 last
          month).  The drop resulted from a loss of DS records at
          webreus.nl (~40k customer domains) and partial migration
          to new non-TLSA MX hosts at mijndomein.nl (~22k customer
          domains).  Perhaps either or both may yet restore their
          DS and TLSA records, respectively.

          The number of domains that return DNSSEC-validated replies in
          response to MX queries is 21,002,701 (up from 20,675,170 last
          month).  Thus DANE TLSA is deployed on ~17.54% of domains with
          DNSSEC.  For more stats, see <https://stats.dnssec-tools.org/>.
          [ See the Credits[0] list below my signature. ]

As of today, I count ~3.68 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1].  As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host.  The top 20 MX host providers
by domain count are below.

  This month                   Last month
  ----------                   ----------
  1214586 one.com              1214177 one.com
   288282 hostpoint.ch          286784 hostpoint.ch
   195874 infomaniak.ch         195060 infomaniak.ch
   167120 transip.nl            182438 mijndomein.nl
   160940 mijndomein.nl         166314 transip.nl
   153033 argewebhosting.nl     154096 argewebhosting.nl
   136256 simply.com            134199 simply.com
   123192 jouwweb.nl            118030 jouwweb.nl
   111941 hostnet.nl            111945 hostnet.nl
   108874 domeneshop.no         108682 domeneshop.no
   105109 loopia.se             104887 loopia.se
    94171 webhostingserver.nl    94600 webhostingserver.nl
    80000 forpsi.com             79127 forpsi.com
    68284 zxcs.nl                67139 zxcs.nl
    43363 active24.com           46886 active24.com
    39704 antagonist.nl          39610 webreus.nl
    37051 protonmail.ch          39483 antagonist.nl
    32693 pcextreme.nl           34977 protonmail.ch
    29232 xel.nl                 32983 pcextreme.nl
    27564 udmedia.de             29297 xel.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk.  Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat

  This month                Last month
  -----------               ----------
  10726 TOTAL               10595 TOTAL
   3284 DE, Germany          3209 DE, Germany
   1882 NL, Netherlands      1891 NL, Netherlands
   1856 US, United States    1833 US, United States
    808 FR, France            799 FR, France
    396 CZ, Czechia           388 CZ, Czechia
    358 GB, United Kingdom    362 GB, United Kingdom
    241 FI, Finland           235 FI, Finland
    222 CA, Canada            221 CA, Canada
    160 AT, Austria           153 AT, Austria
    137 SE, Sweden            135 SE, Sweden
    136 CH, Switzerland       134 CH, Switzerland
    133 DK, Denmark           132 DK, Denmark
    128 AU, Australia         122 SG, Singapore
    122 SG, Singapore         120 AU, Australia
     76 PL, Poland             72 PL, Poland
     60 RU, Russia             58 JP, Japan
     57 JP, Japan              57 RU, Russia
     47 IT, Italy              47 NO, Norway
     45 NO, Norway             42 BR, Brazil
     42 BR, Brazil             38 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  8396 TOTAL               8339 TOTAL
  3651 NL, Netherlands     3666 NL, Netherlands
  2312 DE, Germany         2330 DE, Germany
   855 US, United States    860 US, United States
   398 FR, France           406 FR, France
   183 CZ, Czechia          175 CZ, Czechia
   173 GB, United Kingdom   162 GB, United Kingdom
   156 AU, Australia         77 CA, Canada
    77 CA, Canada            74 FI, Finland
    76 FI, Finland           67 AU, Australia
    61 CH, Switzerland       64 CH, Switzerland
    56 AT, Austria           56 SE, Sweden
    53 SE, Sweden            54 AT, Austria
    46 SG, Singapore         44 SG, Singapore
    36 JP, Japan             36 JP, Japan
    22 DK, Denmark           23 EE, Estonia
    21 NO, Norway            21 NO, Norway
    19 RO, Romania           21 IE, Ireland
    18 IE, Ireland           21 DK, Denmark
    17 BR, Brazil            17 BR, Brazil
    14 LT, Lithuania         15 LT, Lithuania

There are 9,201 unique zones (9,144 last month) in which the underlying
MX hosts are found.  This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 19,488 (19,380 last
month).  These cover 19,784 distinct MX hosts (19,675 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 846 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain).  Of these, 530
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.68 million DANE domains, 13,046 (13,107 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts.  While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,366
(1,320 last month).  Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.  The affected domain counts for the top 10 problem MX hosts are:

  103   mail.blueconsulting.cz
   56   vps01.marcus.services
   37   mx1.mdbraber.com
   31   mx1.synetcon.net
   24   fsn1-c04.xemo-net.de
   18   semark.dk
   17   mx1.traxion.com
   17   mx01.xworks.net
   16   mail.odissee.net
   15   artemis.strebsjig.net

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure.  See:



After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 3,237 (1,076 last
month).  The top 10 name server operators with problem domains are:

  This month            Last month
  ----------            ----------
  2182 neostrada.nl     148 swizzonic.ch [promptly fully resolved!]
   140 worldnic.com     134 worldnic.com
   115 dnssrv.nl        106 epik.com
   102 online.net        95 axc.nl
    90 axc.nl            73 ebola.cz
    89 epik.com          61 openprovider.nl
    73 ebola.cz          29 made-easy.ch
    61 openprovider.nl   20 register.com
    39 fgov.be           18 sectigoweb.com
    20 register.com      12 ispapi.net

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Just two of the domains whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:

    belgium.be  <https://twitter.com/VDukhovni/status/1614455503978889217>


[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.  Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE.  More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist.  I am not a fan of this type of defence (it can also
impose undue latency on legitimate email).  However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency

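
Added example (not part of the original post, nor the survey's own tooling): one way to act on the advice above to monitor TLSA records, by classifying each RR of a published TLSA RRset against the certificate an MX host presents. The (usage, selector, mtype, hex) tuples and the certificate bytes are assumed to come from a validating resolver and a STARTTLS session; sample_cert() builds a constructed, unsigned DER skeleton so the check runs offline.

```python
import hashlib

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}    # TLSA matching types 1 and 2

def _tlv(der, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length, start = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(der[start:start + n], "big")
        start += n
    if start + length > len(der):
        raise ValueError("truncated DER")
    return tag, start, start + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)            # Certificate
    _, pos, _ = _tlv(cert_der, pos)          # tbsCertificate
    tag, _, end = _tlv(cert_der, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _ in range(5):                       # serial, sigAlg, issuer, validity, subject
        _, _, pos = _tlv(cert_der, pos)
    _, _, end = _tlv(cert_der, pos)
    return cert_der[pos:end]

def check_tlsa(rr, cert_der):
    """Classify one (usage, selector, mtype, hex_data) RR against the leaf certificate."""
    usage, selector, mtype, hex_data = rr
    try:
        data = bytes.fromhex(hex_data)
    except ValueError:
        return "malformed"
    if usage not in (2, 3):                  # PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP (RFC 7672)
        return "unusable"
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        return "unusable"
    if mtype and len(data) != DIGESTS[mtype]().digest_size:
        return "malformed"                   # digest has the wrong length for its matching type
    if usage == 2:
        return "not-checked"                 # DANE-TA needs the full chain; out of scope here
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = selected if mtype == 0 else DIGESTS[mtype](selected).digest()
    return "match" if digest == data else "mismatch"

def rrset_ok(rrset, cert_der):
    """True when at least one RR in the RRset authenticates the presented certificate."""
    return any(check_tlsa(rr, cert_der) == "match" for rr in rrset)

def sample_cert(key=b"\x01" * 32):
    """Constructed, unsigned DER skeleton with X.509 field layout (not a real certificate)."""
    seq = lambda tag, *p: bytes([tag, len(b"".join(p))]) + b"".join(p)
    spki = seq(0x30, seq(0x30, seq(0x06, b"\x2b\x65\x70")), seq(0x03, b"\x00" + key))
    tbs = seq(0x30, seq(0xA0, seq(0x02, b"\x02")), seq(0x02, b"\x01"), seq(0x30),
              seq(0x30), seq(0x30), seq(0x30), spki)
    return seq(0x30, tbs, seq(0x30), seq(0x03, b"\x00")), spki
```

An RRset that carries "3 1 1" records for both the current and the next key keeps matching when the server switches keys, while an RRset with only the old key reports a mismatch.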

