dane-users
Threads by month
- ----- 2024 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2023 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2022 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2021 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2020 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2019 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2018 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2017 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2016 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
- ----- 2015 -----
- December
- November
- October
- September
- August
- July
- June
- May
- April
- March
- February
- January
December 2023
- 1 participants
- 5 discussions
The DANE survey (https://stat.dnssec-tools.org) turns up a few domains
a day that botch their cert rollovers or fail to offer STARTTLS despite
publishing DANE TLSA records.
I try to send notices to the relevant contacts, but sometimes they
shoot themselves in the foot:
- Private WHOIS
- No contact data at the website
- Published contacts don't work (no such user, ...).
- Reject earnest notices of technical problems as spam
Yesterday, for the first time, I ran into someone whose MTA stopped
offering STARTTLS, despite the TLSA records still being in place, but
attempts to deliver a notice are rejected:
posttls-finger: < 220-mail.<censored>.dk ESMTP Postcow
... brief pause...
posttls-finger: < 220 mail.<censored>.dk ESMTP Postcow
posttls-finger: > EHLO <...>
posttls-finger: < 250-mail.<censored>.dk
posttls-finger: < 250-PIPELINING
posttls-finger: < 250-SIZE 104857600
posttls-finger: < 250-ETRN
posttls-finger: < 250-AUTH PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-AUTH=PLAIN LOGIN CRAM-MD5
posttls-finger: < 250-ENHANCEDSTATUSCODES
posttls-finger: < 250-8BITMIME
posttls-finger: < 250-DSN
posttls-finger: < 250 CHUNKING
posttls-finger: > QUIT
posttls-finger: < 221 2.0.0 Bye
The notice bounced with:
550 5.7.1 Session encryption is required (in reply to RCPT TO command)
As commendable as it may be to encourage use of TLS, it is not a good
practice to outright refuse cleartext mail.
--
Viktor.
4
3
As you're may be aware, I actively promote adoption of DANE SMTP, many
thanks to everyone who's moved forward with DANE SMTP deployment!
That said, I also always stress that, when deploying DANE SMTP,
*monitoring* must come first, and publishing of DANE TLSA records
second. If your DANE TLSA deployment is unmonitored, it will some day
fail, with you being the last to know that something is wrong when some
email fails to arrive on time or at all. Unmonitored security is a
ticking time-bomb.
Please implement monitoring of your DANE TLSA records vs. the live
certificate chain through regular probing of your MX hosts (I'd suggest
hourly if not more often for more critical servers). Of course you
also need to have good automation of the certificate rollover process
so that normally TLSA records aren't out sync with the certificates
even during a rollover.
If you don't yet have monitoring in place, the below could be a useful
building block for your monitoring scripts.
The "danesmtp" shell (bash) function can take an optional explicit IP
address to connect to, so you can test each of the IP addresses of a
host in turn:
danesmtp () {
local OPTIND=1 opt
local -a rrs sslopts
local rr i=0 host addr
while getopts a: opt; do
case $opt in
a) addr=$OPTARG
case $addr in *:*) addr="[$addr]";; esac;;
*) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
return 1;;
esac
done
shift $((OPTIND - 1))
host=$1
shift
if [[ -z "$addr" ]]; then
addr="$host"
fi
sslopts=(-starttls smtp -connect "$addr:25"
-verify 9 -verify_return_error
-dane_ee_no_namechecks -dane_tlsa_domain "$host")
rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
grep -Ei '^[23] [01] [012] [0-9a-f]+$') )
while (( i < ${#rrs[@]} - 3 )); do
rr=${rrs[@]:$i:4}
i=$((i+4))
sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
done
( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
}
--
Viktor.
4
7
TAKE NOTE: "2 1 1" TLSA records vs. apparent change of Let's Encrypt default certificate chain
by Viktor Dukhovni 10 Jun '24
by Viktor Dukhovni 10 Jun '24
10 Jun '24
The DANE/DNSSEC survey (<https://stats.dnssec-tools.org>) has seen a
recent spike in the number of MX hosts whose "2 1 1" TLSA records no
longer match their certificate chain. The records in question all
shar the same digest value, for various TLSA base domains:
_25._tcp.mx1.example. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
I was initially puzzled as to why this might be happening, but then
it occurred to me that the reason why is clear.
The above hash is the hash of the ISRG X1 root CA key, but it is also of
course the key hash of its outdated **cross-certificate** issued by DST.
That DST cross cert was needed for compatability with some old Android
systems that did not get root CA updates (or updates of any kind).
It must be that Let's Encrypt finally stopped by default including that
cross certificate in their chains. So instead of a chain that looks
like:
- depth 0: EE (server) certificate
- depth 1: Let's Encrypt R3/E1 issuer CA
- depth 2: ISRG X1 cross cert issued by DT
with the certificate at depth 2 matching the TLSA record, they now
generate just:
- depth 0: EE (server) certificate
- depth 1: Let's Encrypt R3/E1 issuer CA
with the ISRG (now standalone) root CA not included in the chain!
Leaving out the root CA works fine for WebPKI, where clients need to
have a locally trusted copy of the root, but not for certificate usage
DANE-TA(2), which does not rely on any local CA store:
https://dane.sys4.de/common_mistakes#4
https://datatracker.ietf.org/doc/html/rfc7672#section-3.1.2
Bottom line, if you're relying on that "2 1 1" record matching the ISRG
root to match your Let's Encrypt chain, you're about to be disappointed,
if you aren't already. See:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
for better alternatives, or switch to "3 1 1", perhaps with the aid of
"danebot" (still hoping some early adopters will pitch in to further
improve it, to support some additional workflows):
<https://github.com/tlsaware/danebot>
--
Viktor.
2
6
Summary: The DANE domain count is now 3,988,988 (3,987,641 last month,
3,733,547 a year ago).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,098,096 (23,197,449 last month,
20,675,170 a year ago). Thus DANE TLSA is deployed on ~17.26%
of domains with DNSSEC. For more stats, see
<https://stats.dnssec-tools.org/>.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important upcoming
changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2E…
As of today, I count ~3.99 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last Month Last year
---------- ---------- ---------
1306568 one.com 1314010 one.com 1214177 one.com
306621 hostpoint.ch 305329 hostpoint.ch 286784 hostpoint.ch
219246 infomaniak.ch 216411 infomaniak.ch 195060 infomaniak.ch
172777 transip.nl 172489 transip.nl 182438 mijndomein.nl
172069 jouwweb.nl 170058 mijndomein.nl 166314 transip.nl
170317 mijndomein.nl 166814 jouwweb.nl 154096 argewebhosting.nl
137375 argewebhosting.nl 138337 argewebhosting.nl 134199 simply.com
130652 simply.com 132653 simply.com 118030 jouwweb.nl
111485 hostnet.nl 111533 hostnet.nl 111945 hostnet.nl
109779 domeneshop.no 109976 domeneshop.no 108682 domeneshop.no
106544 loopia.se 106479 loopia.se 104887 loopia.se
89264 webhostingserver.nl 89713 webhostingserver.nl 94600 webhostingserver.nl
82634 forpsi.com 83026 forpsi.com 79127 forpsi.com
81475 zxcs.nl 81215 zxcs.nl 67139 zxcs.nl
47296 protonmail.ch 46191 protonmail.ch 46886 active24.com
41179 antagonist.nl 41111 antagonist.nl 39610 webreus.nl
38161 active24.com 38611 active24.com 39483 antagonist.nl
36259 webreus.nl 36576 webreus.nl 34977 protonmail.ch
28643 pcextreme.nl 29196 pcextreme.nl 32983 pcextreme.nl
28102 xel.nl 28283 xel.nl 29297 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month Last year
----------- ---------- ---------
12019 TOTAL 11870 TOTAL 10595 TOTAL
3819 DE, Germany 3785 DE, Germany 3209 DE, Germany
1948 NL, The Netherlands 1942 NL, The Netherlands 1891 NL, Netherlands
1929 US, United States 1883 US, United States 1833 US, United States
905 FR, France 921 FR, France 799 FR, France
481 CZ, Czechia 479 CZ, Czechia 388 CZ, Czechia
380 GB, United Kingdom 366 GB, United Kingdom 362 GB, United Kingdom
287 FI, Finland 272 FI, Finland 235 FI, Finland
212 CA, Canada 214 CA, Canada 221 CA, Canada
199 CH, Switzerland 187 CH, Switzerland 153 AT, Austria
186 AT, Austria 183 AT, Austria 135 SE, Sweden
176 SE, Sweden 169 SE, Sweden 134 CH, Switzerland
160 DK, Denmark 152 DK, Denmark 132 DK, Denmark
148 AU, Australia 145 AU, Australia 122 SG, Singapore
117 SG, Singapore 119 SG, Singapore 120 AU, Australia
103 RU, Russia 102 RU, Russia 72 PL, Poland
93 PL, Poland 89 PL, Poland 58 JP, Japan
67 NO, Norway 63 NO, Norway 57 RU, Russia
57 JP, Japan 61 JP, Japan 47 NO, Norway
49 IT, Italy 50 BR, Brazil 42 BR, Brazil
49 BR, Brazil 43 IT, Italy 38 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month Last year
---------- ---------- ---------
9592 TOTAL 9515 TOTAL 8339 TOTAL
4210 NL, The Netherlands 4229 NL, The Netherlands 3666 NL, Netherlands
2791 DE, Germany 2724 DE, Germany 2330 DE, Germany
888 US, United States 868 US, United States 860 US, United States
390 FR, France 401 FR, France 406 FR, France
202 CZ, Czechia 198 CZ, Czechia 175 CZ, Czechia
185 GB, United Kingdom 183 GB, United Kingdom 162 GB, United Kingdom
113 FI, Finland 112 FI, Finland 77 CA, Canada
86 CA, Canada 83 CA, Canada 74 FI, Finland
80 SE, Sweden 78 SE, Sweden 67 AU, Australia
75 AU, Australia 76 AU, Australia 64 CH, Switzerland
72 CH, Switzerland 74 CH, Switzerland 56 SE, Sweden
50 AT, Austria 52 AT, Austria 54 AT, Austria
44 SG, Singapore 46 SG, Singapore 44 SG, Singapore
39 JP, Japan 39 JP, Japan 36 JP, Japan
31 RU, Russia 32 RU, Russia 23 EE, Estonia
31 NO, Norway 29 RO, Romania 21 NO, Norway
29 RO, Romania 28 NO, Norway 21 IE, Ireland
29 BR, Brazil 28 BR, Brazil 21 DK, Denmark
26 DK, Denmark 22 DK, Denmark 17 BR, Brazil
16 IE, Ireland 17 IE, Ireland 15 LT, Lithuania
There are 10,449 unique zones (10,192 last month, 9,144 last year) in
which the underlying MX hosts are found. This counts each of the above
providers as just one zone, so is a measure of the breadth of adoption
in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 21,169 (20,854 last
month, 19,380 last year). These cover 21,466 distinct MX hosts (21,158
last month, 19,380 last year, some MX hosts share the same TLSA records
through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,173 (841 last year, this is my ad-hoc
criterion for a domain being a large-enough actively used email domain).
Of these, 674 (525 last year) are in recent (last 90 days of) reports
(see [2] below my signature).
Of the ~3.99 million DANE domains, 14,456 (14,431 last month, 13,107
last year) have "partial" TLSA records, that cover only a subset of the
(secondary) MX hosts. While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via
the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,862
(1,655 last month, 1,320 last year). Some of these have additional MX
hosts that don't have broken TLSA records, so mail can still arrive via
the remaining MX hosts. The affected domain counts for the top 10
problem MX hosts are:
172 mx2.tkservers.com
48 mail.caop.nl
35 mx1.mdbraber.com
32 mx01.speicher-werk.de
31 mail-03.eu-central-1.aorta.space
26 mail.orionpanel.nl
23 smtp2.kruik-it.nl
23 mail.spreadity.com
22 mail.exot.cz
15 mail.nationaalarchief.nl
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 838 (901 last
month, 1,076 last year). The top 10 name server operators with problem
domains are:
This Month Last month Last year
---------- ---------- ----------
528 neostrada.nl 608 neostrada.nl 148 swizzonic.ch
60 worldnic.com 61 worldnic.com 134 worldnic.com
22 openprovider.nl 22 openprovider.nl 106 epik.com
21 active24.cz 14 sectigoweb.com 95 axc.nl
14 sectigoweb.com 13 register.com 73 ebola.cz
13 register.com 8 ispapi.net 61 openprovider.nl
7 vultr.com 8 dnssrv.nl 29 made-easy.ch
7 dnssrv.nl 7 vultr.com 20 register.com
6 resolver.domains 6 resolver.domains 18 sectigoweb.com
6 ispapi.net 6 forpsi.net 12 ispapi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits:
Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and
team). Wes also hosts and maintains the https://stats.dnssec-tools.org
website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data
support from Chris Mikkelson from domaintools.com. Credits also due to
ICANN providing gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
vbv.ag uni-augsburg.de kiesrijk.nl
univie.ac.at uni-bielefeld.de liveatamsterdamsebos.nl
gmx.at uni-erlangen.de maastrichtuniversity.nl
vbv.at uni-muenchen.de mailmore.nl
boozyshop.be vicinityclo.de mailon.nl
eos-contentia.be web.de mailplus.nl
triodos.be westlotto.de managementboek.nl
nra.bg aeldresagen.dk markteffectmail.nl
register.bg allbuy.dk mcmta.nl
dwvmail.com.br anna-hjorth.dk mijndomein.nl
e-negociacao.com.br annebrauner.dk mijnmagazines.nl
e-renegocie.com.br anodyne.dk minbzk.nl
pn1.com.br australian-bodycare.dk mindef.nl
zaaztelecom.com.br avabeauty.dk mm1.nl
defesa.gov.br bambustoej.dk mulderretail.nl
nic.br barons.dk nefkens.nl
registro.br bigsaver.dk netpoint.nl
activfitness-news.ch bisgaardshoes.dk netpointfactoring.nl
blackout-bonusclub.ch boblberg.dk nieuwsservice-rvo.nl
creditum.ch bog.dk notbranded.nl
escalade.ch borgerforslag.dk noties.nl
gmx.ch bymelanie.dk ns.nl
handy-abovergleich.ch camillakroeyer.dk nuudcare.nl
hostpoint.ch casanova.dk nuwegexclusief.nl
infomaniak.ch champagneklubben.dk okki.nl
kalender-win.ch cillouettes.dk oomverzekeringen.nl
msochrono.ch computerworld.dk opnaarwonderland.nl
open.ch damask.dk otys.nl
protonmail.ch danielspengetips.dk ouderenfonds.nl
sherlockhomes.ch danskebank.dk ouderportaal.nl
sms-gagnant.ch densidsteflaske.dk outlawevents.nl
wog.ch dfi.dk overheid.nl
bionoble.co dressforsuccess.dk oxilionhosted.nl
simplelogin.co ejvinds.dk partijvoordedieren.nl
aim-care.com fibianet.dk partnermail.nl
albourne.com fletkurven.dk podiumcadeaukaart.nl
also.com foraeldresparring.dk politie.nl
anonaddy.com frisorenogbaronen.dk pp-prd.nl
ansigtsyogaonline.com gasolinegrill.dk previder.nl
boozyshop.com gastrotools.dk proefdiervrij.nl
buroventures.com globestudios.dk prorun-mail.nl
canva-facile.com hook-up.dk pvv.nl
cm.com hostedsepo.dk quicknet.nl
collarofsweden.com idelig.dk ranzijn.nl
connectsb.com inkpro.dk rdw.nl
conscience-et-realites.com iphoneopladere.dk rijksoverheid.nl
cornerstoneplatform.com ixstudioscph.dk rivm.nl
danskebank.com kagegrisen.dk rotterdam.nl
datev.com kisserpaludan.dk rvig.nl
denhaag.com kk.dk rvo.nl
detectiveforaday.com kodbilen.dk sans-mail.nl
eliteincomesociety.com konkurspriser.dk schuurman-schoenen.nl
explorer-hotels.com kystfisken.dk scorion.nl
fabfilter.com lacabra.dk shampoobars.nl
farmergracy.com lammeskindet.dk shapeit.nl
fastware-hosting.com lederstof.dk shoesme.nl
flaneurhomme.com legekammeraten.dk sietskescholten.nl
fromanteel-watches.com mobilcovers.dk sizzthebrand.nl
getpaidopportunities.com modstroem.dk smartwatchbanden.nl
gmx.com musclehouse.dk snowbass.nl
goodforme.com naturhandel.dk spamservice.nl
habitamat.com netic.dk sportrusten.nl
habr.com nexsmart.dk ssonet.nl
hannahbarrettyoga.com nfinitybeauty.dk stage-app.nl
headachecalendar.com nimara.dk stater.nl
hedon.com nordd.dk steunactie.nl
highcharts.com nordicsheep.dk svb.nl
imcnig.com nota.dk svr.nl
infomaniak.com online-mode.dk technicus.nl
ingthink.com pengeogfrihed.dk telefoonglaasje.nl
intakt.com perfectjeans.dk thealphamen.nl
itskaos.com qookware.dk thefightcompany.nl
johnbeerens.com sengefabrikken.dk transip.nl
joomlapolis.com seniornews.dk triodos.nl
jula.com shapeit.dk truetickets.nl
justpadel.com sillysanta.dk tudelft.nl
kabayarefashion.com skjold-burne.dk uitgeverijpica.nl
kheaa.com smoon.dk upcmail.nl
leszexpertsfle.com sneakerzone.dk uvt.nl
librti.com stil.dk uwv.nl
luvrefranco.com sygeforsikring.dk vacaturesonline.nl
mail.com thenap.dk valys.nl
maileroo.com thesneakerstore.dk vandale.nl
mailzerver.com trueliving.dk vimexx.nl
marsblade.com viggo.dk vluchtelingenwerk.nl
meriamecouture.com vin-huset.dk vpo.nl
mplbeauty.com vind.dk vunzigedeuntjes.nl
nanolearning.com yuaiahaircare.dk vvv-venlo.nl
nautisme-pratique.com tilburguniversity.edu watchbandjes-shop.nl
nine-pine.com biotheka.ee waternet.nl
novashops.com holt.ee werkzoeken.nl
offshorecorptalk.com maarahvapood.ee woongarantvolmacht.nl
one.com minuvalik.ee ziggo.nl
orsys.com surveyturtle.ee zorgmail.nl
ottobredesign.com turunduslabor.ee ankerstjerne.no
pieter-pot.com myownconference.email annabellstefanussen.no
pompomlondon.com spam-filter.email babybanden.no
ppcpcv.com spotler.email bergengokart.no
protonmail.com talentech.email bull-ski-kajakk.no
run-motion.com nuudcare.es chillout.no
runbox.com triodos.es day-et.no
sankakucomplex.com egu.eu dinholdning.no
scienceshepherd.com finesoftware.eu domeneshop.no
scorecloud.com mailplatform.eu dressmykid.no
serverclienti.com qard.eu godvar.no
sisuknitwear.com rybarik.eu guttelus.no
sneakerjeans.com zerolime.eu handelsbanken.no
solvinity.com zone.eu hoppin.no
speciale-offre.com zonevs.eu hyttefeber.no
sportnotch.com danskebank.fi idrettenonline.no
stasdock.com f-solutions.fi kashmina.no
stater.com fsol.fi lagerpriser.no
stellarequipment.com handelsbanken.fi marikrogshus.no
tcs.com io-tech.fi modostore.no
the-vfl.com metaburn.fi mystuff.no
theintercept.com raumanteatteri.fi nordiskbylien.no
thelabelmachine.com sillysanta.fi norskgrammatikk.no
thepcw.com ac-strasbourg.fr raskebriller.no
thepcwholesale.com boozyshop.fr rushtrampoline.no
thingsilikethingsilove.com braceletsmartwatch.fr smaaungene.no
trainwithlov.com compagnie-des-sens.fr spillfabrikken.no
triodos.com nuudcare.fr stilshoppen.no
tutanota.com oo2.fr strikkia.no
up2staff.com passefranceallemagne.fr suksessmednetthandel.no
vivaldi.com privea.fr svippr.no
webcruiter.com fvap.gov tickettothemoon.no
win-rar.com nsa.gov veronicalill.no
xfinity.com tid.gov.hk analysedanmark.nu
xfinityhomesecurity.com fidesz.hu atelkamera.nu
xfinitymobile.com italiamail.hu goget.nu
bncr.fi.cr marathonlife.hu hallbarhalsa.nu
airbank.cz nyirbatorvaroskartya.hu lenhud.nu
akce-incomputer.cz zsibvasar.hu skjutsgruppen.nu
amenit.cz bluebiz.info agirpourlenvironnement.org
balikovna.cz eurocontrol.int calyxinstitute.org
bewooden.cz infinex.io debian.org
cd.cz simplelogin.io freebsd.org
cinemax.cz nuudcare.it fridaysforfuture.org
cokoladovnajanek.cz neolink.link gentoo.org
cpost.cz etat.lu ietf.org
creammy.cz anonaddy.me isc.org
csob.cz pm.me mailbox.org
csobstavebni.cz proton.me mailop.org
cuni.cz army.mil netbsd.org
dashofer.cz dla.mil ozlabs.org
dedra.cz dma.mil postfix.org
e-kondomy.cz health.mil samba.org
ecps.cz jten.mil torproject.org
ekokoza.cz mail.mil biotechnologia.com.pl
fio.cz navy.mil asf.com.pt
gov.cz nga.mil pinnbet.rs
hobynaradi.cz osd.mil mobily.com.sa
hypotecnibanka.cz socom.mil arbetsformedlingen.se
innogy.cz spaceforce.mil australian-bodycare.se
itesco.cz uscg.mil bearplay.se
jumpfamily.cz usmc.mil bearplayshop.se
kb.cz comcast.net bidflow.se
klenotyaurum.cz ewetel.net bilprovningen.se
klubpevnehozdravi.cz ficbook.net crtzoo.se
ksporting.cz fivem.net egensajt.se
manymail.cz gmx.net ellevio.se
mbank.cz graphistepro.net epochtimes-mejl.se
mfcr.cz habramail.net fotproffsen.se
mindsoft.cz hr-manager.net handelsbanken.se
mkluzkoviny.cz intares.net hellomantle.se
mojedatovaschranka.cz mailanyone.net innebandy24.se
mojemincovna.cz masterinter.net jaramba.se
mrakyhracek.cz mijngezondheid.net jul-troja.se
muni.cz mpssec.net klasspengar.se
nic.cz octopoos.net koreanbeauty.se
nilia.cz procurios.net kth.se
o2.cz ripe.net kulturaktiebolaget.se
opravdovezlociny.cz riseup.net livlyclothing.se
optimail.cz s-qrc.net lnu.se
outlet-alpine.cz soverin.net lomervarde.se
p-info.cz space.net loopia.se
pivoteka.cz t-2.net malarfabriken.se
poptavej.cz amsterdam.nl merchsweden.se
scrptd.cz aquastorexl.nl metaburn.se
server4u.cz bankhoesdiscounter.nl minmyndighetspost.se
shopex.cz belastingdienst.nl nordd.se
smtp.cz beterinbeleggen.nl nordicsheep.se
sparkys.cz beterspellen.nl polisen.se
stoklasa.cz bewustpuur.nl samblamail.se
tefal.cz bhosted.nl sillysanta.se
thinline.cz blushfashionstore.nl silverdotter.se
vas-server.cz bobo.nl skatteverket.se
vitalpoint.cz body-supplies.nl skolverket.se
vshosting.cz bolerolimonadewinkel.nl snbostader.se
zafido.cz boozyshop.nl soleplus.se
zdravestravovani.cz box.nl spelfabrik.se
zlocinozrouti.cz bruut.nl svenskhusman.se
zonky.cz burgernet.nl teeshoppen.se
bayern.de carre.nl teknikdelar.se
brandenburg.de casema.nl theletter.se
bund.de cbr.nl websupport.se
datev.de chello.nl agatinsvet.sk
deutsch-franzoesischer-freundschaftspass.de clubplanner.nl bewooden.sk
dfn.de csvjongholland.nl coopka.sk
elster.de degros.nl edirect.sk
ewetel.de derooijfotografie.nl fio.sk
fau.de desan.nl gravirovane.sk
freenet.de dewebmakers.nl hecht.sk
gmx.de dictu.nl mamaaja.sk
hi7.de digid.nl mklozkoviny.sk
huellen-shop.de dimehouse.nl mnforce-panel.sk
jpberlin.de domain-registry.nl nakupujzdravo.sk
knauermann.de dorcas.nl nlp-akademia.sk
lmu.de duo.nl partner.sk
lrz.de efactuurdirect.nl penzionmara.sk
mail.de esuals.nl poziadavka.sk
mail2many.de extinctionrebellion.nl rondogo.sk
mensa.de ezorg.nl travelmail.sk
mindline-analytics.de fivecityspa.nl zapardrobnych.sk
mpg.de frfc1908.nl zeit-des-wandels.tv
posteo.de glamouryourhair.nl afinepairofshoes.co.uk
ruhr-uni-bochum.de hobbygigant.nl clientnews3.co.uk
sifjakobs.de home.nl millieandblake.co.uk
sillysanta.de hostingpeople.nl nuudcare.co.uk
smartwatcharmbaender.de hostnet.nl thewordman.co.uk
sys4.de huurexpert.nl triodos.co.uk
taures.de ikdeburger.nl nuudcare.us
tu-darmstadt.de inspirerendleven.nl quantum-services.us
tum.de interim-netwerk.nl ru.ac.za
tutanota.de josephinajewelry.nl
1
0
Summary: The DANE domain count is now 3,987,641 (3,949,527 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,197,449 (up slightly from 23,173,417
last month). Thus DANE TLSA is deployed on ~17.18% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>. [
See the Credits[0] list below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important upcoming
changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
As of today, I count ~3.99 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1314010 one.com 1314953 one.com
305329 hostpoint.ch 303663 hostpoint.ch
216411 infomaniak.ch 212629 infomaniak.ch
172489 transip.nl 172311 transip.nl
170058 mijndomein.nl 169592 mijndomein.nl
166814 jouwweb.nl 161972 jouwweb.nl
138337 argewebhosting.nl 139685 argewebhosting.nl
132653 simply.com 131004 simply.com
111533 hostnet.nl 111235 hostnet.nl
109976 domeneshop.no 109839 domeneshop.no
106479 loopia.se 106090 loopia.se
89713 webhostingserver.nl 90348 webhostingserver.nl
83026 forpsi.com 83074 forpsi.com
81215 zxcs.nl 81323 zxcs.nl
46191 protonmail.ch 44928 protonmail.ch
41111 antagonist.nl 40974 antagonist.nl
38611 active24.com 39102 active24.com
36576 webreus.nl 36892 webreus.nl
29196 pcextreme.nl 29674 pcextreme.nl
28283 xel.nl 28404 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month
----------- ----------
11870 TOTAL 11663 TOTAL
3785 DE, Germany 3687 DE, Germany
1942 NL, The Netherlands 1932 NL, Netherlands
1883 US, United States 1888 US, United States
921 FR, France 883 FR, France
479 CZ, Czechia 458 CZ, Czechia
366 GB, United Kingdom 364 GB, United Kingdom
272 FI, Finland 267 FI, Finland
214 CA, Canada 213 CA, Canada
187 CH, Switzerland 176 AT, Austria
183 AT, Austria 171 CH, Switzerland
169 SE, Sweden 161 SE, Sweden
152 DK, Denmark 147 DK, Denmark
145 AU, Australia 141 AU, Australia
119 SG, Singapore 123 SG, Singapore
102 RU, Russia 107 RU, Russia
89 PL, Poland 88 PL, Poland
63 NO, Norway 64 JP, Japan
61 JP, Japan 60 NO, Norway
50 BR, Brazil 51 BR, Brazil
43 IT, Italy 47 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
9515 TOTAL 9445 TOTAL
4229 NL, The Netherlands 4224 NL, Netherlands
2724 DE, Germany 2659 DE, Germany
868 US, United States 881 US, United States
401 FR, France 389 FR, France
198 CZ, Czechia 189 CZ, Czechia
183 GB, United Kingdom 177 GB, United Kingdom
112 FI, Finland 110 FI, Finland
83 CA, Canada 87 CA, Canada
78 SE, Sweden 81 SE, Sweden
76 AU, Australia 72 AU, Australia
74 CH, Switzerland 68 CH, Switzerland
52 AT, Austria 49 SG, Singapore
46 SG, Singapore 47 AT, Austria
39 JP, Japan 43 RU, Russia
32 RU, Russia 39 JP, Japan
29 RO, Romania 30 BR, Brazil
28 NO, Norway 28 RO, Romania
28 BR, Brazil 26 NO, Norway
22 DK, Denmark 23 DK, Denmark
17 IE, Ireland 18 LT, Lithuania
There are 10,192 unique zones (9,773 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,854 (20,781 last
month). These cover 21,158 distinct MX hosts (21,077 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,135 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 614
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.99 million DANE domains, 14,431 (14,236 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,655
(1,873 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
172 mx2.tkservers.com
40 svr3.it-df.net
35 mx1.mdbraber.com
27 mail.orionpanel.nl
23 smtp2.kruik-it.nl
19 web1.sys.ccs-baumann.de
19 fsn1-c04.xemo-net.de
15 mail.nationaalarchief.nl
15 artemis.strebsjig.net
13 smtp.philinnon.net
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 838 (901 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
608 neostrada.nl 665 neostrada.nl
61 worldnic.com 62 worldnic.com
22 openprovider.nl 24 openprovider.nl
14 sectigoweb.com 14 sectigoweb.com
13 register.com 13 register.com
8 ispapi.net 9 dnssrv.nl
8 dnssrv.nl 8 ispapi.net
7 vultr.com 7 vultr.com
6 resolver.domains 6 resolver.domains
6 forpsi.net 6 forpsi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
vbv.ag tutanota.de hro.nl
univie.ac.at uni-augsburg.de huurexpert.nl
gmx.at uni-bielefeld.de ikdeburger.nl
vbv.at uni-erlangen.de inspirerendleven.nl
boozyshop.be uni-muenchen.de interconnect.nl
eos-contentia.be vicinityclo.de interim-netwerk.nl
triodos.be web.de josephinajewelry.nl
nra.bg westlotto.de kiesrijk.nl
cetelemnegocie.com.br aeldresagen.dk maastrichtuniversity.nl
dwvmail.com.br allbuy.dk mailmore.nl
e-negociacao.com.br anna-hjorth.dk mailon.nl
e-renegocie.com.br annebrauner.dk mailplus.nl
pn1.com.br australian-bodycare.dk managementboek.nl
zaaztelecom.com.br avabeauty.dk markteffectmail.nl
defesa.gov.br bambustoej.dk mcmta.nl
nic.br barons.dk mijndomein.nl
registro.br bigsaver.dk minbzk.nl
activfitness-news.ch bisgaardshoes.dk mindef.nl
blackout-bonusclub.ch bog.dk mm1.nl
creditum.ch borgerforslag.dk nieuwsservice-rvo.nl
escalade.ch bymelanie.dk notbranded.nl
gmx.ch camillakroeyer.dk noties.nl
handy-abovergleich.ch casanova.dk ns.nl
hostpoint.ch champagneklubben.dk nuudcare.nl
infomaniak.ch cillouettes.dk nuwegexclusief.nl
msochrono.ch computerworld.dk opnaarwonderland.nl
open.ch damask.dk ouderenfonds.nl
protonmail.ch danielspengetips.dk ouderportaal.nl
sherlockhomes.ch danskebank.dk overheid.nl
sms-gagnant.ch denmentalekriger.dk oxilionhosted.nl
wog.ch densidsteflaske.dk partijvoordedieren.nl
simplelogin.co dfi.dk partnermail.nl
aim-care.com dressforsuccess.dk podiumcadeaukaart.nl
albourne.com ens.dk politie.nl
also.com fibianet.dk pp-prd.nl
anonaddy.com foraeldresparring.dk previder.nl
ansigtsyogaonline.com gastrotools.dk prorun-mail.nl
boozyshop.com globestudios.dk pvv.nl
canva-facile.com hook-up.dk quicknet.nl
cm.com hostedsepo.dk rdw.nl
collarofsweden.com idelig.dk rijksoverheid.nl
connectsb.com iphoneopladere.dk rvig.nl
danskebank.com ixstudioscph.dk rvo.nl
datev.com kagegrisen.dk sans-mail.nl
denhaag.com kisserpaludan.dk schuurman-schoenen.nl
explorer-hotels.com kk.dk scorion.nl
fabfilter.com kodbilen.dk shampoobars.nl
farmergracy.com konkurspriser.dk shapeit.nl
fastware-hosting.com kystfisken.dk shoesme.nl
flaneurhomme.com lacabra.dk sietskescholten.nl
fromanteel-watches.com lammeskindet.dk sizzthebrand.nl
getpaidopportunities.com lederstof.dk smartwatchbanden.nl
gmx.com mobilcovers.dk snowbass.nl
goodforme.com musclehouse.dk spamservice.nl
habr.com netic.dk sportrusten.nl
headachecalendar.com nexsmart.dk ssonet.nl
highcharts.com nfinitybeauty.dk stater.nl
infomaniak.com nimara.dk svb.nl
ingthink.com nordd.dk svr.nl
intakt.com nordicsheep.dk technicus.nl
itskaos.com nota.dk telefoonglaasje.nl
johnbeerens.com online-mode.dk thealphamen.nl
joomlapolis.com opdagverden.dk transip.nl
jula.com pengeogfrihed.dk triodos.nl
kabayarefashion.com perfectjeans.dk truetickets.nl
kae-cosmetici.com qookware.dk tudelft.nl
kantarresearch.com sengefabrikken.dk uitgeverijpica.nl
kheaa.com seniornews.dk upcmail.nl
leszexpertsfle.com shapeit.dk uvt.nl
librti.com skjold-burne.dk uwv.nl
mail.com smoon.dk vacaturesonline.nl
mailzerver.com sneakerzone.dk vandale.nl
marsblade.com stil.dk vimexx.nl
meriamecouture.com sygeforsikring.dk vluchtelingenwerk.nl
mixx.com thenap.dk vunzigedeuntjes.nl
mplbeauty.com thesneakerstore.dk watchbandjes-shop.nl
nanolearning.com trueliving.dk waternet.nl
nine-pine.com viggo.dk wehkampfinance.nl
novashops.com vin-huset.dk werkzoeken.nl
offshorecorptalk.com vind.dk ziggo.nl
one.com yuaiahaircare.dk zorgmail.nl
orsys.com tilburguniversity.edu ankerstjerne.no
ottobredesign.com biotheka.ee annabellstefanussen.no
pieter-pot.com holt.ee babybanden.no
pompomlondon.com maarahvapood.ee bergengokart.no
protonmail.com minuvalik.ee bull-ski-kajakk.no
run-motion.com turunduslabor.ee chillout.no
runbox.com myownconference.email day-et.no
sankakucomplex.com spam-filter.email domeneshop.no
scorecloud.com spotler.email dressmykid.no
serverclienti.com nuudcare.es godvar.no
sisuknitwear.com triodos.es guttelus.no
sneakerjeans.com egu.eu handelsbanken.no
solvinity.com finesoftware.eu hoppin.no
speciale-offre.com iaccept.eu hyttefeber.no
sportnotch.com litebit.eu idrettenonline.no
stasdock.com mailplatform.eu kashmina.no
stater.com zerolime.eu lagerpriser.no
stellarequipment.com zonevs.eu marikrogshus.no
tcs.com danskebank.fi modostore.no
the-vfl.com fsol.fi mystuff.no
theintercept.com handelsbanken.fi nordiskbylien.no
thepcw.com metaburn.fi norskgrammatikk.no
thepcwholesale.com sillysanta.fi raskebriller.no
thesmmacademy.com ac-strasbourg.fr rushtrampoline.no
thingsilikethingsilove.com boozyshop.fr smaaungene.no
triodos.com braceletsmartwatch.fr spillfabrikken.no
tutanota.com compagnie-des-sens.fr strikkia.no
up2staff.com edtm-actu.fr suksessmednetthandel.no
veganallsorts.com nuudcare.fr svippr.no
vivaldi.com oo2.fr veronicalill.no
webcruiter.com passefranceallemagne.fr analysedanmark.nu
win-rar.com privea.fr atelkamera.nu
xfinity.com fvap.gov goget.nu
xfinityhomesecurity.com nsa.gov hallbarhalsa.nu
xfinitymobile.com tid.gov.hk lenhud.nu
bncr.fi.cr fidesz.hu agirpourlenvironnement.org
airbank.cz italiamail.hu checkmyads.org
akce-incomputer.cz bluebiz.info debian.org
amenit.cz eurocontrol.int freebsd.org
balikovna.cz infinex.io fridaysforfuture.org
bewooden.cz nuudcare.it gentoo.org
cd.cz neolink.link ietf.org
cokoladovnajanek.cz etat.lu isc.org
cpost.cz nic.lv mailbox.org
creammy.cz anonaddy.me mailop.org
csob.cz pm.me netbsd.org
csobstavebni.cz proton.me ozlabs.org
cuni.cz army.mil postfix.org
dashofer.cz dla.mil samba.org
dedra.cz dma.mil torproject.org
e-kondomy.cz health.mil biotechnologia.com.pl
ecps.cz jten.mil asf.com.pt
ekokoza.cz mail.mil mobily.com.sa
fio.cz navy.mil arbetsformedlingen.se
hobynaradi.cz nga.mil australian-bodycare.se
hypotecnibanka.cz osd.mil bearplay.se
innogy.cz socom.mil bearplayshop.se
itesco.cz spaceforce.mil bidflow.se
kb.cz uscg.mil bilprovningen.se
klenotyaurum.cz usmc.mil crtzoo.se
klubpevnehozdravi.cz comcast.net ecster.se
ksporting.cz ewetel.net egensajt.se
manymail.cz ficbook.net ellevio.se
maxmax.cz fivem.net epochtimes-mejl.se
mbank.cz gmx.net fashion-copenhagen.se
mfcr.cz habramail.net handelsbanken.se
mindsoft.cz hr-manager.net hellomantle.se
mkluzkoviny.cz inexio.net innebandy24.se
mojedatovaschranka.cz mailanyone.net jaramba.se
mrakyhracek.cz masterinter.net klasspengar.se
muni.cz mijngezondheid.net koreanbeauty.se
nic.cz mpssec.net kulturaktiebolaget.se
nilia.cz octopoos.net livlyclothing.se
nku.cz procurios.net lnu.se
o2.cz ripe.net lomervarde.se
opravdovezlociny.cz riseup.net loopia.se
optimail.cz s-qrc.net malarfabriken.se
outlet-alpine.cz soverin.net merchsweden.se
p-info.cz t-2.net minmyndighetspost.se
pivoteka.cz amsterdam.nl nordicsheep.se
poptavej.cz amsterdamwinefestival.nl performcollection.se
scrptd.cz aquastorexl.nl polisen.se
server4u.cz bankhoesdiscounter.nl refitness.se
shopex.cz belastingdienst.nl samblamail.se
smtp.cz beterinbeleggen.nl sillysanta.se
sparkys.cz beterspellen.nl silverdotter.se
stoklasa.cz bewustpuur.nl skatteverket.se
tefal.cz bhosted.nl skolverket.se
thinline.cz blushfashionstore.nl snbostader.se
vas-server.cz bobo.nl soleplus.se
vitalpoint.cz body-supplies.nl teeshoppen.se
vshosting.cz bolerolimonadewinkel.nl teknikdelar.se
zafido.cz boozyshop.nl theletter.se
zdravestravovani.cz box.nl websupport.se
zlocinozrouti.cz bruut.nl agatinsvet.sk
zonky.cz burgernet.nl bewooden.sk
bayern.de carre.nl coopka.sk
brandenburg.de casema.nl edirect.sk
bund.de cbr.nl fio.sk
bundesregierung.de chello.nl gravirovane.sk
datev.de clubplanner.nl hecht.sk
dfn.de csvjongholland.nl lenivakucharka.sk
elster.de degros.nl mamaaja.sk
ewetel.de derooijfotografie.nl mklozkoviny.sk
fau.de desan.nl mnforce-panel.sk
freenet.de dewebmakers.nl nakupujzdravo.sk
gmx.de dictu.nl nlp-akademia.sk
hi7.de digibtw.nl partner.sk
huellen-shop.de digid.nl penzionmara.sk
jpberlin.de dimehouse.nl poziadavka.sk
lmu.de domain-registry.nl rondogo.sk
lrz.de dorcas.nl travelmail.sk
mail.de duo.nl zapardrobnych.sk
mensa.de eabstest.nl zeit-des-wandels.tv
mindline-analytics.de efactuurdirect.nl afinepairofshoes.co.uk
mpg.de esuals.nl clientnews3.co.uk
posteo.de extinctionrebellion.nl millieandblake.co.uk
ruhr-uni-bochum.de ezorg.nl nuudcare.co.uk
sifjakobs.de frfc1908.nl thewordman.co.uk
smartwatcharmbaender.de hobbygigant.nl triodos.co.uk
sys4.de home.nl nuudcare.us
taures.de hostingpeople.nl quantum-services.us
tu-darmstadt.de hostnet.nl ru.ac.za
tum.de hr.nl
1
0