dane-users
FYI Microsoft recently enabled outbound DANE verification by default for all Exchange Online customers: https://docs.microsoft.com/en-us/microsoft-365/compliance/how-smtp-dane-wor…
For other DANE implementations, usage stats etc. see: https://github.com/baknu/DANE-for-SMTP/wiki
--
Best regards,
Bart Knubben
Netherlands Standardisation Forum
https://forumstandaardisatie.nl/netherlands-standardisation-forum
Summary: The DANE domain count is now 3,197,734 (c.f. 3,172,531 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,409,733 (up from 18,166,397 last
month). Thus DANE TLSA is deployed on ~17.36% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.20 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
 This month                       Last Month
 ----------                       ----------
 1243696 one.com                  1222787 one.com
  277421 hostpoint.ch              276929 hostpoint.ch
  164315 infomaniak.ch             162459 infomaniak.ch
  159902 transip.nl                159841 argewebhosting.nl
  158479 argewebhosting.nl         159047 transip.nl
  107350 domeneshop.no             107424 domeneshop.no
   97611 jouwweb.nl                 96804 jouwweb.nl
   96400 loopia.se                  96629 webhostingserver.nl
   96065 webhostingserver.nl        96028 loopia.se
   75966 forpsi.com                 75489 forpsi.com
   59337 zxcs.nl                    57815 zxcs.nl
   47090 active24.com               47064 active24.com
   41006 webreus.nl                 41338 webreus.nl
   39296 antagonist.nl              39129 antagonist.nl
   35099 pcextreme.nl               35339 pcextreme.nl
   27513 udmedia.de                 27537 udmedia.de
   26802 web4u.cz                   26871 web4u.cz
   25925 webhosting.dk              26105 webhosting.dk
   25763 vevida.com                 26035 vevida.com
   25515 protonmail.ch              24796 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
 This month                       Last month
 ----------                       ----------
    9944 TOTAL                       9827 TOTAL
    2956 DE, Germany                 2919 DE, Germany
    1844 NL, Netherlands             1827 NL, Netherlands
    1789 US, United States           1796 US, United States
     737 FR, France                   725 FR, France
     346 GB, United Kingdom           331 GB, United Kingdom
     331 CZ, Czechia                  315 CZ, Czechia
     226 FI, Finland                  227 FI, Finland
     213 CA, Canada                   212 CA, Canada
     156 AT, Austria                  151 AT, Austria
     130 SG, Singapore                133 DK, Denmark
     129 CH, Switzerland              128 SG, Singapore
     127 DK, Denmark                  126 CH, Switzerland
     110 SE, Sweden                   106 SE, Sweden
     106 AU, Australia                102 AU, Australia
      59 PL, Poland                    59 PL, Poland
      48 JP, Japan                     45 NO, Norway
      46 RU, Russia                    43 RU, Russia
      46 NO, Norway                    43 JP, Japan
      43 BR, Brazil                    43 IE, Ireland
      40 IE, Ireland                   39 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
 This month                       Last month
 ----------                       ----------
    7816 TOTAL                       7726 TOTAL
    3507 NL, Netherlands             3485 NL, Netherlands
    2162 DE, Germany                 2125 DE, Germany
     812 US, United States            808 US, United States
     317 FR, France                   314 FR, France
     187 CZ, Czechia                  171 CZ, Czechia
     158 GB, United Kingdom           139 GB, United Kingdom
      82 FI, Finland                   83 FI, Finland
      63 CA, Canada                    65 CA, Canada
      60 CH, Switzerland               55 CH, Switzerland
      50 AU, Australia                 47 AU, Australia
      45 AT, Austria                   43 SE, Sweden
      40 SG, Singapore                 41 SG, Singapore
      39 SE, Sweden                    37 RU, Russia
      32 JP, Japan                     36 IE, Ireland
      30 RU, Russia                    34 AT, Austria
      22 IE, Ireland                   31 JP, Japan
      20 DK, Denmark                   20 NO, Norway
      19 NO, Norway                    20 DK, Denmark
      15 BG, Bulgaria                  15 UA, Ukraine
      13 LT, Lithuania                 13 BR, Brazil
There are 8,119 unique zones (8,039 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,295 (17,131 last
month). These cover 17,568 distinct MX hosts (17,403 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 625 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 369
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.20 million DANE domains, 27,938 (12,731 last month, ~15k new
MX-hosted by onebit.cz) have "partial" TLSA records, that cover only a subset
of the (secondary) MX hosts. While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,147
(1,102 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
88 vps01.marcus.services
46 mx2.xarisasp.nl
19 mx1.mdbraber.com
16 e-vps.hacktheplanet.nl
15 web1.ams.dcg.t-host.net
15 artemis.strebsjig.net
13 mta11.pointner.at
13 delos.xs4arabia.com
12 mail-01.dd24.net
10 mx01.mykolab.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month). The top 10 name server operators with problem domains are:
 This Month                       Last month
 ----------                       ----------
     563 registrar-servers.com        550 registrar-servers.com
     151 axc.nl                       149 axc.nl
      90 worldnic.com                  80 worldnic.com
      76 ebola.cz                      78 ebola.cz
      41 epik.com                      35 mijndomein.nl
      39 mijndomein.nl                 32 openprovider.nl
      32 openprovider.nl               31 made-easy.ch
      31 made-easy.ch                  26 ns01.nl
      27 register.com                  25 register.com
      26 ns01.nl                       17 dotroll.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
urbtix.hk
mailazy.net
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
I'm happy to announce that LetsDNS release 1.0 is now available and
ready for public use.
Website: https://letsdns.org
GitHub : https://github.com/LetsDNS/letsdns
PyPI : https://pypi.org/project/letsdns/
LetsDNS is a utility to manage DANE TLSA records in DNS servers with
only a few lines of configuration. It supports multiple domains with
multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like dehydrated or certbot. It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
I'd appreciate you taking LetsDNS for a leisurely spin, and letting me
know of your experiences. GitHub discussions/issues are preferred, but
you can also send mail to "author at letsdns dot org".
Enjoy.
-Ralph
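
The survey posts on this list ask operators to monitor the validity of their TLSA records and to rotate keys reliably, and the announcement above concerns managing those same records. The sketch below is an added example, not code from the survey or from LetsDNS: it checks TLSA RRsets against what each MX host presents and sorts a domain into the survey's categories (every MX covered, "partial", broken). The names `Tlsa`, `MxHost`, `host_status` and `domain_status` are hypothetical, the certificate and key bytes are constructed stand-ins for DER data, only DANE-EE(3) records are matched, and MX preference is ignored.

```python
import hashlib
from dataclasses import dataclass, field

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2


@dataclass(frozen=True)
class Tlsa:
    usage: int      # 3 = DANE-EE, 2 = DANE-TA
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: bytes


def well_formed(rr):
    """Field values are in range and digest data has the right length."""
    if rr.usage not in (0, 1, 2, 3) or rr.selector not in (0, 1):
        return False
    if rr.mtype == 0:
        return len(rr.data) > 0
    return rr.mtype in DIGESTS and len(rr.data) == DIGESTS[rr.mtype]().digest_size


def tlsa_for(selector, mtype, cert_der, spki_der):
    """Build the DANE-EE record that matches this certificate or key."""
    selected = spki_der if selector == 1 else cert_der
    data = selected if mtype == 0 else DIGESTS[mtype](selected).digest()
    return Tlsa(3, selector, mtype, data)


def matches(rr, cert_der, spki_der):
    """DANE-EE(3) only: compare the record with the presented leaf certificate."""
    if rr.usage != 3 or not well_formed(rr):
        return False
    return rr == tlsa_for(rr.selector, rr.mtype, cert_der, spki_der)


@dataclass
class MxHost:
    name: str
    tlsa: list = field(default_factory=list)
    reachable: bool = True
    starttls: bool = True
    cert_der: bytes = b""
    spki_der: bytes = b""


def host_status(h):
    if not h.tlsa:
        return "no-tlsa"
    if not h.reachable:
        # A permanently-down MX only needs records that exist and are well-formed.
        return "ok" if all(well_formed(rr) for rr in h.tlsa) else "broken"
    if not h.starttls:
        return "broken"  # TLSA published, but no STARTTLS offered
    ok = any(matches(rr, h.cert_der, h.spki_der) for rr in h.tlsa)
    return "ok" if ok else "broken"


def domain_status(hosts):
    states = [host_status(h) for h in hosts]
    if not states or all(s == "no-tlsa" for s in states):
        return "none"
    if "broken" in states:
        return "broken"
    return "dane" if all(s == "ok" for s in states) else "partial"


# Constructed stand-ins for DER bytes; a real monitor takes them from the TLS handshake.
KEY_CUR, KEY_NEXT = b"constructed-spki-current", b"constructed-spki-next"
CERT_OLD, CERT_RENEWED = b"constructed-cert-1/" + KEY_CUR, b"constructed-cert-2/" + KEY_CUR
CERT_NEXT = b"constructed-cert-3/" + KEY_NEXT


def mx(name, rrs, cert, key, **kw):
    return MxHost(name, rrs, cert_der=cert, spki_der=key, **kw)


def demo():
    # RRset that pins the current key and pre-publishes the next one (3 1 1 twice).
    pinned_key = [tlsa_for(1, 1, CERT_OLD, KEY_CUR), tlsa_for(1, 1, CERT_NEXT, KEY_NEXT)]
    # RRset that pins one specific certificate (3 0 1).
    pinned_cert = [tlsa_for(0, 1, CERT_OLD, KEY_CUR)]
    good = mx("mx1", pinned_key, CERT_OLD, KEY_CUR)
    return {
        "renewal_same_key_311": domain_status([mx("mx1", pinned_key, CERT_RENEWED, KEY_CUR)]),
        "rollover_to_next_key_311": domain_status([mx("mx1", pinned_key, CERT_NEXT, KEY_NEXT)]),
        "renewal_same_key_301": domain_status([mx("mx1", pinned_cert, CERT_RENEWED, KEY_CUR)]),
        "secondary_without_tlsa": domain_status([good, MxHost("mx2")]),
        "dead_mx_with_tlsa": domain_status([good, mx("mx9", pinned_key, b"", b"", reachable=False)]),
        "tlsa_but_no_starttls": domain_status([mx("mx1", pinned_key, b"", b"", starttls=False)]),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28} {status}")
```

Run on a schedule against the live RRset and handshake data, a "broken" result before a certificate change goes live is the signal to fix DNS first.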
08 Apr '22
Hello list members,
I'd like to introduce "LetsDNS", a utility to manage DANE TLSA records
in DNS servers with only a few lines of configuration. It supports
multiple domains with multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like "dehydrated" or "certbot". It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for "nsupdate" scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
LetsDNS has reached a level of maturity at which I feel comfortable
to ask for volunteers who would like to test the software. For more
information, please visit the project's homepage at https://letsdns.org .
I appreciate your feedback.
-Ralph
Summary: The DANE domain count is now 3,172,531 (c.f. 3,171,233 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,166,397 (up from 17,945,028 last
month). Thus DANE TLSA is deployed on ~17.46% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
Milestones:
- Over 18 million DNSSEC-signed zones
- .ORG over 4% signed
- .COM over 3% signed
- Over 8,000 DANE MX host zones
As of today I count ~3.17 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
 This month                       Last Month
 ----------                       ----------
 1222787 one.com                  1239857 one.com
  276929 hostpoint.ch              276109 hostpoint.ch
  162459 infomaniak.ch             160146 infomaniak.ch
  159841 argewebhosting.nl         157827 transip.nl
  159047 transip.nl                150199 argewebhosting.nl
  107424 domeneshop.no             107297 domeneshop.no
   96804 jouwweb.nl                 97131 webhostingserver.nl
   96629 webhostingserver.nl        95810 loopia.se
   96028 loopia.se                  95176 jouwweb.nl
   75489 forpsi.com                 74648 forpsi.com
   57815 zxcs.nl                    55862 zxcs.nl
   47064 active24.com               47053 active24.com
   41338 webreus.nl                 41756 webreus.nl
   39129 antagonist.nl              39085 antagonist.nl
   35339 pcextreme.nl               35599 pcextreme.nl
   27537 udmedia.de                 27485 udmedia.de
   26871 web4u.cz                   26856 web4u.cz
   26105 webhosting.dk              26320 vevida.com
   26035 vevida.com                 26289 webhosting.dk
   24796 protonmail.ch              24182 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
 This month                       Last month
 ----------                       ----------
    9827 TOTAL                       9660 TOTAL
    2919 DE, Germany                 2843 DE, Germany
    1827 NL, Netherlands             1828 NL, Netherlands
    1796 US, United States           1766 US, United States
     725 FR, France                   712 FR, France
     331 GB, United Kingdom           337 GB, United Kingdom
     315 CZ, Czechia                  296 CZ, Czechia
     227 FI, Finland                  214 CA, Canada
     212 CA, Canada                   213 FI, Finland
     151 AT, Austria                  150 AT, Austria
     133 DK, Denmark                  135 DK, Denmark
     128 SG, Singapore                128 SG, Singapore
     126 CH, Switzerland              124 CH, Switzerland
     106 SE, Sweden                   109 SE, Sweden
     102 AU, Australia                107 AU, Australia
      59 PL, Poland                    59 PL, Poland
      45 NO, Norway                    45 RU, Russia
      43 RU, Russia                    45 NO, Norway
      43 JP, Japan                     41 JP, Japan
      43 IE, Ireland                   41 IE, Ireland
      39 IT, Italy                     36 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
 This month                       Last month
 ----------                       ----------
    7726 TOTAL                       7636 TOTAL
    3485 NL, Netherlands             3492 NL, Netherlands
    2125 DE, Germany                 2105 DE, Germany
     808 US, United States            799 US, United States
     314 FR, France                   299 FR, France
     171 CZ, Czechia                  158 CZ, Czechia
     139 GB, United Kingdom           151 GB, United Kingdom
      83 FI, Finland                   82 FI, Finland
      65 CA, Canada                    63 CA, Canada
      55 CH, Switzerland               57 CH, Switzerland
      47 AU, Australia                 49 AU, Australia
      43 SE, Sweden                    45 SE, Sweden
      41 SG, Singapore                 42 SG, Singapore
      37 RU, Russia                    33 AT, Austria
      36 IE, Ireland                   32 JP, Japan
      34 AT, Austria                   25 RU, Russia
      31 JP, Japan                     21 IE, Ireland
      20 NO, Norway                    19 NO, Norway
      20 DK, Denmark                   19 DK, Denmark
      15 UA, Ukraine                   14 BR, Brazil
      13 BR, Brazil                    11 SI, Slovenia
There are 8,039 unique zones (7,895 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,131 (16,959 last
month). These cover 17,403 distinct MX hosts (17,222 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 607 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 346
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.17 million DANE domains, 12,731 (12,742 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1102
(1136 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
86 beta.itcomputers.eu
65 arachne.itcomputers.cz
29 mx.2u2.nu
20 mail.itcomputers.net
19 mx1.mdbraber.com
16 e-vps.hacktheplanet.nl
15 artemis.strebsjig.net
14 web1.ams.dcg.t-host.net
13 dolifarm2.cap-networks.com
10 mx01.mykolab.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:
 This Month                       Last month
 ----------                       ----------
     550 registrar-servers.com        569 registrar-servers.com
     149 axc.nl                       152 axc.nl
      80 worldnic.com                  82 ebola.cz
      78 ebola.cz                      56 worldnic.com
      35 mijndomein.nl                 38 mijndomein.nl
      32 openprovider.nl               30 ns01.nl
      31 made-easy.ch                  29 made-easy.ch
      26 ns01.nl                       26 hostline.fr
      25 register.com                  20 register.com
      17 dotroll.com                   18 cloudflare.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Six of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
urbtix.hk
mailazy.net
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 3,171,233 (c.f. 3,153,006 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 17,945,028 (up from 17,670,769 last
month). Thus DANE TLSA is deployed on ~17.67% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.17 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
 This month                       Last Month
 ----------                       ----------
 1239857 one.com                  1235173 one.com
  276109 hostpoint.ch              275090 hostpoint.ch
  160146 infomaniak.ch             158083 infomaniak.ch
  157827 transip.nl                156876 transip.nl
  150199 argewebhosting.nl         150857 argewebhosting.nl
  107297 domeneshop.no             106966 domeneshop.no
   97131 webhostingserver.nl        97403 webhostingserver.nl
   95810 loopia.se                  95392 loopia.se
   95176 jouwweb.nl                 92990 jouwweb.nl
   74648 forpsi.com                 73745 forpsi.com
   55862 zxcs.nl                    53390 zxcs.nl
   47053 active24.com               46913 active24.com
   41756 webreus.nl                 41099 webreus.nl
   39085 antagonist.nl              38881 antagonist.nl
   35599 pcextreme.nl               35846 pcextreme.nl
   27485 udmedia.de                 27214 udmedia.de
   26856 web4u.cz                   26766 web4u.cz
   26320 vevida.com                 26679 vevida.com
   26289 webhosting.dk              26497 webhosting.dk
   24182 protonmail.ch              23458 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
 This month                       Last month
 ----------                       ----------
    9660 TOTAL                       9425 TOTAL
    2843 DE, Germany                 2763 DE, Germany
    1828 NL, Netherlands             1810 NL, Netherlands
    1766 US, United States           1723 US, United States
     712 FR, France                   692 FR, France
     337 GB, United Kingdom           336 GB, United Kingdom
     296 CZ, Czechia                  280 CZ, Czechia
     214 CA, Canada                   208 FI, Finland
     213 FI, Finland                  207 CA, Canada
     150 AT, Austria                  135 AT, Austria
     135 DK, Denmark                  134 DK, Denmark
     128 SG, Singapore                121 SG, Singapore
     124 CH, Switzerland              119 CH, Switzerland
     109 SE, Sweden                   108 SE, Sweden
     107 AU, Australia                105 AU, Australia
      59 PL, Poland                    58 PL, Poland
      45 RU, Russia                    46 RU, Russia
      45 NO, Norway                    44 IE, Ireland
      41 JP, Japan                     43 NO, Norway
      41 IE, Ireland                   40 BR, Brazil
      36 BR, Brazil                    39 JP, Japan
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
 This month                       Last month
 ----------                       ----------
    7636 TOTAL                       7480 TOTAL
    3492 NL, Netherlands             3484 NL, Netherlands
    2105 DE, Germany                 1987 DE, Germany
     799 US, United States            771 US, United States
     299 FR, France                   298 FR, France
     158 CZ, Czechia                  165 CZ, Czechia
     151 GB, United Kingdom           144 GB, United Kingdom
      82 FI, Finland                   82 FI, Finland
      63 CA, Canada                    61 CA, Canada
      57 CH, Switzerland               50 CH, Switzerland
      49 AU, Australia                 46 AU, Australia
      45 SE, Sweden                    44 SE, Sweden
      42 SG, Singapore                 41 SG, Singapore
      33 AT, Austria                   32 RU, Russia
      32 JP, Japan                     32 AT, Austria
      25 RU, Russia                    28 JP, Japan
      21 IE, Ireland                   22 IE, Ireland
      19 NO, Norway                    19 NO, Norway
      19 DK, Denmark                   19 DK, Denmark
      14 BR, Brazil                    17 BR, Brazil
      11 SI, Slovenia                  11 SI, Slovenia

There are 7,895 unique zones (7,618 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 16,959 (16,571 last
month). These cover 17,222 distinct MX hosts (16,838 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 593 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 326
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.17 million DANE domains, 12,742 (12,666 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1136
(1191 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:

   87 beta.itcomputers.eu
   19 mx1.mdbraber.com
   18 mx3.ski-bergtouren.ch
   16 e-vps.hacktheplanet.nl
   15 web1.ams.dcg.t-host.net
   15 artemis.strebsjig.net
   11 sfo-exc03.corp.sfo.ch
   11 mx01.mykolab.com
   10 mail.campana.email
    9 urmail.space

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:

This Month                    Last month
----------                    ----------
  569 registrar-servers.com     596 registrar-servers.com
  152 axc.nl                    171 axc.nl
   82 ebola.cz                   83 ebola.cz
   56 worldnic.com               42 worldnic.com
   38 mijndomein.nl              31 mijndomein.nl
   30 ns01.nl                    30 ns01.nl
   29 made-easy.ch               28 made-easy.ch
   26 hostline.fr                18 cloudflare.com
   20 register.com               15 register.com
   18 cloudflare.com             15 epik.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  urbtix.hk
  mailazy.net
  kprm.gov.pl
  novathreads.us

--
Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

Summary: The DANE domain count is now 3,153,006 (c.f. 2,998,143 last
month).

The number of domains that return DNSSEC-validated replies in
response to MX queries is 17,670,769 (up from 17,263,168 last
month). Thus DANE TLSA is deployed on ~17.84% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.

[ See the Credits[0] list below my signature. ]

As of today I count ~3.15 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.

This month                    Last Month
----------                    ----------
1235173 one.com               1214915 one.com
 275090 hostpoint.ch           273907 hostpoint.ch
 158083 infomaniak.ch          156065 infomaniak.ch
 156876 transip.nl             155803 transip.nl
 150857 argewebhosting.nl      150793 argewebhosting.nl
 106966 domeneshop.no          106219 domeneshop.no
  97403 webhostingserver.nl     97607 webhostingserver.nl
  95392 loopia.se               95145 loopia.se
  92990 jouwweb.nl              72612 forpsi.com
  73745 forpsi.com              50892 zxcs.nl
  53390 zxcs.nl                 46657 active24.com
  46913 active24.com            41634 webreus.nl
  41099 webreus.nl              38388 antagonist.nl
  38881 antagonist.nl           36106 pcextreme.nl
  35846 pcextreme.nl            27209 udmedia.de
  27214 udmedia.de              27073 vevida.com
  26766 web4u.cz                26765 webhosting.dk
  26679 vevida.com              26430 web4u.cz
  26497 webhosting.dk           23331 hosting2go.nl
  23458 protonmail.ch           22745 protonmail.ch

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

This month                  Last month
----------                  ----------
 9425 TOTAL                  9262 TOTAL
 2763 DE, Germany            2704 DE, Germany
 1810 NL, Netherlands        1785 NL, Netherlands
 1723 US, United States      1723 US, United States
  692 FR, France              674 FR, France
  336 GB, United Kingdom      338 GB, United Kingdom
  280 CZ, Czechia             275 CZ, Czechia
  208 FI, Finland             202 FI, Finland
  207 CA, Canada              199 CA, Canada
  135 AT, Austria             132 DK, Denmark
  134 DK, Denmark             132 AT, Austria
  121 SG, Singapore           114 SG, Singapore
  119 CH, Switzerland         113 CH, Switzerland
  108 SE, Sweden               99 SE, Sweden
  105 AU, Australia            99 AU, Australia
   58 PL, Poland               54 PL, Poland
   46 RU, Russia               46 RU, Russia
   44 IE, Ireland              42 IE, Ireland
   43 NO, Norway               41 NO, Norway
   40 BR, Brazil               39 JP, Japan
   39 JP, Japan                37 BR, Brazil

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

This month                  Last month
----------                  ----------
 7480 TOTAL                  7177 TOTAL
 3484 NL, Netherlands        3323 NL, Netherlands
 1987 DE, Germany            1926 DE, Germany
  771 US, United States       759 US, United States
  298 FR, France              288 FR, France
  165 CZ, Czechia             164 CZ, Czechia
  144 GB, United Kingdom      144 GB, United Kingdom
   82 FI, Finland              82 FI, Finland
   61 CA, Canada               60 CA, Canada
   50 CH, Switzerland          44 CH, Switzerland
   46 AU, Australia            43 SE, Sweden
   44 SE, Sweden               42 AU, Australia
   41 SG, Singapore            40 SG, Singapore
   32 RU, Russia               32 AT, Austria
   32 AT, Austria              28 JP, Japan
   28 JP, Japan                23 IE, Ireland
   22 IE, Ireland              18 NO, Norway
   19 NO, Norway               16 BR, Brazil
   19 DK, Denmark              15 DK, Denmark
   17 BR, Brazil               12 IN, India
   11 SI, Slovenia             11 PL, Poland

There are 7,618 unique zones (7,482 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 16,571 (16,403 last
month). These cover 16,838 distinct MX hosts (16,670 last month, some
MX hosts share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 580 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 327
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.15 million DANE domains, 12,666 (12,621 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1191
(1225 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:

   88 beta.itcomputers.eu
   20 mx1.exegy.com
   19 mx1.mdbraber.com
   17 mx1.digi.nl
   16 e-vps.hacktheplanet.nl
   15 web1.ams.dcg.t-host.net
   15 smtp.meninodoporto.com.pt
   15 artemis.strebsjig.net
   12 mail.bi9.de
   11 mx01.mykolab.com

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:

This Month                    Last month
----------                    ----------
  596 registrar-servers.com     579 registrar-servers.com
  171 axc.nl                    164 axc.nl
   83 ebola.cz                   87 ebola.cz
   42 worldnic.com               39 worldnic.com
   31 mijndomein.nl              32 mijndomein.nl
   30 ns01.nl                    29 ns01.nl
   28 made-easy.ch               29 made-easy.ch
   18 cloudflare.com             17 cloudflare.com
   15 register.com               14 register.com
   15 epik.com                   11 epik.com

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Four of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  icv-crew.com
  urbtix.hk
  novathreads.us

--
Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:

Starting this month through May 2022, Microsoft will incrementally
roll out outbound DANE support (*enabled by default*) for all hosted
Exchange Online domains:

https://m365admin.handsontek.net/upcoming-release-outbound-smtp-dane-and-dn…

> As previously announced in the blog post Support of DANE and DNSSEC in Office 365 Exchange Online, we will be adding support for SMTP DANE and DNSSEC to Exchange Online (EXO). DANE combined with DNSSEC is the state-of-the-art for securing email, and to optimize its effectiveness both standards will be enabled by default at the system level for all EXO customers.

If your cert rollover practices are sloppy, with transient certificate
chain validation failures after each key/cert rollover, as stale TLSA
records age out from caches or are only updated after problem reports,
then this is a good time to either up your game, or stop publishing TLSA
records. Having stale TLSA records that delay or break email delivery
does neither you nor the people sending you email any good.

Please follow best-practice and pre-publish matching TLSA records for
the upcoming certs a few TTLs before certificate deployment. If that's
too hard, disable DANE until you can implement a more robust rollover
process.

--
Viktor.
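
The pre-publication advice in the message above, as an added example (not code from the post or from any DANE tool): a standard-library Python check that matches DANE-EE (usage 3) TLSA records against the current and the upcoming certificate and reports whether the rollover can go ahead. The `Cert` type, the status names, the two-TTL wait and the byte strings standing in for DER data are assumptions made for this illustration.

```python
import hashlib
from typing import NamedTuple, Optional


class Cert(NamedTuple):
    der: Optional[bytes]   # full certificate (DER); None if not issued yet
    spki: bytes            # SubjectPublicKeyInfo (DER) of its key


class TLSA(NamedTuple):
    usage: int             # 3 = DANE-EE, the only usage evaluated here
    selector: int          # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int             # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: str              # certificate association data, lowercase hex


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 ab12...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError(f"malformed TLSA RDATA: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = "".join(fields[3:]).lower()   # zone files may split the hex string
    bytes.fromhex(data)                  # rejects non-hex or odd-length data
    return TLSA(usage, selector, mtype, data)


def association(selector: int, mtype: int, cert: Cert) -> str:
    """Association data a TLSA record must carry in order to match cert."""
    blob = cert.der if selector == 0 else cert.spki
    if blob is None:
        raise ValueError("selector 0 needs the issued certificate")
    if mtype == 0:
        return blob.hex()
    digest = {1: hashlib.sha256, 2: hashlib.sha512}[mtype]
    return digest(blob).hexdigest()


def matches(rr: TLSA, cert: Cert) -> bool:
    """True if a DANE-EE record authenticates this certificate."""
    if rr.usage != 3 or rr.selector not in (0, 1) or rr.mtype not in (0, 1, 2):
        return False                     # outside what this example evaluates
    if rr.selector == 0 and cert.der is None:
        return False
    return association(rr.selector, rr.mtype, cert) == rr.data


def rollover_status(rrset, current, upcoming, published_at, ttl, now, min_ttls=2):
    """Classify a published TLSA RRset before `upcoming` is deployed.

    published_at is when the record for `upcoming` went live (epoch seconds).
    min_ttls=2 is an assumed reading of "a few TTLs", not a figure from the post.
    """
    records = [parse_tlsa(r) for r in rrset]
    if not any(matches(r, current) for r in records):
        return "BROKEN"                  # the certificate in use has no match
    if not any(matches(r, upcoming) for r in records):
        return "NOT_PREPUBLISHED"        # deploying now would strand senders
    if now - published_at < min_ttls * ttl:
        return "WAIT"                    # caches may still hold the old RRset
    return "READY"


def tlsa_rdata(selector: int, mtype: int, cert: Cert) -> str:
    """Render the DANE-EE RDATA that would match cert."""
    return f"3 {selector} {mtype} {association(selector, mtype, cert)}"


# Constructed stand-ins for DER encodings (not real certificates or keys).
KEY_A_CERT_1 = Cert(der=b"constructed certificate 1", spki=b"constructed key A")
KEY_A_CERT_2 = Cert(der=b"constructed certificate 2", spki=b"constructed key A")
KEY_B_NEXT = Cert(der=None, spki=b"constructed key B")   # key made, cert pending

if __name__ == "__main__":
    rrset = [tlsa_rdata(1, 1, KEY_A_CERT_1)]
    print(rollover_status(rrset, KEY_A_CERT_1, KEY_B_NEXT, 0, 3600, 10_000))
    rrset.append(tlsa_rdata(1, 1, KEY_B_NEXT))           # pre-publish next key
    print(rollover_status(rrset, KEY_A_CERT_1, KEY_B_NEXT, 10_000, 3600, 12_000))
    print(rollover_status(rrset, KEY_A_CERT_1, KEY_B_NEXT, 10_000, 3600, 18_000))
    # A "3 1 1" record survives a renewal that keeps the key; "3 0 1" does not.
    print(matches(parse_tlsa(tlsa_rdata(1, 1, KEY_A_CERT_1)), KEY_A_CERT_2))
    print(matches(parse_tlsa(tlsa_rdata(0, 1, KEY_A_CERT_1)), KEY_A_CERT_2))
```

Because the "3 1 1" record is derived from the key alone, the record for the next key can be published before its certificate has been issued, which is what makes the pre-publication window practical.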

Summary: The DANE domain count is now 2,998,143 (c.f. 3,005,393
last month and 2,522,820 this time last year).

The number of domains that return DNSSEC-validated replies in
response to MX queries is 17,263,168 (up from 16,982,372 last
month and 13,559,686 this time last year). Thus DANE TLSA is
deployed on ~17.36% of domains with DNSSEC. For more stats,
see <https://stats.dnssec-tools.org/>. [ See the Credits[0]
list below my signature. ]

As of today I count ~3.0 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.

This month                    Last Month                    Last year
----------                    ----------                    ---------
1214915 one.com               1230165 one.com               1197409 one.com
 273907 hostpoint.ch           272727 hostpoint.ch           146757 transip.nl
 156065 infomaniak.ch          154952 transip.nl             146041 argewebhosting.nl
 155803 transip.nl             154347 infomaniak.ch          103374 domeneshop.no
 150793 argewebhosting.nl      149718 argewebhosting.nl       98861 webhostingserver.nl
 106219 domeneshop.no          106004 domeneshop.no           96166 infomaniak.ch
  97607 webhostingserver.nl     98029 webhostingserver.nl     92051 loopia.se
  95145 loopia.se               95100 loopia.se               66772 forpsi.com
  72612 forpsi.com              71946 forpsi.com              41264 webreus.nl
  50892 zxcs.nl                 48270 zxcs.nl                 40642 active24.com
  46657 active24.com            46581 active24.com            39895 pcextreme.nl
  41634 webreus.nl              42121 webreus.nl              35523 antagonist.nl
  38388 antagonist.nl           38213 antagonist.nl           31194 zxcs.nl
  36106 pcextreme.nl            36362 pcextreme.nl            30096 vevida.com
  27209 udmedia.de              27450 vevida.com              27456 webhosting.dk
  27073 vevida.com              26984 udmedia.de              26566 web4u.cz
  26765 webhosting.dk           26916 webhosting.dk           25718 udmedia.de
  26430 web4u.cz                26483 web4u.cz                18487 bhosted.nl
  23331 hosting2go.nl           23612 hosting2go.nl           14530 protonmail.ch
  22745 protonmail.ch           22118 protonmail.ch           14434 onebit.cz

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.

Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).

This month                  Last month                  Last year
----------                  ----------                  ---------
 9262 TOTAL                  9230 TOTAL                  7799 TOTAL
 2704 DE, Germany            2691 DE, Germany            2390 DE, Germany
 1785 NL, Netherlands        1781 NL, Netherlands        1497 US, United States
 1723 US, United States      1710 US, United States      1437 NL, Netherlands
  674 FR, France              697 FR, France              637 FR, France
  338 GB, United Kingdom      325 GB, United Kingdom      279 GB, United Kingdom
  275 CZ, Czechia             264 CZ, Czechia             227 CZ, Czechia
  202 FI, Finland             206 CA, Canada              170 CA, Canada
  199 CA, Canada              204 FI, Finland             123 FI, Finland
  132 DK, Denmark             131 AT, Austria             113 DK, Denmark
  132 AT, Austria             129 DK, Denmark             109 SG, Singapore
  114 SG, Singapore           118 SG, Singapore            99 CH, Switzerland
  113 CH, Switzerland         108 CH, Switzerland          88 SE, Sweden
   99 SE, Sweden               98 SE, Sweden               63 AU, Australia
   99 AU, Australia            93 AU, Australia            62 AT, Austria
   54 PL, Poland               56 PL, Poland               42 IE, Ireland
   46 RU, Russia               44 NO, Norway               40 BR, Brazil
   42 IE, Ireland              43 RU, Russia               38 IN, India
   41 NO, Norway               43 IE, Ireland              34 JP, Japan
   39 JP, Japan                38 JP, Japan                33 PL, Poland
   37 BR, Brazil               38 BR, Brazil               30 RU, Russia

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

This month                  Last month                  Last year
----------                  ----------                  ---------
 7177 TOTAL                  7274 TOTAL                  6378 TOTAL
 3323 NL, Netherlands        3431 NL, Netherlands        3183 NL, Netherlands
 1926 DE, Germany            1903 DE, Germany            1587 DE, Germany
  759 US, United States       757 US, United States       606 US, United States
  288 FR, France              300 FR, France              287 FR, France
  164 CZ, Czechia             156 CZ, Czechia             136 CZ, Czechia
  144 GB, United Kingdom      133 GB, United Kingdom      112 GB, United Kingdom
   82 FI, Finland              80 FI, Finland              48 CA, Canada
   60 CA, Canada               60 CA, Canada               44 CH, Switzerland
   44 CH, Switzerland          45 CH, Switzerland          42 AT, Austria
   43 SE, Sweden               42 SG, Singapore            38 SG, Singapore
   42 AU, Australia            42 SE, Sweden               36 SE, Sweden
   40 SG, Singapore            38 AU, Australia            27 RU, Russia
   32 AT, Austria              31 AT, Austria              22 IE, Ireland
   28 JP, Japan                28 JP, Japan                19 UA, Ukraine
   23 IE, Ireland              26 RU, Russia               19 JP, Japan
   18 NO, Norway               23 IE, Ireland              18 AU, Australia
   16 BR, Brazil               19 NO, Norway               17 NO, Norway
   15 DK, Denmark              18 DK, Denmark              17 FI, Finland
   12 IN, India                15 BR, Brazil               17 DK, Denmark
   11 PL, Poland               13 IN, India                14 BR, Brazil

There are 7,482 unique zones (7,451 last month and 6,291 this time last
year) in which the underlying MX hosts are found. This counts each of
the above providers as just one zone, so is a measure of the breadth of
adoption in terms of organizations deploying DANE SMTP.

The number of published MX host TLSA RRsets found is 16,403 (16,295 last
month and 14,130 this time last year). These cover 16,670 distinct MX
hosts (16,562 last month and 14,328 this time last year, some MX hosts
share the same TLSA records through CNAMEs).

The number of DANE domains that at some point were listed in Gmail's
email transparency report is 575 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 330
are in recent (last 90 days of) reports (see [2] below my signature).

Of the ~3.0 million DANE domains, 12,621 (12,750 last month and 13,070
this time last year) have "partial" TLSA records, that cover only a
subset of the (secondary) MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1225
(1086 last month and 1155 this time last year). Some of these have
additional MX hosts that don't have broken TLSA records, so mail can
still arrive via the remaining MX hosts. The affected domain counts for
the top 10 problem MX hosts are:

   90 beta.itcomputers.eu
   44 smtp.meninadoporto.shop
   32 node1.4spam.nl
   19 mx1.mdbraber.com
   16 mail.odissee.net
   16 e-vps.hacktheplanet.nl
   15 web1.ams.dcg.t-host.net
   15 smtp.meninodoporto.com.pt
   15 artemis.strebsjig.net
   12 mail.bi9.de

To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:

https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:

This Month                    Last month                    Last year
----------                    ----------                    ---------
  579 registrar-servers.com     564 registrar-servers.com     325 registrar-servers.com
  164 axc.nl                    124 axc.nl                    116 movenext.nl
   87 ebola.cz                   88 ebola.cz                   86 ebola.cz
   39 worldnic.com               33 worldnic.com               25 tiscomhosting.nl
   32 mijndomein.nl              30 mijndomein.nl              24 epik.com
   29 ns01.nl                    30 made-easy.ch               23 eatserver.nl
   29 made-easy.ch               16 cloudflare.com             17 infracom.nl
   17 cloudflare.com             11 vtx.ch                     14 ns01.nl
   14 register.com               11 openprovider.nl            12 renault.fr
   11 epik.com                   10 register.com               11 nrdns.nl

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.

Six of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:

  coren-sp.gov.br
  tjap.jus.br
  icv-crew.com
  bncr.fi.cr
  urbtix.hk
  novathreads.us

--
Viktor.

[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.

[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.

[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
I regret to inform you that XS4ALL stopped using DANE, both inbound for xs4all.nl and outbound.
The reason is that the XS4ALL systems are being dismantled, and the customers are moving to KPN, who neither use nor publish DANE records.
If anyone still has "xs4all.nl" in a "strict dane" list, please remove us. I saw a bounce from one.com indicating that possibly one of their systems still expects DANE records for xs4all.nl.
--
Jan-Pieter Cornet <johnpc(a)xs4all.net>
Systeembeheer XS4ALL Internet bv
www.xs4all.nl