The DANE survey continues to observe a "long tail" of MX hosts with TLSA
records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.
If you're publishing TLSA records with Let's Encrypt issuer CA hashes,
the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also
be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters.
For details see:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
The MX host counts for the various LE CAs are:
    # | CA
------+----
  538 | X3
  248 | X4
 1133 | R3
  436 | R4
  483 | E1
  396 | E2
* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3, R4, E1 and E2.
--
Viktor.
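An added example, not part of the post above and not Viktor's survey code, that shows how the "2 1 1" data for an issuer CA is derived and why it is preferred over "2 0 1"/"2 0 2": with selector 0 the digest covers the whole DER certificate, with selector 1 only the SubjectPublicKeyInfo, so a CA certificate re-issued (or cross-signed) with the same key changes the former but not the latter. It needs the openssl CLI on PATH; the keys it mints and the labels R3/R4/X3 are constructed stand-ins, not Let's Encrypt's real hashes.

```python
#!/usr/bin/env python3
"""Derive DANE-TA "2 1 1" TLSA data for an issuer CA and audit a published RRset.

Added example, not part of the survey post.  Needs the openssl CLI on PATH.
Everything here is constructed: throwaway P-256 keys stand in for CAs, and
the labels R3/R4/X3 name the example's own keys, not Let's Encrypt's hashes.
"""
import hashlib
import subprocess
import tempfile
from pathlib import Path


def _openssl(*args, stdin=None):
    """Run one openssl subcommand, return stdout bytes, raise on failure."""
    return subprocess.run(["openssl", *args], input=stdin, check=True,
                          capture_output=True).stdout


def gen_key(path):
    """Throwaway P-256 private key written to `path` (example CA key)."""
    _openssl("genpkey", "-algorithm", "EC", "-pkeyopt", "ec_paramgen_curve:P-256",
             "-out", str(path))


def self_signed_ca(key, subject, serial):
    """PEM self-signed CA certificate for an existing key; a distinct serial makes
    each issuance a distinct certificate, as a real re-issue or cross-sign would."""
    return _openssl("req", "-x509", "-new", "-key", str(key), "-subj", subject,
                    "-days", "30", "-set_serial", str(serial))


def spki_sha256(cert_pem):
    """Selector 1, matching type 1: SHA-256 over the DER SubjectPublicKeyInfo.
    Same as: openssl x509 -noout -pubkey | openssl pkey -pubin -outform DER | sha256sum"""
    pub_pem = _openssl("x509", "-noout", "-pubkey", stdin=cert_pem)
    spki_der = _openssl("pkey", "-pubin", "-outform", "DER", stdin=pub_pem)
    return hashlib.sha256(spki_der).hexdigest()


def cert_sha256(cert_pem):
    """Selector 0, matching type 1: SHA-256 over the whole DER certificate."""
    return hashlib.sha256(_openssl("x509", "-outform", "DER", stdin=cert_pem)).hexdigest()


def audit_rrset(rrset, current, retired):
    """rrset: published TLSA records as "usage selector mtype hex" strings.
    current/retired: {label: spki_sha256 hex} of CAs that must / must not appear.
    Reports retired hashes still published, current hashes not published, and
    any "2 0 x" full-certificate pins."""
    published = set()
    full_cert_pins = []
    for rr in rrset:
        usage, selector, mtype, data = rr.split()
        if usage == "2" and selector == "0":
            full_cert_pins.append(rr)
        if (usage, selector, mtype) == ("2", "1", "1"):
            published.add(data.lower())
    return {
        "stale": sorted(n for n, h in retired.items() if h in published),
        "missing": sorted(n for n, h in current.items() if h not in published),
        "full_cert_pins": full_cert_pins,
    }


def demo():
    """Mint example CAs, show SPKI hashes survive re-issuance while full-cert
    hashes do not, and audit a constructed RRset that still lists a retired CA."""
    with tempfile.TemporaryDirectory() as tmp:
        keys = {n: Path(tmp) / f"{n}.key" for n in ("R3", "R4", "X3")}
        for k in keys.values():
            gen_key(k)
        r3_v1 = self_signed_ca(keys["R3"], "/CN=Example R3", 1)
        r3_v2 = self_signed_ca(keys["R3"], "/CN=Example R3", 2)   # re-issued, same key
        r4 = self_signed_ca(keys["R4"], "/CN=Example R4", 1)
        x3 = self_signed_ca(keys["X3"], "/CN=Example X3", 1)      # plays the retired CA
    current = {"R3": spki_sha256(r3_v1), "R4": spki_sha256(r4)}
    retired = {"X3": spki_sha256(x3)}
    rrset = [                                  # constructed "published" RRset
        f"2 1 1 {current['R3']}",              # fine
        f"2 1 1 {retired['X3']}",              # should have been removed
        f"2 0 1 {cert_sha256(r3_v1)}",         # full-cert pin: dies on re-issue
    ]
    return {
        "spki_stable_across_reissue": spki_sha256(r3_v1) == spki_sha256(r3_v2),
        "cert_hash_stable_across_reissue": cert_sha256(r3_v1) == cert_sha256(r3_v2),
        "audit": audit_rrset(rrset, current, retired),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Run it as a script to see the audit: the RRset is reported as still carrying the retired X3 hash, lacking R4, and holding one "2 0 1" pin that no longer matches the re-issued certificate. To apply it to a real zone, replace the minted certificates with the issuer CA PEMs you actually pin and the constructed rrset with the output of `dig +dnssec TLSA _25._tcp.<mx host>`.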
Summary: The DANE domain count is now 2,779,500 (up from 2,653,718 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,107,719 (up from 15,663,538 last
month). Thus DANE TLSA is deployed on ~17.26% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ A major part of the increase in both DNSSEC and DANE domains is
a result of a significant expansion of use of DNSSEC among .CH
domains, particularly at hostpoint.ch and infomaniak.ch.
Congratulations and thanks to both and also switch.ch.
The .CH TLD is now the 9th largest by count of signed
delegations in the survey dataset, just behind .NO, perhaps
not for long, if the present growth rate holds up. ]
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,779,500 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                       Last month
  ----------                       ----------
 1225124 one.com                1227184 one.com
  152779 transip.nl             151493 transip.nl
  150719 argewebhosting.nl       150376 argewebhosting.nl
  148426 infomaniak.ch           114457 infomaniak.ch
  105493 domeneshop.no           105236 domeneshop.no
   98765 webhostingserver.nl      98871 webhostingserver.nl
   94403 loopia.se                94187 loopia.se
   86961 hostpoint.ch             70345 forpsi.com
   70606 forpsi.com               42190 active24.com
   46019 active24.com             39057 zxcs.nl
   40474 zxcs.nl                  38973 webreus.nl
   40396 webreus.nl               37753 antagonist.nl
   37911 antagonist.nl            37509 pcextreme.nl
   37226 pcextreme.nl             28712 vevida.com
   28411 vevida.com               27550 webhosting.dk
   27416 webhosting.dk            26580 web4u.cz
   26691 udmedia.de               26555 udmedia.de
   26509 web4u.cz                 24671 hosting2go.nl
   24443 hosting2go.nl            19910 protonmail.ch
   20574 protonmail.ch            18975 bhosted.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  This month                    Last month
  ----------                    ----------
  8890 TOTAL                  8815 TOTAL
  2655 DE, Germany            2631 DE, Germany
  1715 US, United States      1693 US, United States
  1686 NL, Netherlands        1676 NL, Netherlands
   654 FR, France              662 FR, France
   330 GB, United Kingdom      313 GB, United Kingdom
   226 CZ, Czechia             226 CZ, Czechia
   202 CA, Canada              206 CA, Canada
   185 FI, Finland             174 FI, Finland
   125 DK, Denmark             124 DK, Denmark
   114 SG, Singapore           122 SG, Singapore
   107 CH, Switzerland         106 CH, Switzerland
    99 SE, Sweden              102 SE, Sweden
    88 AU, Australia            84 AU, Australia
    84 AT, Austria              76 AT, Austria
    44 PL, Poland               41 RU, Russia
    43 IE, Ireland              41 PL, Poland
    40 RU, Russia               41 IE, Ireland
    40 BR, Brazil               40 NO, Norway
    39 NO, Norway               40 BR, Brazil
    35 IT, Italy                38 JP, Japan
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                    Last month
  ----------                    ----------
  7009 TOTAL                  6948 TOTAL
  3336 NL, Netherlands        3301 NL, Netherlands
  1826 DE, Germany            1810 DE, Germany
   714 US, United States       710 US, United States
   290 FR, France              297 FR, France
   145 CZ, Czechia             154 CZ, Czechia
   136 GB, United Kingdom      137 GB, United Kingdom
    74 FI, Finland              71 FI, Finland
    59 CA, Canada               61 CA, Canada
    47 CH, Switzerland          44 SG, Singapore
    44 SE, Sweden               43 SE, Sweden
    42 SG, Singapore            42 CH, Switzerland
    30 AU, Australia            32 AU, Australia
    29 AT, Austria              29 AT, Austria
    26 RU, Russia               27 JP, Japan
    23 JP, Japan                20 IE, Ireland
    21 IE, Ireland              17 RU, Russia
    17 DK, Denmark              17 DK, Denmark
    16 NO, Norway               16 NO, Norway
    14 BR, Brazil               14 BR, Brazil
    11 SI, Slovenia             12 IN, India
There are 7,242 unique zones (7,168 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,791 (15,673 last
month). These cover 16,039 distinct MX hosts (15,908 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 517 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 301
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.78 million DANE domains, 12,794 (12,719 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1298
(1187 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (1329 last
month). The top 10 name server operators with problem domains are:
 This month                  Last month
 ----------                  ----------
 542 registrar-servers.com   548 registrar-servers.com
 119 axc.nl                  119 axc.nl
  89 ebola.cz                 88 ebola.cz
  59 westgatehosting.com      48 epik.com
  49 netcup.net               28 made-easy.ch
  46 epik.com                 27 mijndomein.nl
  30 made-easy.ch             26 3zy.de
  27 mijndomein.nl            24 tiscomhosting.nl
  19 cloudflare.com           22 netcup.net
  15 worldnic.com             20 cloudflare.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
bncr.fi.cr
pedulilindungi.id
novathreads.us
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at followerpilot.de healthcheckcenter.nl
gmx.at freenet.de herinneringenoplinnen.nl
triodos.be gmx.de hetamsterdamsverbond.nl
cetelemnegocie.com.br jpberlin.de hostingpeople.nl
clubedohardware.com.br lmu.de interconnect.nl
corridaeaventura.com.br lrz.de interim-netwerk.nl
nic.br mail.de luxiez.nl
registro.br mensa.de mailplus.nl
pdac.ca mpg.de markteffectmail.nl
gmx.ch neutraler-versand.de mijnuvt.nl
hostpoint.ch posteo.de minbuza.nl
infomaniak.ch ruhr-uni-bochum.de minbzk.nl
linsenkontakt.ch tum.de mindef.nl
open.ch tutanota.de mkbbelangen.nl
protonmail.ch uni-erlangen.de mm1.nl
switch.ch uni-muenchen.de mulderretail.nl
travailler-en-suisse.ch unitymedia.de nieuwsservice-rvo.nl
wog.ch web.de ns.nl
simplelogin.co westlotto.de ouderportaal.nl
beaconx.com actie.deals overheid.nl
connectsb.com fibianet.dk parlement.nl
coremultichain.com fvst.dk partijvoordedieren.nl
dailyplaylists.com handelsbanken.dk paypro.nl
datev.com netic.dk politie.nl
flaneurhomme.com peterhald.dk powerslim.nl
gmx.com shapeit.dk pp-prd.nl
habr.com shellcard.dk previder.nl
hotelsinduitsland.com stil.dk purdey.nl
imcnig.com tilburguniversity.edu rijksoverheid.nl
infomaniak.com just.ee rotterdam.nl
ingthink.com rik.ee sans-mail.nl
intakt.com spam-filter.email schoudercom.nl
joomlapolis.com spike.email schuurman-schoenen.nl
jula.com spotler.email sportrusten.nl
kpn.com rediris.es ssonet.nl
leszexpertsfle.com triodos.es telefoonglaasje.nl
mail.com uv.es triodos.nl
mammoetmail.com egu.eu truetickets.nl
matilhadobemadestramento.com qard.eu tweedekamer.nl
mx-relay.com transadvise.eu uitgeverijpica.nl
mychildlebensborn.com zone.eu utwente.nl
nine-pine.com zonevs.eu uvt.nl
one.com handelsbanken.fi uwv.nl
outsystems.com tarjousrinki.fi veilinghuispeerdeman.nl
protonmail.com ac-strasbourg.fr vogeldagboek.nl
protonvpn.com compagnie-des-sens.fr voorpositiviteit.nl
sanderrossel.com edtm-actu.fr vu.nl
sankakucomplex.com oo2.fr waternet.nl
societe.com fidesz.hu xs4all.nl
solvinity.com gardrobom.hu zorgmail.nl
spareklubbnorge.com mindigbutor.hu annabellstefanussen.no
stellarequipment.com mszp.hu audi.no
t-2.com popfilm.hu bergengokart.no
thalesgroup.com pandi.id derute.no
thepcw.com interestexplorer.io domeneshop.no
thepcwholesale.com pm.me handelsbanken.no
triodos.com army.mil idrettenonline.no
tutanota.com dla.mil norskgrammatikk.no
veganallsorts.com jten.mil rushtrampoline.no
veoliasophos.com mail.mil uib.no
vitstore.com militaryonesource.mil viphuset.no
webcruiter.com navy.mil atelkamera.nu
xfinity.com nga.mil goget.nu
xfinityhomesecurity.com osd.mil debian.org
xfinitymobile.com socom.mil freebsd.org
30tidennivyzva.cz uscg.mil gentoo.org
active24.cz comcast.net ietf.org
akce-incomputer.cz fivem.net isc.org
cuni.cz gmx.net mailbox.org
ekokoza.cz habramail.net mailop.org
gigalekarna.cz hr-manager.net netbsd.org
itesco.cz inexio.net openssl.org
klenotyaurum.cz mijngezondheid.net ozlabs.org
klubpevnehozdravi.cz mpssec.net samba.org
manymail.cz procurios.net torproject.org
mkluzkoviny.cz riseup.net whatpulse.org
nic.cz s-qrc.net psgaz.pl
omvnovinky.cz t-2.net asf.com.pt
onebit.cz transip.net mobily.com.sa
optimail.cz xs4all.net bilprovningen.se
poptavej.cz 123watches.nl boplatssyd-automail.se
reserved.cz amsterdam.nl ecster.se
scrptd.cz awcloud.nl handelsbanken.se
server4u.cz belastingdienst.nl loopia.se
smtp.cz bhosted.nl loopiahosting.se
stoklasa.cz bluerail.nl minmyndighetspost.se
toplist.cz boekwinkeltjes.nl personligalmanacka.se
vas-server.cz bolerolimonadewinkel.nl skatteverket.se
vcelka.cz boozyshop.nl teknikdelar.se
virusfree.cz burgernet.nl theletter.se
zdravestravovani.cz cbr.nl websupport.se
123watches.de cbs.nl flagranti.sk
bayern.de citrusveiling.nl najlacnejsisport.sk
brandenburg.de corpoflow.nl rondogo.sk
bund.de derooijfotografie.nl toptop.sk
bundesregierung.de digid.nl triodos.co.uk
datev.de duo.nl xepay.co.uk
dfn.de edenhotels.nl govtrack.us
ekom21.de efactuurdirect.nl quantum-services.us
elster.de ezorg.nl ru.ac.za
fau.de
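An added example, not part of the survey post above and not Viktor's survey tooling, for the "monitor the validity of your own TLSA records" advice and the two failure classes the survey counts besides hash mismatches: "partial" coverage (a secondary MX host with no TLSA RRset) and malformed records. The MX and TLSA data are constructed inline; the check is deliberately offline and does not compare hashes against live certificates. The claim that usages 0 and 1 are unusable for SMTP is RFC 7672's; the "prefer selector 1" warning follows the Let's Encrypt thread linked above.

```python
#!/usr/bin/env python3
"""Offline audit of a domain's SMTP DANE coverage: every MX host needs a TLSA
RRset, and every record in it needs to be well-formed.

Added example, not part of the survey post.  The MX and TLSA data at the
bottom are constructed; in practice feed it the RRsets from DNSSEC-validated
lookups (dig +dnssec MX <domain>; dig +dnssec TLSA _25._tcp.<mx host>).
Matching the hashes against the hosts' certificates is out of scope here.
"""
import re

HEX = re.compile(r"^[0-9A-Fa-f]+$")
DIGEST_HEX_LEN = {1: 64, 2: 128}   # matching type 1 = SHA2-256, 2 = SHA2-512


def check_tlsa_record(rr):
    """Validate one presentation-format TLSA record "usage selector mtype data".

    Returns (errors, warnings).  Any error makes the record unusable for a
    DANE SMTP client; warnings flag valid-but-fragile parameter choices.
    """
    errors, warnings = [], []
    parts = rr.split()
    if len(parts) != 4:
        return [f"expected 4 fields, got {len(parts)}: {rr!r}"], warnings
    try:
        usage, selector, mtype = (int(p) for p in parts[:3])
    except ValueError:
        return [f"non-numeric parameters: {rr!r}"], warnings
    data = parts[3]
    if usage not in (2, 3):
        errors.append(f"usage {usage}: only DANE-TA(2)/DANE-EE(3) are usable for SMTP (RFC 7672)")
    if selector not in (0, 1):
        errors.append(f"unknown selector {selector}")
    if mtype not in (0, 1, 2):
        errors.append(f"unknown matching type {mtype}")
    if not HEX.match(data):
        errors.append("association data is not hex")
    elif mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        errors.append(f"matching type {mtype} needs {DIGEST_HEX_LEN[mtype]} hex chars, got {len(data)}")
    if not errors and selector == 0:
        warnings.append(f"'{usage} 0 {mtype}' pins the whole certificate and breaks on "
                        "re-issuance with the same key; prefer selector 1 (SPKI)")
    return errors, warnings


def audit_domain(mx_rrset, tlsa_rrsets):
    """mx_rrset: [(preference, mx_host)]; tlsa_rrsets: {"_25._tcp.<host>": [rr, ...]}.

    Per host: "ok" (at least one usable record), "unusable" (TLSA published but
    nothing a DANE client can use) or "missing" (no TLSA RRset at all).
    Domain verdict: "covered", "partial" (some MX hosts lack TLSA) or "broken".
    """
    hosts = {}
    for _pref, host in sorted(mx_rrset):
        rrs = tlsa_rrsets.get(f"_25._tcp.{host}", [])
        if not rrs:
            hosts[host] = {"status": "missing", "errors": [], "warnings": []}
            continue
        results = [check_tlsa_record(rr) for rr in rrs]
        hosts[host] = {
            "status": "ok" if any(not errs for errs, _ in results) else "unusable",
            "errors": [e for errs, _ in results for e in errs],
            "warnings": [w for _, warns in results for w in warns],
        }
    statuses = {h["status"] for h in hosts.values()}
    if "unusable" in statuses:
        verdict = "broken"
    elif "missing" in statuses:
        verdict = "partial"
    else:
        verdict = "covered"
    return {"verdict": verdict, "hosts": hosts}


# Constructed sample data (not real DNS): a primary with proper records, a
# secondary with no TLSA RRset, and a deliberately dead tertiary (see footnote
# [1]) that still carries a well-formed, if fragile, record.
SAMPLE_MX = [(10, "mx1.example.test"), (20, "mx2.example.test"), (30, "dead.example.test")]
SAMPLE_TLSA = {
    "_25._tcp.mx1.example.test": ["3 1 1 " + "ab" * 32, "2 1 1 " + "cd" * 32],
    "_25._tcp.dead.example.test": ["3 0 1 " + "ef" * 32],
}

if __name__ == "__main__":
    import json
    print(json.dumps(audit_domain(SAMPLE_MX, SAMPLE_TLSA), indent=2))
```

On the sample data the verdict is "partial": mx1 and the dead host are fine (the latter with a selector-0 warning), mx2 has no TLSA RRset, so mail routed there is still exposed to the active attacks the survey describes. A host whose only records are usage 0/1 or have the wrong digest length yields "broken", which is the outage case rather than the downgrade case.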