dane-users
NOTE: When using NSEC3 to sign your domain, please make sure your iteration
count is not needlessly large (above ~25). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
Summary: The DANE domain count is now 2,638,525 (up from 2,623,358 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 15,118,039 (up from 14,890,975 last
month). Thus DANE TLSA is deployed on ~17.45% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,638,525 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                     Last month
  ----------                     ----------
  1228949 one.com                1227082 one.com
   150486 transip.nl              150090 transip.nl
   150288 argewebhosting.nl       149333 argewebhosting.nl
   110793 infomaniak.ch           108672 infomaniak.ch
   104816 domeneshop.no           104762 domeneshop.no
    99494 webhostingserver.nl      99669 webhostingserver.nl
    93948 loopia.se                93660 loopia.se
    69464 forpsi.com               68752 forpsi.com
    41882 active24.com             41710 active24.com
    39617 webreus.nl               39907 webreus.nl
    38179 pcextreme.nl             38426 pcextreme.nl
    37449 antagonist.nl            37231 antagonist.nl
    37023 zxcs.nl                  35720 zxcs.nl
    29200 vevida.com               29296 vevida.com
    27706 webhosting.dk            27736 webhosting.dk
    26564 web4u.cz                 26588 web4u.cz
    26255 udmedia.de               25968 udmedia.de
    25168 hosting2go.nl            25447 hosting2go.nl
    18914 bhosted.nl               18827 bhosted.nl
    18594 protonmail.ch            17855 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  This month                 Last month
  ----------                 ----------
  8677 TOTAL                 8579 TOTAL
  2631 DE, Germany           2595 DE, Germany
  1664 US, United States     1650 US, United States
  1644 NL, Netherlands       1648 NL, Netherlands
   636 FR, France             631 FR, France
   328 GB, United Kingdom     313 GB, United Kingdom
   224 CZ, Czechia            226 CZ, Czechia
   201 CA, Canada             197 CA, Canada
   167 FI, Finland            165 FI, Finland
   124 DK, Denmark            125 DK, Denmark
   120 SG, Singapore          116 SG, Singapore
   100 SE, Sweden              95 SE, Sweden
    98 CH, Switzerland         95 CH, Switzerland
    79 AU, Australia           75 AU, Australia
    73 AT, Austria             70 AT, Austria
    44 PL, Poland              45 PL, Poland
    41 IE, Ireland             39 NO, Norway
    39 NO, Norway              39 BR, Brazil
    37 BR, Brazil              38 JP, Japan
    36 JP, Japan               37 IE, Ireland
    35 RU, Russia              36 IN, India
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                 Last month
  ----------                 ----------
  6851 TOTAL                 6806 TOTAL
  3253 NL, Netherlands       3268 NL, Netherlands
  1802 DE, Germany           1782 DE, Germany
   664 US, United States      659 US, United States
   296 FR, France             299 FR, France
   145 CZ, Czechia            147 GB, United Kingdom
   142 GB, United Kingdom     134 CZ, Czechia
    76 FI, Finland             52 CA, Canada
    58 CA, Canada              46 SG, Singapore
    45 SG, Singapore           46 SE, Sweden
    44 CH, Switzerland         46 CH, Switzerland
    43 SE, Sweden              42 RU, Russia
    29 AT, Austria             33 FI, Finland
    28 AU, Australia           26 AU, Australia
    27 RU, Russia              26 AT, Austria
    26 JP, Japan               24 JP, Japan
    17 NO, Norway              17 NO, Norway
    17 IE, Ireland             17 DK, Denmark
    17 DK, Denmark             16 IE, Ireland
    14 BR, Brazil              14 BR, Brazil
    12 PL, Poland              10 SI, Slovenia
There are 7,053 unique zones (6,934 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,479 (15,467 last
month). These cover 15,711 distinct MX hosts (15,701 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 475 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 291
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.64 million domains, 12,757 (12,852 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1976
(1999 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1295 (1298 last
month). The top 10 name server operators with problem domains are:
  This month                   Last month
  ----------                   ----------
  509 registrar-servers.com    485 registrar-servers.com
  122 axc.nl                   119 axc.nl
   93 ebola.cz                  94 ebola.cz
   45 epik.com                  48 yourict.net
   32 mijndomein.nl             45 epik.com
   29 made-easy.ch              29 mijndomein.nl
   24 tiscomhosting.nl          29 made-easy.ch
   22 cloudflare.com            25 tiscomhosting.nl
   18 movenext.nl               18 movenext.nl
   17 openprovider.nl           17 infracom.nl
   17 WORLDNIC.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Four of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
frontmta.com.br
bncr.fi.cr
sauditelecom.com.sa
kmutt.ac.th
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Overview of outbound DANE for SMTP support
by Knubben, B.S.J. (Bart) - Forum Standaardisatie 26 May '21
Hi,
We made the following overview of products/services with outbound DANE support (i.e. DANE verification). Any remarks/additions are welcome.
I. Supported:
- Postfix (since version 2.11.0, January 2014): http://www.postfix.org/TLS_README.html#client_tls_dane
- Halon (since version 3.4-r2, November 2015): https://halon.io/dane and https://wiki.halon.io/DANE
- OpenSSL (since version 1.1.0, August 2016): https://www.openssl.org/docs/manmaster/man3/SSL_CTX_dane_enable.html and https://www.openssl.org/docs/manmaster/man1/openssl-s_client.html
- Cloudmark (since version 5.2, March 2017): https://blog.cloudmark.com/2017/03/27/dane-and-email-security/
- Exim (since version 4.91, April 2018): https://www.exim.org/exim-html-current/doc/html/spec_html/ch-encrypted_smtp…
- Mail-in-a-Box (uses Postfix): https://github.com/mail-in-a-box/mailinabox/blob/master/security.md
- ldns (uses OpenSSL): https://www.nlnetlabs.nl/documentation/ldns/dane_8h.html
II. Requested:
- Cisco: Bug ID: CSCuo87918 - [ Feature Request] TLS DANE Support for Email Security Appliance, https://bst.cloudapps.cisco.com/bugsearch/bug/CSCuo87918/
- MS O365: https://office365.uservoice.com/forums/273493-office-365-admin/suggestions/… and https://office365.uservoice.com/forums/289138-office-365-security-complianc…
- Fortinet: https://fortinet.uservoice.com/forums/23797-fortipartner-feature-requests/s…
- Protonmail: https://protonmail.uservoice.com/forums/284483-feedback/suggestions/3433882… and https://protonmail.uservoice.com/forums/284483-feedback/suggestions/1659360…
BTW a simple outbound DANE test can be found on https://havedane.net.
--
Best regards,
Bart Knubben
Dutch Standardisation Forum
https://www.forumstandaardisatie.nl/content/english
This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
NOTE: When using NSEC3, please make sure your iteration count is
not needlessly large (above ~25). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
Summary: The DANE domain count is now 2,623,358 (up from 2,580,510
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 14,890,975 (up from 14,597,373 last
month). Thus DANE TLSA is deployed on ~17.61% of domains with
DNSSEC.
https://stats.dnssec-tools.org/
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,623,358 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                     Last month
  ----------                     ----------
  1227082 one.com                1219094 one.com
   150090 transip.nl              149627 transip.nl
   149333 argewebhosting.nl       148446 argewebhosting.nl
   108672 infomaniak.ch           106039 infomaniak.ch
   104762 domeneshop.no           104614 domeneshop.no
    99669 webhostingserver.nl      99953 webhostingserver.nl
    93660 loopia.se                93378 loopia.se
    68752 forpsi.com               68008 forpsi.com
    41710 active24.com             41460 active24.com
    39907 webreus.nl               40278 webreus.nl
    38426 pcextreme.nl             38710 pcextreme.nl
    37231 antagonist.nl            36833 antagonist.nl
    35720 zxcs.nl                  34505 zxcs.nl
    29296 vevida.com               29520 vevida.com
    27736 webhosting.dk            27896 webhosting.dk
    26588 web4u.cz                 26473 web4u.cz
    25968 udmedia.de               25964 udmedia.de
    25447 hosting2go.nl            18829 bhosted.nl
    18827 bhosted.nl               17072 protonmail.ch
    17855 protonmail.ch            14579 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  This month                 Last month
  ----------                 ----------
  8579 TOTAL                 8450 TOTAL
  2595 DE, Germany           2555 DE, Germany
  1650 US, United States     1628 US, United States
  1648 NL, Netherlands       1628 NL, Netherlands
   631 FR, France             624 FR, France
   313 GB, United Kingdom     306 GB, United Kingdom
   226 CZ, Czechia            229 CZ, Czechia
   197 CA, Canada             199 CA, Canada
   165 FI, Finland            150 FI, Finland
   125 DK, Denmark            121 SG, Singapore
   116 SG, Singapore          121 DK, Denmark
    95 SE, Sweden              95 SE, Sweden
    95 CH, Switzerland         93 CH, Switzerland
    75 AU, Australia           77 AU, Australia
    70 AT, Austria             69 AT, Austria
    45 PL, Poland              39 RU, Russia
    39 NO, Norway              39 PL, Poland
    39 BR, Brazil              39 BR, Brazil
    38 JP, Japan               38 JP, Japan
    37 IE, Ireland             37 NO, Norway
    36 IN, India               37 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                 Last month
  ----------                 ----------
  6806 TOTAL                 6706 TOTAL
  3268 NL, Netherlands       3238 NL, Netherlands
  1782 DE, Germany           1747 DE, Germany
   659 US, United States      678 US, United States
   299 FR, France             289 FR, France
   147 GB, United Kingdom     144 CZ, Czechia
   134 CZ, Czechia            132 GB, United Kingdom
    52 CA, Canada              53 CA, Canada
    46 SG, Singapore           44 CH, Switzerland
    46 SE, Sweden              42 SG, Singapore
    46 CH, Switzerland         42 AT, Austria
    42 RU, Russia              41 SE, Sweden
    33 FI, Finland             25 FI, Finland
    26 AU, Australia           23 AU, Australia
    26 AT, Austria             21 JP, Japan
    24 JP, Japan               20 RU, Russia
    17 NO, Norway              18 DK, Denmark
    17 DK, Denmark             17 IE, Ireland
    16 IE, Ireland             16 NO, Norway
    14 BR, Brazil              14 BR, Brazil
    10 SI, Slovenia            11 PL, Poland
There are 6,934 unique zones (6,808 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,467 (15,010 last
month). These cover 15,701 distinct MX hosts (15,241 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 478 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 297
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.62 million domains, 12,852 (12,913 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1999
(1801 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1295 (1298 last
month). The top 10 name server operators with problem domains are:
  This month                   Last month
  ----------                   ----------
  485 registrar-servers.com    468 registrar-servers.com
  119 axc.nl                   122 movenext.nl
   94 ebola.cz                  93 ebola.cz
   48 yourict.net               46 axc.nl
   45 epik.com                  43 epik.com
   29 mijndomein.nl             31 mijndomein.nl
   29 made-easy.ch              29 made-easy.ch
   25 tiscomhosting.nl          25 tiscomhosting.nl
   18 movenext.nl               18 infracom.nl
   17 infracom.nl               16 eatserver.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
fed.be
trt1.jus.br
bncr.fi.cr
sauditelecom.com.sa
kmutt.ac.th
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
IMPORTANT: Please ensure your NSEC3 iteration count is sufficiently low
by Viktor Dukhovni 01 Apr '21
RFC 5155 defined NSEC3 iterations to scale up with the RSA/DSA key size
up to perhaps as high as 2500 iterations for 4096-bit keys. In
retrospect such a generous iteration allowance proved
counter-productive. It is neither particularly effective at keeping
your zone content "secret", nor sufficiently cheap to avoid negative
impact on authoritative and iterative resolver performance.
In that light, Wes Hardaker and I are working on an Internet-Draft
that strongly recommends setting the NSEC3 additional iteration count
to 0 (at least one initial SHA1 hash is always performed).
https://tools.ietf.org/html/draft-hardaker-dnsop-nsec3-guidance-02
Today, the Knot resolver became the first one to cap NSEC3 iterations
for now at 150, but this will likely be reduced further:
https://gitlab.nic.cz/knot/knot-resolver/-/tags/v5.3.1
and is expected to be done by more resolvers.
Since DANE SMTP downgrade-resistance relies critically on the security
of denial-of-existence, but iteration counts above the resolver cap make
denial-of-existence for the entire zone insecure, it is important that
all domains with an NSEC3 iteration count in excess of ~25 proactively
lower their iteration counts (ideally to 0, but otherwise ~10 or less).
A number of TLDs have already done this, and most of the rest will
follow soon.
  TLD            before  after
  ---            ------  -----
  la                150      1
  xn--q7ce6a        150      1
  blue              100     10
  green             100     10
  lat               100     10
  mx                100     10
  pink              100     10
  red               100     10
  schaeffler        100     10
  by                100      3
  creditunion       100      3
  ally              100      1
  autos             100      1
  boats             100      1
  homes             100      1
  motorcycles       100      1
  yachts            100      1
If your DNS zone is configured to use NSEC3, please:
- Reduce the iteration count to 10 or less.
- Disable opt-out, you're very unlikely to need it.
- Either rotate the salt each time you sign, or skip
it entirely. But a short fixed salt is harmless if
leaving it alone is easier than changing it.
Of course, if your zone is small enough (just the zone apex and a
handful of already public or easy to guess names) or in any case has
nothing to hide, even better is to use just plain NSEC. You get smaller
negative replies (less exposure to DoS) and more effective negative
caching at resolvers. So in many cases, it is even simpler to abandon
NSEC3 entirely. Please also consider the pros/cons of that option.
My impression is that this list has a small subscriber base, feel free
to pass this message along...
--
Viktor.
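The NSEC3 hash and the parameter checks recommended in the message above, as an added example (not part of the original post and not any resolver's code). nsec3_hash follows the iterated SHA-1 construction of RFC 5155; audit_nsec3 and its finding labels are hypothetical, with the 25 and 10 thresholds taken from the message, and the sample records are constructed.

```python
import base64
import hashlib

# Thresholds taken from the message above: counts above ~25 risk being treated
# as insecure by resolvers that cap iterations; 10 or less is the stated target.
RISKY_ITERATIONS = 25
RECOMMENDED_MAX_ITERATIONS = 10
OPT_OUT_FLAG = 0x01  # low bit of the NSEC3 flags field (RFC 5155)

# NSEC3 owner labels are base32 in the "extended hex" alphabet.
_B32_TO_B32HEX = bytes.maketrans(
    b"ABCDEFGHIJKLMNOPQRSTUVWXYZ234567",
    b"0123456789ABCDEFGHIJKLMNOPQRSTUV",
)


def wire_name(name):
    """Return the canonical (lower-case) DNS wire form of a domain name."""
    out = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            raw = label.encode("ascii")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"


def nsec3_hash(name, salt_hex, iterations):
    """Hash an owner name: one initial SHA-1, then `iterations` additional ones."""
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):  # each extra round hashes digest || salt
        digest = hashlib.sha1(digest + salt).digest()
    encoded = base64.b32encode(digest).translate(_B32_TO_B32HEX)
    return encoded.decode("ascii").lower()


def audit_nsec3(rdata):
    """Check the leading NSEC3 RDATA fields: '<alg> <flags> <iterations> <salt> ...'."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected at least: alg flags iterations salt")
    alg, flags, iterations = int(fields[0]), int(fields[1]), int(fields[2])
    findings = []
    if alg != 1:  # SHA-1 is the only hash algorithm RFC 5155 defines
        findings.append("unknown-hash-algorithm")
    if iterations > RISKY_ITERATIONS:
        findings.append("iterations-above-25")
    elif iterations > RECOMMENDED_MAX_ITERATIONS:
        findings.append("iterations-above-10")
    if flags & OPT_OUT_FLAG:
        findings.append("opt-out-enabled")
    return findings


if __name__ == "__main__":
    # Constructed sample records, not taken from any real zone.
    samples = {
        "legacy settings": "1 1 150 aabbccdd",
        "moderate": "1 0 12 aabbccdd",
        "recommended": "1 0 0 -",
    }
    for label, rdata in samples.items():
        iterations = int(rdata.split()[2])
        # A validator performs iterations + 1 SHA-1 calls per name it checks.
        print(label, "sha1 calls per name:", iterations + 1,
              "findings:", audit_nsec3(rdata) or "none")
    # Zone parameters of the RFC 5155 example zone: salt aabbccdd, 12 iterations.
    print(nsec3_hash("example", "aabbccdd", 12))
```

Feed audit_nsec3 the RDATA of an NSEC3 record returned in a negative reply for your zone; the opt-out bit appears there rather than in NSEC3PARAM.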
NOTE: When using NSEC3, please make sure your iteration count is
not needlessly large (above ~25). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
Summary: The DANE domain count is now 2,580,510 (up from 2,568,169
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 14,597,373 (up from 14,288,417 last
month). Thus DANE TLSA is deployed on ~17.67% of domains with
DNSSEC.
https://stats.dnssec-tools.org/
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,580,510 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                     Last month
  ----------                     ----------
  1219094 one.com                1219827 one.com
   149627 transip.nl              148553 transip.nl
   148446 argewebhosting.nl       147435 argewebhosting.nl
   106039 infomaniak.ch           104178 domeneshop.no
   104614 domeneshop.no           102904 infomaniak.ch
    99953 webhostingserver.nl      99738 webhostingserver.nl
    93378 loopia.se                92884 loopia.se
    68008 forpsi.com               67647 forpsi.com
    41460 active24.com             41221 active24.com
    40278 webreus.nl               40647 webreus.nl
    38710 pcextreme.nl             39035 pcextreme.nl
    36833 antagonist.nl            36298 antagonist.nl
    34505 zxcs.nl                  33417 zxcs.nl
    29520 vevida.com               29790 vevida.com
    27896 webhosting.dk            27967 webhosting.dk
    26473 web4u.cz                 26531 web4u.cz
    25964 udmedia.de               25882 udmedia.de
    18829 bhosted.nl               18695 bhosted.nl
    17072 protonmail.ch            16210 protonmail.ch
    14579 onebit.cz                14555 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  This month                 Last month
  ----------                 ----------
  8450 TOTAL                 8200 TOTAL
  2555 DE, Germany           2467 DE, Germany
  1628 US, United States     1591 US, United States
  1628 NL, Netherlands       1567 NL, Netherlands
   624 FR, France             632 FR, France
   306 GB, United Kingdom     302 GB, United Kingdom
   229 CZ, Czechia            225 CZ, Czechia
   199 CA, Canada             190 CA, Canada
   150 FI, Finland            144 FI, Finland
   121 SG, Singapore          119 DK, Denmark
   121 DK, Denmark            114 SG, Singapore
    95 SE, Sweden              94 CH, Switzerland
    93 CH, Switzerland         92 SE, Sweden
    77 AU, Australia           71 AU, Australia
    69 AT, Austria             63 AT, Austria
    39 RU, Russia              38 PL, Poland
    39 PL, Poland              37 JP, Japan
    39 BR, Brazil              36 RU, Russia
    38 JP, Japan               36 IE, Ireland
    37 NO, Norway              36 BR, Brazil
    37 IE, Ireland             33 NO, Norway
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6706 TOTAL 6537 TOTAL
3238 NL, Netherlands 3203 NL, Netherlands
1747 DE, Germany 1682 DE, Germany
678 US, United States 641 US, United States
289 FR, France 280 FR, France
144 CZ, Czechia 145 CZ, Czechia
132 GB, United Kingdom 123 GB, United Kingdom
53 CA, Canada 49 CA, Canada
44 CH, Switzerland 44 CH, Switzerland
42 SG, Singapore 42 SE, Sweden
42 AT, Austria 42 AT, Austria
41 SE, Sweden 39 SG, Singapore
25 FI, Finland 26 FI, Finland
23 AU, Australia 23 AU, Australia
21 JP, Japan 21 JP, Japan
20 RU, Russia 17 IE, Ireland
18 DK, Denmark 17 DK, Denmark
17 IE, Ireland 15 NO, Norway
16 NO, Norway 14 BR, Brazil
14 BR, Brazil 13 RU, Russia
11 PL, Poland 10 PL, Poland
There are 6,808 unique zones (6,612 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,010 (14,671 last
month). These cover 15,241 distinct MX hosts (14,882 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 465 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 297
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.58 million domains, 12,913 (12,871 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1801
(1028 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (940 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
468 registrar-servers.com 439 registrar-servers.com
122 movenext.nl 119 movenext.nl
93 ebola.cz 93 ebola.cz
46 axc.nl 46 axc.nl
43 epik.com 45 made-easy.ch
31 mijndomein.nl 39 epik.com
29 made-easy.ch 34 mijndomein.nl
25 tiscomhosting.nl 26 tiscomhosting.nl
18 infracom.nl 22 eatserver.nl
16 eatserver.nl 19 infracom.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
trt1.jus.br
bncr.fi.cr
ofda.gov
mobily.com.sa
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 2,568,169 (up from 2,544,101
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 14,288,417 (up from 13,923,656 last
month). Thus DANE TLSA is deployed on ~17.97% of domains with
DNSSEC.
https://stats.dnssec-tools.org/
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,568,169 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1219827 one.com 1205788 one.com
148553 transip.nl 147619 transip.nl
147435 argewebhosting.nl 146775 argewebhosting.nl
104178 domeneshop.no 103761 domeneshop.no
102904 infomaniak.ch 99912 infomaniak.ch
99738 webhostingserver.nl 99338 webhostingserver.nl
92884 loopia.se 92519 loopia.se
67647 forpsi.com 67146 forpsi.com
41221 active24.com 40970 webreus.nl
40647 webreus.nl 40962 active24.com
39035 pcextreme.nl 39427 pcextreme.nl
36298 antagonist.nl 35906 antagonist.nl
33417 zxcs.nl 32396 zxcs.nl
29790 vevida.com 30001 vevida.com
27967 webhosting.dk 27989 webhosting.dk
26531 web4u.cz 26427 web4u.cz
25882 udmedia.de 25822 udmedia.de
18695 bhosted.nl 18607 bhosted.nl
16210 protonmail.ch 15356 protonmail.ch
14555 onebit.cz 14474 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8200 TOTAL 8033 TOTAL
2467 DE, Germany 2432 DE, Germany
1591 US, United States 1542 US, United States
1567 NL, Netherlands 1524 NL, Netherlands
632 FR, France 635 FR, France
302 GB, United Kingdom 294 GB, United Kingdom
225 CZ, Czechia 221 CZ, Czechia
190 CA, Canada 175 CA, Canada
144 FI, Finland 142 FI, Finland
119 DK, Denmark 120 DK, Denmark
114 SG, Singapore 113 SG, Singapore
94 CH, Switzerland 96 CH, Switzerland
92 SE, Sweden 87 SE, Sweden
71 AU, Australia 69 AU, Australia
63 AT, Austria 66 AT, Austria
38 PL, Poland 37 IN, India
37 JP, Japan 36 PL, Poland
36 RU, Russia 35 IE, Ireland
36 IE, Ireland 35 BR, Brazil
36 BR, Brazil 34 JP, Japan
33 NO, Norway 31 NO, Norway
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6537 TOTAL 6444 TOTAL
3203 NL, Netherlands 3179 NL, Netherlands
1682 DE, Germany 1639 DE, Germany
641 US, United States 618 US, United States
280 FR, France 283 FR, France
145 CZ, Czechia 131 CZ, Czechia
123 GB, United Kingdom 122 GB, United Kingdom
49 CA, Canada 52 CA, Canada
44 CH, Switzerland 43 CH, Switzerland
42 SE, Sweden 43 AT, Austria
42 AT, Austria 40 SG, Singapore
39 SG, Singapore 38 SE, Sweden
26 FI, Finland 26 AU, Australia
23 AU, Australia 22 RU, Russia
21 JP, Japan 20 IE, Ireland
17 IE, Ireland 18 JP, Japan
17 DK, Denmark 18 FI, Finland
15 NO, Norway 18 DK, Denmark
14 BR, Brazil 17 UA, Ukraine
13 RU, Russia 16 NO, Norway
10 PL, Poland 12 BR, Brazil
There are 6,612 unique zones (6,428 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 14,671 (14,448 last
month). These cover 14,882 distinct MX hosts (14,652 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 449 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 283
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.57 million domains, 12,871 (12,995 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1028
(1229 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (940 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
439 registrar-servers.com 405 registrar-servers.com
119 movenext.nl 119 movenext.nl
93 ebola.cz 86 ebola.cz
46 axc.nl 35 criscompinformatika.hu
45 made-easy.ch 33 epik.com
39 epik.com 31 mijndomein.nl
34 mijndomein.nl 25 tiscomhosting.nl
26 tiscomhosting.nl 24 eatserver.nl
22 eatserver.nl 18 cloudflare.com
19 infracom.nl 17 infracom.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Six of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
bncr.fi.cr
ofda.gov
ticketspy.nl
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 2,544,101 (up from 2,522,820
last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 13,923,656 (up from 13,559,686 last
month). Thus DANE TLSA is deployed on ~18.27% of domains with
DNSSEC.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, but some X3-issued certificates are not yet
expired, and will soon be renewed via R3. Take proactive steps
to avoid mail delivery issues:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,544,101 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1205788 one.com 1,197,409 one.com
147619 transip.nl 146,757 transip.nl
146775 argewebhosting.nl 146,041 argewebhosting.nl
103761 domeneshop.no 103,374 domeneshop.no
99912 infomaniak.ch 98,861 webhostingserver.nl
99338 webhostingserver.nl 96,166 infomaniak.ch
92519 loopia.se 92,051 loopia.se
67146 forpsi.com 66,772 forpsi.com
40970 webreus.nl 41,264 webreus.nl
40962 active24.com 40,642 active24.com
39427 pcextreme.nl 39,895 pcextreme.nl
35906 antagonist.nl 35,523 antagonist.nl
32396 zxcs.nl 31,194 zxcs.nl
30001 vevida.com 30,096 vevida.com
27989 webhosting.dk 27,456 webhosting.dk
26427 web4u.cz 26,566 web4u.cz
25822 udmedia.de 25,718 udmedia.de
18607 bhosted.nl 18,487 bhosted.nl
15356 protonmail.ch 14,530 protonmail.ch
14474 onebit.cz 14,434 onebit.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8033 TOTAL 7,799 TOTAL
2432 DE, Germany 2,390 DE, Germany
1542 US, United States 1,497 US, United States
1524 NL, Netherlands 1,437 NL, Netherlands
635 FR, France 637 FR, France
294 GB, United Kingdom 279 GB, United Kingdom
221 CZ, Czechia 227 CZ, Czechia
175 CA, Canada 170 CA, Canada
142 FI, Finland 123 FI, Finland
120 DK, Denmark 113 DK, Denmark
113 SG, Singapore 109 SG, Singapore
96 CH, Switzerland 99 CH, Switzerland
87 SE, Sweden 88 SE, Sweden
69 AU, Australia 63 AU, Australia
66 AT, Austria 62 AT, Austria
37 IN, India 42 IE, Ireland
36 PL, Poland 40 BR, Brazil
35 IE, Ireland 38 IN, India
35 BR, Brazil 34 JP, Japan
34 JP, Japan 33 PL, Poland
31 NO, Norway 30 RU, Russia
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6444 TOTAL 6,378 TOTAL
3179 NL, Netherlands 3,183 NL, Netherlands
1639 DE, Germany 1,587 DE, Germany
618 US, United States 606 US, United States
283 FR, France 287 FR, France
131 CZ, Czechia 136 CZ, Czechia
122 GB, United Kingdom 112 GB, United Kingdom
52 CA, Canada 48 CA, Canada
43 CH, Switzerland 44 CH, Switzerland
43 AT, Austria 42 AT, Austria
40 SG, Singapore 38 SG, Singapore
38 SE, Sweden 36 SE, Sweden
26 AU, Australia 27 RU, Russia
22 RU, Russia 22 IE, Ireland
20 IE, Ireland 19 UA, Ukraine
18 JP, Japan 19 JP, Japan
18 FI, Finland 18 AU, Australia
18 DK, Denmark 17 NO, Norway
17 UA, Ukraine 17 FI, Finland
16 NO, Norway 17 DK, Denmark
12 BR, Brazil 14 BR, Brazil
There are 6,428 unique zones (6,291 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 14,448 (14,130 last
month). These cover 14,652 distinct[3] MX hosts (14,328 last month,
some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 423 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 260
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.54 million domains, 12,995 (13,070 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1229
(1155 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 940 (1491 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
405 registrar-servers.com 325 registrar-servers.com
119 movenext.nl 116 movenext.nl
86 ebola.cz 86 ebola.cz
35 criscompinformatika.hu 25 tiscomhosting.nl
33 epik.com 24 epik.com
31 mijndomein.nl 23 eatserver.nl
25 tiscomhosting.nl 17 infracom.nl
24 eatserver.nl 14 ns01.nl
18 cloudflare.com 12 renault.fr
17 infracom.nl 11 nrdns.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
trtrj.jus.br
bncr.fi.cr
ofda.gov
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
[3] Some significant de-duplication of MX hosts has become necessary
recently, as a result of providers using the same IP address and TLSA
RRset under multiple per-customer names. Ideally, they'd reduce the
complexity of the deployment by migrating to a common MX hostname, but
for now this makes the numbers no longer directly comparable to values
prior to 2020-12.
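Added example, not part of the original posts and not the survey's own code: one way to act on the advice above to monitor your own TLSA records and to drop hashes of retired issuers. It compares a TLSA RRset with the certificate chain an MX host presents. The function names are hypothetical, the certificates are constructed DER skeletons (correct field layout, no real keys or signatures), and DNSSEC validation and fetching the chain over STARTTLS are assumed to happen elsewhere.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV (used only to build the constructed sample certs)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    size = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(size)]) + size + content

def read_tlv(buf, off):
    """Return (tag, value_start, end) of the TLV at off; definite lengths only."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:
        start, length = off + 2, first
    else:
        n = first & 0x7F
        if n == 0 or off + 2 + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        start = off + 2 + n
        length = int.from_bytes(buf[off + 2:start], "big")
    if start + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, start, start + length

def spki_of(cert_der):
    """Return the complete SubjectPublicKeyInfo TLV of an X.509 certificate."""
    tag, start, _ = read_tlv(cert_der, 0)            # Certificate
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, off, _ = read_tlv(cert_der, start)          # TBSCertificate
    if tag != 0x30:
        raise ValueError("bad TBSCertificate")
    tag, _, nxt = read_tlv(cert_der, off)
    if tag == 0xA0:                                  # optional [0] version
        off = nxt
    for _ in range(5):  # serialNumber, signature, issuer, validity, subject
        _, _, off = read_tlv(cert_der, off)
    tag, _, end = read_tlv(cert_der, off)
    if tag != 0x30:
        raise ValueError("bad SubjectPublicKeyInfo")
    return cert_der[off:end]

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data for selector 0/1 and matching type 0/1/2."""
    blob = cert_der if selector == 0 else spki_of(cert_der)
    if mtype == 0:
        return blob
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], blob).digest()

def tlsa_record(usage, selector, mtype, cert_der):
    """Presentation-format RDATA you would publish for this certificate."""
    return f"{usage} {selector} {mtype} {tlsa_data(cert_der, selector, mtype).hex()}"

def check_rrset(rrset, chain):
    """Sort TLSA records into matched / unmatched / unusable for this chain.

    chain[0] is the leaf, the rest are issuer certificates as sent by the
    server. Simplification: usage 3 is compared with the leaf only and
    usage 2 with the non-leaf certificates only. Usages 0 and 1 are
    treated as unusable for SMTP (assumption based on RFC 7672).
    """
    report = {"matched": [], "unmatched": [], "unusable": []}
    for rdata in rrset:
        try:
            usage, selector, mtype, *hexdata = rdata.split()
            usage, selector, mtype = int(usage), int(selector), int(mtype)
            data = bytes.fromhex("".join(hexdata))
        except ValueError:                           # not well-formed
            report["unusable"].append(rdata)
            continue
        if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            report["unusable"].append(rdata)
            continue
        candidates = chain[:1] if usage == 3 else chain[1:]
        hit = any(tlsa_data(c, selector, mtype) == data for c in candidates)
        report["matched" if hit else "unmatched"].append(rdata)
    # Delivery works if at least one record matches. Unmatched records are
    # either a pre-published next key or a leftover (e.g. a retired issuer).
    report["ok"] = bool(report["matched"])
    return report

def sample_cert(subject, key):
    """Constructed certificate skeleton: right layout, dummy contents."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x03")) + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") + der(0x30, der(0x0C, b"constructed issuer"))
              + der(0x30, b"") + der(0x30, der(0x0C, subject)) + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

# Constructed sample data (200-byte dummy keys exercise long-form lengths).
LEAF = sample_cert(b"mx.example", b"\x01" * 200)
ISSUER = sample_cert(b"Current CA", b"\x02" * 200)
RETIRED_CA = sample_cert(b"Retired CA", b"\x03" * 200)
RRSET = [tlsa_record(3, 1, 1, LEAF), tlsa_record(2, 1, 1, ISSUER),
         tlsa_record(2, 1, 1, RETIRED_CA), "1 0 1 " + "00" * 32, "3 1 1 zz"]

if __name__ == "__main__":
    for state, records in check_rrset(RRSET, [LEAF, ISSUER]).items():
        print(state, records)
```

Run a check like this before deploying a new key or certificate as well as on a schedule: an RRset whose only matches would disappear after the change needs the new record published first.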
Summary: The DANE domain count is now 2,522,820 (up from 2,351,764
last month and 1,734,012 this time last year).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 13,559,686 (up from 13,221,772 last
month and 10,715,677 this time last year). Thus DANE TLSA is
deployed on ~18.60% of domains with DNSSEC.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, but some X3-issued certificates are not yet
expired, and will soon be renewed via R3. Take proactive
steps to avoid mail delivery issues:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,522,820 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month                      Last Month                      Last year
----------                      ----------                      ---------
1,197,409 one.com               1,131,984 one.com               1,019,882 one.com
  146,757 transip.nl              145,526 transip.nl              132,965 transip.nl
  146,041 argewebhosting.nl       145,371 argewebhosting.nl        99,844 domeneshop.no
  103,374 domeneshop.no           103,043 domeneshop.no            88,024 loopia.se
   98,861 webhostingserver.nl      93,223 infomaniak.ch            37,425 active24.com
   96,166 infomaniak.ch            91,856 loopia.se                31,555 vevida.com
   92,051 loopia.se                66,281 forpsi.com               29,476 antagonist.nl
   66,772 forpsi.com               41,628 webreus.nl               26,738 web4u.cz
   41,264 webreus.nl               40,442 active24.com             24,646 udmedia.de
   40,642 active24.com             40,363 pcextreme.nl             18,342 zxcs.nl
   39,895 pcextreme.nl             34,985 antagonist.nl            17,227 bhosted.nl
   35,523 antagonist.nl            30,298 zxcs.nl                  15,468 flexfilter.nl
   31,194 zxcs.nl                  30,200 vevida.com               13,505 onebit.cz
   30,096 vevida.com               29,937 webhostingserver.nl       8,765 protonmail.ch
   27,456 webhosting.dk            26,412 web4u.cz                  5,886 netzone.ch
   26,566 web4u.cz                 25,722 udmedia.de                5,632 previder.nl
   25,718 udmedia.de               18,438 bhosted.nl                4,707 mailplatform.eu
   18,487 bhosted.nl               14,501 flexfilter.nl             4,116 soverin.net
   14,530 protonmail.ch            14,340 onebit.cz                 3,548 ips.nl
   14,434 onebit.cz                13,807 protonmail.ch             3,239 zonemx.eu
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                Last month                Last year
----------                ----------                ---------
7,799 TOTAL               7,559 TOTAL               6,015 TOTAL
2,390 DE, Germany         2,386 DE, Germany         1,998 DE, Germany
1,497 US, United States   1,465 US, United States   1,209 US, United States
1,437 NL, Netherlands     1,261 NL, Netherlands       892 NL, Netherlands
  637 FR, France            624 FR, France            480 FR, France
  279 GB, United Kingdom    293 GB, United Kingdom    229 GB, United Kingdom
  227 CZ, Czechia           236 CZ, Czechia           194 CZ, Czechia
  170 CA, Canada            166 CA, Canada            128 CA, Canada
  123 FI, Finland           113 FI, Finland            82 CH, Switzerland
  113 DK, Denmark           111 SG, Singapore          79 SG, Singapore
  109 SG, Singapore          99 CH, Switzerland        74 SE, Sweden
   99 CH, Switzerland        90 SE, Sweden             67 DK, Denmark
   88 SE, Sweden             79 DK, Denmark            54 FI, Finland
   63 AU, Australia          60 AU, Australia          46 IE, Ireland
   62 AT, Austria            51 AT, Austria            45 AT, Austria
   42 IE, Ireland            45 IE, Ireland            38 PL, Poland
   40 BR, Brazil             39 IN, India              38 JP, Japan
   38 IN, India              39 BR, Brazil             38 AU, Australia
   34 JP, Japan              37 RU, Russia             30 RU, Russia
   33 PL, Poland             37 PL, Poland             26 BR, Brazil
   30 RU, Russia             35 JP, Japan              24 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                Last month                Last year
----------                ----------                ---------
6,378 TOTAL               4,384 TOTAL               3,103 TOTAL
3,183 NL, Netherlands     1,577 DE, Germany         1,275 DE, Germany
1,587 DE, Germany         1,215 NL, Netherlands       540 US, United States
  606 US, United States     598 US, United States     463 NL, Netherlands
  287 FR, France            289 FR, France            261 FR, France
  136 CZ, Czechia           133 CZ, Czechia           105 CZ, Czechia
  112 GB, United Kingdom    113 GB, United Kingdom     90 GB, United Kingdom
   48 CA, Canada             45 SE, Sweden             41 SE, Sweden
   44 CH, Switzerland        45 CH, Switzerland        33 SG, Singapore
   42 AT, Austria            45 CA, Canada             30 CH, Switzerland
   38 SG, Singapore          39 SG, Singapore          28 JP, Japan
   36 SE, Sweden             36 AT, Austria            28 CA, Canada
   27 RU, Russia             22 RU, Russia             24 AT, Austria
   22 IE, Ireland            22 IE, Ireland            18 IE, Ireland
   19 UA, Ukraine            19 JP, Japan              17 RU, Russia
   19 JP, Japan              18 FI, Finland            15 DK, Denmark
   18 AU, Australia          16 NO, Norway             14 SI, Slovenia
   17 NO, Norway             15 BR, Brazil             13 NO, Norway
   17 FI, Finland            15 AU, Australia          13 ID, Indonesia
   17 DK, Denmark            14 DK, Denmark            12 FI, Finland
   14 BR, Brazil             10 UA, Ukraine            12 BR, Brazil
There are 6,291 unique zones in which the underlying MX hosts are found;
this counts each of the above providers as just one zone, so is a
measure of the breadth of adoption in terms of organizations deploying
DANE SMTP.
The number of published MX host TLSA RRsets found is 14,130. These
cover 14,328 distinct[3] MX hosts (some MX hosts share the same TLSA
records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 420 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 262
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.52 million domains, 13,070 (13,189 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1155
(817 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real"
email domains with bad DNSSEC support stands at 940 (1491 last month). The
top 10 name server operators with problem domains are:
This Month                 Last month                 Last year
----------                 ----------                 ---------
325 registrar-servers.com  425 registrar-servers.com  347 registrar-servers.com
116 movenext.nl            406 axc.nl                 221 mijnhostingpartner.nl
 86 ebola.cz               107 movenext.nl             95 egensajt.se
 25 tiscomhosting.nl        89 ebola.cz                62 movenext.nl
 24 epik.com                25 tiscomhosting.nl        59 eurodns.com
 23 eatserver.nl            25 mijndomein.nl           47 metaregistrar.nl
 17 infracom.nl             24 eatserver.nl            32 tiscomhosting.nl
 14 ns01.nl                 22 epik.com                29 nrdns.nl
 12 renault.fr              17 infracom.nl             26 hostnet.nl
 11 nrdns.nl                15 cloudflare.com          24 ebola.cz
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Six of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
bncr.fi.cr
ofda.gov
mobily.com.sa
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
[3] Some significant de-duplication of MX hosts has become necessary
recently, as a result of providers using the same IP address and TLSA
RRset under multiple per-customer names. Ideally, they'd reduce the
complexity of the deployment by migrating to a common MX hostname, but
for now this makes the numbers no longer directly comparable to previous
values.
06 Dec '20
Please note that the Let's Encrypt intermediate CA certificate "X3" will soon be
phased out in favour of "R3" and "E1" which have new keys, and so any DANE TLSA
"2 1 1" records matching "X3" will not match "R3" or "E1".
https://letsencrypt.org/2020/09/17/new-root-and-intermediates.html
If you are using Let's Encrypt with DANE-TA(2) [issuer CA] TLSA records, any extant
"2 1 1" records need to be augmented soon with additional records matching the new
"R3" and "E1", in advance of these reissuing your certificates.
Failure to act in time is likely to result in an outage once renewals switch to
signing via "R3" or "E1".
Links to the actual certificates can be found at:
https://letsencrypt.org/certificates/
https://letsencrypt.org/certs/lets-encrypt-r3.pem
https://letsencrypt.org/certs/lets-encrypt-e1.pem
The "2 1 1" digests of "R3" and "E1" are (but don't take my word for it,
re-compute these for yourself):
; $ tlsagen lets-encrypt-r3.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 8D02536C887482BC34FF54E41D2BA659BF85B341A0A20AFADB5813DCFBCF286D
; $ tlsagen lets-encrypt-e1.pem smtp.example.org 2 1 1
;
_25._tcp.smtp.example.org. IN TLSA 2 1 1 276FE8A8C4EC7611565BF9FCE6DCACE9BE320C1B5BEA27596B2204071ED04F10
The above were computed with the attached "tlsagen" script, but it is
prudent to also check with tools from other sources; this email message
could well have been a forgery (I hope your copy matches what I sent).
--
Viktor.
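The rollover described in the message above, as an added example (it is not the attached "tlsagen" script and not code from the list): a "2 1 1" value is the SHA-256 digest of the issuer certificate's DER SubjectPublicKeyInfo, so a record pinned to the old issuer stops matching once the chain is signed by a CA with a new key. The function names and the toy certificates are assumptions of this sketch; the certificates are constructed DER structures standing in for an old and a new issuer, not the real X3, R3 or E1.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV; used here only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + content

def elements(buf, pos):
    """Yield (tag, start, end) for each element inside the SEQUENCE at pos."""
    def header(p):
        first = buf[p + 1]
        if first < 0x80:
            return 2, first
        n = first & 0x7F
        return 2 + n, int.from_bytes(buf[p + 2:p + 2 + n], "big")
    if buf[pos] != 0x30:
        raise ValueError("expected a DER SEQUENCE")
    hdr, length = header(pos)
    cur, end = pos + hdr, pos + hdr + length
    while cur < end:
        h, l = header(cur)
        yield buf[cur], cur, cur + h + l
        cur += h + l

def spki(cert_der):
    """Return the complete DER SubjectPublicKeyInfo, the selector 1 input."""
    _, tbs_start, _ = next(elements(cert_der, 0))
    fields = list(elements(cert_der, tbs_start))
    # Optional [0] version, then serial, signature, issuer, validity, subject, SPKI.
    index = 6 if fields[0][0] == 0xA0 else 5
    _, start, end = fields[index]
    return cert_der[start:end]

def tlsa_data(cert_der, selector, mtype):
    """Certificate association data as upper-case hex (RFC 6698 fields)."""
    data = cert_der if selector == 0 else spki(cert_der)
    if mtype == 0:
        return data.hex().upper()
    return {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).hexdigest().upper()

def matching_records(rrset, chain):
    """rrset: [(usage, selector, mtype, hex)]; chain: DER certs, leaf first."""
    # Sketch simplification: DANE-EE(3) is compared with the leaf, DANE-TA(2)
    # with the issuer certificates after it; usages 0 and 1 are ignored.
    hits = []
    for usage, selector, mtype, value in rrset:
        candidates = chain[:1] if usage == 3 else chain[1:] if usage == 2 else []
        if any(tlsa_data(c, selector, mtype) == value.upper() for c in candidates):
            hits.append((usage, selector, mtype, value))
    return hits

# Constructed sample data: toy DER structures, not real certificates.
ALG = der(0x30, der(0x06, bytes.fromhex("2a864886f70d01010b")) + der(0x05, b""))
def toy_cert(subject, key_bytes):
    def name(cn):
        return der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn))))
    key = der(0x30, ALG + der(0x03, b"\x00" + key_bytes))
    validity = der(0x30, der(0x17, b"200101000000Z") + der(0x17, b"300101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + ALG
              + name(b"toy issuer") + validity + name(subject) + key)
    return der(0x30, tbs + ALG + der(0x03, b"\x00" * 33))

OLD_CA = toy_cert(b"old issuer", b"old-key!" * 40)
NEW_CA = toy_cert(b"new issuer", b"new-key!" * 40)
LEAF = toy_cert(b"smtp.example.org", b"leaf-key" * 40)
PINNED_OLD = [(2, 1, 1, tlsa_data(OLD_CA, 1, 1))]
AUGMENTED = PINNED_OLD + [(2, 1, 1, tlsa_data(NEW_CA, 1, 1))]

if __name__ == "__main__":
    for pins, ca in ((PINNED_OLD, OLD_CA), (PINNED_OLD, NEW_CA), (AUGMENTED, NEW_CA)):
        print(len(pins), "pinned ->", len(matching_records(pins, [LEAF, ca])), "match")
```

For a real PEM file, convert it with `ssl.PEM_cert_to_DER_cert()` from the standard library and pass the result to `tlsa_data(cert_der, 1, 1)`; compare the output with a second, independent tool before publishing it.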
Summary: The DANE domain count is now 2,351,764 (up from 2,312,209 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 13,221,772 (up from 12,951,015 last
month). Thus DANE TLSA is deployed on ~17.78% of domains with
DNSSEC.
Please be mindful of the upcoming Let's Encrypt Issuer
CA switch from X3/X4 to R3/R4 and E1/E2. See:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,351,764 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month                      Last Month
----------                      ----------
1,131,984 one.com               1,135,322 one.com
  145,526 transip.nl              147,497 argewebhosting.nl
  145,371 argewebhosting.nl       144,505 transip.nl
  103,043 domeneshop.no           102,517 domeneshop.no
   93,223 infomaniak.ch            91,246 loopia.se
   91,856 loopia.se                90,381 infomaniak.ch
   66,281 forpsi.com               65,843 forpsi.com
   41,628 webreus.nl               41,983 webreus.nl
   40,442 active24.com             40,816 pcextreme.nl
   40,363 pcextreme.nl             40,094 active24.com
   34,985 antagonist.nl            34,527 antagonist.nl
   30,298 zxcs.nl                  30,427 vevida.com
   30,200 vevida.com               29,638 zxcs.nl
   29,937 webhostingserver.nl      26,515 web4u.cz
   26,412 web4u.cz                 25,522 udmedia.de
   25,722 udmedia.de               18,409 bhosted.nl
   18,438 bhosted.nl               14,660 flexfilter.nl
   14,501 flexfilter.nl            14,272 onebit.cz
   14,340 onebit.cz                13,133 protonmail.ch
   13,807 protonmail.ch             8,151 zonemx.eu
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                Last Month
----------                ----------
7,559 TOTAL               7,347 TOTAL
2,386 DE, Germany         2,332 DE, Germany
1,465 US, United States   1,439 US, United States
1,261 NL, Netherlands     1,175 NL, Netherlands
  624 FR, France            602 FR, France
  293 GB, United Kingdom    289 GB, United Kingdom
  236 CZ, Czechia           233 CZ, Czechia
  166 CA, Canada            170 CA, Canada
  113 FI, Finland           112 FI, Finland
  111 SG, Singapore         108 SG, Singapore
   99 CH, Switzerland       102 CH, Switzerland
   90 SE, Sweden             90 SE, Sweden
   79 DK, Denmark            76 DK, Denmark
   60 AU, Australia          56 AU, Australia
   51 AT, Austria            50 AT, Austria
   45 IE, Ireland            46 IE, Ireland
   39 IN, India              39 IN, India
   39 BR, Brazil             37 JP, Japan
   37 RU, Russia             36 BR, Brazil
   37 PL, Poland             35 RU, Russia
   35 JP, Japan              34 PL, Poland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This Month                Last month
----------                ----------
4,384 TOTAL               3,786 TOTAL
1,577 DE, Germany         1,549 DE, Germany
1,215 NL, Netherlands       628 NL, Netherlands
  598 US, United States     595 US, United States
  289 FR, France            280 FR, France
  133 CZ, Czechia           139 CZ, Czechia
  113 GB, United Kingdom    113 GB, United Kingdom
   45 SE, Sweden             49 RU, Russia
   45 CH, Switzerland        49 CH, Switzerland
   45 CA, Canada             43 CA, Canada
   39 SG, Singapore          38 SG, Singapore
   36 AT, Austria            36 SE, Sweden
   22 RU, Russia             32 AT, Austria
   22 IE, Ireland            21 IE, Ireland
   19 JP, Japan              20 JP, Japan
   18 FI, Finland            16 NO, Norway
   16 NO, Norway             16 FI, Finland
   15 BR, Brazil             16 DK, Denmark
   15 AU, Australia          16 AU, Australia
   14 DK, Denmark            14 LV, Latvia
   10 UA, Ukraine            14 BR, Brazil
There are 6,721 (6,457 last month) unique zones in which the underlying
MX hosts are found; this counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 11,089 (9,296 last
month). These cover 11,288 (10,622 last month) distinct MX hosts (some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 409 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 257
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.35 million domains, 13,189 (13,253 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 817
(771 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real"
email domains with bad DNSSEC support stands at 1491 (1431 last month). The
top 15 name server operators with problem domains are:
This Month                 Last month
----------                 ----------
425 registrar-servers.com  412 registrar-servers.com
406 axc.nl                 385 axc.nl
107 movenext.nl            107 movenext.nl
 89 ebola.cz                85 ebola.cz
 25 tiscomhosting.nl        25 tiscomhosting.nl
 25 mijndomein.nl           25 eatserver.nl
 24 eatserver.nl            20 epik.com
 22 epik.com                18 metaregistrar.nl
 17 infracom.nl             18 infracom.nl
 15 cloudflare.com          14 cloudflare.com
 13 ns01.nl                 12 ns01.nl
 11 nrdns.nl                12 nrdns.nl
 11 iterik.nu               11 sylconia.net
 11 accenture.com           11 iterik.nu
 10 sylconia.net            10 mobi-net.ch
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Seven of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
trtrj.jus.br
accenturealumni.com
bncr.fi.cr
ofda.gov
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports: