dane-users
Summary: The DANE domain count is now 3,733,547 (c.f. 3,720,888 last
month and 2,998,143 this time last year).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 20,675,170 (up from 20,310,165 last
month and 17,263,168 this time last year). Thus DANE TLSA is
deployed on ~18.05% of domains with DNSSEC. For more stats,
see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.73 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                   Last Month                   Last Year
----------                   ----------                   ----------
1214177 one.com              1214759 one.com              1214915 one.com
 286784 hostpoint.ch          285701 hostpoint.ch          273907 hostpoint.ch
 195060 infomaniak.ch         194398 infomaniak.ch         156065 infomaniak.ch
 182438 mijndomein.nl         185672 mijndomein.nl         155803 transip.nl
 166314 transip.nl            165714 transip.nl            150793 argewebhosting.nl
 154096 argewebhosting.nl     155508 argewebhosting.nl     106219 domeneshop.no
 134199 simply.com            124416 simply.com             97607 webhostingserver.nl
 118030 jouwweb.nl            114928 jouwweb.nl             95145 loopia.se
 111945 hostnet.nl            112051 hostnet.nl             72612 forpsi.com
 108682 domeneshop.no         108214 domeneshop.no          50892 zxcs.nl
 104887 loopia.se             105216 loopia.se              46657 active24.com
  94600 webhostingserver.nl    95288 webhostingserver.nl    41634 webreus.nl
  79127 forpsi.com             78911 forpsi.com             38388 antagonist.nl
  67139 zxcs.nl                66428 zxcs.nl                36106 pcextreme.nl
  46886 active24.com           47492 active24.com           27209 udmedia.de
  39610 webreus.nl             39822 webreus.nl             27073 vevida.com
  39483 antagonist.nl          39658 antagonist.nl          26765 webhosting.dk
  34977 protonmail.ch          33391 pcextreme.nl           26430 web4u.cz
  32983 pcextreme.nl           33350 protonmail.ch          23331 hosting2go.nl
  29297 xel.nl                 29153 xel.nl                 22745 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                Last month                Last Year
----------                ----------                ----------
10595 TOTAL               10447 TOTAL                9262 TOTAL
 3209 DE, Germany          3145 DE, Germany          2704 DE, Germany
 1891 NL, Netherlands      1900 NL, Netherlands      1785 NL, Netherlands
 1833 US, United States    1791 US, United States    1723 US, United States
  799 FR, France            779 FR, France            674 FR, France
  388 CZ, Czechia           372 GB, United Kingdom    338 GB, United Kingdom
  362 GB, United Kingdom    369 CZ, Czechia           275 CZ, Czechia
  235 FI, Finland           233 FI, Finland           202 FI, Finland
  221 CA, Canada            229 CA, Canada            199 CA, Canada
  153 AT, Austria           153 AT, Austria           132 DK, Denmark
  135 SE, Sweden            131 SE, Sweden            132 AT, Austria
  134 CH, Switzerland       131 DK, Denmark           114 SG, Singapore
  132 DK, Denmark           128 CH, Switzerland       113 CH, Switzerland
  122 SG, Singapore         127 SG, Singapore          99 SE, Sweden
  120 AU, Australia         123 AU, Australia          99 AU, Australia
   72 PL, Poland             68 PL, Poland             54 PL, Poland
   58 JP, Japan              57 RU, Russia             46 RU, Russia
   57 RU, Russia             57 JP, Japan              42 IE, Ireland
   47 NO, Norway             46 NO, Norway             41 NO, Norway
   42 BR, Brazil             41 IE, Ireland            39 JP, Japan
   38 IE, Ireland            41 BR, Brazil             37 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                Last month                Last Year
----------                ----------                ----------
 8339 TOTAL                8246 TOTAL                7177 TOTAL
 3666 NL, Netherlands      3650 NL, Netherlands      3323 NL, Netherlands
 2330 DE, Germany          2334 DE, Germany          1926 DE, Germany
  860 US, United States     837 US, United States     759 US, United States
  406 FR, France            359 FR, France            288 FR, France
  175 CZ, Czechia           172 GB, United Kingdom    164 CZ, Czechia
  162 GB, United Kingdom    166 CZ, Czechia           144 GB, United Kingdom
   77 CA, Canada             81 CA, Canada             82 FI, Finland
   74 FI, Finland            75 FI, Finland            60 CA, Canada
   67 AU, Australia          66 AU, Australia          44 CH, Switzerland
   64 CH, Switzerland        62 CH, Switzerland        43 SE, Sweden
   56 SE, Sweden             56 SE, Sweden             42 AU, Australia
   54 AT, Austria            45 SG, Singapore          40 SG, Singapore
   44 SG, Singapore          40 AT, Austria            32 AT, Austria
   36 JP, Japan              34 JP, Japan              28 JP, Japan
   23 EE, Estonia            21 IE, Ireland            23 IE, Ireland
   21 NO, Norway             21 DK, Denmark            18 NO, Norway
   21 IE, Ireland            20 RU, Russia             16 BR, Brazil
   21 DK, Denmark            20 NO, Norway             15 DK, Denmark
   17 BR, Brazil             19 BR, Brazil             12 IN, India
   15 LT, Lithuania          16 LT, Lithuania          11 PL, Poland
There are 9,144 unique zones (8,914 last month and 7,482 this time last
year) in which the underlying MX hosts are found. This counts each of
the above providers as just one zone, so is a measure of the breadth of
adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 19,380 (18,619 last
month and 16,403 this time last year). These cover 19,675 distinct MX
hosts (18,915 last month and 16,670 this time last year, some MX hosts
share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 841 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 525
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.73 million DANE domains, 13,107 (13,265 last month and 12,621
this time last year) have "partial" TLSA records, that cover only a
subset of the (secondary) MX hosts. While this protects traffic to some
of the MX hosts, such domains are still vulnerable to the usual active
attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,320
(1,507 last month and 1,225 this time last year). Some of these have
additional MX hosts that don't have broken TLSA records, so mail can
still arrive via the remaining MX hosts. The affected domain counts for
the top 10 problem MX hosts are:
103 mail.blueconsulting.cz
37 mx1.mdbraber.com
33 mx1.synetcon.net
30 mail.behindthemars.de
20 mx1.logging.ch
18 semark.dk
17 mx1.traxion.com
17 mx01.xworks.net
16 mail.odissee.net
15 artemis.strebsjig.net
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
This Month           Last month
----------           ----------
148 swizzonic.ch     115 worldnic.com
134 worldnic.com     114 axc.nl
106 epik.com          81 epik.com
 95 axc.nl            73 ebola.cz
 73 ebola.cz          64 openprovider.nl
 61 openprovider.nl   32 active24.cz
 29 made-easy.ch      29 made-easy.ch
 20 register.com      18 sectigoweb.com
 18 sectigoweb.com    15 netcup.net
 12 ispapi.net        12 ispapi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just two of the domains all whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
calyxinstitute.org
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
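An added illustration of the monitoring and key-rotation advice in the report above (not code from the post or from any tool it links to): it checks DANE-EE TLSA records against a served certificate and shows why a 3 0 1 record stops matching when a certificate is renewed with the same key, while 3 1 1 keeps matching until the key itself changes. The certificates are constructed, unsigned DER blobs and every function name is hypothetical; DANE-TA (usage 2) records are not evaluated.

```python
import hashlib

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def spki_from_cert(der_cert):
    """Slice the DER SubjectPublicKeyInfo out of an X.509 certificate."""
    _, pos, _ = read_tlv(der_cert, 0)       # Certificate SEQUENCE
    _, pos, _ = read_tlv(der_cert, pos)     # tbsCertificate SEQUENCE
    tag, _, end = read_tlv(der_cert, pos)
    if tag == 0xA0:                         # optional [0] version
        pos = end
    for _field in range(5):                 # serial, sigalg, issuer, validity, subject
        _, _, pos = read_tlv(der_cert, pos)
    _, _, end = read_tlv(der_cert, pos)
    return der_cert[pos:end]

def tlsa_data(der_cert, selector, mtype):
    """Certificate association data: selector 0=full cert, 1=SPKI;
    matching type 0=exact, 1=SHA-256, 2=SHA-512."""
    obj = der_cert if selector == 0 else spki_from_cert(der_cert)
    if mtype == 0:
        return obj
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], obj).digest()

def matches(rr, der_cert):
    usage, selector, mtype, hexdata = rr
    if usage != 3 or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False                        # only DANE-EE(3) is evaluated here
    return tlsa_data(der_cert, selector, mtype) == bytes.fromhex(hexdata)

def check_rrset(rrset, live_cert, next_cert=None):
    """Compare a TLSA RRset with the certificate being served and, optionally,
    with the certificate that is about to be deployed."""
    if not any(matches(rr, live_cert) for rr in rrset):
        return "FAIL: no TLSA record matches the certificate being served"
    if next_cert is not None and not any(matches(rr, next_cert) for rr in rrset):
        return "WARN: next certificate is not yet covered by a published TLSA record"
    return "OK"

# ---- CONSTRUCTED sample data (certificate-shaped DER, not real certificates) ----
def der(tag, content):
    assert len(content) < 0x80              # short-form lengths suffice for the samples
    return bytes([tag, len(content)]) + content

def sample_cert(serial, key):
    alg = der(0x30, der(0x06, b"\x2a\x03"))             # placeholder OID
    spki = der(0x30, alg + der(0x03, b"\x00" + key))
    empty = der(0x30, b"")                              # empty issuer/validity/subject
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, bytes([serial]))
              + alg + empty + empty + empty + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" + bytes([serial]) * 4))

KEY_A, KEY_B = b"\x11" * 32, b"\x22" * 32
OLD = sample_cert(1, KEY_A)        # certificate the TLSA records were made from
RENEWED = sample_cert(2, KEY_A)    # reissued certificate, same key pair
ROTATED = sample_cert(3, KEY_B)    # reissued certificate, new key pair

RR_301 = [(3, 0, 1, tlsa_data(OLD, 0, 1).hex())]                 # digest of whole cert
RR_311 = [(3, 1, 1, tlsa_data(OLD, 1, 1).hex())]                 # digest of public key
RR_BOTH = RR_311 + [(3, 1, 1, tlsa_data(ROTATED, 1, 1).hex())]   # current + next key

if __name__ == "__main__":
    for label, rrset in (("3 0 1", RR_301), ("3 1 1", RR_311),
                         ("3 1 1 current+next", RR_BOTH)):
        print(label, "| renewed, same key:", check_rrset(rrset, RENEWED),
              "| after key change:", check_rrset(rrset, ROTATED))
```

Passing the certificate that is about to be deployed as `next_cert` turns a missing "next key" record into a warning before the switch rather than a delivery failure after it.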
Summary: The DANE domain count is now 3,720,888 (c.f. 3,701,200 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 20,310,165 (up from 20,041,659 last
month). Thus DANE TLSA is deployed on ~18.32% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.72 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                   Last Month
----------                   ----------
1214759 one.com              1224541 one.com
 285701 hostpoint.ch          284142 hostpoint.ch
 194398 infomaniak.ch         194132 infomaniak.ch
 185672 mijndomein.nl         186459 mijndomein.nl
 165714 transip.nl            164902 transip.nl
 155508 argewebhosting.nl     154681 argewebhosting.nl
 124416 simply.com            126469 simply.com
 114928 jouwweb.nl            112645 jouwweb.nl
 112051 hostnet.nl            111958 hostnet.nl
 108214 domeneshop.no         108448 domeneshop.no
 105216 loopia.se             104708 loopia.se
  95288 webhostingserver.nl    93613 webhostingserver.nl
  78911 forpsi.com             78681 forpsi.com
  66428 zxcs.nl                65510 zxcs.nl
  47492 active24.com           47461 active24.com
  39822 webreus.nl             40154 webreus.nl
  39658 antagonist.nl          39645 antagonist.nl
  33391 pcextreme.nl           33729 pcextreme.nl
  33350 protonmail.ch          32031 protonmail.ch
  29153 xel.nl                 29009 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                Last month
----------                ----------
10447 TOTAL               10358 TOTAL
 3145 DE, Germany          3116 DE, Germany
 1900 NL, Netherlands      1867 NL, Netherlands
 1791 US, United States    1811 US, United States
  779 FR, France            770 FR, France
  372 GB, United Kingdom    376 GB, United Kingdom
  369 CZ, Czechia           360 CZ, Czechia
  233 FI, Finland           229 FI, Finland
  229 CA, Canada            221 CA, Canada
  153 AT, Austria           155 AT, Austria
  131 SE, Sweden            132 CH, Switzerland
  131 DK, Denmark           130 DK, Denmark
  128 CH, Switzerland       129 SE, Sweden
  127 SG, Singapore         128 SG, Singapore
  123 AU, Australia         115 AU, Australia
   68 PL, Poland             63 PL, Poland
   57 RU, Russia             58 RU, Russia
   57 JP, Japan              57 JP, Japan
   46 NO, Norway             47 NO, Norway
   41 IE, Ireland            45 BR, Brazil
   41 BR, Brazil             41 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                Last month
----------                ----------
 8246 TOTAL                8162 TOTAL
 3650 NL, Netherlands      3584 NL, Netherlands
 2334 DE, Germany          2317 DE, Germany
  837 US, United States     851 US, United States
  359 FR, France            358 FR, France
  172 GB, United Kingdom    176 CZ, Czechia
  166 CZ, Czechia           164 GB, United Kingdom
   81 CA, Canada             77 CA, Canada
   75 FI, Finland            71 FI, Finland
   66 AU, Australia          63 CH, Switzerland
   62 CH, Switzerland        58 AU, Australia
   56 SE, Sweden             50 SE, Sweden
   45 SG, Singapore          47 SG, Singapore
   40 AT, Austria            47 AT, Austria
   34 JP, Japan              33 JP, Japan
   21 IE, Ireland            26 RU, Russia
   21 DK, Denmark            21 IE, Ireland
   20 RU, Russia             20 NO, Norway
   20 NO, Norway             19 DK, Denmark
   19 BR, Brazil             18 BR, Brazil
   16 LT, Lithuania          13 LT, Lithuania
There are 8,914 unique zones (8,763 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 18,619 (18,205 last
month). These cover 18,915 distinct MX hosts (18,501 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 793 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 478
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.72 million DANE domains, 13,265 (13,370 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,507
(1,310 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
104 mail.blueconsulting.cz
66 beta.itcomputers.eu
34 mx1.mdbraber.com
33 mx[12].synetcon.net
18 semark.dk
17 mx[12].traxion.com
15 artemis.strebsjig.net
14 mta9.pointner.at
13 postagrosu.grosu.ro
10 mail.ontharen-rotterdam.nl
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
This Month           Last month
----------           ----------
115 worldnic.com     147 online.net
114 axc.nl           124 worldnic.com
 81 epik.com         117 axc.nl
 73 ebola.cz          73 ebola.cz
 64 openprovider.nl   57 openprovider.nl
 32 active24.cz       39 epik.com
 29 made-easy.ch      32 active24.cz
 18 sectigoweb.com    28 made-easy.ch
 15 netcup.net        21 renault.fr
 12 ispapi.net        21 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains all whose nameservers have broken denial of existence
appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Greetings,
The Sender Policy Framework (SPF) is an easy way to check whether the
sender is authorized to send emails – however, it may cause some security
holes if it causes too many DNS lookups.
Together with researchers from Virginia Tech and Max-Planck-Institut für
Informatik, we would like to understand which challenges operators face
when configuring the proper limit of DNS queries for SPF lookups and when
deploying other email security protocols.
Filling out the survey should take between 5 and 10 minutes; we would
highly appreciate your participation.
https://www.surveymonkey.com/r/D9M3ZHV
Please note that we do NOT collect any personal information, thus the
Institutional Review Board (IRB) at Virginia Tech determined the survey as
Non-Human Subjects Research.
*We will aggregate and anonymize all responses during evaluation and share
the results after evaluation.*
Please do not hesitate to drop me a mail if you have questions or comments.
Taejoong "Tijay" Chung, Assistant Professor
Virginia Tech | Computer Science
Knowledge Works II, RM 2228
2202 Kraft Drive, Blacksburg, VA 24060
(540) 231-0667| tijay(a)vt.edu
News: New milestone crossed this month: the number of DNSSEC-signed
delegations tracked by the DANE survey has crossed 20 million.
Many thanks to simply.com for signing ~200k .DK domains, of
which ~100k support DANE SMTP.
Summary: The DANE domain count is now 3,701,200 (c.f. 3,603,343 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 20,041,659 (up from 19,588,402 last
month). Thus DANE TLSA is deployed on ~18.46% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.70 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1224541 one.com 1229109 one.com
284142 hostpoint.ch 282877 hostpoint.ch
194132 infomaniak.ch 193040 infomaniak.ch
186459 mijndomein.nl 185568 mijndomein.nl
164902 transip.nl 164423 transip.nl
154681 argewebhosting.nl 155782 argewebhosting.nl
126469 simply.com 112118 hostnet.nl
112645 jouwweb.nl 109897 jouwweb.nl
111958 hostnet.nl 108431 domeneshop.no
108448 domeneshop.no 96992 loopia.se
104708 loopia.se 94049 webhostingserver.nl
93613 webhostingserver.nl 78282 forpsi.com
78681 forpsi.com 64627 zxcs.nl
65510 zxcs.nl 47352 active24.com
47461 active24.com 40473 webreus.nl
40154 webreus.nl 39617 antagonist.nl
39645 antagonist.nl 33978 pcextreme.nl
33729 pcextreme.nl 31219 protonmail.ch
32031 protonmail.ch 29050 xel.nl
29009 xel.nl 27608 udmedia.de
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month
----------- -----------
10358 TOTAL 10211 TOTAL
3116 DE, Germany 3066 DE, Germany
1867 NL, Netherlands 1878 NL, Netherlands
1811 US, United States 1797 US, United States
770 FR, France 755 FR, France
376 GB, United Kingdom 369 GB, United Kingdom
360 CZ, Czechia 351 CZ, Czechia
229 FI, Finland 224 FI, Finland
221 CA, Canada 215 CA, Canada
155 AT, Austria 152 AT, Austria
132 CH, Switzerland 130 CH, Switzerland
130 DK, Denmark 129 DK, Denmark
129 SE, Sweden 126 SG, Singapore
128 SG, Singapore 121 SE, Sweden
115 AU, Australia 114 AU, Australia
63 PL, Poland 58 RU, Russia
58 RU, Russia 56 PL, Poland
57 JP, Japan 56 JP, Japan
47 NO, Norway 45 NO, Norway
45 BR, Brazil 40 IE, Ireland
41 IE, Ireland 39 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
8162 TOTAL 8063 TOTAL
3584 NL, Netherlands 3580 NL, Netherlands
2317 DE, Germany 2280 DE, Germany
851 US, United States 825 US, United States
358 FR, France 358 FR, France
176 CZ, Czechia 177 CZ, Czechia
164 GB, United Kingdom 162 GB, United Kingdom
77 CA, Canada 73 CA, Canada
71 FI, Finland 71 FI, Finland
63 CH, Switzerland 65 CH, Switzerland
58 AU, Australia 58 AU, Australia
50 SE, Sweden 47 AT, Austria
47 SG, Singapore 46 SE, Sweden
47 AT, Austria 44 SG, Singapore
33 JP, Japan 36 JP, Japan
26 RU, Russia 21 NO, Norway
21 IE, Ireland 21 IE, Ireland
20 NO, Norway 20 DK, Denmark
19 DK, Denmark 16 BR, Brazil
18 BR, Brazil 12 RU, Russia
13 LT, Lithuania 12 RO, Romania
There are 8,763 unique zones (8,574 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 18,205 (same as last
month). These cover 18,501 distinct MX hosts (18,498 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 753 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 421
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.70 million DANE domains, 13,370 (13,693 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1310
(1,386 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
104 mail.blueconsulting.cz
65 beta.itcomputers.eu
40 smtp.jkkn.net
33 mx2.synetcon.net
21 mail.mxx.dk
20 mx1.mdbraber.com
17 mx1.traxion.com
15 artemis.strebsjig.net
14 mx2.traxion.com
14 mta9.pointner.at
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
147 online.net [*] 363 worldnic.com
124 worldnic.com 123 axc.nl
117 axc.nl 74 ebola.cz
73 ebola.cz 57 openprovider.nl
57 openprovider.nl 38 epik.com
39 epik.com 32 psi-japan.net
32 active24.cz 32 active24.cz
28 made-easy.ch 28 made-easy.ch
21 renault.fr 21 register.com
21 register.com 17 sectigoweb.com
[*] Notified and acknowledged.
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains all of whose nameservers have broken denial of existence
appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
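Added example (not part of the post above, and not code from the survey or any project it mentions): a small monitoring check in the spirit of the report's advice to watch TLSA validity and rotate keys reliably. It rates one MX host's TLSA RRset against the key in service and a pre-generated next key, and rates a domain's MX coverage as full, partial or none. The SPKI byte strings, host names and status labels are constructed for illustration, and only DANE-EE(3) records are evaluated.

```python
import hashlib

# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo blobs (not real keys).
CURRENT_SPKI = b"constructed SPKI bytes: key in service"
NEXT_SPKI = b"constructed SPKI bytes: pre-generated next key"
OLD_SPKI = b"constructed SPKI bytes: retired key"

DIGEST_LEN = {1: 32, 2: 64}  # matching type -> digest size (SHA2-256, SHA2-512)


def tlsa_311(spki_der):
    """Presentation-form '3 1 1' record data for an SPKI blob."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hex'; raise ValueError when not well-formed."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected four fields")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if usage not in range(4) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("parameter out of range")
    if not data or (mtype in DIGEST_LEN and len(data) != DIGEST_LEN[mtype]):
        raise ValueError("association data length does not fit matching type")
    return usage, selector, mtype, data


def record_matches(record, spki_der, cert_der=None):
    """True when a parsed record matches the given key (or certificate)."""
    _, selector, mtype, data = record
    source = spki_der if selector == 1 else cert_der
    if source is None:
        return False
    if mtype == 0:
        return data == source
    digest = hashlib.sha256 if mtype == 1 else hashlib.sha512
    return digest(source).digest() == data


def check_host(rrset, live_spki, next_spki=None, live_cert=None):
    """Return (status, notes) for one MX host's TLSA RRset."""
    notes, records = [], []
    for rdata in rrset:
        try:
            records.append(parse_tlsa(rdata))
        except ValueError as exc:
            notes.append(f"malformed record {rdata!r}: {exc}")
    if not rrset:
        return "no-tlsa", notes
    if not records:
        return "malformed", notes
    ee = [r for r in records if r[0] == 3]
    if not ee:
        return "unchecked", notes  # only DANE-EE(3) is evaluated here
    if not any(record_matches(r, live_spki, live_cert) for r in ee):
        notes.append("no DANE-EE record matches the key in service")
        return "mismatch", notes
    if next_spki is not None and not any(record_matches(r, next_spki) for r in ee):
        notes.append("next key is not published yet; publish it before switching keys")
        return "ok-no-next", notes
    return "ok", notes


def domain_coverage(mx_rrsets):
    """'full' if every MX host has a well-formed TLSA record, else 'partial' or 'none'."""
    def covered(rrset):
        for rdata in rrset:
            try:
                parse_tlsa(rdata)
                return True
            except ValueError:
                continue
        return False

    flags = [covered(rrset) for rrset in mx_rrsets.values()]
    if flags and all(flags):
        return "full"
    return "partial" if any(flags) else "none"


# Constructed sample zone data: host names and records are illustrative only.
SAMPLE = {
    "mx1.example.test": [tlsa_311(CURRENT_SPKI), tlsa_311(NEXT_SPKI)],
    "mx2.example.test": [tlsa_311(OLD_SPKI)],  # stale record left after a key change
    "mx3.example.test": [],                    # secondary MX with no TLSA records
}

if __name__ == "__main__":
    for host, rrset in SAMPLE.items():
        print(host, *check_host(rrset, CURRENT_SPKI, NEXT_SPKI))
    print("coverage:", domain_coverage(SAMPLE))
```

In real use the SPKI bytes would come from the certificate each MX host actually presents and the RRsets from a DNSSEC-validating resolver; both are outside this sketch.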
Summary: The DANE domain count is now 3,603,343 (c.f. 3,598,975 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 19,588,402 (up from 19,332,285 last
month). Thus DANE TLSA is deployed on ~18.39% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.60 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1229109 one.com 1236565 one.com
282877 hostpoint.ch 281674 hostpoint.ch
193040 infomaniak.ch 190849 infomaniak.ch
185568 mijndomein.nl 185033 mijndomein.nl
164423 transip.nl 163544 transip.nl
155782 argewebhosting.nl 159122 argewebhosting.nl
112118 hostnet.nl 112282 hostnet.nl
109897 jouwweb.nl 108076 domeneshop.no
108431 domeneshop.no 107087 jouwweb.nl
96992 loopia.se 97044 loopia.se
94049 webhostingserver.nl 94545 webhostingserver.nl
78282 forpsi.com 77900 forpsi.com
64627 zxcs.nl 63883 zxcs.nl
47352 active24.com 47339 active24.com
40473 webreus.nl 40371 webreus.nl
39617 antagonist.nl 39576 antagonist.nl
33978 pcextreme.nl 34177 pcextreme.nl
31219 protonmail.ch 30328 protonmail.ch
29050 xel.nl 28469 xel.nl
27608 udmedia.de 27636 udmedia.de
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month
----------- -----------
10211 TOTAL 10154 TOTAL
3066 DE, Germany 3062 DE, Germany
1878 NL, Netherlands 1845 NL, Netherlands
1797 US, United States 1780 US, United States
755 FR, France 766 FR, France
369 GB, United Kingdom 355 GB, United Kingdom
351 CZ, Czechia 340 CZ, Czechia
224 FI, Finland 239 FI, Finland
215 CA, Canada 220 CA, Canada
152 AT, Austria 151 AT, Austria
130 CH, Switzerland 128 DK, Denmark
129 DK, Denmark 127 CH, Switzerland
126 SG, Singapore 124 SG, Singapore
121 SE, Sweden 120 SE, Sweden
114 AU, Australia 110 AU, Australia
58 RU, Russia 57 PL, Poland
56 PL, Poland 55 RU, Russia
56 JP, Japan 54 JP, Japan
45 NO, Norway 49 NO, Norway
40 IE, Ireland 38 BR, Brazil
39 BR, Brazil 35 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
8063 TOTAL 7992 TOTAL
3580 NL, Netherlands 3557 NL, Netherlands
2280 DE, Germany 2264 DE, Germany
825 US, United States 849 US, United States
358 FR, France 341 FR, France
177 CZ, Czechia 180 CZ, Czechia
162 GB, United Kingdom 152 GB, United Kingdom
73 CA, Canada 74 FI, Finland
71 FI, Finland 67 CA, Canada
65 CH, Switzerland 61 CH, Switzerland
58 AU, Australia 50 AU, Australia
47 AT, Austria 47 AT, Austria
46 SE, Sweden 44 SE, Sweden
44 SG, Singapore 38 SG, Singapore
36 JP, Japan 34 JP, Japan
21 NO, Norway 23 NO, Norway
21 IE, Ireland 20 DK, Denmark
20 DK, Denmark 19 IE, Ireland
16 BR, Brazil 17 BR, Brazil
12 RU, Russia 12 LT, Lithuania
12 RO, Romania 11 RO, Romania
There are 8,574 unique zones (8,468 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 18,205 (17,855 last
month). These cover 18,498 distinct MX hosts (18,152 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 725 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 405
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.60 million DANE domains, 13,693 (13,723 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,386
(1,349 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
107 mx.xobit.nl
105 mail.blueconsulting.cz
34 mx2.synetcon.net
26 mail.sig-io.nl
26 fsn1-c04.xemo-net.de
20 mx1.mdbraber.com
17 mx1.traxion.com
15 artemis.strebsjig.net
14 mx2.traxion.com
14 mta9.pointner.at
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
This Month Last month
---------- ----------
363 worldnic.com 357 worldnic.com
123 axc.nl 134 axc.nl
74 ebola.cz 75 ebola.cz
57 openprovider.nl 60 openprovider.nl
38 epik.com 41 psi-japan.net
32 psi-japan.net 34 active24.cz
32 active24.cz 28 made-easy.ch
28 made-easy.ch 25 ns01.nl
21 register.com 22 register.com
17 sectigoweb.com 18 epik.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains all of whose nameservers have broken denial of existence
appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 3,598,975 (c.f. 3,584,050 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 19,332,285 (up from 19,130,407 last
month). Thus DANE TLSA is deployed on ~18.61% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
registrar-servers.com (Namecheap) and mijndomein.nl resolved
all their outstanding TLSA record denial of existence issues,
contributing to a reduction in problem domains from ~2k to ~1k.
As of today I count ~3.60 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month Last Month
---------- ----------
1236565 one.com 1236935 one.com
281674 hostpoint.ch 280585 hostpoint.ch
190849 infomaniak.ch 189107 infomaniak.ch
185033 mijndomein.nl 184512 mijndomein.nl
163544 transip.nl 162755 transip.nl
159122 argewebhosting.nl 159073 argewebhosting.nl
112282 hostnet.nl 112570 hostnet.nl
108076 domeneshop.no 107805 domeneshop.no
107087 jouwweb.nl 104255 jouwweb.nl
97044 loopia.se 96819 loopia.se
94545 webhostingserver.nl 94919 webhostingserver.nl
77900 forpsi.com 77692 forpsi.com
63883 zxcs.nl 63160 zxcs.nl
47339 active24.com 47265 active24.com
40371 webreus.nl 40191 webreus.nl
39576 antagonist.nl 39451 antagonist.nl
34177 pcextreme.nl 34401 pcextreme.nl
30328 protonmail.ch 29158 protonmail.ch
28469 xel.nl 27581 udmedia.de
27636 udmedia.de 26543 web4u.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month Last month
----------- -----------
10154 TOTAL 10134 TOTAL
3062 DE, Germany 3005 DE, Germany
1845 NL, Netherlands 1894 NL, Netherlands
1780 US, United States 1774 US, United States
766 FR, France 763 FR, France
355 GB, United Kingdom 356 GB, United Kingdom
340 CZ, Czechia 338 CZ, Czechia
239 FI, Finland 235 FI, Finland
220 CA, Canada 224 CA, Canada
151 AT, Austria 156 AT, Austria
128 DK, Denmark 129 CH, Switzerland
127 CH, Switzerland 127 SG, Singapore
124 SG, Singapore 127 DK, Denmark
120 SE, Sweden 110 SE, Sweden
110 AU, Australia 110 AU, Australia
57 PL, Poland 56 PL, Poland
55 RU, Russia 54 RU, Russia
54 JP, Japan 54 JP, Japan
49 NO, Norway 48 NO, Norway
38 BR, Brazil 41 IE, Ireland
35 IE, Ireland 40 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
7992 TOTAL 7968 TOTAL
3557 NL, Netherlands 3557 NL, Netherlands
2264 DE, Germany 2241 DE, Germany
849 US, United States 831 US, United States
341 FR, France 347 FR, France
180 CZ, Czechia 172 CZ, Czechia
152 GB, United Kingdom 149 GB, United Kingdom
74 FI, Finland 77 CH, Switzerland
67 CA, Canada 76 FI, Finland
61 CH, Switzerland 65 CA, Canada
50 AU, Australia 54 AU, Australia
47 AT, Austria 43 SE, Sweden
44 SE, Sweden 36 SG, Singapore
38 SG, Singapore 36 JP, Japan
34 JP, Japan 35 AT, Austria
23 NO, Norway 24 RU, Russia
20 DK, Denmark 21 NO, Norway
19 IE, Ireland 20 DK, Denmark
17 BR, Brazil 19 IE, Ireland
12 LT, Lithuania 16 BR, Brazil
11 RO, Romania 12 LT, Lithuania
There are 8,468 unique zones (8,375 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,855 (17,725 last
month). These cover 18,152 distinct MX hosts (18,019 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 714 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 405
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.60 million DANE domains, 13,723 (13,921 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,349
(2,442 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
105 mail.blueconsulting.cz
87 vps01.marcus.services
85 beta.itcomputers.eu
34 mx2.synetcon.net
18 mx3.hug.info
18 mx1.mdbraber.com
17 mx1.traxion.com
15 artemis.strebsjig.net
14 mx2.traxion.com
13 postagrosu.grosu.ro
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,076 (2,068 last
month). The top 10 name server operators with problem domains are:
  This Month                  Last month
  ----------                  ----------
  357 worldnic.com            593 registrar-servers.com
  134 axc.nl                  402 worldnic.com
   75 ebola.cz                249 mijndomein.nl
   60 openprovider.nl         138 axc.nl
   41 psi-japan.net            77 ebola.cz
   34 active24.cz              60 openprovider.nl
   28 made-easy.ch             55 zihlmann.net
   25 ns01.nl                  41 psi-japan.net
   22 register.com             29 made-easy.ch
   18 epik.com                 26 ns01.nl
[ Many thanks to Namecheap and Mijndomein for resolving all issues for their
customer domains. ]
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Three of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
urbtix.hk
mailazy.net
kprm.gov.pl
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
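The report above asks operators to monitor the validity of their own TLSA records, and describes "partial" and broken domains; one way to run that check is sketched here as an added example, which is not code from the survey or from any project named on this page. The host names, the input layout and the dane/partial/broken roll-up are assumptions of the example (the roll-up ignores MX preference), and the byte strings are constructed stand-ins for DER-encoded certificates and keys.

```python
import hashlib

HASHERS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hexdata'; return a tuple, or None if malformed."""
    fields = rdata.split()
    if len(fields) < 4:
        return None
    try:
        usage, selector, mtype = (int(f) for f in fields[:3])
        data = bytes.fromhex("".join(fields[3:]))
    except ValueError:
        return None
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return None
    # A digest must have exactly the length of its hash; full data must be non-empty.
    if not data or (mtype in HASHERS and len(data) != HASHERS[mtype]().digest_size):
        return None
    return usage, selector, mtype, data


def record_matches(record, chain):
    """chain is a list of (cert_der, spki_der) pairs, leaf certificate first."""
    usage, selector, mtype, data = record
    if usage == 3:
        candidates = chain[:1]   # DANE-EE pins the leaf
    elif usage == 2:
        candidates = chain[1:]   # DANE-TA pins an issuer in the presented chain (simplified)
    else:
        return False             # this example treats usages 0 and 1 as unusable for SMTP
    for cert_der, spki_der in candidates:
        blob = spki_der if selector == 1 else cert_der
        value = HASHERS[mtype](blob).digest() if mtype else blob
        if value == data:
            return True
    return False


def check_host(host):
    """host: dict with 'tlsa' (rdata strings), 'up', 'starttls' and 'chain'."""
    if not host["tlsa"]:
        return "none"
    records = [r for r in map(parse_tlsa, host["tlsa"]) if r]
    if not records:
        return "broken"          # records are published but none is well-formed
    if not host["up"]:
        return "ok"              # footnote [1]: a dead host only needs well-formed records
    if not host["starttls"]:
        return "broken"          # TLSA published, STARTTLS not offered
    return "ok" if any(record_matches(r, host["chain"]) for r in records) else "broken"


def classify_domain(hosts):
    """Roll per-host states up to one verdict (the example's own scheme)."""
    states = {name: check_host(h) for name, h in hosts.items()}
    values = set(states.values())
    if "broken" in values:
        verdict = "broken"
    elif values == {"ok"}:
        verdict = "dane"
    elif "ok" in values:
        verdict = "partial"      # some MX hosts are left without TLSA records
    else:
        verdict = "no-dane"
    return verdict, states


def rotation_ready(tlsa_rdata, next_spki_der):
    """True if a '3 1 1' record for the staged next key is already published."""
    want = hashlib.sha256(next_spki_der).digest()
    return any(r == (3, 1, 1, want) for r in map(parse_tlsa, tlsa_rdata))


def rr311(spki_der):
    """Build '3 1 1' rdata for a public key."""
    return "3 1 1 " + hashlib.sha256(spki_der).hexdigest()


# Constructed sample data: not real certificates, keys or hosts.
CUR_CERT, CUR_SPKI = b"constructed-leaf-cert", b"constructed-current-spki"
NEXT_SPKI = b"constructed-next-spki"
SAMPLE = {
    "mx1.example.net": {"tlsa": [rr311(CUR_SPKI), rr311(NEXT_SPKI)],
                        "up": True, "starttls": True, "chain": [(CUR_CERT, CUR_SPKI)]},
    "mx2.example.net": {"tlsa": [], "up": True, "starttls": True,
                        "chain": [(CUR_CERT, CUR_SPKI)]},
    "tarpit.example.net": {"tlsa": [rr311(b"constructed-unused-key")],
                           "up": False, "starttls": False, "chain": []},
}

if __name__ == "__main__":
    print(classify_domain(SAMPLE))
    print("next key published:", rotation_ready(SAMPLE["mx1.example.net"]["tlsa"], NEXT_SPKI))
```

Run from cron after each certificate renewal, a "broken" verdict is the condition that would otherwise surface as bounced mail from DANE-validating senders.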
LetsDNS release 1.0.1 is now publicly available.
Website: https://letsdns.org
GitHub : https://github.com/LetsDNS/letsdns
PyPI : https://pypi.org/project/letsdns/
LetsDNS is a utility to manage DANE TLSA records in DNS servers with
only a few lines of configuration. It supports multiple domains with
multiple TLS certificates each.
LetsDNS can be invoked manually, from cron jobs, or called in hook
functions of ACME clients like dehydrated or certbot. It currently
supports backends via the DNS Update Protocol (RFC 2136), the Hetzner
DNS API, and a generator for nsupdate scripts. Additionally, LetsDNS
is designed to be expanded using custom Python modules which are loaded
dynamically during runtime.
-Ralph
Summary: The DANE domain count is now 3,584,050 (c.f. 3,553,159 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 19,130,407 (up from 18,845,352 last
month). Thus DANE TLSA is deployed on ~18.73% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.58 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
  This month                      Last Month
  ----------                      ----------
  1236935 one.com                 1241738 one.com
   280585 hostpoint.ch             279135 hostpoint.ch
   189107 infomaniak.ch            184346 mijndomein.nl
   184512 mijndomein.nl            176747 infomaniak.ch
   162755 transip.nl               162079 transip.nl
   159073 argewebhosting.nl        158826 argewebhosting.nl
   112570 hostnet.nl               112883 hostnet.nl
   107805 domeneshop.no            107551 domeneshop.no
   104255 jouwweb.nl               101152 jouwweb.nl
    96819 loopia.se                 96925 loopia.se
    94919 webhostingserver.nl       95235 webhostingserver.nl
    77692 forpsi.com                77276 forpsi.com
    63160 zxcs.nl                   62102 zxcs.nl
    47265 active24.com              47236 active24.com
    40191 webreus.nl                40429 webreus.nl
    39451 antagonist.nl             39297 antagonist.nl
    34401 pcextreme.nl              34585 pcextreme.nl
    29158 protonmail.ch             28545 protonmail.ch
    27581 udmedia.de                27627 udmedia.de
    26543 web4u.cz                  26577 web4u.cz
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                    Last month
  -----------                   ----------
  10134 TOTAL                   10177 TOTAL
   3005 DE, Germany              2978 DE, Germany
   1894 NL, Netherlands          1890 NL, Netherlands
   1774 US, United States        1811 US, United States
    763 FR, France                763 FR, France
    356 GB, United Kingdom        362 GB, United Kingdom
    338 CZ, Czechia               340 CZ, Czechia
    235 FI, Finland               236 CA, Canada
    224 CA, Canada                232 FI, Finland
    156 AT, Austria               154 AT, Austria
    129 CH, Switzerland           130 CH, Switzerland
    127 SG, Singapore             126 SG, Singapore
    127 DK, Denmark               126 DK, Denmark
    110 SE, Sweden                115 SE, Sweden
    110 AU, Australia             108 AU, Australia
     56 PL, Poland                 57 PL, Poland
     54 RU, Russia                 56 JP, Japan
     54 JP, Japan                  50 RU, Russia
     48 NO, Norway                 50 HU, Hungary
     41 IE, Ireland                44 NO, Norway
     40 BR, Brazil                 42 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                    Last month
  ----------                    ----------
   7968 TOTAL                    7936 TOTAL
   3557 NL, Netherlands          3552 NL, Netherlands
   2241 DE, Germany              2216 DE, Germany
    831 US, United States         801 US, United States
    347 FR, France                337 FR, France
    172 CZ, Czechia               193 CZ, Czechia
    149 GB, United Kingdom        163 GB, United Kingdom
     77 CH, Switzerland            74 FI, Finland
     76 FI, Finland                71 CA, Canada
     65 CA, Canada                 59 CH, Switzerland
     54 AU, Australia              53 AU, Australia
     43 SE, Sweden                 45 AT, Austria
     36 SG, Singapore              42 SE, Sweden
     36 JP, Japan                  39 SG, Singapore
     35 AT, Austria                38 JP, Japan
     24 RU, Russia                 27 RU, Russia
     21 NO, Norway                 22 IE, Ireland
     20 DK, Denmark                19 DK, Denmark
     19 IE, Ireland                18 NO, Norway
     16 BR, Brazil                 15 BR, Brazil
     12 LT, Lithuania              12 LT, Lithuania
There are 8,375 unique zones (8,342 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,725 (17,639 last
month). These cover 18,019 distinct MX hosts (17,929 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 702 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 410
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.58 million DANE domains, 13,921 (14,518 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2,442
(1,026 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
1270 unit.nmugroup.com
86 beta.itcomputers.eu
44 relay-1.rws.nl
43 relay-2.rws.nl
35 mx2.synetcon.net
26 fsn1-c04.xemo-net.de
19 mx1.mdbraber.com
15 artemis.strebsjig.net
14 e-vps.hacktheplanet.nl
12 mail.blanketmail.de
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 2,068 (1,408 last
month). The top 10 name server operators with problem domains are:
  This Month                  Last month
  ----------                  ----------
  593 registrar-servers.com   591 registrar-servers.com
  402 worldnic.com            302 worldnic.com
  249 mijndomein.nl           245 mijndomein.nl
  138 axc.nl                  137 axc.nl
   77 ebola.cz                 79 ebola.cz
   60 openprovider.nl          46 psi-japan.net
   55 zihlmann.net             32 openprovider.nl
   41 psi-japan.net            30 made-easy.ch
   29 made-easy.ch             30 ispapi.net
   26 ns01.nl                  27 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Three of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
urbtix.hk
mailazy.net
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 3,553,159 (c.f. 3,235,913 last
month). Most of the increase is owed to mijndomein.nl
enabling DANE SMTP for ~184k domains and hostnet.nl for 113k
domains, thank you mijndomein.nl and hostnet.nl!
The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,845,352 (up from 18,591,690 last
month). Thus DANE TLSA is deployed on ~18.85% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
Another milestone, as of today, the .COM TLD now has more than
5 million signed delegations.
As of today I count ~3.55 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
  This month                      Last Month
  ----------                      ----------
  1241738 one.com                 1242988 one.com
   279135 hostpoint.ch             278263 hostpoint.ch
   184346 mijndomein.nl            165958 infomaniak.ch
   176747 infomaniak.ch            160813 transip.nl
   162079 transip.nl               158555 argewebhosting.nl
   158826 argewebhosting.nl        107363 domeneshop.no
   112883 hostnet.nl                98980 jouwweb.nl
   107551 domeneshop.no             96757 loopia.se
   101152 jouwweb.nl                95704 webhostingserver.nl
    96925 loopia.se                 76489 forpsi.com
    95235 webhostingserver.nl       60790 zxcs.nl
    77276 forpsi.com                47127 active24.com
    62102 zxcs.nl                   40731 webreus.nl
    47236 active24.com              39430 antagonist.nl
    40429 webreus.nl                34847 pcextreme.nl
    39297 antagonist.nl             27612 udmedia.de
    34585 pcextreme.nl              26602 protonmail.ch
    28545 protonmail.ch             26570 web4u.cz
    27627 udmedia.de                25850 webhosting.dk
    26577 web4u.cz                  25519 vevida.com
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be,
.pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                    Last month
  -----------                   ----------
  10177 TOTAL                   10052 TOTAL
   2978 DE, Germany              2983 DE, Germany
   1890 NL, Netherlands          1864 NL, Netherlands
   1811 US, United States        1790 US, United States
    763 FR, France                737 FR, France
    362 GB, United Kingdom        349 GB, United Kingdom
    340 CZ, Czechia               325 CZ, Czechia
    236 CA, Canada                228 FI, Finland
    232 FI, Finland               225 CA, Canada
    154 AT, Austria               159 AT, Austria
    130 CH, Switzerland           137 SG, Singapore
    126 SG, Singapore             129 DK, Denmark
    126 DK, Denmark               129 CH, Switzerland
    115 SE, Sweden                109 AU, Australia
    108 AU, Australia             107 SE, Sweden
     57 PL, Poland                 59 PL, Poland
     56 JP, Japan                  52 JP, Japan
     50 RU, Russia                 51 RU, Russia
     50 HU, Hungary                47 NO, Norway
     44 NO, Norway                 44 BR, Brazil
     42 BR, Brazil                 41 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                    Last month
  ----------                    ----------
   7936 TOTAL                    7869 TOTAL
   3552 NL, Netherlands          3534 NL, Netherlands
   2216 DE, Germany              2202 DE, Germany
    801 US, United States         817 US, United States
    337 FR, France                322 FR, France
    193 CZ, Czechia               191 CZ, Czechia
    163 GB, United Kingdom        150 GB, United Kingdom
     74 FI, Finland                76 FI, Finland
     71 CA, Canada                 71 CA, Canada
     59 CH, Switzerland            59 CH, Switzerland
     53 AU, Australia              51 AU, Australia
     45 AT, Austria                42 SE, Sweden
     42 SE, Sweden                 40 SG, Singapore
     39 SG, Singapore              38 AT, Austria
     38 JP, Japan                  37 JP, Japan
     27 RU, Russia                 25 NO, Norway
     22 IE, Ireland                22 DK, Denmark
     19 DK, Denmark                18 IE, Ireland
     18 NO, Norway                 16 RU, Russia
     15 BR, Brazil                 15 BR, Brazil
     12 LT, Lithuania              12 LT, Lithuania
There are 8,342 unique zones (8,234 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,639 (17,494 last
month). These cover 17,929 distinct MX hosts (17,782 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 694 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 406
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.55 million DANE domains, 14,518 (12,258 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,026
(1,109 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
19 mx1.mdbraber.com
15 e-vps.hacktheplanet.nl
15 artemis.strebsjig.net
13 postagrosu.grosu.ro
12 mail.blanketmail.de
12 hf-hosting-02.hf-services.net
10 mail.syngenuity.com
10 mail.ontharen-rotterdam.nl
9 smtp.hoggins.fr
9 mx01.mykolab.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month). The top 10 name server operators with problem domains are:
  This Month                  Last month
  ----------                  ----------
  591 registrar-servers.com   573 registrar-servers.com
  302 worldnic.com            236 mijndomein.nl
  245 mijndomein.nl           159 worldnic.com
  137 axc.nl                  145 axc.nl
   79 ebola.cz                 85 ebola.cz
   46 psi-japan.net            31 openprovider.nl
   32 openprovider.nl          31 made-easy.ch
   30 made-easy.ch             31 epik.com
   30 ispapi.net               26 ns01.nl
   27 register.com             24 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Four of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
greenspot.fi
urbtix.hk
mailazy.net
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
1
0
Summary: The DANE domain count is now 3,235,913 (c.f. 3,197,734 last
month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 18,591,690 (up from 18,409,733 last
month). Thus DANE TLSA is deployed on ~17.40% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
Another milestone: as of today, the .COM TLD now has more than
5 million signed delegations.
As of today I count ~3.24 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
  This month                    Last Month
  ----------                    ----------
  1242988 one.com               1243696 one.com
   278263 hostpoint.ch           277421 hostpoint.ch
   165958 infomaniak.ch          164315 infomaniak.ch
   160813 transip.nl             159902 transip.nl
   158555 argewebhosting.nl      158479 argewebhosting.nl
   107363 domeneshop.no          107350 domeneshop.no
    98980 jouwweb.nl              97611 jouwweb.nl
    96757 loopia.se               96400 loopia.se
    95704 webhostingserver.nl     96065 webhostingserver.nl
    76489 forpsi.com              75966 forpsi.com
    60790 zxcs.nl                 59337 zxcs.nl
    47127 active24.com            47090 active24.com
    40731 webreus.nl              41006 webreus.nl
    39430 antagonist.nl           39296 antagonist.nl
    34847 pcextreme.nl            35099 pcextreme.nl
    27612 udmedia.de              27513 udmedia.de
    26602 protonmail.ch           26802 web4u.cz
    26570 web4u.cz                25925 webhosting.dk
    25850 webhosting.dk           25763 vevida.com
    25519 vevida.com              25515 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  This month                 Last month
  ----------                 ----------
  10052 TOTAL                 9944 TOTAL
   2983 DE, Germany           2956 DE, Germany
   1864 NL, Netherlands       1844 NL, Netherlands
   1790 US, United States     1789 US, United States
    737 FR, France             737 FR, France
    349 GB, United Kingdom     346 GB, United Kingdom
    325 CZ, Czechia            331 CZ, Czechia
    228 FI, Finland            226 FI, Finland
    225 CA, Canada             213 CA, Canada
    159 AT, Austria            156 AT, Austria
    137 SG, Singapore          130 SG, Singapore
    129 DK, Denmark            129 CH, Switzerland
    129 CH, Switzerland        127 DK, Denmark
    109 AU, Australia          110 SE, Sweden
    107 SE, Sweden             106 AU, Australia
     59 PL, Poland              59 PL, Poland
     52 JP, Japan               48 JP, Japan
     51 RU, Russia              46 RU, Russia
     47 NO, Norway              46 NO, Norway
     44 BR, Brazil              43 BR, Brazil
     41 IE, Ireland             40 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                 Last month
  ----------                 ----------
   7869 TOTAL                 7816 TOTAL
   3534 NL, Netherlands       3507 NL, Netherlands
   2202 DE, Germany           2162 DE, Germany
    817 US, United States      812 US, United States
    322 FR, France             317 FR, France
    191 CZ, Czechia            187 CZ, Czechia
    150 GB, United Kingdom     158 GB, United Kingdom
     76 FI, Finland             82 FI, Finland
     71 CA, Canada              63 CA, Canada
     59 CH, Switzerland         60 CH, Switzerland
     51 AU, Australia           50 AU, Australia
     42 SE, Sweden              45 AT, Austria
     40 SG, Singapore           40 SG, Singapore
     38 AT, Austria             39 SE, Sweden
     37 JP, Japan               32 JP, Japan
     25 NO, Norway              30 RU, Russia
     22 DK, Denmark             22 IE, Ireland
     18 IE, Ireland             20 DK, Denmark
     16 RU, Russia              19 NO, Norway
     15 BR, Brazil              15 BG, Bulgaria
     12 LT, Lithuania           13 LT, Lithuania
There are 8,234 unique zones (8,119 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 17,494 (17,295 last
month). These cover 17,782 distinct MX hosts (17,568 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 643 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 387
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.24 million DANE domains, 12,258 (27,938 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts. While this
protects traffic to some of the MX hosts, such domains are still vulnerable to
the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,109
(1,147 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
85 beta.itcomputers.eu
19 mx1.mdbraber.com
16 e-vps.hacktheplanet.nl
15 mail.nationaalarchief.nl
15 mail.gregdouglas.net
15 artemis.strebsjig.net
11 mail.ontharen-rotterdam.nl
9 mx1.digi.nl
9 mx01.mykolab.com
9 mail.qusign.net
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,408 (1,181 last
month). The top 10 name server operators with problem domains are:
  This Month                  Last month
  ----------                  ----------
  573 registrar-servers.com   563 registrar-servers.com
  236 mijndomein.nl           151 axc.nl
  159 worldnic.com             90 worldnic.com
  145 axc.nl                   76 ebola.cz
   85 ebola.cz                 41 epik.com
   31 openprovider.nl          39 mijndomein.nl
   31 made-easy.ch             32 openprovider.nl
   31 epik.com                 31 made-easy.ch
   26 ns01.nl                  27 register.com
   24 register.com             26 ns01.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Four of the domains all of whose nameservers have broken denial of existence
appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
mailazy.net
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
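A minimal monitoring check for the conditions the report above counts (TLSA coverage of every MX host, "partial" coverage, and TLSA records that are wrong or published without STARTTLS), added here as an example that is not part of the original post or the survey's own code. It assumes DANE-EE(3) records only; the host dictionary layout, the helper names and the four category labels are this example's own, and the sample byte strings are constructed.

```python
import hashlib
DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1, 2

def well_formed(rr):
    """rr = (usage, selector, mtype, hex_data), field ranges per RFC 6698."""
    usage, selector, mtype, hex_data = rr
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return False
    try:
        data = bytes.fromhex(hex_data)
    except ValueError:
        return False
    return len(data) > 0 if mtype == 0 else len(data) == DIGESTS[mtype]().digest_size

def matches_leaf(rr, cert_der, spki_der):
    """True when a DANE-EE(3) record matches the leaf certificate or its SPKI."""
    usage, selector, mtype, hex_data = rr
    if usage != 3 or not well_formed(rr):
        return False  # assumption: only DANE-EE(3) is checked in this example
    blob = spki_der if selector == 1 else cert_der
    if mtype:
        blob = DIGESTS[mtype](blob).digest()
    return blob == bytes.fromhex(hex_data)

def classify(mx_hosts):
    """Return 'none', 'partial', 'dane' or 'broken' for one domain's MX hosts."""
    covered = 0
    for h in mx_hosts.values():
        if not h["tlsa"]:
            continue  # no TLSA RRset: this MX host is unprotected
        covered += 1
        usable = [rr for rr in h["tlsa"] if well_formed(rr)]
        if not usable:
            return "broken"
        # A down host only needs well-formed records; a live one must match.
        if h["up"] and not (h["starttls"] and
                            any(matches_leaf(rr, *h["leaf"]) for rr in usable)):
            return "broken"
    if covered == 0:
        return "none"
    return "dane" if covered == len(mx_hosts) else "partial"

# Constructed sample data: stand-in byte strings, not real DER.
CERT, SPKI = b"constructed-leaf-cert", b"constructed-leaf-spki"
GOOD = (3, 1, 1, hashlib.sha256(SPKI).hexdigest())
STALE = (3, 1, 1, hashlib.sha256(b"constructed-old-key").hexdigest())

def host(tlsa, up=True, starttls=True):
    return {"tlsa": tlsa, "up": up, "starttls": starttls, "leaf": (CERT, SPKI)}
```

In a real monitor the `leaf` pair would come from the certificate each MX host presents after STARTTLS, and the `tlsa` list from a DNSSEC-validated lookup of `_25._tcp.<mx-host>`.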