dane-users
December 2022
- 1 participants
- 2 discussions
Summary: The DANE domain count is now 3,733,547 (c.f. 3,720,888 last
month and 2,998,143 this time last year).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 20,675,170 (up from 20,310,165 last
month and 17,263,168 this time last year). Thus DANE TLSA is
deployed on ~18.05% of domains with DNSSEC. For more stats,
see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.73 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                   Last Month                   Last Year
----------                   ----------                   ----------
1214177 one.com              1214759 one.com              1214915 one.com
 286784 hostpoint.ch          285701 hostpoint.ch          273907 hostpoint.ch
 195060 infomaniak.ch         194398 infomaniak.ch         156065 infomaniak.ch
 182438 mijndomein.nl         185672 mijndomein.nl         155803 transip.nl
 166314 transip.nl            165714 transip.nl            150793 argewebhosting.nl
 154096 argewebhosting.nl     155508 argewebhosting.nl     106219 domeneshop.no
 134199 simply.com            124416 simply.com             97607 webhostingserver.nl
 118030 jouwweb.nl            114928 jouwweb.nl             95145 loopia.se
 111945 hostnet.nl            112051 hostnet.nl             72612 forpsi.com
 108682 domeneshop.no         108214 domeneshop.no          50892 zxcs.nl
 104887 loopia.se             105216 loopia.se              46657 active24.com
  94600 webhostingserver.nl    95288 webhostingserver.nl    41634 webreus.nl
  79127 forpsi.com             78911 forpsi.com             38388 antagonist.nl
  67139 zxcs.nl                66428 zxcs.nl                36106 pcextreme.nl
  46886 active24.com           47492 active24.com           27209 udmedia.de
  39610 webreus.nl             39822 webreus.nl             27073 vevida.com
  39483 antagonist.nl          39658 antagonist.nl          26765 webhosting.dk
  34977 protonmail.ch          33391 pcextreme.nl           26430 web4u.cz
  32983 pcextreme.nl           33350 protonmail.ch          23331 hosting2go.nl
  29297 xel.nl                 29153 xel.nl                 22745 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                Last month                Last Year
----------                ----------                ----------
10595 TOTAL               10447 TOTAL                9262 TOTAL
 3209 DE, Germany          3145 DE, Germany          2704 DE, Germany
 1891 NL, Netherlands      1900 NL, Netherlands      1785 NL, Netherlands
 1833 US, United States    1791 US, United States    1723 US, United States
  799 FR, France            779 FR, France            674 FR, France
  388 CZ, Czechia           372 GB, United Kingdom    338 GB, United Kingdom
  362 GB, United Kingdom    369 CZ, Czechia           275 CZ, Czechia
  235 FI, Finland           233 FI, Finland           202 FI, Finland
  221 CA, Canada            229 CA, Canada            199 CA, Canada
  153 AT, Austria           153 AT, Austria           132 DK, Denmark
  135 SE, Sweden            131 SE, Sweden            132 AT, Austria
  134 CH, Switzerland       131 DK, Denmark           114 SG, Singapore
  132 DK, Denmark           128 CH, Switzerland       113 CH, Switzerland
  122 SG, Singapore         127 SG, Singapore          99 SE, Sweden
  120 AU, Australia         123 AU, Australia          99 AU, Australia
   72 PL, Poland             68 PL, Poland             54 PL, Poland
   58 JP, Japan              57 RU, Russia             46 RU, Russia
   57 RU, Russia             57 JP, Japan              42 IE, Ireland
   47 NO, Norway             46 NO, Norway             41 NO, Norway
   42 BR, Brazil             41 IE, Ireland            39 JP, Japan
   38 IE, Ireland            41 BR, Brazil             37 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month               Last month               Last Year
----------               ----------               ----------
8339 TOTAL               8246 TOTAL               7177 TOTAL
3666 NL, Netherlands     3650 NL, Netherlands     3323 NL, Netherlands
2330 DE, Germany         2334 DE, Germany         1926 DE, Germany
 860 US, United States    837 US, United States    759 US, United States
 406 FR, France           359 FR, France           288 FR, France
 175 CZ, Czechia          172 GB, United Kingdom   164 CZ, Czechia
 162 GB, United Kingdom   166 CZ, Czechia          144 GB, United Kingdom
  77 CA, Canada            81 CA, Canada            82 FI, Finland
  74 FI, Finland           75 FI, Finland           60 CA, Canada
  67 AU, Australia         66 AU, Australia         44 CH, Switzerland
  64 CH, Switzerland       62 CH, Switzerland       43 SE, Sweden
  56 SE, Sweden            56 SE, Sweden            42 AU, Australia
  54 AT, Austria           45 SG, Singapore         40 SG, Singapore
  44 SG, Singapore         40 AT, Austria           32 AT, Austria
  36 JP, Japan             34 JP, Japan             28 JP, Japan
  23 EE, Estonia           21 IE, Ireland           23 IE, Ireland
  21 NO, Norway            21 DK, Denmark           18 NO, Norway
  21 IE, Ireland           20 RU, Russia            16 BR, Brazil
  21 DK, Denmark           20 NO, Norway            15 DK, Denmark
  17 BR, Brazil            19 BR, Brazil            12 IN, India
  15 LT, Lithuania         16 LT, Lithuania         11 PL, Poland
There are 9,144 unique zones (8,914 last month and 7,482 this time last
year) in which the underlying MX hosts are found. This counts each of
the above providers as just one zone, so is a measure of the breadth of
adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 19,380 (18,619 last
month and 16,403 this time last year). These cover 19,675 distinct MX
hosts (18,915 last month and 16,670 this time last year, some MX hosts
share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 841 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 525
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.73 million DANE domains, 13,107 (13,265 last month and 12,621
this time last year) have "partial" TLSA records, that cover only a
subset of the (secondary) MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,320
(1,507 last month and 1,225 this time last year). Some of these have
additional MX hosts that don't have broken TLSA records, so mail can
still arrive via the remaining MX hosts. The affected domain counts for
the top 10 problem MX hosts are:
103 mail.blueconsulting.cz
37 mx1.mdbraber.com
33 mx1.synetcon.net
30 mail.behindthemars.de
20 mx1.logging.ch
18 semark.dk
17 mx1.traxion.com
17 mx01.xworks.net
16 mail.odissee.net
15 artemis.strebsjig.net
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
This Month           Last month
----------           ----------
148 swizzonic.ch     115 worldnic.com
134 worldnic.com     114 axc.nl
106 epik.com          81 epik.com
 95 axc.nl            73 ebola.cz
 73 ebola.cz          64 openprovider.nl
 61 openprovider.nl   32 active24.cz
 29 made-easy.ch      29 made-easy.ch
 20 register.com      18 sectigoweb.com
 18 sectigoweb.com    15 netcup.net
 12 ispapi.net        12 ispapi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just two of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
calyxinstitute.org
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 3,720,888 (c.f. 3,701,200 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 20,310,165 (up from 20,041,659 last
month). Thus DANE TLSA is deployed on ~18.32% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.72 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                   Last Month
----------                   ----------
1214759 one.com              1224541 one.com
 285701 hostpoint.ch          284142 hostpoint.ch
 194398 infomaniak.ch         194132 infomaniak.ch
 185672 mijndomein.nl         186459 mijndomein.nl
 165714 transip.nl            164902 transip.nl
 155508 argewebhosting.nl     154681 argewebhosting.nl
 124416 simply.com            126469 simply.com
 114928 jouwweb.nl            112645 jouwweb.nl
 112051 hostnet.nl            111958 hostnet.nl
 108214 domeneshop.no         108448 domeneshop.no
 105216 loopia.se             104708 loopia.se
  95288 webhostingserver.nl    93613 webhostingserver.nl
  78911 forpsi.com             78681 forpsi.com
  66428 zxcs.nl                65510 zxcs.nl
  47492 active24.com           47461 active24.com
  39822 webreus.nl             40154 webreus.nl
  39658 antagonist.nl          39645 antagonist.nl
  33391 pcextreme.nl           33729 pcextreme.nl
  33350 protonmail.ch          32031 protonmail.ch
  29153 xel.nl                 29009 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                Last month
----------                ----------
10447 TOTAL               10358 TOTAL
 3145 DE, Germany          3116 DE, Germany
 1900 NL, Netherlands      1867 NL, Netherlands
 1791 US, United States    1811 US, United States
  779 FR, France            770 FR, France
  372 GB, United Kingdom    376 GB, United Kingdom
  369 CZ, Czechia           360 CZ, Czechia
  233 FI, Finland           229 FI, Finland
  229 CA, Canada            221 CA, Canada
  153 AT, Austria           155 AT, Austria
  131 SE, Sweden            132 CH, Switzerland
  131 DK, Denmark           130 DK, Denmark
  128 CH, Switzerland       129 SE, Sweden
  127 SG, Singapore         128 SG, Singapore
  123 AU, Australia         115 AU, Australia
   68 PL, Poland             63 PL, Poland
   57 RU, Russia             58 RU, Russia
   57 JP, Japan              57 JP, Japan
   46 NO, Norway             47 NO, Norway
   41 IE, Ireland            45 BR, Brazil
   41 BR, Brazil             41 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month               Last month
----------               ----------
8246 TOTAL               8162 TOTAL
3650 NL, Netherlands     3584 NL, Netherlands
2334 DE, Germany         2317 DE, Germany
 837 US, United States    851 US, United States
 359 FR, France           358 FR, France
 172 GB, United Kingdom   176 CZ, Czechia
 166 CZ, Czechia          164 GB, United Kingdom
  81 CA, Canada            77 CA, Canada
  75 FI, Finland           71 FI, Finland
  66 AU, Australia         63 CH, Switzerland
  62 CH, Switzerland       58 AU, Australia
  56 SE, Sweden            50 SE, Sweden
  45 SG, Singapore         47 SG, Singapore
  40 AT, Austria           47 AT, Austria
  34 JP, Japan             33 JP, Japan
  21 IE, Ireland           26 RU, Russia
  21 DK, Denmark           21 IE, Ireland
  20 RU, Russia            20 NO, Norway
  20 NO, Norway            19 DK, Denmark
  19 BR, Brazil            18 BR, Brazil
  16 LT, Lithuania         13 LT, Lithuania
There are 8,914 unique zones (8,763 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 18,619 (18,205 last
month). These cover 18,915 distinct MX hosts (18,501 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 793 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 478
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.72 million DANE domains, 13,265 (13,370 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,507
(1,310 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
104 mail.blueconsulting.cz
66 beta.itcomputers.eu
34 mx1.mdbraber.com
33 mx[12].synetcon.net
18 semark.dk
17 mx[12].traxion.com
15 artemis.strebsjig.net
14 mta9.pointner.at
13 postagrosu.grosu.ro
10 mail.ontharen-rotterdam.nl
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
This Month           Last month
----------           ----------
115 worldnic.com     147 online.net
114 axc.nl           124 worldnic.com
 81 epik.com         117 axc.nl
 73 ebola.cz          73 ebola.cz
 64 openprovider.nl   57 openprovider.nl
 32 active24.cz       39 epik.com
 29 made-easy.ch      32 active24.cz
 18 sectigoweb.com    28 made-easy.ch
 15 netcup.net        21 renault.fr
 12 ispapi.net        21 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains all whose nameservers have broken denial of existence
appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
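Both reports above ask operators to monitor their TLSA records and to rotate keys reliably. The following is an added example, not part of the original posts and not the survey's own code: it checks a published TLSA RRset against the chain an MX host presents now and against the chain it will present after a rotation. Assumptions: the caller supplies DER bytes for each certificate and its SubjectPublicKeyInfo, the byte strings below are constructed stand-ins, and DANE-TA records are only compared with issuer certificates (chain signatures are not verified).

```python
import hashlib
from dataclasses import dataclass

# TLSA matching types 1 and 2 are SHA2-256 and SHA2-512 digests.
HASHERS = {1: hashlib.sha256, 2: hashlib.sha512}


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 2 = DANE-TA, 3 = DANE-EE (0 and 1 are the PKIX usages)
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA2-256, 2 = SHA2-512
    data: bytes


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex...' and reject malformed records."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: usage selector mtype hexdata")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported TLSA parameters")
    if mtype in HASHERS and len(data) != HASHERS[mtype]().digest_size:
        raise ValueError("digest length does not fit the matching type")
    return Tlsa(usage, selector, mtype, data)


def matches(rec, cert_der, spki_der):
    """Compare one record with one certificate according to selector and mtype."""
    selected = cert_der if rec.selector == 0 else spki_der
    if rec.mtype == 0:
        return selected == rec.data
    return HASHERS[rec.mtype](selected).digest() == rec.data


def check_mx(rrset, chain):
    """Return 'ok', 'mismatch' or 'unusable' for one MX host.

    rrset: TLSA RDATA strings; chain: [(cert_der, spki_der), ...], leaf first.
    """
    usable = []
    for rdata in rrset:
        try:
            rec = parse_tlsa(rdata)
        except ValueError:
            continue                      # malformed records cannot match
        if rec.usage in (2, 3):           # usages 0 and 1 are not used for SMTP (RFC 7672)
            usable.append(rec)
    if not usable:
        return "unusable"
    for rec in usable:
        # DANE-EE binds the leaf; DANE-TA is compared with the issuers only
        # (simplification: no signature verification of the chain).
        candidates = chain[:1] if rec.usage == 3 else chain[1:]
        if any(matches(rec, cert, spki) for cert, spki in candidates):
            return "ok"
    return "mismatch"


def rotation_safe(rrset, current_chain, next_chain):
    """True only if the published RRset matches before and after the key change."""
    return check_mx(rrset, current_chain) == "ok" and check_mx(rrset, next_chain) == "ok"


def tlsa_rdata(usage, selector, der):
    """Build a SHA2-256 TLSA record for the given DER bytes (sample-data helper)."""
    return f"{usage} {selector} 1 {hashlib.sha256(der).hexdigest()}"


# Constructed stand-ins for (certificate DER, SPKI DER); not real certificates.
CUR = (b"constructed-cert-current", b"constructed-spki-current")
NXT = (b"constructed-cert-next", b"constructed-spki-next")
ISSUER = (b"constructed-issuer-cert", b"constructed-issuer-spki")

if __name__ == "__main__":
    only_current = [tlsa_rdata(3, 1, CUR[1])]
    both_keys = only_current + [tlsa_rdata(3, 1, NXT[1])]
    print("current key only:", rotation_safe(only_current, [CUR, ISSUER], [NXT, ISSUER]))
    print("current + next:  ", rotation_safe(both_keys, [CUR, ISSUER], [NXT, ISSUER]))
    print("after rotation, stale RRset:", check_mx(only_current, [NXT, ISSUER]))
```

Run against real data, the "mismatch" result after rotation is the state the reports count as incorrect TLSA records; publishing the next key's record before the switch keeps `rotation_safe` true throughout.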