dane-users
July 2022
Summary: The DANE domain count is now 3,553,159 (cf. 3,235,913 last
month). Most of the increase is owed to mijndomein.nl
enabling DANE SMTP for ~184k domains and hostnet.nl for 113k
domains, thank you mijndomein.nl and hostnet.nl!

The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,845,352 (up from 18,591,690 last
month). Thus DANE TLSA is deployed on ~18.85% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.

[ See the Credits[0] list below my signature. ]

Another milestone, as of today, the .COM TLD now has more than
5 million signed delegations.

As of today I count ~3.55 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.

This month                    Last Month
----------                    ----------
1241738 one.com               1242988 one.com
 279135 hostpoint.ch           278263 hostpoint.ch
 184346 mijndomein.nl          165958 infomaniak.ch
 176747 infomaniak.ch          160813 transip.nl
 162079 transip.nl             158555 argewebhosting.nl
 158826 argewebhosting.nl      107363 domeneshop.no
 112883 hostnet.nl              98980 jouwweb.nl
 107551 domeneshop.no           96757 loopia.se
 101152 jouwweb.nl              95704 webhostingserver.nl
  96925 loopia.se               76489 forpsi.com
  95235 webhostingserver.nl     60790 zxcs.nl
  77276 forpsi.com              47127 active24.com
  62102 zxcs.nl                 40731 webreus.nl
  47236 active24.com            39430 antagonist.nl
  40429 webreus.nl              34847 pcextreme.nl
  39297 antagonist.nl           27612 udmedia.de
  34585 pcextreme.nl            26602 protonmail.ch
  28545 protonmail.ch           26570 web4u.cz
  27627 udmedia.de              25850 webhosting.dk
  26577 web4u.cz                25519 vevida.com

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

This month                 Last month
----------                 ----------
10177 TOTAL                10052 TOTAL
 2978 DE, Germany           2983 DE, Germany
 1890 NL, Netherlands       1864 NL, Netherlands
 1811 US, United States     1790 US, United States
  763 FR, France             737 FR, France
  362 GB, United Kingdom     349 GB, United Kingdom
  340 CZ, Czechia            325 CZ, Czechia
  236 CA, Canada             228 FI, Finland
  232 FI, Finland            225 CA, Canada
  154 AT, Austria            159 AT, Austria
  130 CH, Switzerland        137 SG, Singapore
  126 SG, Singapore          129 DK, Denmark
  126 DK, Denmark            129 CH, Switzerland
  115 SE, Sweden             109 AU, Australia
  108 AU, Australia          107 SE, Sweden
   57 PL, Poland              59 PL, Poland
   56 JP, Japan               52 JP, Japan
   50 RU, Russia              51 RU, Russia
   50 HU, Hungary             47 NO, Norway
   44 NO, Norway              44 BR, Brazil
   42 BR, Brazil              41 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

This month                Last month
----------                ----------
7936 TOTAL                7869 TOTAL
3552 NL, Netherlands      3534 NL, Netherlands
2216 DE, Germany          2202 DE, Germany
 801 US, United States     817 US, United States
 337 FR, France            322 FR, France
 193 CZ, Czechia           191 CZ, Czechia
 163 GB, United Kingdom    150 GB, United Kingdom
  74 FI, Finland            76 FI, Finland
  71 CA, Canada             71 CA, Canada
  59 CH, Switzerland        59 CH, Switzerland
  53 AU, Australia          51 AU, Australia
  45 AT, Austria            42 SE, Sweden
  42 SE, Sweden             40 SG, Singapore
  39 SG, Singapore          38 AT, Austria
  38 JP, Japan              37 JP, Japan
  27 RU, Russia             25 NO, Norway
  22 IE, Ireland            22 DK, Denmark
  19 DK, Denmark            18 IE, Ireland
  18 NO, Norway             16 RU, Russia
  15 BR, Brazil             15 BR, Brazil
  12 LT, Lithuania          12 LT, Lithuania

There are 8,342 unique zones (8,234 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 17,639 (17,494 last
month). These cover 17,929 distinct MX hosts (17,782 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 694 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 406
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.55 million DANE domains, 14,518 (12,258 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,026
(1,109 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:

  19 mx1.mdbraber.com
  15 e-vps.hacktheplanet.nl
  15 artemis.strebsjig.net
  13 postagrosu.grosu.ro
  12 mail.blanketmail.de
  12 hf-hosting-02.hf-services.net
  10 mail.syngenuity.com
  10 mail.ontharen-rotterdam.nl
   9 smtp.hoggins.fr
   9 mx01.mykolab.com

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month). The top 10 name server operators with problem domains are:

This Month                  Last month
----------                  ----------
591 registrar-servers.com   573 registrar-servers.com
302 worldnic.com            236 mijndomein.nl
245 mijndomein.nl           159 worldnic.com
137 axc.nl                  145 axc.nl
 79 ebola.cz                 85 ebola.cz
 46 psi-japan.net            31 openprovider.nl
 32 openprovider.nl          31 made-easy.ch
 30 made-easy.ch             31 epik.com
 30 ispapi.net               26 ns01.nl
 27 register.com             24 register.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Four of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
greenspot.fi
urbtix.hk
mailazy.net
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports: