dane-users
September 2023
- 7 participants
- 5 discussions
As you may be aware, I actively promote adoption of DANE SMTP, many
thanks to everyone who's moved forward with DANE SMTP deployment!
That said, I also always stress that, when deploying DANE SMTP,
*monitoring* must come first, and publishing of DANE TLSA records
second. If your DANE TLSA deployment is unmonitored, it will some day
fail, with you being the last to know that something is wrong when some
email fails to arrive on time or at all. Unmonitored security is a
ticking time-bomb.
Please implement monitoring of your DANE TLSA records vs. the live
certificate chain through regular probing of your MX hosts (I'd suggest
hourly if not more often for more critical servers). Of course you
also need to have good automation of the certificate rollover process
so that normally TLSA records aren't out of sync with the certificates
even during a rollover.
If you don't yet have monitoring in place, the below could be a useful
building block for your monitoring scripts.
The "danesmtp" shell (bash) function can take an optional explicit IP
address to connect to, so you can test each of the IP addresses of a
host in turn:
danesmtp () {
    local OPTIND=1 opt
    local -a rrs sslopts
    local rr i=0 host addr
    # -a addr: connect to this explicit IP address instead of resolving the
    # host name; an IPv6 literal is bracketed so that "[addr]:25" parses.
    while getopts a: opt; do
        case $opt in
        a) addr=$OPTARG
           case $addr in *:*) addr="[$addr]";; esac;;
        *) printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
           return 1;;
        esac
    done
    shift $((OPTIND - 1))
    if [[ -z "$1" ]]; then
        printf 'usage: danesmtp [-a addr] host [ssloption ...]\n'
        return 1
    fi
    host=$1
    shift
    if [[ -z "$addr" ]]; then
        addr="$host"
    fi
    # The TLSA base domain is always the MX host name, even when connecting
    # to an explicit address; name checks are skipped for DANE-EE(3) records.
    sslopts=(-starttls smtp -connect "$addr:25"
             -verify 9 -verify_return_error
             -dane_ee_no_namechecks -dane_tlsa_domain "$host")
    # Fetch the TLSA RRset in unsplit presentation form and keep only
    # well-formed usage 2/3 records (PKIX usages 0/1 are not used with SMTP).
    rrs=( $(dig +short +nosplit -t tlsa "_25._tcp.$host" |
            grep -Ei '^[23] [01] [012] [0-9a-f]+$') )
    # Each record is four words; hand every record to OpenSSL for matching.
    while (( i < ${#rrs[@]} - 3 )); do
        rr=${rrs[@]:$i:4}
        i=$((i+4))
        sslopts=("${sslopts[@]}" "-dane_tlsa_rrdata" "$rr")
    done
    # Send QUIT once the handshake is done; with -verify_return_error a
    # non-zero exit status means the connection or DANE verification failed.
    ( sleep 1; printf "QUIT\r\n" ) | openssl s_client -brief "${sslopts[@]}" "$@"
}
--
Viktor.
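An offline TLSA matcher, added here as an example (it is not code from Viktor's post, nor OpenSSL's own): it applies the usage, selector and matching-type rules that `openssl s_client -dane_tlsa_rrdata` applies internally, so a monitor can report which individual record went stale instead of only a pass/fail handshake. It assumes the caller has already fetched the MX host's DER chain (leaf first) and its TLSA RRset text; `fake_cert` and every other name here are this example's own, and the certificates it builds are constructed test data.

```python
"""Offline DANE TLSA matching for an SMTP DANE monitor (added example, not from the post)."""
import hashlib

# RFC 6698 / RFC 7671 parameter values; SMTP clients only use usages 2 and 3 (RFC 7672).
DANE_TA, DANE_EE = 2, 3
SEL_CERT, SEL_SPKI = 0, 1
MT_FULL, MT_SHA256, MT_SHA512 = 0, 1, 2

def parse_tlsa(presentation):
    """Parse 'usage selector mtype hex' as printed by dig +short (split hex or not)."""
    fields = presentation.split()
    if len(fields) < 4:
        raise ValueError("malformed TLSA record: %r" % presentation)
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unknown TLSA parameter in %r" % presentation)
    return usage, selector, mtype, bytes.fromhex("".join(fields[3:]))

def _der_tlv(buf, pos):
    """Decode one DER tag and length; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def spki_from_cert(cert_der):
    """Return the DER SubjectPublicKeyInfo TLV of an X.509 certificate."""
    _, tbs_at, _ = _der_tlv(cert_der, 0)               # Certificate SEQUENCE
    _, pos, _ = _der_tlv(cert_der, tbs_at)             # tbsCertificate SEQUENCE
    if cert_der[pos] == 0xA0:                          # optional [0] EXPLICIT version
        _, _, pos = _der_tlv(cert_der, pos)
    for _ in range(5):  # skip serialNumber, signature, issuer, validity, subject
        _, _, pos = _der_tlv(cert_der, pos)
    tag, _, end = _der_tlv(cert_der, pos)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo SEQUENCE not found")
    return cert_der[pos:end]

def association_data(cert_der, selector, mtype):
    """The certificate association data a TLSA record would carry for this cert."""
    obj = cert_der if selector == SEL_CERT else spki_from_cert(cert_der)
    if mtype == MT_FULL:
        return obj
    return (hashlib.sha256 if mtype == MT_SHA256 else hashlib.sha512)(obj).digest()

def tlsa_matches(record, chain_der):
    """True if one parsed record is satisfied by the served chain (leaf first).

    DANE-EE(3): only the end-entity certificate may match; name and expiry are
    not checked (which is why the probe above passes -dane_ee_no_namechecks).
    DANE-TA(2): any certificate in the chain may be the trust anchor; RFC 7671
    requires the server to include the TA certificate in its chain.
    PKIX-TA(0)/PKIX-EE(1): never match, SMTP clients ignore them.
    """
    usage, selector, mtype, data = record
    if usage == DANE_EE:
        candidates = chain_der[:1]
    elif usage == DANE_TA:
        candidates = chain_der
    else:
        return False
    return any(association_data(c, selector, mtype) == data for c in candidates)

def check_rrset(presentations, chain_der):
    """Monitor verdict: [(record, matched), ...] plus whether any record matched.

    The per-record detail shows which record went stale after a key rollover
    while another record still keeps delivery working.
    """
    results = [(p, tlsa_matches(parse_tlsa(p), chain_der)) for p in presentations]
    return results, any(matched for _, matched in results)

# --- constructed test data: structurally valid but meaningless certificates ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def fake_cert(spki_body):
    """DER Certificate skeleton (constructed): version, serial, four empty
    SEQUENCEs standing in for signature/issuer/validity/subject, then the SPKI."""
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
           + _der(0x30, b"") * 4 + _der(0x30, spki_body))
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

In a real monitor, feed `check_rrset` the chain captured from the MX host and the RRset from `dig +short -t tlsa`, and alert when the overall verdict is false or when any record stays stale beyond your rollover window.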
Summary: A slow month. The DANE domain count is now 3,923,543
(c.f. 3,924,107 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,180,180 (up slightly from 23,141,061
last month). Thus DANE TLSA is deployed on ~16.92% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
A light at the end of the tunnel is that Microsoft are moving
forward with enabling inbound DANE. Though the official
start date is in Q1 2024, the first domain is already live,
with its primary and secondary MX hosts DANE-enabled:
https://twitter.com/VDukhovni/status/1707817430125322421
https://stats.dnssec-tools.org/explore/?digitalcosmos.net
The 3rd and 4th MX hosts aren't yet on the new "mx.microsoft"
platform.
As of today, I count ~3.92 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                   Last Month
----------                   ----------
1322240 one.com              1330342 one.com
 302353 hostpoint.ch          300967 hostpoint.ch
 209052 infomaniak.ch         205928 infomaniak.ch
 171630 transip.nl            171750 transip.nl
 168815 mijndomein.nl         168545 mijndomein.nl
 156229 jouwweb.nl            151627 jouwweb.nl
 141433 argewebhosting.nl     144160 argewebhosting.nl
 129838 simply.com            132421 simply.com
 111275 hostnet.nl            111071 hostnet.nl
 109926 domeneshop.no         109902 domeneshop.no
 105948 loopia.se             106030 loopia.se
  91048 webhostingserver.nl    91275 webhostingserver.nl
  83031 forpsi.com             83195 forpsi.com
  81293 zxcs.nl                77300 zxcs.nl
  44103 protonmail.ch          43426 protonmail.ch
  40754 antagonist.nl          40528 antagonist.nl
  39341 active24.com           39981 active24.com
  37235 webreus.nl             37575 webreus.nl
  30037 pcextreme.nl           30373 pcextreme.nl
  28501 xel.nl                 28672 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month               Last month
----------               ----------
11403 TOTAL              11375 TOTAL
 3586 DE, Germany         3553 DE, Germany
 1887 NL, Netherlands     1894 US, United States
 1885 US, United States   1886 NL, Netherlands
  864 FR, France           822 FR, France
  452 CZ, Czechia          443 CZ, Czechia
  360 GB, United Kingdom   369 GB, United Kingdom
  264 FI, Finland          268 FI, Finland
  203 CA, Canada           204 CA, Canada
  179 AT, Austria          202 AT, Austria
  165 SE, Sweden           167 SE, Sweden
  148 CH, Switzerland      148 CH, Switzerland
  146 DK, Denmark          144 DK, Denmark
  144 AU, Australia        140 AU, Australia
  125 SG, Singapore        123 SG, Singapore
   90 PL, Poland            92 RU, Russia
   85 RU, Russia            90 PL, Poland
   65 JP, Japan             65 JP, Japan
   55 BR, Brazil            50 BR, Brazil
   52 NO, Norway            49 NO, Norway
   42 IT, Italy             44 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month               Last month
----------               ----------
 9295 TOTAL               8949 TOTAL
 4201 NL, Netherlands     3857 NL, Netherlands
 2602 DE, Germany         2596 DE, Germany
  866 US, United States    883 US, United States
  375 FR, France           363 FR, France
  178 GB, United Kingdom   190 GB, United Kingdom
  178 CZ, Czechia          176 CZ, Czechia
  110 FI, Finland          111 FI, Finland
   82 CA, Canada            85 CA, Canada
   80 SE, Sweden            72 AU, Australia
   72 AU, Australia         69 SE, Sweden
   65 CH, Switzerland       62 CH, Switzerland
   50 SG, Singapore         50 SG, Singapore
   49 AT, Austria           48 AT, Austria
   41 JP, Japan             41 JP, Japan
   30 RU, Russia            30 RU, Russia
   28 RO, Romania           30 RO, Romania
   27 NO, Norway            27 DK, Denmark
   26 BR, Brazil            25 BR, Brazil
   24 DK, Denmark           23 NO, Norway
   18 IE, Ireland           18 UA, Ukraine
There are 9,391 unique zones (9,398 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,808 (20,884 last
month). These cover 21,102 distinct MX hosts (21,182 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,062 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 548
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.92 million DANE domains, 14,262 (14,274 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,873
(2,180 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
178 mx2.tkservers.com
133 mx2.solutive.nl
42 mail.itcomputers.net
37 mx04.speicher-werk.de
35 mx1.mdbraber.com
32 relay.csngroep.nl
24 semark.dk
23 smtp2.kruik-it.nl
20 fsn1-c04.xemo-net.de
19 web1.sys.ccs-baumann.de
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,057 (1,357 last
month). The top 10 name server operators with problem domains are:
This Month            Last month
----------            ----------
 715 neostrada.nl      963 neostrada.nl
  70 worldnic.com       93 worldnic.com
  60 ebola.cz           65 ebola.cz
  32 openprovider.nl    39 openprovider.nl
  14 sectigoweb.com     14 sectigoweb.com
  13 register.com       13 register.com
  10 dnssrv.nl          12 dnssrv.nl
   8 ispapi.net          9 ispapi.net
   7 vultr.com           7 vultr.com
   7 cloudns.net         7 resolver.domains
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Hi together,
one of my s/qmail users has problems with the TLSA/DANE record for the
following domain:
* excalibur.iks-jena.de
Here, I get the settings:
$ dnstlsa excalibur.iks-jena.de
Usage: [2], Selector: [1], Type: [1]
10f34e8f08e446cc26d7d591184b51cb83791c869cef388be5d5cb58e2927f7a
Usage: [2], Selector: [1], Type: [1]
3c9762932ec8e6e52d4b37504f15d90a3fac9930e1058170372b3a4b0e068a43
where the root FP is ok, the MTA's not.
Given the remarks in RFC 7672 section 3.1.2, I feel a bit uncomfortable
about it.
Any opinions? Advice?
Regards.
--eh.
--
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 20FD6E671A94DC1E
PGP key-fingerprint: 8C6B 155B 0FDA 64F1 BCCE A6B9 20FD 6E67 1A94 DC1E
Breaking news, Microsoft is pulling the trigger on DANE next year: Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow - Microsoft Community Hub<https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbo…>
Mike
Summary: The DANE domain count is now 3,924,107 (c.f. 3,912,433 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,141,061 (up from 22,903,540 last
month). Thus DANE TLSA is deployed on ~16.95% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.92 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                   Last Month
----------                   ----------
1330342 one.com              1333382 one.com
 300967 hostpoint.ch          299458 hostpoint.ch
 205928 infomaniak.ch         203039 infomaniak.ch
 171750 transip.nl            171198 transip.nl
 168545 mijndomein.nl         168858 mijndomein.nl
 151627 jouwweb.nl            146592 jouwweb.nl
 144160 argewebhosting.nl     144707 argewebhosting.nl
 132421 simply.com            132528 simply.com
 111071 hostnet.nl            111147 hostnet.nl
 109902 domeneshop.no         109837 domeneshop.no
 106030 loopia.se             105606 loopia.se
  91275 webhostingserver.nl    91554 webhostingserver.nl
  83195 forpsi.com             82952 forpsi.com
  77300 zxcs.nl                73635 zxcs.nl
  43426 protonmail.ch          42379 protonmail.ch
  40528 antagonist.nl          40463 antagonist.nl
  39981 active24.com           40012 active24.com
  37575 webreus.nl             37765 webreus.nl
  30373 pcextreme.nl           30673 pcextreme.nl
  28672 xel.nl                 28631 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month               Last month
----------               ----------
11375 TOTAL              11268 TOTAL
 3553 DE, Germany         3525 DE, Germany
 1894 US, United States   1889 NL, Netherlands
 1886 NL, Netherlands     1866 US, United States
  822 FR, France           825 FR, France
  443 CZ, Czechia          444 CZ, Czechia
  369 GB, United Kingdom   368 GB, United Kingdom
  268 FI, Finland          264 FI, Finland
  204 CA, Canada           203 CA, Canada
  202 AT, Austria          198 AT, Austria
  167 SE, Sweden           160 SE, Sweden
  148 CH, Switzerland      149 CH, Switzerland
  144 DK, Denmark          143 DK, Denmark
  140 AU, Australia        141 AU, Australia
  123 SG, Singapore        123 SG, Singapore
   92 RU, Russia            85 PL, Poland
   90 PL, Poland            84 RU, Russia
   65 JP, Japan             65 JP, Japan
   50 BR, Brazil            49 NO, Norway
   49 NO, Norway            48 BR, Brazil
   44 IT, Italy             40 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month               Last month
----------               ----------
 8949 TOTAL               8828 TOTAL
 3857 NL, Netherlands     3802 NL, Netherlands
 2596 DE, Germany         2564 DE, Germany
  883 US, United States    847 US, United States
  363 FR, France           364 FR, France
  190 GB, United Kingdom   183 GB, United Kingdom
  176 CZ, Czechia          177 CZ, Czechia
  111 FI, Finland          115 FI, Finland
   85 CA, Canada            83 CA, Canada
   72 AU, Australia         80 SE, Sweden
   69 SE, Sweden            72 AU, Australia
   62 CH, Switzerland       65 CH, Switzerland
   50 SG, Singapore         48 SG, Singapore
   48 AT, Austria           48 AT, Austria
   41 JP, Japan             43 RU, Russia
   30 RU, Russia            42 JP, Japan
   30 RO, Romania           30 RO, Romania
   27 DK, Denmark           27 DK, Denmark
   25 BR, Brazil            24 NO, Norway
   23 NO, Norway            19 BR, Brazil
   18 UA, Ukraine           18 IE, Ireland
There are 9,398 unique zones (9,324 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,884 (20,191 last
month). These cover 21,182 distinct MX hosts (20,488 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,048 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 550
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.92 million DANE domains, 14,274 (14,246 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2,180
(1,796 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
183 smtp.domwest.net
150 mx1.systemhaus-ehst.de
139 mx2.dotxs.net
79 vps04.marcus.services
69 mx1.risse.cloud
35 mx1.mdbraber.com
32 relay.csngroep.nl
24 semark.dk
22 fsn1-c04.xemo-net.de
19 web2.sys.ccs-baumann.de
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,357 (1,539 last
month). The top 10 name server operators with problem domains are:
This Month            Last month
----------            ----------
 963 neostrada.nl     1131 neostrada.nl
  93 worldnic.com       94 worldnic.com
  65 ebola.cz           65 ebola.cz
  39 openprovider.nl    39 openprovider.nl
  14 sectigoweb.com     16 dnssrv.nl
  13 register.com       15 sectigoweb.com
  12 dnssrv.nl          13 register.com
   9 ispapi.net         10 ispapi.net
   7 vultr.com           8 resolver.domains
   7 resolver.domains    8 axc.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports: