I regret to inform you that XS4ALL stopped using DANE, both inbound for xs4all.nl and outbound.
The reason is that the XS4ALL systems are being dismantled, and the customers are moving to KPN, who neither use nor publish DANE records.
If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I saw a bounce from one.com indicating that possibly one of their systems still expects DANE records for xs4all.nl.
--
Jan-Pieter Cornet <johnpc(a)xs4all.net>
System Administration, XS4ALL Internet bv
www.xs4all.nl
Summary: The DANE domain count is now 3,005,393 (up from 2,974,861 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,982,372 (up from 16,638,332 last
month). Thus DANE TLSA is deployed on ~17.69% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.0 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last month
---------- ----------
1230165 one.com 1219713 one.com
272727 hostpoint.ch 270842 hostpoint.ch
154952 transip.nl 154249 transip.nl
154347 infomaniak.ch 152372 infomaniak.ch
149718 argewebhosting.nl 150807 argewebhosting.nl
106004 domeneshop.no 105814 domeneshop.no
98029 webhostingserver.nl 98302 webhostingserver.nl
95100 loopia.se 94851 loopia.se
71946 forpsi.com 71517 forpsi.com
48270 zxcs.nl 46431 active24.com
46581 active24.com 45675 zxcs.nl
42121 webreus.nl 42325 webreus.nl
38213 antagonist.nl 38150 antagonist.nl
36362 pcextreme.nl 36614 pcextreme.nl
27450 vevida.com 27758 vevida.com
26984 udmedia.de 27035 webhosting.dk
26916 webhosting.dk 26937 udmedia.de
26483 web4u.cz 26456 web4u.cz
23612 hosting2go.nl 23884 hosting2go.nl
22118 protonmail.ch 21623 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
9230 TOTAL 9206 TOTAL
2691 DE, Germany 2692 DE, Germany
1781 NL, Netherlands 1768 NL, Netherlands
1710 US, United States 1731 US, United States
697 FR, France 699 FR, France
325 GB, United Kingdom 334 GB, United Kingdom
264 CZ, Czechia 245 CZ, Czechia
206 CA, Canada 208 CA, Canada
204 FI, Finland 203 FI, Finland
131 AT, Austria 127 DK, Denmark
129 DK, Denmark 121 AT, Austria
118 SG, Singapore 120 SG, Singapore
108 CH, Switzerland 107 CH, Switzerland
98 SE, Sweden 100 AU, Australia
93 AU, Australia 98 SE, Sweden
56 PL, Poland 54 PL, Poland
44 NO, Norway 44 RU, Russia
43 RU, Russia 44 NO, Norway
43 IE, Ireland 42 IE, Ireland
38 JP, Japan 41 BR, Brazil
38 BR, Brazil 36 JP, Japan
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
7274 TOTAL 7202 TOTAL
3431 NL, Netherlands 3389 NL, Netherlands
1903 DE, Germany 1889 DE, Germany
757 US, United States 767 US, United States
300 FR, France 290 FR, France
156 CZ, Czechia 153 CZ, Czechia
133 GB, United Kingdom 136 GB, United Kingdom
80 FI, Finland 78 FI, Finland
60 CA, Canada 61 CA, Canada
45 CH, Switzerland 42 SG, Singapore
42 SG, Singapore 42 CH, Switzerland
42 SE, Sweden 41 SE, Sweden
38 AU, Australia 40 AU, Australia
31 AT, Austria 37 AT, Austria
28 JP, Japan 24 JP, Japan
26 RU, Russia 22 IE, Ireland
23 IE, Ireland 20 NO, Norway
19 NO, Norway 17 DK, Denmark
18 DK, Denmark 15 BR, Brazil
15 BR, Brazil 14 RU, Russia
13 IN, India 11 SI, Slovenia
There are 7,451 unique zones (7,410 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 16,295 (16,101 last
month). These cover 16,562 distinct MX hosts (16,358 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 557 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 331
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.0 million DANE domains, 12,750 (12,735 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1086
(1802 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
90 beta.itcomputers.eu
44 fsn1-c04.xemo-net.de
19 mx1.mdbraber.com
16 mail.odissee.net
16 e-vps.hacktheplanet.nl
15 web1.ams.dcg.t-host.net
15 artemis.strebsjig.net
13 entrante.svnt.com
12 mail.bi9.de
8 postmark.flame.org
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
564 registrar-servers.com 553 registrar-servers.com
124 axc.nl 122 axc.nl
88 ebola.cz 87 ebola.cz
33 worldnic.com 33 made-easy.ch
30 mijndomein.nl 32 mijndomein.nl
30 made-easy.ch 30 worldnic.com
16 cloudflare.com 17 cloudflare.com
11 vtx.ch 11 openprovider.nl
11 openprovider.nl 10 vtx.ch
10 register.com 8 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Six of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
tdnewissues.com
urbtix.hk
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at fau.de herinneringenoplinnen.nl
gmx.at freenet.de hetamsterdamsverbond.nl
tip.net.au gmx.de huizenzoeker.nl
pcug.org.au jpberlin.de interconnect.nl
pictolezen.be lrz.de interim-netwerk.nl
triodos.be mail.de justis.nl
tbibank.bg mpg.de luxiez.nl
cetelemnegocie.com.br mvnet.de mailplus.nl
e-renegocie.com.br neutraler-versand.de mailshover.nl
nic.br posteo.de markteffectmail.nl
registro.br ruhr-uni-bochum.de mijnuvt.nl
ehefueralle.ch tum.de minbuza.nl
gmx.ch tutanota.de minbzk.nl
hostpoint.ch uni-erlangen.de mindef.nl
infomaniak.ch uni-muenchen.de minvenj.nl
linsenkontakt.ch unitymedia.de mm1.nl
open.ch web.de mulderretail.nl
protonmail.ch westlotto.de nieuwsservice-rvo.nl
switch.ch actie.deals ns.nl
travailler-en-suisse.ch dk-hostmaster.dk orangebag.nl
simplelogin.co fibianet.dk ouderenfonds.nl
altospam.com handelsbanken.dk overheid.nl
ansigtsyogaonline.com netic.dk parlement.nl
boekenwereld.com nota.dk partijvoordedieren.nl
bornomail.com nst.dk paypro.nl
cm.com powerhosting.dk podiumcadeaukaart.nl
connectsb.com shapeit.dk politie.nl
dailyplaylists.com shellcard.dk pp-prd.nl
datev.com uvm.dk previder.nl
exegy.com wavell.dk purdey.nl
flaneurhomme.com webhosting.dk rdw.nl
gmx.com tilburguniversity.edu rijksoverheid.nl
habr.com just.ee rivm.nl
hotelsinduitsland.com envie.email rotterdam.nl
imcnig.com spike.email sans-mail.nl
infomaniak.com spotler.email schoudercom.nl
ingthink.com talentech.email schuurman-schoenen.nl
intakt.com rediris.es smartwatchbanden.nl
joomlapolis.com triodos.es sportrusten.nl
jula.com uv.es ssonet.nl
kpn.com egu.eu telefoonglaasje.nl
leszexpertsfle.com glowliving.eu triodos.nl
mail.com zone.eu truetickets.nl
mailfence.com zonevs.eu tweedekamer.nl
mammoetmail.com handelsbanken.fi uitgeverijpica.nl
mantapsurvey.com tarjousrinki.fi utwente.nl
matilhadobemadestramento.com traficom.fi uvt.nl
mx-relay.com ac-strasbourg.fr uwv.nl
nanolearning.com compagnie-des-sens.fr veilinghuispeerdeman.nl
nine-pine.com edtm-actu.fr voorpositiviteit.nl
one.com oo2.fr vu.nl
outsystems.com srci.fr waternet.nl
protonmail.com excelsior.hu werkenbijaldautomotive.nl
protonvpn.com fidesz.hu zorgmail.nl
renworkshops.com gardrobom.hu annabellstefanussen.no
sankakucomplex.com mszp.hu audi.no
schizinfo.com obiserver.hu derute.no
serverclienti.com otthonplus.hu domeneshop.no
societe.com bluebiz.info forbrukslaan.no
solvinity.com interestexplorer.io handelsbanken.no
spareklubbnorge.com neolink.link idrettenonline.no
stellarequipment.com pm.me kapitalkontroll.no
t-2.com army.mil leadmail.no
thalesgroup.com dla.mil mystuff.no
thepcw.com jten.mil norskgrammatikk.no
thepcwholesale.com mail.mil plukkselv.no
triodos.com militaryonesource.mil uib.no
tutanota.com navy.mil viphuset.no
veganallsorts.com osd.mil atelkamera.nu
vitstore.com socom.mil goget.nu
vivaldi.com uscg.mil debian.org
webcruiter.com usmc.mil exim.org
webmailph.com comcast.net freebsd.org
xfinity.com fivem.net gentoo.org
xfinityhomesecurity.com gmx.net ietf.org
xfinitymobile.com habramail.net isc.org
30tidennivyzva.cz hr-manager.net mailbox.org
akce-incomputer.cz inexio.net mailop.org
cesnet.cz mijngezondheid.net netbsd.org
csob.cz mpssec.net openssl.org
cuni.cz procurios.net ozlabs.org
cvut.cz prolocation.net samba.org
ekokoza.cz ripe.net torproject.org
gigalekarna.cz riseup.net whatpulse.org
itesco.cz t-2.net psgaz.pl
klenotyaurum.cz transip.net asf.com.pt
klubpevnehozdravi.cz xs4all.net mobily.com.sa
manymail.cz 123watches.nl alterskjaer.se
mkluzkoviny.cz amsterdam.nl axmarin.se
muni.cz argeweb.nl bilprovningen.se
nic.cz artsenzorg.nl boplatssyd-automail.se
omvnovinky.cz awcloud.nl ecster.se
onebit.cz belastingdienst.nl handelsbanken.se
optimail.cz bhosted.nl loopia.se
poptavej.cz bhsupport.nl loopiahosting.se
scrptd.cz bluerail.nl minmyndighetspost.se
server4u.cz boekwinkeltjes.nl racketspecialisten.se
smtp.cz bolerolimonadewinkel.nl skatteverket.se
sparkys.cz boozyshop.nl teknikdelar.se
stoklasa.cz burgernet.nl theletter.se
vas-server.cz cbr.nl websupport.se
virusfree.cz cbs.nl kadernickyservis.sk
zdravestravovani.cz corpoflow.nl mklozkoviny.sk
bayern.de derooijfotografie.nl najlacnejsisport.sk
brandenburg.de digid.nl rondogo.sk
bund.de duo.nl toptop.sk
bundesregierung.de edenhotels.nl triodos.co.uk
datev.de ezorg.nl govtrack.us
dfn.de healthcheckcenter.nl quantum-services.us
dvz-mv.de heilbron.nl ru.ac.za
elster.de
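A worked example of the checks the survey above asks operators to run, added here as an illustration; it is not code from the dane-users list, from Viktor's survey tooling, or from any of the linked pages. It implements TLSA-to-certificate matching for the two usages SMTP DANE accepts (DANE-TA and DANE-EE), the per-domain classification the survey reports (every MX covered, "partial" coverage, "broken" records or no STARTTLS), and the RFC 7671 section 8 pre-rollover check that a published RRset matches both the key in use and the key about to be deployed. Everything in it is constructed: the `Cert` objects hold placeholder byte strings where a real monitor would hold the DER certificate and SubjectPublicKeyInfo captured from the STARTTLS handshake, the `example.test` hosts stand in for real MX hosts, and the DNS answers are inline lists rather than DNSSEC-validated lookups.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in for an X.509 certificate: `der` is what a
    selector-0 record covers, `spki` what a selector-1 record covers."""
    name: str
    der: bytes
    spki: bytes


@dataclass(frozen=True)
class TLSA:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE; 0/1 (PKIX-*) are unusable for SMTP (RFC 7672)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA2-256, 2 = SHA2-512
    data: bytes     # raw association data (DNS presents it as hex)

    def usable(self) -> bool:
        return self.usage in (2, 3) and self.selector in (0, 1) and self.mtype in (0, 1, 2)


def association_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """The bytes a record with this selector/matching type must carry for `cert`."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    return hashlib.sha512(raw).digest()


def tlsa_for(cert: Cert, usage: int, selector: int = 1, mtype: int = 1) -> TLSA:
    """The record an operator would publish for `cert`; the default is "U 1 1"."""
    return TLSA(usage, selector, mtype, association_data(cert, selector, mtype))


def matching_record(rrset: List[TLSA], chain: List[Cert]) -> Optional[TLSA]:
    """chain[0] is the end-entity certificate, chain[1:] the issuers the server sent.
    DANE-EE(3) must match the end entity itself; DANE-TA(2) must match one of the
    issuers in the presented chain (RFC 7671 section 5.2). Unusable records are
    skipped, not counted as a mismatch."""
    for rr in rrset:
        if not rr.usable():
            continue
        candidates = chain[:1] if rr.usage == 3 else chain[1:]
        for cert in candidates:
            if association_data(cert, rr.selector, rr.mtype) == rr.data:
                return rr
    return None


@dataclass
class MXObservation:
    host: str
    starttls: bool                 # did the host offer STARTTLS and complete the handshake?
    chain: List[Cert]              # certificates presented, end entity first (empty if no TLS)
    tlsa: Optional[List[TLSA]]     # published RRset for _25._tcp.<host>, None if NODATA


def classify_domain(observations: List[MXObservation]) -> str:
    """Survey categories: 'dane' when every MX host publishes matching TLSA records,
    'broken' when any host publishes TLSA but offers no STARTTLS or nothing matches,
    'partial' when some hosts have no records at all, 'none' when no host has any.
    'broken' is reported before 'partial' because it is the outage-causing case."""
    if all(o.tlsa is None for o in observations):
        return "none"
    for o in observations:
        if o.tlsa is None:
            continue
        if not o.starttls or matching_record(o.tlsa, o.chain) is None:
            return "broken"
    if any(o.tlsa is None for o in observations):
        return "partial"
    return "dane"


def rollover_safe(rrset: List[TLSA], current_chain: List[Cert], next_chain: List[Cert]) -> bool:
    """RFC 7671 section 8 pre-rollover check: the RRset already in DNS (and past its
    TTL in caches) must match both the live key and the key about to be deployed,
    otherwise some resolver will hold a record set the server cannot satisfy."""
    return (matching_record(rrset, current_chain) is not None
            and matching_record(rrset, next_chain) is not None)


def demo() -> dict:
    # Constructed certificates: placeholder bytes, not real DER.
    ca = Cert("example-ca", b"DER:example-ca", b"SPKI:example-ca")
    ee_now = Cert("mx1-current", b"DER:mx1-current", b"SPKI:mx1-current")
    ee_next = Cert("mx1-next", b"DER:mx1-next", b"SPKI:mx1-next")
    chain_now, chain_next = [ee_now, ca], [ee_next, ca]

    only_current = [tlsa_for(ee_now, 3)]                       # a lone "3 1 1" for the live key
    prepublished = [tlsa_for(ee_now, 3), tlsa_for(ee_next, 3)]  # "3 1 1" for both keys (section 8.1)
    ta_only = [tlsa_for(ca, 2)]                                 # "2 1 1" for the issuer (section 8.4)

    domain = [
        MXObservation("mx1.example.test", True, chain_now, only_current),
        MXObservation("mx2.example.test", True, chain_now, None),   # backup MX with no TLSA
    ]
    return {
        "current_ok": matching_record(only_current, chain_now) is not None,
        "rollover_only_current": rollover_safe(only_current, chain_now, chain_next),
        "rollover_prepublished": rollover_safe(prepublished, chain_now, chain_next),
        "rollover_ta_only": rollover_safe(ta_only, chain_now, chain_next),
        "domain": classify_domain(domain),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In a real monitor the RRset comes from a DNSSEC-validating resolver and the lookup must be authenticated (an unvalidated TLSA answer proves nothing), the chain comes from the STARTTLS handshake on port 25, and `rr.data` is the hex field of the TLSA record decoded to bytes. The `ta_only` case is the point of RFC 7671 section 8.4: a "2 1 1" record for the issuer keeps matching across end-entity key rotations, at the cost of trusting everything that issuer signs.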