dane-users

Download

dane-users@list.sys4.de

March 2023

1 participants
1 discussions

Update on stats 2023-02
by Viktor Dukhovni 01 Mar '23

01 Mar '23

Summary: The DANE domain count is now 3,736,374 (c.f. 3,684,357 last month). [ Thanks again to webreus.nl for promptly restoring their briefly absent MX host TLSA records. ] The number of domains that return DNSSEC-validated replies in response to MX queries is 21,281,794 (up from 21,002,701 last month). Thus DANE TLSA is deployed on ~17.55% of domains with DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>. [ See the Credits[0] list below my signature. ] As of today, I count ~3.74 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below. This month Last Month ---------- ---------- 1215654 one.com 1214586 one.com 289485 hostpoint.ch 288282 hostpoint.ch 196800 infomaniak.ch 195874 infomaniak.ch 172687 mijndomein.nl 167120 transip.nl 167821 transip.nl 160940 mijndomein.nl 149959 argewebhosting.nl 153033 argewebhosting.nl 134211 simply.com 136256 simply.com 125968 jouwweb.nl 123192 jouwweb.nl 111664 hostnet.nl 111941 hostnet.nl 108890 domeneshop.no 108874 domeneshop.no 105306 loopia.se 105109 loopia.se 93785 webhostingserver.nl 94171 webhostingserver.nl 81009 forpsi.com 80000 forpsi.com 69228 zxcs.nl 68284 zxcs.nl 43479 active24.com 43363 active24.com 39825 antagonist.nl 39704 antagonist.nl 38913 webreus.nl 37051 protonmail.ch 37357 protonmail.ch 32693 pcextreme.nl 32264 pcextreme.nl 29232 xel.nl 29069 xel.nl 27564 udmedia.de The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be, .pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented). This month Last month ----------- ---------- 10767 TOTAL 10726 TOTAL 3307 DE, Germany 3284 DE, Germany 1878 NL, Netherlands 1882 NL, Netherlands 1848 US, United States 1856 US, United States 785 FR, France 808 FR, France 407 CZ, Czechia 396 CZ, Czechia 352 GB, United Kingdom 358 GB, United Kingdom 244 FI, Finland 241 FI, Finland 212 CA, Canada 222 CA, Canada 172 AT, Austria 160 AT, Austria 148 CH, Switzerland 137 SE, Sweden 137 SE, Sweden 136 CH, Switzerland 135 DK, Denmark 133 DK, Denmark 134 AU, Australia 128 AU, Australia 117 SG, Singapore 122 SG, Singapore 78 PL, Poland 76 PL, Poland 60 RU, Russia 60 RU, Russia 58 JP, Japan 57 JP, Japan 46 NO, Norway 47 IT, Italy 45 IT, Italy 45 NO, Norway 44 BR, Brazil 42 BR, Brazil IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are: This month Last month ---------- ---------- 8447 TOTAL 8396 TOTAL 3654 NL, Netherlands 3651 NL, Netherlands 2411 DE, Germany 2312 DE, Germany 863 US, United States 855 US, United States 320 GB, United Kingdom 398 FR, France 257 FR, France 183 CZ, Czechia 172 CZ, Czechia 173 GB, United Kingdom 74 FI, Finland 156 AU, Australia 74 AU, Australia 77 CA, Canada 73 CA, Canada 76 FI, Finland 68 CH, Switzerland 61 CH, Switzerland 62 SE, Sweden 56 AT, Austria 59 AT, Austria 53 SE, Sweden 44 SG, Singapore 46 SG, Singapore 36 JP, Japan 36 JP, Japan 23 NO, Norway 22 DK, Denmark 22 DK, Denmark 21 NO, Norway 20 RO, Romania 19 RO, Romania 19 BR, Brazil 18 IE, Ireland 18 IE, Ireland 17 BR, Brazil 16 UA, Ukraine 14 LT, Lithuania There are 8,914 unique zones (9,201 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP. The number of published MX host TLSA RRsets found is 19,359 (19,488 last month). These cover 19,653 distinct MX hosts (19,784 last month, some MX hosts share the same TLSA records through CNAMEs). The number of DANE domains that at some point were listed in Gmail's email transparency report is 877 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 543 are in recent (last 90 days of) reports (see [2] below my signature). Of the ~3.74 million DANE domains, 12,926 (13,046 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts. The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 3,139 (1,366 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are: 1772 mail-in.box.nl 106 mail.blueconsulting.cz 90 securemail.discnetwork.nl 36 mx1.mdbraber.com 31 mx2.synetcon.net 31 mx1.synetcon.net 18 semark.dk 17 mx1.traxion.com 15 artemis.strebsjig.net 14 mx2.traxion.com To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See: https://dane.sys4.de/common_mistakes https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP… https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-… https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources https://datatracker.ietf.org/doc/html/rfc7671#section-8.1 https://datatracker.ietf.org/doc/html/rfc7671#section-8.4 After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 2,998 (3,237 last month). The top 10 name server operators with problem domains are: This Month Last month ---------- ---------- 2064 neostrada.nl 2182 neostrada.nl 133 worldnic.com 140 worldnic.com 101 online.net 115 dnssrv.nl 97 dnssrv.nl 102 online.net 88 axc.nl 90 axc.nl 84 epik.com 89 epik.com 72 ebola.cz 73 ebola.cz 60 openprovider.nl 61 openprovider.nl 20 register.com 39 fgov.be 17 sectigoweb.com 20 register.com If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible. Just one of the domains whose nameservers have broken denial of existence appears in the last 120 days of Google transparency reports: mailazy.net -- Viktor. [0] Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome. [1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security. [2] DANE domains appearing in last 90 days of Google Email transparency reports: univie.ac.at posteo.de ijsselstein.nl gmx.at ruhr-uni-bochum.de interim-netwerk.nl boozyshop.be smartwatcharmbaender.de kiesrijk.nl register.bg tum.de kralingsebosfestival.nl cetelemnegocie.com.br tutanota.de lico.nl e-negociacao.com.br uni-augsburg.de luxiez.nl e-renegocie.com.br uni-bielefeld.de mail-studio.nl nic.br uni-erlangen.de mailmore.nl registro.br uni-kl.de mailon.nl 20km.ch uni-muenchen.de mailplus.nl activfitness-news.ch vicinityclo.de managementboek.nl blackout-bonusclub.ch web.de markteffectmail.nl cbd420.ch westlotto.de mcmta.nl docks.ch allbuy.dk messen.nl escalade.ch annes-atelier.dk mijndomein.nl gmx.ch attode.dk mijnhypotheekonline.nl handy-abovergleich.ch australian-bodycare.dk minbzk.nl hostpoint.ch avabeauty.dk mindef.nl infomaniak.ch bambustoej.dk mm1.nl msochrono.ch barons.dk mulderretail.nl open.ch bog.dk netpoint.nl protonmail.ch calisweats.dk netpointfactoring.nl sms-gagnant.ch camillakroeyer.dk nieuwsservice-rvo.nl switch.ch danielspengetips.dk noties.nl youcinema.ch dfi.dk ns.nl santeglobale.club dinhstore.dk nuudcare.nl bionoble.co dk-hostmaster.dk orangebag.nl simplelogin.co ens.dk otys.nl albourne.com fibianet.dk ouderportaal.nl also.com fitnessudsalg.dk overheid.nl altospam.com foraeldresparring.dk oxilion.nl anonaddy.com gastrotools.dk oxilionhosted.nl appliedgo.com globestudios.dk parlement.nl azgop.com incover.dk partijvoordedieren.nl bymalina.com innoliving.dk partnermail.nl cm.com ixstudioscph.dk paypro.nl collarofsweden.com juliesandlau.dk petsgifts.nl colourfulrebel.com kodbilen.dk petsonline.nl connectsb.com konkurspriser.dk ploegendienst-festival.nl datev.com kystfisken.dk podiumcadeaukaart.nl denhaag.com labelking.dk politie.nl exegy.com lacabra.dk pp-prd.nl fabfilter.com mobilcovers.dk previder.nl farmergracy.com musclehouse.dk prorun-mail.nl fastware-hosting.com netic.dk pvv.nl financialafrik.com nfinitybeauty.dk quicknet.nl flaneurhomme.com nimara.dk rdw.nl frequentis.com nordd.dk rechtspraak.nl gmx.com nota.dk rijksoverheid.nl groed.com peterhald.dk rivm.nl habr.com qknives.dk sans-mail.nl hedon.com rmc.dk schoudercom.nl highcharts.com sengefabrikken.dk schuurman-schoenen.nl imcnig.com seniornews.dk shampoobars.nl infomaniak.com shapeit.dk shoesme.nl ingthink.com shellcard.dk sizzthebrand.nl isistrade.com soelvstein.dk smartwatchbanden.nl johnbeerens.com stil.dk spamservice.nl joomlapolis.com stori.dk sportrusten.nl jula.com themeatclub.dk ssonet.nl kabayarefashion.com thesneakerstore.dk stater.nl kantarresearch.com tricommerce.dk surf.nl klbrlive.com trueliving.dk surfspot.nl leszexpertsfle.com uvm.dk svb.nl librti.com venderbys.dk teamq14.nl liefleven.com wavell.dk telefoonglaasje.nl mactabeauty.com yuaiahaircare.dk teso.nl mail.com yummihaircare.dk thealphamen.nl mailzerver.com tilburguniversity.edu tno.nl mplbeauty.com zone.ee transip.nl nanolearning.com myownconference.email travelclown.nl nine-pine.com spam-filter.email triodos.nl offshorecorptalk.com spike.email truetickets.nl one.com spotler.email tudelft.nl orsys.com talentech.email tweedekamer.nl pieter-pot.com nuudcare.es uitgeverijpica.nl pompomlondon.com triodos.es upcmail.nl ppcpcv.com egu.eu uvt.nl protonmail.com finesoftware.eu uwv.nl protonvpn.com litebit.eu valys.nl renworkshops.com qard.eu vimexx.nl run-motion.com skhosting.eu vogeldagboek.nl sankakucomplex.com zone.eu vpo.nl scorecloud.com zonevs.eu vunzigedeuntjes.nl serverclienti.com fsol.fi watchbandjes-shop.nl solvinity.com handelsbanken.fi waternet.nl stater.com metaburn.fi webreus.nl stellarequipment.com tarjousrinki.fi wierden.nl t-2.com traficom.fi winterlake.nl thalesgroup.com ac-strasbourg.fr woongarantvolmacht.nl thegreenery.com braceletsmartwatch.fr ziggo.nl theintercept.com chiens-guides-idf.fr zorgmail.nl thepcw.com compagnie-des-sens.fr annabellstefanussen.no thepcwholesale.com edtm-actu.fr babybanden.no thesmmacademy.com nuudcare.fr bergengokart.no triodos.com oo2.fr bull-ski-kajakk.no truewaykids.com privea.fr domeneshop.no tutanota.com waveisland.fr guttelus.no unionnearme.com fidesz.hu handelsbanken.no up2staff.com italiamail.hu hyttefeber.no veganallsorts.com mszp.hu idrettenonline.no veka.com pandi.id infinityshop.no vendiblelabs.com bluebiz.info kashmina.no vivaldi.com eurocontrol.int lagerpriser.no webcruiter.com rootnet.io marikrogshus.no webmailph.com nuudcare.it mystuff.no win-rar.com neolink.link nordicprint.no xfinity.com education.lu norskgrammatikk.no xfinityhomesecurity.com anonaddy.me raskebriller.no xfinitymobile.com pm.me rushtrampoline.no your-site.com proton.me spillfabrikken.no bncr.fi.cr army.mil storytravel.no airbank.cz dla.mil tickettothemoon.no akce-incomputer.cz health.mil uib.no amenit.cz jten.mil viphuset.no avatech.cz mail.mil atelkamera.nu bewooden.cz navy.mil goget.nu cokoladovnajanek.cz osd.mil lenhud.nu csob.cz socom.mil debian.org csobstavebni.cz uscg.mil freebsd.org cuni.cz usmc.mil gentoo.org dedra.cz bleucitron.net ietf.org e-kondomy.cz comcast.net irtf.org fio.cz ewetel.net isc.org gov.cz ficbook.net mailbox.org hellspy.cz fivem.net mailop.org hypotecnibanka.cz gmx.net netbsd.org itesco.cz habramail.net openssl.org kb.cz hr-manager.net ozlabs.org klenotyaurum.cz mijngezondheid.net samba.org klubpevnehozdravi.cz mpssec.net torproject.org ksporting.cz procurios.net kemono.party manymail.cz ripe.net brebank.com.pl maxmax.cz riseup.net holandiajobs.pl mbank.cz soverin.net loopia.rs mfcr.cz t-2.net mobily.com.sa mkluzkoviny.cz transip.net arbetsformedlingen.se mojedatovaschranka.cz webreus.net bilprovningen.se mrakyhracek.cz amsterdam.nl bollnas.se muni.cz aquastorexl.nl damernasmagasin.se mzv.cz artsenzorg.nl ecster.se nic.cz bankhoesdiscounter.nl ellevio.se o2.cz belastingdienst.nl frederikbagger.se optimail.cz beterspellen.nl handelsbanken.se outlet-alpine.cz bhosted.nl hellomantle.se patentnimedicina.cz bhsupport.nl huskvarnafolketspark.se poptavej.cz bit.nl innebandy24.se pre.cz blushfashionstore.nl jul-troja.se predplatit.cz bobo.nl lnu.se scrptd.cz body-supplies.nl lomervarde.se server4u.cz boekwinkeltjes.nl loopia.se smtp.cz bolerolimonadewinkel.nl merchsweden.se stoklasa.cz boozyshop.nl minmyndighetspost.se sukl.cz bratsites-grs.nl nordicprint.se trilimi.cz bruut.nl polisen.se vas-server.cz burgernet.nl silverdotter.se virusfree.cz camperexpo.nl skatteverket.se web4u.cz caracamilla.nl skolverket.se zdravestravovani.cz casema.nl teknikdelar.se zonky.cz cbr.nl theletter.se bayern.de chello.nl vaccinova.se brandenburg.de clubplanner.nl websupport.se bund.de degros.nl fio.sk bundesregierung.de deonlinetandarts.nl kadernickyservis.sk datev.de derooijfotografie.nl mklozkoviny.sk dfn.de desan.nl naau.sk elster.de digid.nl pneusvet.sk ewetel.de digitaleverkiezing.nl rondogo.sk fau.de dorcas.nl satro.sk fn.de duo.nl toptop.sk freenet.de efactuurdirect.nl zapardrobnych.sk gmx.de esuals.nl simpcity.su hi7.de ezorg.nl afinepairofshoes.co.uk huellen-shop.de fivecityspa.nl clientnews3.co.uk jpberlin.de gebruikersnamen.nl handelsbanken.co.uk knauermann.de haargroeispecialist.nl nuudcare.co.uk lmu.de healthcheckcenter.nl triodos.co.uk lrz.de hobbygigant.nl nuudcare.us mail.de home.nl quantum-services.us mensa.de hostingpeople.nl ru.ac.za mpg.de hostnet.nl stargaze.zone

1 0