dane-users
Summary: The DANE domain count is now 3,924,107 (c.f. 3,912,433 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,141,061 (up from 22,903,540 last
month). Thus DANE TLSA is deployed on ~16.95% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.92 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
  This month                    Last Month
  ----------                    ----------
  1330342 one.com               1333382 one.com
   300967 hostpoint.ch           299458 hostpoint.ch
   205928 infomaniak.ch          203039 infomaniak.ch
   171750 transip.nl             171198 transip.nl
   168545 mijndomein.nl          168858 mijndomein.nl
   151627 jouwweb.nl             146592 jouwweb.nl
   144160 argewebhosting.nl      144707 argewebhosting.nl
   132421 simply.com             132528 simply.com
   111071 hostnet.nl             111147 hostnet.nl
   109902 domeneshop.no          109837 domeneshop.no
   106030 loopia.se              105606 loopia.se
    91275 webhostingserver.nl     91554 webhostingserver.nl
    83195 forpsi.com              82952 forpsi.com
    77300 zxcs.nl                 73635 zxcs.nl
    43426 protonmail.ch           42379 protonmail.ch
    40528 antagonist.nl           40463 antagonist.nl
    39981 active24.com            40012 active24.com
    37575 webreus.nl              37765 webreus.nl
    30373 pcextreme.nl            30673 pcextreme.nl
    28672 xel.nl                  28631 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                Last month
  -----------               ----------
  11375 TOTAL               11268 TOTAL
   3553 DE, Germany          3525 DE, Germany
   1894 US, United States    1889 NL, Netherlands
   1886 NL, Netherlands      1866 US, United States
    822 FR, France            825 FR, France
    443 CZ, Czechia           444 CZ, Czechia
    369 GB, United Kingdom    368 GB, United Kingdom
    268 FI, Finland           264 FI, Finland
    204 CA, Canada            203 CA, Canada
    202 AT, Austria           198 AT, Austria
    167 SE, Sweden            160 SE, Sweden
    148 CH, Switzerland       149 CH, Switzerland
    144 DK, Denmark           143 DK, Denmark
    140 AU, Australia         141 AU, Australia
    123 SG, Singapore         123 SG, Singapore
     92 RU, Russia             85 PL, Poland
     90 PL, Poland             84 RU, Russia
     65 JP, Japan              65 JP, Japan
     50 BR, Brazil             49 NO, Norway
     49 NO, Norway             48 BR, Brazil
     44 IT, Italy              40 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                Last month
  ----------                ----------
   8949 TOTAL                8828 TOTAL
   3857 NL, Netherlands      3802 NL, Netherlands
   2596 DE, Germany          2564 DE, Germany
    883 US, United States     847 US, United States
    363 FR, France            364 FR, France
    190 GB, United Kingdom    183 GB, United Kingdom
    176 CZ, Czechia           177 CZ, Czechia
    111 FI, Finland           115 FI, Finland
     85 CA, Canada             83 CA, Canada
     72 AU, Australia          80 SE, Sweden
     69 SE, Sweden             72 AU, Australia
     62 CH, Switzerland        65 CH, Switzerland
     50 SG, Singapore          48 SG, Singapore
     48 AT, Austria            48 AT, Austria
     41 JP, Japan              43 RU, Russia
     30 RU, Russia             42 JP, Japan
     30 RO, Romania            30 RO, Romania
     27 DK, Denmark            27 DK, Denmark
     25 BR, Brazil             24 NO, Norway
     23 NO, Norway             19 BR, Brazil
     18 UA, Ukraine            18 IE, Ireland
There are 9,398 unique zones (9,324 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,884 (20,191 last
month). These cover 21,182 distinct MX hosts (20,488 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,048 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 550
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.92 million DANE domains, 14,274 (14,246 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2180
(1,796 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
183 smtp.domwest.net
150 mx1.systemhaus-ehst.de
139 mx2.dotxs.net
79 vps04.marcus.services
69 mx1.risse.cloud
35 mx1.mdbraber.com
32 relay.csngroep.nl
24 semark.dk
22 fsn1-c04.xemo-net.de
19 web2.sys.ccs-baumann.de
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,357 (1,539 last
month). The top 10 name server operators with problem domains are:
  This Month                Last month
  ----------                ----------
    963 neostrada.nl         1131 neostrada.nl
     93 worldnic.com           94 worldnic.com
     65 ebola.cz               65 ebola.cz
     39 openprovider.nl        39 openprovider.nl
     14 sectigoweb.com         16 dnssrv.nl
     13 register.com           15 sectigoweb.com
     12 dnssrv.nl              13 register.com
      9 ispapi.net             10 ispapi.net
      7 vultr.com               8 resolver.domains
      7 resolver.domains        8 axc.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
1
0
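The partial-coverage condition described in the report above, as an added example that is not part of the original posts or of any tool they mention: it parses TLSA presentation-format RDATA, checks that each record is well-formed, and classifies a domain as fully, partially or not covered across its MX hosts. The function names and the sample domains and digests are constructed for illustration; the input is assumed to come from a DNSSEC-validating resolver, and the check covers well-formedness only, not whether a record matches the host's certificate.

```python
import re
from dataclasses import dataclass

# Hex length of the association data for each digest matching type:
# 1 = SHA2-256 (32 bytes), 2 = SHA2-512 (64 bytes). Type 0 carries full data.
DIGEST_HEX_LEN = {1: 64, 2: 128}
HEX_RE = re.compile(r"[0-9A-F]+")


@dataclass(frozen=True)
class Tlsa:
    usage: int
    selector: int
    mtype: int
    data: str  # upper-case hex, whitespace removed


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex...' and raise ValueError if malformed."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"too few fields: {rdata!r}")
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
    except ValueError:
        raise ValueError(f"non-numeric parameter: {rdata!r}") from None
    # Zone files may split the hex data into whitespace-separated chunks.
    data = "".join(fields[3:]).upper()
    if usage not in range(4) or selector not in range(2) or mtype not in range(3):
        raise ValueError(f"parameter out of range: {rdata!r}")
    if not HEX_RE.fullmatch(data) or len(data) % 2:
        raise ValueError(f"association data is not whole hex bytes: {rdata!r}")
    if mtype in DIGEST_HEX_LEN and len(data) != DIGEST_HEX_LEN[mtype]:
        raise ValueError(f"digest length does not fit matching type: {rdata!r}")
    return Tlsa(usage, selector, mtype, data)


def host_is_covered(rrset):
    """True when the host publishes at least one well-formed TLSA record."""
    for rdata in rrset:
        try:
            parse_tlsa(rdata)
        except ValueError:
            continue
        return True
    return False


def classify_domain(mx_tlsa):
    """Map {mx_host: [tlsa_rdata, ...]} to (status, uncovered_hosts).

    status is 'full' when every MX host is covered, 'partial' when only
    some are, and 'none' when no MX host has a usable TLSA RRset.
    """
    if not mx_tlsa:
        raise ValueError("domain has no MX hosts")
    uncovered = sorted(h for h, rrset in mx_tlsa.items() if not host_is_covered(rrset))
    if not uncovered:
        status = "full"
    elif len(uncovered) == len(mx_tlsa):
        status = "none"
    else:
        status = "partial"
    return status, uncovered


# Constructed sample data: domains, hosts and digests are made up.
SAMPLE = {
    "full.example": {
        "mx1.full.example": ["3 1 1 " + "AB" * 32],
        "mx2.full.example": ["2 1 1 " + "CD" * 32,
                             "3 1 2 " + "EF" * 32 + " " + "EF" * 32],
    },
    "partial.example": {
        "mx1.partial.example": ["3 1 1 " + "12" * 32],
        "backup.partial.example": [],  # secondary MX without TLSA records
    },
    "broken.example": {
        "mx1.broken.example": ["3 1 1 ABCD"],  # truncated digest
    },
}

if __name__ == "__main__":
    for domain, hosts in SAMPLE.items():
        status, uncovered = classify_domain(hosts)
        print(f"{domain}: {status}; hosts without usable TLSA: {uncovered}")
```

A "partial" result lists the MX hosts through which delivery remains exposed to active attacks, which is the case the report counts separately.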
Summary: The DANE domain count is now 3,912,433 (c.f. 3,884,225 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 22,903,540 (up from 22,676,526 last
month). Thus DANE TLSA is deployed on ~17.08% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.91 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
  This month                    Last Month
  ----------                    ----------
  1333382 one.com               1324503 one.com
   299458 hostpoint.ch           296480 hostpoint.ch
   203039 infomaniak.ch          201194 infomaniak.ch
   171198 transip.nl             170591 transip.nl
   168858 mijndomein.nl          169148 mijndomein.nl
   146592 jouwweb.nl             145940 argewebhosting.nl
   144707 argewebhosting.nl      142604 jouwweb.nl
   132528 simply.com             133765 simply.com
   111147 hostnet.nl             111038 hostnet.nl
   109837 domeneshop.no          109875 domeneshop.no
   105606 loopia.se              105482 loopia.se
    91554 webhostingserver.nl     91989 webhostingserver.nl
    82952 forpsi.com              82865 forpsi.com
    73635 zxcs.nl                 72170 zxcs.nl
    42379 protonmail.ch           41229 protonmail.ch
    40463 antagonist.nl           40369 antagonist.nl
    40012 active24.com            40341 active24.com
    37765 webreus.nl              37912 webreus.nl
    30673 pcextreme.nl            30944 pcextreme.nl
    28631 xel.nl                  28694 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                Last month
  -----------               ----------
  11268 TOTAL               11221 TOTAL
   3525 DE, Germany          3506 DE, Germany
   1889 NL, Netherlands      1883 NL, Netherlands
   1866 US, United States    1870 US, United States
    825 FR, France            803 FR, France
    444 CZ, Czechia           439 CZ, Czechia
    368 GB, United Kingdom    368 GB, United Kingdom
    264 FI, Finland           260 FI, Finland
    203 CA, Canada            207 CA, Canada
    198 AT, Austria           204 AT, Austria
    160 SE, Sweden            157 SE, Sweden
    149 CH, Switzerland       148 CH, Switzerland
    143 DK, Denmark           142 DK, Denmark
    141 AU, Australia         138 AU, Australia
    123 SG, Singapore         123 SG, Singapore
     85 PL, Poland             89 PL, Poland
     84 RU, Russia             83 RU, Russia
     65 JP, Japan              61 JP, Japan
     49 NO, Norway             49 NO, Norway
     48 BR, Brazil             42 BR, Brazil
     40 IT, Italy              41 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                Last month
  ----------                ----------
   8828 TOTAL                8772 TOTAL
   3802 NL, Netherlands      3787 NL, Netherlands
   2564 DE, Germany          2551 DE, Germany
    847 US, United States     847 US, United States
    364 FR, France            360 FR, France
    183 GB, United Kingdom    184 CZ, Czechia
    177 CZ, Czechia           182 GB, United Kingdom
    115 FI, Finland           111 FI, Finland
     83 CA, Canada             81 CA, Canada
     80 SE, Sweden             73 SE, Sweden
     72 AU, Australia          71 AU, Australia
     65 CH, Switzerland        60 CH, Switzerland
     48 SG, Singapore          49 SG, Singapore
     48 AT, Austria            49 AT, Austria
     43 RU, Russia             38 JP, Japan
     42 JP, Japan              27 DK, Denmark
     30 RO, Romania            25 RU, Russia
     27 DK, Denmark            25 RO, Romania
     24 NO, Norway             24 NO, Norway
     19 BR, Brazil             21 UA, Ukraine
     18 IE, Ireland            18 IE, Ireland
There are 9,324 unique zones (9,245 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,191 (20,077 last
month). These cover 20,488 distinct MX hosts (20,367 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,028 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 562
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.91 million DANE domains, 14,246 (14,304 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,796
(1,660 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
148 mx1.systemhaus-ehst.de
138 mx2.dotxs.nl
110 mail.blueconsulting.cz
69 mx1.risse.cloud
35 mx1.mdbraber.com
23 mx1.dtsmail.me
23 fsn1-c04.xemo-net.de
22 semark.dk
19 web2.sys.ccs-baumann.de
18 mail.sig-io.nl
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,539 (1,805 last
month). The top 10 name server operators with problem domains are:
  This Month                Last month
  ----------                ----------
   1131 neostrada.nl         1312 neostrada.nl
     94 worldnic.com           96 worldnic.com
     65 ebola.cz               66 ebola.cz
     39 openprovider.nl        47 epik.com
     16 dnssrv.nl              40 openprovider.nl
     15 sectigoweb.com         33 dnssrv.nl
     13 register.com           15 sectigoweb.com
     10 ispapi.net             14 register.com
      8 resolver.domains       10 ispapi.net
      8 axc.nl                  9 axc.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
1
0
I'm happy to announce that LetsDNS release 1.2.0 is now available
and ready for public use. Version 1.2.0 introduces support for
more TSIG key algorithms for dynamic DNS updates.
Website: https://letsdns.org
GitHub : https://github.com/LetsDNS/letsdns
PyPI : https://pypi.org/project/letsdns/
LetsDNS is a utility to manage DANE TLSA records in DNS servers with
only a few lines of configuration. It supports multiple domains with
multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like dehydrated or certbot. It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
I'd appreciate you taking LetsDNS for a leisurely spin, and letting me
know of your experiences. GitHub discussions/issues are preferred, but
you can also send mail to "author at letsdns dot org".
Enjoy.
-Ralph
There are still ~250 MX hosts with DANE TLSA records that match the
retired X3 or X4 Let's Encrypt CAs. Perhaps also other retired CAs,
but these are the ones I'm tracking at:
https://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Please take care to avoid DANE TLSA records with the below usage,
selector, matching type and associated data combinations:
CA TLSA Records of retired CAs to avoid
X3 2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18
X4 2 1 1 B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B
X3 2 0 1 731D3D9CFAA061487A1D71445A42F67DF0AFCA2A6C2D2F98FF7B3CE112B1F568
X3 2 0 1 25847D668EB4F04FDD40B12B6B0740C567DA7D024308EB6C2C96FE41D9DE218D
X4 2 0 1 5DE9152BED31FA0515DD1FC746133F1327562EF72A84CF2D2403E748A604D0D4
X4 2 0 1 A74B0C32B65B95FE2C4F8F098947A68B695033BED0B51DD8B984ECAE89571BB6
X3 2 1 2 774FAD8C9A6AFC2BDB44FABA8390D213AE592FB0D56C5DFAB152284E334D7CD6ABD05799236E7AA6266EDF81907C60404C57EE54C10A3A82FCC2A9146629B140
X4 2 1 2 A0F5D1333BC90BCEA0B0B5F401160B6E7F28A1256BC5B5D65F04B06B0BB0C96270AA81D8E2726394D385BF3E9EE46EB4AB7548C782D5688CC16D0CDFFEFB8594
X3 2 0 2 5EC5B0783C6E667E0965DF772943A06326768DE0F75DC0BD2FE378F02CCCA7D56C987656174CBE158CC29ECD763F8BDA3454332CC7D47FB934691409C5FB8686
X3 2 0 2 2E1E12DACB350E69317A7F37D769F46F16F437CF8D392319279C93515E5600BAED3D3ACD5DC83B673E8C60CF7FBA0DCE00A4D162A3B966A3EBF72487C376FCA0
X4 2 0 2 74DDAD9F8CDFA0FE6F6B70301B557A63A58B87FC2C17FAE0F65E47D141226C062A74FA14861DC47A720BD8699B99091A06BD695CDDE51222F837B9DECFC270C5
X4 2 0 2 964468A5C685F305AA5865C049D814770B844DF2CF7645F9A4AFAF42957E334BCF1F290BABAAFE020C4E9A68C5689D570E37F11114FFD676C95B17B3D768B932
The reason that there are pairs of "2 0 1" and "2 0 2" records is that
the X3 and X4 CAs were initially signed by DST and later by ISRG. All
certificates issued via "X3" have long expired, and all replacements are
using "R3" or "E1".
And of course if some other CA you've listed and haven't checked up on
since has since been retired, be sure to delist it as well.
DANE TLSA records are not "deploy and forget", they need to be actively
monitored. Both to make sure that at least one matches, and to not
forget to age out any that no longer match and might be stale.
Leaving monitoring to the DANE survey (https://stats.dnssec-tools.org)
is neither timely nor reliable (~24 hours notification delay, if the
domain is included in the survey and a responsive domain contact can be
found).
--
Viktor.
P.S.
While I have your attention, please also read:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
and perhaps consider using "danebot":
https://github.com/tlsaware/danebot
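Added example (not part of the original message, and not code from danebot or LetsDNS): one way to automate the monitoring the message above asks for, checking that at least one published TLSA record matches the chain a server presents and flagging records that match nothing or that pin the retired X3/X4 keys. The certificates are constructed stand-ins built inline, all function names are hypothetical, and comparing usage 2 records only against the issuer certificates in the presented chain is an assumption of this example.

```python
import hashlib

# "2 1 1" digests of the retired Let's Encrypt X3 and X4 CA keys, copied from the
# message above (which also lists the "2 0 1", "2 1 2" and "2 0 2" forms).
RETIRED = {
    "60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18": "X3",
    "B111DD8A1C2091A89BD4FD60C57F0716CCE50FEEFF8137CDBEE0326E02CF362B": "X4",
}
DIGESTS = {1: "sha256", 2: "sha512"}  # TLSA matching types 1 and 2

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_der(cert):
    """Slice the DER SubjectPublicKeyInfo out of a DER X.509 certificate."""
    _, pos, _ = read_tlv(cert, 0)        # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert, pos)      # TBSCertificate ::= SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                      # optional [0] version field
        pos = end
    for _field in range(5):              # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    return cert[pos:read_tlv(cert, pos)[2]]

def tlsa_data(cert, selector, mtype):
    """Certificate association data (upper-case hex) as defined in RFC 6698."""
    data = cert if selector == 0 else spki_der(cert)  # 0 = full cert, 1 = SPKI
    if mtype == 0:                                     # 0 = exact match, no hash
        return data.hex().upper()
    return hashlib.new(DIGESTS[mtype], data).hexdigest().upper()

def parse_tlsa(rdata):
    """Parse TLSA rdata in presentation form: 'usage selector mtype hex...'."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), "".join(hexparts).upper()

def audit(rrset, chain):
    """Compare published TLSA rdata strings with a presented DER chain (leaf first)."""
    report = {"matched": [], "stale": [], "retired": []}
    for rdata in rrset:
        usage, selector, mtype, data = parse_tlsa(rdata)
        if usage == 3:        # DANE-EE: binds the leaf certificate only
            candidates = chain[:1]
        elif usage == 2:      # DANE-TA: assumed here to bind a presented issuer cert
            candidates = chain[1:]
        else:                 # PKIX-TA(0)/PKIX-EE(1) are not used for SMTP (RFC 7672)
            candidates = []
        hit = selector in (0, 1) and mtype in (0, 1, 2) and any(
            tlsa_data(c, selector, mtype) == data for c in candidates)
        report["matched" if hit else "stale"].append(rdata)
        if data in RETIRED:
            report["retired"].append((RETIRED[data], rdata))
    report["ok"] = bool(report["matched"])  # False means DANE validation would fail
    return report

# --- Constructed sample input: DER blobs with the X.509 field layout, not real certs ---
def der(tag, body):
    """Encode one DER TLV with short- or long-form length."""
    n = len(body)
    if n < 0x80:
        head = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        head = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def fake_cert(subject, key):
    """Build a stand-in certificate whose SPKI carries the given key bytes."""
    seq = lambda *parts: der(0x30, b"".join(parts))
    tbs = seq(der(0xA0, der(0x02, b"\x02")),            # [0] version = v3
              der(0x02, b"\x01"),                       # serialNumber
              seq(), seq(), seq(),                      # sigAlg, issuer, validity
              seq(der(0x0C, subject)),                  # subject
              seq(seq(), der(0x03, b"\x00" + key)))     # subjectPublicKeyInfo
    return seq(tbs, seq(), der(0x03, b"\x00"))

def sample():
    """RRset with one live record, one left over from an old key, one retired CA pin."""
    leaf = fake_cert(b"mx.example", b"current-key")
    old_leaf = fake_cert(b"mx.example", b"previous-key")
    issuer = fake_cert(b"Example Issuing CA", b"ca-key")
    rrset = [
        "3 1 1 " + tlsa_data(leaf, 1, 1),
        "3 1 1 " + tlsa_data(old_leaf, 1, 1),
        "2 1 1 60B87575447DCBA2A36B7D11AC09FB24A9DB406FEE12D2CC90180517616E8A18",
    ]
    return rrset, [leaf, issuer]

if __name__ == "__main__":
    rrset, chain = sample()
    for key, value in audit(rrset, chain).items():
        print(key, value)
```

In a real monitor the chain would come from a STARTTLS handshake with each MX host and the RRset from a DNSSEC-validating resolver; an `ok` of False is the condition to alert on before senders start deferring mail.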
Dear DANE users,
Validating the SMTP DANE setup of, it results in success but the details
show two untrusted certificates:
mx2.molgen.mpg.de (141.14.17.10) [1]:
3, 1, 2 7aad43a0fdff3445[...]49cd4a23db83374c - certificate not trusted: (27)
molgen.mpg.de (a1241.mx.srv.dfn.de, 194.95.232.62)
3, 0, 1 c613b846076b5503[...]539e7ac79a3f13e9 - certificate not trusted: (27)
It’d be great if you pointed me into the direction, how to get more
details for these issues.
Kind regards,
Paul
[1]: https://dane.sys4.de/smtp/mx2.molgen.mpg.de
[2]: https://dane.sys4.de/smtp/molgen.mpg.de
ANN: New mailing list address dane-users@list.sys4.de / termination of old list address dane-users@sys4.de
by Patrick Ben Koetter 31 May '23
Greetings,
please update your address book. The new address for this list is
dane-users(a)list.sys4.de and the old address will be discontinued
immediately in order to avoid misunderstandings where communication
should take place. We will migrate the existing mailing list archive
within the next weeks.
If you want to configure settings concerning your list membership turn
to the list's homepage
<https://list.sys4.de/postorius/lists/dane-users.list.sys4.de/>,
register an account, verify the mail address you're currently using for
this list and then start changing settings.
*Email Authentication*
All messages from the new address will carry a DKIM signature for
list.sys4.de *and* an ARC signature in case your own message had been
DKIM signed when you sent it to dane-users(a)list.sys4.de.
Messages from list.sys4.de have a dedicated SPF record:
$ dig +short TXT list.sys4.de
"v=spf1 include:_spf.list.sys4.de -all"
$ dig +short TXT _spf.list.sys4.de
"v=spf1 ip4:188.68.34.52 ip6:2a03:4000:10:51d:b8ce:63ff:feca:a5a0 -all"
And they have their own DMARC-policy:
$ dig +short TXT _dmarc.list.sys4.de
"v=DMARC1; p=quarantine; rua=mailto:sys4.de@dmarc.reports.sys4.de,mailto:10ewslq7@ag.eu.dmarcian.com;"
*TLS / DANE*
Of course list.sys4.de supports DANE in- and outbound as well as
traditional TLS.
Regards,
p@rick
--
[*] sys4 AG
https://sys4.de, +49 (89) 30 90 46 64
Schleißheimer Straße 26/MG,80333 München
Registered office: München, District Court München: HRB 199263
Executive Board: Patrick Ben Koetter, Marc Schiffbauer, Wolfgang Stief
Chairman of the Supervisory Board: Florian Kirstein
Summary: The DANE domain count is now 3,764,298 (c.f. 3,757,347 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 21,920,074 (up from 21,668,375 last
month). Thus DANE TLSA is deployed on ~17.17% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.76 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1214014 one.com 1216468 one.com
293253 hostpoint.ch 291651 hostpoint.ch
199295 infomaniak.ch 198402 infomaniak.ch
170621 mijndomein.nl 171386 mijndomein.nl
169316 transip.nl 168662 transip.nl
149043 argewebhosting.nl 150632 argewebhosting.nl
136880 simply.com 132031 simply.com
135485 jouwweb.nl 131058 jouwweb.nl
111153 hostnet.nl 111481 hostnet.nl
109739 domeneshop.no 109384 domeneshop.no
105386 loopia.se 105514 loopia.se
92908 webhostingserver.nl 93365 webhostingserver.nl
82361 forpsi.com 81969 forpsi.com
71933 zxcs.nl 70541 zxcs.nl
41575 active24.com 42507 active24.com
40197 antagonist.nl 40146 antagonist.nl
39401 protonmail.ch 38632 webreus.nl
38308 webreus.nl 38462 protonmail.ch
31629 pcextreme.nl 31898 pcextreme.nl
28965 xel.nl 29021 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month
----------- ----------
11001 TOTAL 10944 TOTAL
3398 DE, Germany 3373 DE, Germany
1908 NL, Netherlands 1893 NL, Netherlands
1835 US, United States 1881 US, United States
776 FR, France 795 FR, France
431 CZ, Czechia 423 CZ, Czechia
364 GB, United Kingdom 360 GB, United Kingdom
245 FI, Finland 248 FI, Finland
214 CA, Canada 210 CA, Canada
193 AT, Austria 183 AT, Austria
149 SE, Sweden 143 CH, Switzerland
138 DK, Denmark 142 SE, Sweden
138 CH, Switzerland 136 DK, Denmark
136 AU, Australia 133 AU, Australia
118 SG, Singapore 117 SG, Singapore
86 PL, Poland 84 PL, Poland
76 RU, Russia 60 RU, Russia
59 JP, Japan 59 JP, Japan
51 NO, Norway 51 NO, Norway
45 BR, Brazil 42 IT, Italy
42 IT, Italy 41 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
8613 TOTAL 8576 TOTAL
3736 NL, Netherlands 3700 NL, Netherlands
2472 DE, Germany 2466 DE, Germany
855 US, United States 887 US, United States
364 FR, France 374 FR, France
186 CZ, Czechia 173 CZ, Czechia
175 GB, United Kingdom 170 GB, United Kingdom
106 FI, Finland 107 FI, Finland
78 CA, Canada 80 CA, Canada
72 AU, Australia 71 AU, Australia
66 SE, Sweden 65 CH, Switzerland
59 CH, Switzerland 59 SE, Sweden
52 AT, Austria 59 AT, Austria
42 SG, Singapore 43 SG, Singapore
37 JP, Japan 36 JP, Japan
25 NO, Norway 25 DK, Denmark
23 DK, Denmark 24 NO, Norway
22 RO, Romania 21 RO, Romania
21 RU, Russia 19 IE, Ireland
20 IE, Ireland 17 UA, Ukraine
18 UA, Ukraine 15 BR, Brazil
There are 9,124 unique zones (9,085 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 19,650 (19,555 last
month). These cover 19,940 distinct MX hosts (19,853 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 926 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 561
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.76 million DANE domains, 12,942 (12,979 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 3,354
(3,139 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
144 mx1.dotxs.net
141 mx2.solutive.nl
109 mail.blueconsulting.cz
100 mx01.kdmails.de
37 mx1.mdbraber.com
30 mx1.synetcon.net
23 fsn1-c04.xemo-net.de
18 web2.sys.ccs-baumann.de
18 semark.dk
18 mx1.traxion.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,137 (2,998 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
1633 neostrada.nl 1868 neostrada.nl
101 worldnic.com 117 worldnic.com
82 epik.com 83 epik.com
71 ebola.cz 79 dnssrv.nl
52 dnssrv.nl 71 ebola.cz
43 openprovider.nl 46 openprovider.nl
17 register.com 17 register.com
16 sectigoweb.com 16 sectigoweb.com
11 ispapi.net 12 ispapi.net
10 axc.nl 10 axc.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 3,757,347 (c.f. 3,736,374 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 21,668,375 (up from 21,281,794 last
month). Thus DANE TLSA is deployed on ~17.34% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.76 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1216468 one.com 1215654 one.com
291651 hostpoint.ch 289485 hostpoint.ch
198402 infomaniak.ch 196800 infomaniak.ch
171386 mijndomein.nl 172687 mijndomein.nl
168662 transip.nl 167821 transip.nl
150632 argewebhosting.nl 149959 argewebhosting.nl
132031 simply.com 134211 simply.com
131058 jouwweb.nl 125968 jouwweb.nl
111481 hostnet.nl 111664 hostnet.nl
109384 domeneshop.no 108890 domeneshop.no
105514 loopia.se 105306 loopia.se
93365 webhostingserver.nl 93785 webhostingserver.nl
81969 forpsi.com 81009 forpsi.com
70541 zxcs.nl 69228 zxcs.nl
42507 active24.com 43479 active24.com
40146 antagonist.nl 39825 antagonist.nl
38632 webreus.nl 38913 webreus.nl
38462 protonmail.ch 37357 protonmail.ch
31898 pcextreme.nl 32264 pcextreme.nl
29021 xel.nl 29069 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month
----------- ----------
10944 TOTAL 10767 TOTAL
3373 DE, Germany 3307 DE, Germany
1893 NL, Netherlands 1878 NL, Netherlands
1881 US, United States 1848 US, United States
795 FR, France 785 FR, France
423 CZ, Czechia 407 CZ, Czechia
360 GB, United Kingdom 352 GB, United Kingdom
248 FI, Finland 244 FI, Finland
210 CA, Canada 212 CA, Canada
183 AT, Austria 172 AT, Austria
143 CH, Switzerland 148 CH, Switzerland
142 SE, Sweden 137 SE, Sweden
136 DK, Denmark 135 DK, Denmark
133 AU, Australia 134 AU, Australia
117 SG, Singapore 117 SG, Singapore
84 PL, Poland 78 PL, Poland
60 RU, Russia 60 RU, Russia
59 JP, Japan 58 JP, Japan
51 NO, Norway 46 NO, Norway
42 IT, Italy 45 IT, Italy
41 BR, Brazil 44 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
8576 TOTAL 8447 TOTAL
3700 NL, Netherlands 3654 NL, Netherlands
2466 DE, Germany 2411 DE, Germany
887 US, United States 863 US, United States
374 FR, France 320 GB, United Kingdom
173 CZ, Czechia 257 FR, France
170 GB, United Kingdom 172 CZ, Czechia
107 FI, Finland 74 FI, Finland
80 CA, Canada 74 AU, Australia
71 AU, Australia 73 CA, Canada
65 CH, Switzerland 68 CH, Switzerland
59 SE, Sweden 62 SE, Sweden
59 AT, Austria 59 AT, Austria
43 SG, Singapore 44 SG, Singapore
36 JP, Japan 36 JP, Japan
25 DK, Denmark 23 NO, Norway
24 NO, Norway 22 DK, Denmark
21 RO, Romania 20 RO, Romania
19 IE, Ireland 19 BR, Brazil
17 UA, Ukraine 18 IE, Ireland
15 BR, Brazil 16 UA, Ukraine
There are 9,085 unique zones (8,914 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 19,555 (19,359 last
month). These cover 19,853 distinct MX hosts (19,653 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 913 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 550
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.76 million DANE domains, 12,979 (12,926 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 3,354
(3,139 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
1780 mail-in.box.nl
110 mail.blueconsulting.cz
38 mail.itcomputers.net
37 mx1.mdbraber.com
31 mx1.synetcon.net
24 cloud.onvori.com
18 semark.dk
18 mx1.traxion.com
16 mx1.iis.se
15 mail.return-path.dk
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,998 (3,237 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
1868 neostrada.nl 2064 neostrada.nl
117 worldnic.com 133 worldnic.com
83 epik.com 101 online.net
79 dnssrv.nl 97 dnssrv.nl
71 ebola.cz 88 axc.nl
46 openprovider.nl 84 epik.com
17 register.com 72 ebola.cz
16 sectigoweb.com 60 openprovider.nl
12 ispapi.net 20 register.com
10 axc.nl 17 sectigoweb.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
huellen-shop.de esuals.nl fio.sk
jpberlin.de expeditionfestival.nl kadernickyservis.sk
lmu.de extinctionrebellion.nl mklozkoviny.sk
lrz.de ezorg.nl naau.sk
mail.de fivecityspa.nl pneusvet.sk
mensa.de haargroeispecialist.nl rondogo.sk
mpg.de hilversum.nl satro.sk
posteo.de hobbygigant.nl toptop.sk
ruhr-uni-bochum.de home.nl zapardrobnych.sk
smartwatcharmbaender.de hostingpeople.nl afinepairofshoes.co.uk
sys4.de hostnet.nl clientnews3.co.uk
tum.de huurexpert.nl clientnews4.co.uk
tutanota.de ijsselstein.nl nuudcare.co.uk
uni-augsburg.de interim-netwerk.nl triodos.co.uk
uni-bielefeld.de kiesrijk.nl nuudcare.us
uni-erlangen.de kralingsebosfestival.nl quantum-services.us
uni-muenchen.de lico.nl ru.ac.za
vicinityclo.de luxiez.nl stargaze.zone
web.de
1
0
Summary: The DANE domain count is now 3,736,374 (c.f. 3,684,357 last
month). [ Thanks again to webreus.nl for promptly restoring
their briefly absent MX host TLSA records. ]
The number of domains that return DNSSEC-validated replies in
response to MX queries is 21,281,794 (up from 21,002,701 last
month). Thus DANE TLSA is deployed on ~17.55% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.74 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
   This month                     Last Month
   ----------                     ----------
 1215654 one.com                1214586 one.com
  289485 hostpoint.ch            288282 hostpoint.ch
  196800 infomaniak.ch           195874 infomaniak.ch
  172687 mijndomein.nl           167120 transip.nl
  167821 transip.nl              160940 mijndomein.nl
  149959 argewebhosting.nl       153033 argewebhosting.nl
  134211 simply.com              136256 simply.com
  125968 jouwweb.nl              123192 jouwweb.nl
  111664 hostnet.nl              111941 hostnet.nl
  108890 domeneshop.no           108874 domeneshop.no
  105306 loopia.se               105109 loopia.se
   93785 webhostingserver.nl      94171 webhostingserver.nl
   81009 forpsi.com               80000 forpsi.com
   69228 zxcs.nl                  68284 zxcs.nl
   43479 active24.com             43363 active24.com
   39825 antagonist.nl            39704 antagonist.nl
   38913 webreus.nl               37051 protonmail.ch
   37357 protonmail.ch            32693 pcextreme.nl
   32264 pcextreme.nl             29232 xel.nl
   29069 xel.nl                   27564 udmedia.de
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
   This month                     Last month
   ----------                     ----------
   10767 TOTAL                    10726 TOTAL
    3307 DE, Germany               3284 DE, Germany
    1878 NL, Netherlands           1882 NL, Netherlands
    1848 US, United States         1856 US, United States
     785 FR, France                 808 FR, France
     407 CZ, Czechia                396 CZ, Czechia
     352 GB, United Kingdom         358 GB, United Kingdom
     244 FI, Finland                241 FI, Finland
     212 CA, Canada                 222 CA, Canada
     172 AT, Austria                160 AT, Austria
     148 CH, Switzerland            137 SE, Sweden
     137 SE, Sweden                 136 CH, Switzerland
     135 DK, Denmark                133 DK, Denmark
     134 AU, Australia              128 AU, Australia
     117 SG, Singapore              122 SG, Singapore
      78 PL, Poland                  76 PL, Poland
      60 RU, Russia                  60 RU, Russia
      58 JP, Japan                   57 JP, Japan
      46 NO, Norway                  47 IT, Italy
      45 IT, Italy                   45 NO, Norway
      44 BR, Brazil                  42 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
   This month                     Last month
   ----------                     ----------
    8447 TOTAL                     8396 TOTAL
    3654 NL, Netherlands           3651 NL, Netherlands
    2411 DE, Germany               2312 DE, Germany
     863 US, United States          855 US, United States
     320 GB, United Kingdom         398 FR, France
     257 FR, France                 183 CZ, Czechia
     172 CZ, Czechia                173 GB, United Kingdom
      74 FI, Finland                156 AU, Australia
      74 AU, Australia               77 CA, Canada
      73 CA, Canada                  76 FI, Finland
      68 CH, Switzerland             61 CH, Switzerland
      62 SE, Sweden                  56 AT, Austria
      59 AT, Austria                 53 SE, Sweden
      44 SG, Singapore               46 SG, Singapore
      36 JP, Japan                   36 JP, Japan
      23 NO, Norway                  22 DK, Denmark
      22 DK, Denmark                 21 NO, Norway
      20 RO, Romania                 19 RO, Romania
      19 BR, Brazil                  18 IE, Ireland
      18 IE, Ireland                 17 BR, Brazil
      16 UA, Ukraine                 14 LT, Lithuania
There are 8,914 unique zones (9,201 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 19,359 (19,488 last
month). These cover 19,653 distinct MX hosts (19,784 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 877 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 543
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.74 million DANE domains, 12,926 (13,046 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 3,139
(1,366 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
1772 mail-in.box.nl
106 mail.blueconsulting.cz
90 securemail.discnetwork.nl
36 mx1.mdbraber.com
31 mx2.synetcon.net
31 mx1.synetcon.net
18 semark.dk
17 mx1.traxion.com
15 artemis.strebsjig.net
14 mx2.traxion.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,998 (3,237 last
month). The top 10 name server operators with problem domains are:
   This Month                     Last month
   ----------                     ----------
    2064 neostrada.nl              2182 neostrada.nl
     133 worldnic.com               140 worldnic.com
     101 online.net                 115 dnssrv.nl
      97 dnssrv.nl                  102 online.net
      88 axc.nl                      90 axc.nl
      84 epik.com                    89 epik.com
      72 ebola.cz                    73 ebola.cz
      60 openprovider.nl             61 openprovider.nl
      20 register.com                39 fgov.be
      17 sectigoweb.com              20 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
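The three outcomes counted in these reports (correct TLSA records at every MX host, "partial" coverage, and incorrect TLSA records or missing STARTTLS) can be checked against one's own MX hosts along the lines below. This is an added example, not part of the posts and not the survey's code: the classification rules are a simplified assumption (only DANE-EE usage 3 records are evaluated, MX preference is ignored), and the certificates and host data are constructed byte strings, not real certificates.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV; used only to build the constructed sample certs."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        start, n = pos + 2, first
    else:
        start = pos + 2 + (first & 0x7F)
        n = int.from_bytes(buf[pos + 2:start], "big")
    if start + n > len(buf):
        raise ValueError("truncated DER element")
    return tag, start, start + n

def spki_of(cert):
    """Return the SubjectPublicKeyInfo TLV of a DER certificate (selector 1)."""
    _, pos, _ = read_tlv(cert, 0)          # Certificate ::= SEQUENCE
    _, pos, _ = read_tlv(cert, pos)        # tbsCertificate ::= SEQUENCE
    tag, _, after = read_tlv(cert, pos)
    if tag == 0xA0:                        # optional [0] version
        pos = after
    for _field in range(5):                # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def well_formed(rr):
    """Check TLSA field ranges and digest length for (usage, selector, mtype, hex)."""
    usage, selector, mtype, data = rr
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return False
    want = {1: 32, 2: 64}.get(mtype)       # SHA-256 / SHA-512 digest sizes
    return len(raw) > 0 and (want is None or len(raw) == want)

def ee_matches(rr, cert):
    """True if a DANE-EE (usage 3) record matches the presented leaf certificate."""
    usage, selector, mtype, data = rr
    if usage != 3 or not well_formed(rr):
        return False
    blob = cert if selector == 0 else spki_of(cert)
    if mtype:
        blob = (hashlib.sha256 if mtype == 1 else hashlib.sha512)(blob).digest()
    return blob == bytes.fromhex(data)

def host_status(host):
    rrset = host["tlsa"]
    if not rrset:
        return "no-tlsa"
    if not all(well_formed(rr) for rr in rrset):
        return "broken"
    if not host["up"]:
        return "ok"        # dead MX host: records only need to exist and be well-formed
    if not host["starttls"]:
        return "broken"    # TLSA published but STARTTLS not offered
    if any(ee_matches(rr, host["cert"]) for rr in rrset):
        return "ok"
    # Usage 0/1/2 records need chain validation, which this example does not do.
    return "unchecked" if any(rr[0] != 3 for rr in rrset) else "broken"

def classify(mx_hosts):
    states = [host_status(h) for h in mx_hosts]
    if "broken" in states:
        return "broken"
    if "no-tlsa" in states:
        return "partial" if any(s != "no-tlsa" for s in states) else "none"
    return "unchecked" if "unchecked" in states else "dane"

# --- constructed sample data (certificate-shaped DER, not valid certificates) ---
def sample_cert(key_bytes):
    algo = der(0x30, der(0x06, bytes.fromhex("2a8648ce3d0201")))  # id-ecPublicKey
    spki = der(0x30, algo + der(0x03, b"\x00" + key_bytes))
    empty = der(0x30, b"")                 # stands in for issuer/validity/subject
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + algo + empty + empty + empty + spki)
    return der(0x30, tbs + algo + der(0x03, b"\x00"))

def tlsa311(cert):
    return (3, 1, 1, hashlib.sha256(spki_of(cert)).hexdigest())

def mx(tlsa, cert=None, up=True, starttls=True):
    return {"tlsa": tlsa, "cert": cert, "up": up, "starttls": starttls}

OLD = sample_cert(b"\x04" + b"\x11" * 64)  # key in use before rollover
NEW = sample_cert(b"\x04" + b"\x22" * 64)  # key in use after rollover

EXAMPLES = {
    # current + next key both published, so the rollover to NEW still matches;
    # the second MX host is always down but has a well-formed record
    "full": [mx([tlsa311(OLD), tlsa311(NEW)], NEW), mx([tlsa311(OLD)], up=False)],
    "partial": [mx([tlsa311(OLD)], OLD), mx(None, OLD)],
    "stale": [mx([tlsa311(OLD)], NEW)],    # key rotated, TLSA record not updated
    "nostarttls": [mx([tlsa311(OLD)], starttls=False)],
}

def report():
    return {name: classify(hosts) for name, hosts in EXAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in report().items():
        print(f"{name:12} {verdict}")
```

In production the certificate and TLSA RRset would come from a STARTTLS handshake and a DNSSEC-validating resolver; those lookups are outside this example.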
Summary: The DANE domain count is now 3,684,357 (c.f. 3,733,547 last
month). The drop resulted from a loss of DS records at
webreus.nl (~40k customer domains) and partial migration
to new non-TLSA MX hosts at mijndomein.nl (~22k customer
domains). Perhaps either or both may yet restore their
DS and TLSA records, respectively.
The number of domains that return DNSSEC-validated replies in
response to MX queries is 21,002,701 (up from 20,675,170 last
month). Thus DANE TLSA is deployed on ~17.54% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.68 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
   This month                     Last Month
   ----------                     ----------
 1214586 one.com                1214177 one.com
  288282 hostpoint.ch            286784 hostpoint.ch
  195874 infomaniak.ch           195060 infomaniak.ch
  167120 transip.nl              182438 mijndomein.nl
  160940 mijndomein.nl           166314 transip.nl
  153033 argewebhosting.nl       154096 argewebhosting.nl
  136256 simply.com              134199 simply.com
  123192 jouwweb.nl              118030 jouwweb.nl
  111941 hostnet.nl              111945 hostnet.nl
  108874 domeneshop.no           108682 domeneshop.no
  105109 loopia.se               104887 loopia.se
   94171 webhostingserver.nl      94600 webhostingserver.nl
   80000 forpsi.com               79127 forpsi.com
   68284 zxcs.nl                  67139 zxcs.nl
   43363 active24.com             46886 active24.com
   39704 antagonist.nl            39610 webreus.nl
   37051 protonmail.ch            39483 antagonist.nl
   32693 pcextreme.nl             34977 protonmail.ch
   29232 xel.nl                   32983 pcextreme.nl
   27564 udmedia.de               29297 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
   This month                     Last month
   ----------                     ----------
   10726 TOTAL                    10595 TOTAL
    3284 DE, Germany               3209 DE, Germany
    1882 NL, Netherlands           1891 NL, Netherlands
    1856 US, United States         1833 US, United States
     808 FR, France                 799 FR, France
     396 CZ, Czechia                388 CZ, Czechia
     358 GB, United Kingdom         362 GB, United Kingdom
     241 FI, Finland                235 FI, Finland
     222 CA, Canada                 221 CA, Canada
     160 AT, Austria                153 AT, Austria
     137 SE, Sweden                 135 SE, Sweden
     136 CH, Switzerland            134 CH, Switzerland
     133 DK, Denmark                132 DK, Denmark
     128 AU, Australia              122 SG, Singapore
     122 SG, Singapore              120 AU, Australia
      76 PL, Poland                  72 PL, Poland
      60 RU, Russia                  58 JP, Japan
      57 JP, Japan                   57 RU, Russia
      47 IT, Italy                   47 NO, Norway
      45 NO, Norway                  42 BR, Brazil
      42 BR, Brazil                  38 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
   This month                     Last month
   ----------                     ----------
    8396 TOTAL                     8339 TOTAL
    3651 NL, Netherlands           3666 NL, Netherlands
    2312 DE, Germany               2330 DE, Germany
     855 US, United States          860 US, United States
     398 FR, France                 406 FR, France
     183 CZ, Czechia                175 CZ, Czechia
     173 GB, United Kingdom         162 GB, United Kingdom
     156 AU, Australia               77 CA, Canada
      77 CA, Canada                  74 FI, Finland
      76 FI, Finland                 67 AU, Australia
      61 CH, Switzerland             64 CH, Switzerland
      56 AT, Austria                 56 SE, Sweden
      53 SE, Sweden                  54 AT, Austria
      46 SG, Singapore               44 SG, Singapore
      36 JP, Japan                   36 JP, Japan
      22 DK, Denmark                 23 EE, Estonia
      21 NO, Norway                  21 NO, Norway
      19 RO, Romania                 21 IE, Ireland
      18 IE, Ireland                 21 DK, Denmark
      17 BR, Brazil                  17 BR, Brazil
      14 LT, Lithuania               15 LT, Lithuania
There are 9,201 unique zones (9,144 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 19,488 (19,380 last
month). These cover 19,784 distinct MX hosts (19,675 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 846 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 530
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.68 million DANE domains, 13,046 (13,107 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,366
(1,320 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
103 mail.blueconsulting.cz
56 vps01.marcus.services
37 mx1.mdbraber.com
31 mx1.synetcon.net
24 fsn1-c04.xemo-net.de
18 semark.dk
17 mx1.traxion.com
17 mx01.xworks.net
16 mail.odissee.net
15 artemis.strebsjig.net
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 3,237 (1,076 last
month). The top 10 name server operators with problem domains are:
   This Month                     Last month
   ----------                     ----------
    2182 neostrada.nl               148 swizzonic.ch [promptly fully resolved!]
     140 worldnic.com               134 worldnic.com
     115 dnssrv.nl                  106 epik.com
     102 online.net                  95 axc.nl
      90 axc.nl                      73 ebola.cz
      89 epik.com                    61 openprovider.nl
      73 ebola.cz                    29 made-easy.ch
      61 openprovider.nl             20 register.com
      39 fgov.be                     18 sectigoweb.com
      20 register.com                12 ispapi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just two of the domains whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
belgium.be <https://twitter.com/VDukhovni/status/1614455503978889217>
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports: