As of today I count 137620 domains with correct DANE TLSA records
for SMTP. As expected the bulk of the DANE domains are hosted the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host. The top 10 MX host providers by
domain count are:
60764 domeneshop.no
43961 transip.nl
15734 udmedia.de
3040 bhosted.nl
1493 nederhost.net
904 ec-elements.com
431 core-networks.de
307 uvt.nl
301 bit.nl
287 omc-mail.com
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, in particular .de, .nl and .no.
There are 2449 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed. Alternatively, a similar number is seen in the count
(2613) of distinct MX host server certificates that support the
same ~137000 domains.
A related number is 4172 TLSA RRsets found for MX host TCP port 25.
This includes secondary MX hosts and domains none of whose primary
MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's
email transparency report is now 105 (this is my ad-hoc criterion
for a domain being a large-enough actively used email domain). Of
these, 56 are in recent reports (March 2017):
gmx.at jpberlin.de overheid.nl
nic.br lrz.de pathe.nl
registro.br mail.de wooniezie.nl
gmx.ch posteo.de xs4all.nl
open.ch ruhr-uni-bochum.de domeneshop.no
anubisnetworks.com tum.de webcruitermail.no
gmx.com uni-erlangen.de debian.orgmail.com unitymedia.de domainmail.orgpiratenexus.com web.de freebsd.orgpirateperfection.com enron.email gentoo.orgpre-sustainability.com octopuce.fr ietf.orgt-2.comcomcast.netnetbsd.orgtrashmail.comdd24.netnetcoolusers.orgxfinity.comgmx.netopenssl.org
bayern.de hr-manager.netsamba.org
bund.de t-2.nettorproject.org
elster.de xs4all.net minmyndighetspost.se
fau.de asp4all.nl skatteverket.se
gmx.de ouderportaal.nl
A different metric is how many of the DANE-enabled domains received
email from at least 10 Gmail senders in a recent 8 day interval.
Back in Dec/2016 I reported that ~2200 out of ~105k domains met
that criterion. This month, the number was ~3900 out of ~137k
domains. So it seems that a non-negligible fraction of the increase
is from real domains that receive email, and not just parked domains.
Of the ~137000 domains, 655 have "partial" TLSA records, that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 96 (~30 are recent additions that may be resolved soon,
the remaining ~60 are the for now stable population of broken
domains). This month I'm posting the list of the 44 underlying MX
hosts that serve these domains and whose TLSA records don't match
reality.
Hall of Shame:
mail.dipietro.id.au www.mtg.de mail.inu.nl
clubeararaquarense.org.br mx1.spamsponge.de mail.jekuiken.nl
mail.antiphishing.ch mail.nonoserver.info mail.myzt.nl
mail.digitalwebpros.com mx.datenknoten.me bounder.steelyard.nl
mail.dnsmadefree.com mx.giesen.me mx.wm.net.nz
demo.liveconfig.commail.castleturing.netbaobrien.orgny-do.pieterpottie.comdatawebb.dafcorp.netsmtp.copi.orgdiablo.sgt.comanubis.delphij.neteumembers.datacentrix.orgtusk.sgt.comdorothy.goldenhairdafo.net smtp2.amadigi.ovh
mx.bels.cz hs.kuzenkov.net webmail.headsite.se
johniez.cz oostergo.net protector.rajmax.si
mail.pksvice.cz ren.warunek.net arch-server.hlfh.space
srv01.101host.de mail.e-rave.nl mail.blackcherry-management.co.uk
mail.cdbm.de mail.hhsk.nl email.themcintyres.us
mail.manima.de box.inpoint-mailt.nl
The number of domains with bad DNSSEC support is 322. The top 10
DNS providers (by broken domain count) are:
52 axc.nl - Slated to be resolved
38 infracom.nl - Slated to be resolved
18 loopia.se
18 active24.cz
14 jsr-it.nl
12 rdw.nl
9 cas-com.net
8 metaregistrar.nl
6 tiscomhosting.nl
6 thednscompany.com
Around 60 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries.
--
Viktor.
As of today I count 171460 domains with correct DANE TLSA records
for SMTP. As expected the bulk of the DANE domains are hosted the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host. The top 10 MX host providers by
domain count are:
69368 domeneshop.no
59835 transip.nl
18351 udmedia.de
6665 bhosted.nl
1820 nederhost.net
1007 ec-elements.com
1001 networking4all.net
514 core-networks.de
375 omc-mail.com
364 yourdomainprovider.net
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.de.
There are 2615 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed. Alternatively, a similar number is seen in the count
(2707) of distinct MX host server certificates that support the
same ~171000 domains.
A related number is 3955 TLSA RRsets found for MX host TCP port
25. This includes secondary MX hosts and domains none of whose
primary MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's
email transparency report is 111 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 54 are in recent reports:
anubisnetworks.comgmx.net posteo.de
asf.com.pt hr-manager.net registro.br
asp4all.nl ietf.org ruhr-uni-bochum.de
bayern.de isc.orgsamba.org
bund.de jpberlin.de solvinity.comcomcast.net lrz.de t-2.netdd24.netmail.com tilburguniversity.ed
debian.org mail.de torproject.org
domeneshop.no mpssec.nettrashmail.com
elster.de netbsd.org tum.de
enron.email nic.br uni-erlangen.de
fau.de octopuce.fr unitymedia.de
freebsd.org open.ch uvt.nl
gentoo.orgopenssl.org web.de
gmx.at otvi.nl webcruitermail.no
gmx.ch ouderportaal.nl xfinity.comgmx.com overheid.nl xs4all.net
gmx.de pathe.nl xs4all.nl
Of the ~171000 domains, 835 have "partial" TLSA records, that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 108. Below is a list of the 53 underlying MX hosts that
serve these domains and whose TLSA records don't match reality:
Hall of Shame:
mail.dipietro.id.au mx1.spamsponge.de dorothy.goldenhairdafo.net
eumembers.stansoft.bg smtp2.strotmann.de oostergo.net
catabra.com.br mx.thorko.de cinnamon.nl
mail.pgp.inf.br smtp.flipmail.es mail.e-rave.nl
mail.danmolik.com mail.0pc.eu mail.jekuiken.nl
mail.digitalwebpros.com gamepixel.eu mail.myzt.nl
demo.liveconfig.com mx.quentindavid.fr bounder.steelyard.nl
intranet.nctechcenter.com servmail.fr beerstra.orgny-do.pieterpottie.com mail.nonoserver.info eumembers.datacentrix.orgdiablo.sgt.com mail.bax.is smtp3.amadigi.ovh
tusk.sgt.com mail.lsd.is itaskmanager.ovh
mx1.wittsend.com mail.laukas.lt mail.pasion.ro
mx.bels.cz mx.datenknoten.me mail.lahl.rocks
gaia.nfx.cz mx.giesen.me puggan.se
badf00d.de mail.castleturing.net mail.rostit.se
mail.denniseffing.de mail.culm.net protector.rajmax.si
mail.manima.de datawebb.dafcorp.net email.themcintyres.us
www.mtg.deanubis.delphij.net
The number of domains with bad DNSSEC support is 423. The top 10
DNS providers with problem domains are:
68 jsr-it.nl
53 infracom.nl - Was slated to be resolved in March, delayed...
25 tiscomhosting.nl
25 active24.cz
15 rdw.nl
15 firstfind.nl
11 loopia.se
10 metaregistrar.nl
9 cas-com.net
8 ovh.net
7 ignum.com
Around 50 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries. Only 6 of the
DNS-broken domains appear in historical Google Email transparency
reports:
tiviths.com.br
tre-sp.jus.br
trt1.jus.br
trtrj.jus.br
tse.jus.br
rzd.ru
The associated DNS lookup issues are:
_25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/
_25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/
_25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/
_25._tcp.dexter.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.dexter.tse.jus.br/dnssec/
_25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/
_25._tcp.mandark.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mandark.tse.jus.br/dnssec/
_25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/
_25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/
[ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>,
Much of the TLSA non-response issue seems to be related to a
"feature" of Arbor Networks firewalls, that enables droping of
DNS requests for all but the most common RRtypes. Do not make
the mistake of enabling this firewall "feature". ]
The oldest outstanding DNS issue is another SOA signature issue
at truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.
--
Viktor.
As of today I count 169812 domains with correct DANE TLSA records
for SMTP. As expected the bulk of the DANE domains are hosted the
handful of DNS/hosting providers who've enabled DANE support in
bulk for the domains they host. The top 10 MX host providers by
domain count are:
69614 domeneshop.no
59404 transip.nl
18372 udmedia.de
6733 bhosted.nl
1831 nederhost.net
997 ec-elements.com
501 core-networks.de
339 bit.nl
334 omc-mail.com
309 uvt.nl
[ The 365 "networking4all.net" domains from last month are
gone, because they got bought by metaregistrar.nl and the
new MX hosts are not in DNSSEC signed zones. Otherwise,
the total would now have been over 170000. ]
The real numbers are surely larger, because I don't have access to
the full zone data for most ccTLDs, especially .no/.nl/.de.
There are 2567 unique zones in which the underlying MX hosts are
found, this counts each of the above providers as just one zone,
so is a measure of the breadth of adoption in terms of servers
deployed. Alternatively, a similar number is seen in the count
(2667) of distinct MX host server certificates that support the
same ~169000 domains.
A related number is 3818 TLSA RRsets found for MX host TCP port
25. This includes secondary MX hosts and domains none of whose
primary MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's
email transparency report is 108 (this is my ad-hoc criterion for
a domain being a large-enough actively used email domain). Of
these, 54 are in recent reports:
anubisnetworks.com gmx.de posteo.de
asf.com.pt gmx.net registro.br
asp4all.nl hr-manager.net ruhr-uni-bochum.de
bayern.de ietf.orgsamba.org
bhosted.nl isc.orgsolvinity.com
bund.de jpberlin.de t-2.comcomcast.net lrz.de t-2.netdd24.netmail.com t-2.si
debian.org mail.de torproject.org
domeneshop.no netbsd.orgtrashmail.com
elster.de nic.br tum.de
enron.email nic.cz uni-erlangen.de
fau.de octopuce.fr unitymedia.de
freebsd.org open.ch web.de
gentoo.orgopenssl.org webcruitermail.no
gmx.at ouderportaal.nl xfinity.com
gmx.ch overheid.nl xs4all.netgmx.com pathe.nl xs4all.nl
Of the ~169000 domains, 749 have "partial" TLSA records, that cover
only a subset of the MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual
active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to
advertise STARTTLS (even though TLSA records are published) stands
today at 93. The list of the 54 underlying MX hosts that serve
these domains and whose TLSA records don't match reality.
Hall of Shame:
mail.dipietro.id.au mail.enzevalos.de dorothy.goldenhairdafo.ne
eumembers.stansoft.bg hmserver.de hs.kuzenkov.net
catabra.com.br mail.manima.de oostergo.netserver29.prazernavida.comwww.mtg.deren.warunek.net
mail.pgp.inf.br mx1.spamsponge.de cinnamon.nl
my.mai1.ch mail.0pc.eu mail.e-rave.nl
alpaca.attackllama.com gamepixel.eu mail.jekuiken.nl
mail.danmolik.com mx.quentindavid.fr mail.myzt.nl
mail.digitalwebpros.com servmail.fr bounder.steelyard.nl
demo.liveconfig.com mail.nonoserver.info mx.wm.net.nz
ny-do.pieterpottie.com mx.datenknoten.me beerstra.orgdiablo.sgt.com mx.giesen.me smtp.copi.orgtusk.sgt.comsmtp.aechelon.neteumembers.datacentrix.orgmx1.wittsend.commail.castleturing.net smtp3.amadigi.ovh
mx.bels.cz mail.d3fy.net mail.pasion.ro
gaia.nfx.cz datawebb.dafcorp.net mail.lahl.rocks
badf00d.de anubis.delphij.net protector.rajmax.si
mail.denniseffing.de goldenhairdafo.net email.themcintyres.us
The number of domains with bad DNSSEC support is 438. The increase is
due to a comprehensive scan of all 4.6 million DNSSEC domains in the
survey, previously some parts of the survey did not record SERVFAIL
results.
the top 10 DNS providers with problem domains are:
68 jsr-it.nl
58 infracom.nl - Was slated to be resolved in March, delayed...
27 is.nl
24 active24.cz
23 tiscomhosting.nl
18 metaregistrar.nl
15 rdw.nl
10 firstfind.nl
9 cas-com.net
8 loopia.se
Around 50 of the broken domains have at least one working nameserver,
and so are email-reachable, given enough retries. Only 6 of these
DNS-broken domains appear in historical Google Email transparency
reports:
rzd.ru
tse.jus.br
tiviths.com.br
trt1.jus.br
trtrj.jus.br
tjce.jus.br
The associated DNS lookup issues are:
_25._tcp.ims1.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims1.rzd.ru/dnssec/
_25._tcp.ims2.rzd.ru. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.ims2.rzd.ru/dnssec/
_25._tcp.lalavava.tse.jus.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.lalavava.tse.jus.br/dnssec/
_25._tcp.mx.tiviths.com.br. IN TLSA ? ; TLSA non-response: http://dnsviz.net/d/_25._tcp.mx.tiviths.com.br/dnssec/
_25._tcp.mx1.trt1.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trt1.jus.br/dnssec/
_25._tcp.mx1.trtrj.jus.br. IN TLSA ? ; zone signature failure: http://dnsviz.net/d/_25._tcp.mx1.trtrj.jus.br/dnssec/
_25._tcp.mx2.tjce.jus.br. IN TLSA ? ; SOA signature failure: http://dnsviz.net/d/_25._tcp.mx2.tjce.jus.br/dnssec/
[ See <https://tools.ietf.org/html/draft-ietf-dnsop-no-response-issue-08>,
Much of the TLSA non-response issue seems to be related to a
"feature" of Arbor Networks firewalls, that enables droping
of DNS requests for all but the most common RRtypes. Do not
make the mistake of enabling this firewall "feature". ]
The oldest outstanding DNS issue is another SOA signature issue
at truman.edu dating back to Nov/2014:
http://dnsviz.net/d/_25._tcp.barracuda.truman.edu/VGzORw/dnssec/
I hope some day soon they'll start missing email they care about
and take the time to resolve the problem.
--
Viktor.