dane-users
September 2022
Summary: The DANE domain count is now 3,598,975 (c.f. 3,584,050 last
month).

The number of domains that return DNSSEC-validated replies in
response to MX queries is 19,332,285 (up from 19,130,407 last
month). Thus DANE TLSA is deployed on ~18.61% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.

[ See the Credits[0] list below my signature. ]

registrar-servers.com (Namecheap) and mijndomein.nl resolved
all their outstanding TLSA record denial of existence issues,
contributing to a reduction in problem domains from ~2k to ~1k.

As of today I count ~3.60 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.

  This month                   Last month
  ----------                   ----------
  1236565 one.com              1236935 one.com
   281674 hostpoint.ch          280585 hostpoint.ch
   190849 infomaniak.ch         189107 infomaniak.ch
   185033 mijndomein.nl         184512 mijndomein.nl
   163544 transip.nl            162755 transip.nl
   159122 argewebhosting.nl     159073 argewebhosting.nl
   112282 hostnet.nl            112570 hostnet.nl
   108076 domeneshop.no         107805 domeneshop.no
   107087 jouwweb.nl            104255 jouwweb.nl
    97044 loopia.se              96819 loopia.se
    94545 webhostingserver.nl    94919 webhostingserver.nl
    77900 forpsi.com             77692 forpsi.com
    63883 zxcs.nl                63160 zxcs.nl
    47339 active24.com           47265 active24.com
    40371 webreus.nl             40191 webreus.nl
    39576 antagonist.nl          39451 antagonist.nl
    34177 pcextreme.nl           34401 pcextreme.nl
    30328 protonmail.ch          29158 protonmail.ch
    28469 xel.nl                 27581 udmedia.de
    27636 udmedia.de             26543 web4u.cz

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

  This month                Last month
  -----------               -----------
  10154 TOTAL               10134 TOTAL
   3062 DE, Germany          3005 DE, Germany
   1845 NL, Netherlands      1894 NL, Netherlands
   1780 US, United States    1774 US, United States
    766 FR, France            763 FR, France
    355 GB, United Kingdom    356 GB, United Kingdom
    340 CZ, Czechia           338 CZ, Czechia
    239 FI, Finland           235 FI, Finland
    220 CA, Canada            224 CA, Canada
    151 AT, Austria           156 AT, Austria
    128 DK, Denmark           129 CH, Switzerland
    127 CH, Switzerland       127 SG, Singapore
    124 SG, Singapore         127 DK, Denmark
    120 SE, Sweden            110 SE, Sweden
    110 AU, Australia         110 AU, Australia
     57 PL, Poland             56 PL, Poland
     55 RU, Russia             54 RU, Russia
     54 JP, Japan              54 JP, Japan
     49 NO, Norway             48 NO, Norway
     38 BR, Brazil             41 IE, Ireland
     35 IE, Ireland            40 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

  This month               Last month
  ----------               ----------
  7992 TOTAL               7968 TOTAL
  3557 NL, Netherlands     3557 NL, Netherlands
  2264 DE, Germany         2241 DE, Germany
   849 US, United States    831 US, United States
   341 FR, France           347 FR, France
   180 CZ, Czechia          172 CZ, Czechia
   152 GB, United Kingdom   149 GB, United Kingdom
    74 FI, Finland           77 CH, Switzerland
    67 CA, Canada            76 FI, Finland
    61 CH, Switzerland       65 CA, Canada
    50 AU, Australia         54 AU, Australia
    47 AT, Austria           43 SE, Sweden
    44 SE, Sweden            36 SG, Singapore
    38 SG, Singapore         36 JP, Japan
    34 JP, Japan             35 AT, Austria
    23 NO, Norway            24 RU, Russia
    20 DK, Denmark           21 NO, Norway
    19 IE, Ireland           20 DK, Denmark
    17 BR, Brazil            19 IE, Ireland
    12 LT, Lithuania         16 BR, Brazil
    11 RO, Romania           12 LT, Lithuania

There are 8,468 unique zones (8,375 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 17,855 (17,725 last
month). These cover 18,152 distinct MX hosts (18,019 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 714 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 405
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.60 million DANE domains, 13,723 (13,921 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,349
(2,442 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:

  105 mail.blueconsulting.cz
   87 vps01.marcus.services
   85 beta.itcomputers.eu
   34 mx2.synetcon.net
   18 mx3.hug.info
   18 mx1.mdbraber.com
   17 mx1.traxion.com
   15 artemis.strebsjig.net
   14 mx2.traxion.com
   13 postagrosu.grosu.ro

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

  https://dane.sys4.de/common_mistakes
  https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
  https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
  https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
  https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
  https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
  https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
  https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:

  This month            Last month
  ----------            ----------
  357 worldnic.com      593 registrar-servers.com
  134 axc.nl            402 worldnic.com
   75 ebola.cz          249 mijndomein.nl
   60 openprovider.nl   138 axc.nl
   41 psi-japan.net      77 ebola.cz
   34 active24.cz        60 openprovider.nl
   28 made-easy.ch       55 zihlmann.net
   25 ns01.nl            41 psi-japan.net
   22 register.com       29 made-easy.ch
   18 epik.com           26 ns01.nl

[ Many thanks to Namecheap and Mijndomein for resolving all issues for their
customer domains. ]

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Three of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  urbtix.hk
  mailazy.net
  kprm.gov.pl

--
Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
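
The post separates domains whose TLSA records cover every MX host from "partial" ones that cover only a subset, and footnote [1] requires records to exist and be well-formed. The following is an added example, not part of the original post and not the survey's own code, of a monitoring check that makes that distinction; the function names and the example.* sample data are constructed for illustration, and the check covers syntax only, not whether a record matches the server's certificate.

```python
import hashlib
import re

# usage 0-3, selector 0-1, matching type 0-2, then hex data (possibly in chunks)
TLSA_RE = re.compile(r"([0-3]) ([01]) ([0-2]) ([0-9A-Fa-f ]+)")
# Required data length in bytes per matching type: 1 = SHA-256, 2 = SHA-512.
# Matching type 0 (full data) has no fixed length.
DIGEST_LEN = {1: 32, 2: 64}


def tlsa_well_formed(rdata):
    """Syntax check of one TLSA RDATA string, e.g. '3 1 1 <64 hex digits>'."""
    m = TLSA_RE.fullmatch(" ".join(rdata.split()))
    if not m:
        return False
    hexdata = m.group(4).replace(" ", "")
    if len(hexdata) % 2:
        return False
    want = DIGEST_LEN.get(int(m.group(3)))
    return want is None or len(hexdata) // 2 == want


def classify_domain(mx_tlsa):
    """mx_tlsa maps each MX host to its TLSA RDATA strings ([] if none).

    Assumption of this example: a host counts as covered only if its RRset
    is non-empty and every record in it is well-formed.
    Returns 'full', 'partial' (some MX hosts left uncovered) or 'none'.
    """
    covered = [host for host, rrset in mx_tlsa.items()
               if rrset and all(tlsa_well_formed(r) for r in rrset)]
    if not covered:
        return "none"
    return "full" if len(covered) == len(mx_tlsa) else "partial"


def survey(domains):
    return {name: classify_domain(mx) for name, mx in domains.items()}


# Constructed sample data; the digest is of a dummy byte string, not a real key.
GOOD = "3 1 1 " + hashlib.sha256(b"constructed sample key").hexdigest()
SAMPLE = {
    "example.org": {"mx1.example.org": [GOOD], "mx2.example.org": [GOOD]},
    "example.net": {"mx1.example.net": [GOOD], "mx2.example.net": []},
    "example.com": {"mx1.example.com": ["3 1 1 abcd"]},  # truncated digest
}

if __name__ == "__main__":
    for name, status in survey(SAMPLE).items():
        print(name, status)
```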