dane-users
Summary: The DANE domain count is now 3,005,393 (up from 2,974,861 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,982,372 (up from 16,638,332 last
month). Thus DANE TLSA is deployed on ~17.69% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ See the Credits[0] list below my signature. ]
As of today I count ~3.0 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                      Last month
----------                      ----------
1230165 one.com                 1219713 one.com
 272727 hostpoint.ch             270842 hostpoint.ch
 154952 transip.nl               154249 transip.nl
 154347 infomaniak.ch            152372 infomaniak.ch
 149718 argewebhosting.nl        150807 argewebhosting.nl
 106004 domeneshop.no            105814 domeneshop.no
  98029 webhostingserver.nl       98302 webhostingserver.nl
  95100 loopia.se                 94851 loopia.se
  71946 forpsi.com                71517 forpsi.com
  48270 zxcs.nl                   46431 active24.com
  46581 active24.com              45675 zxcs.nl
  42121 webreus.nl                42325 webreus.nl
  38213 antagonist.nl             38150 antagonist.nl
  36362 pcextreme.nl              36614 pcextreme.nl
  27450 vevida.com                27758 vevida.com
  26984 udmedia.de                27035 webhosting.dk
  26916 webhosting.dk             26937 udmedia.de
  26483 web4u.cz                  26456 web4u.cz
  23612 hosting2go.nl             23884 hosting2go.nl
  22118 protonmail.ch             21623 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                      Last month
----------                      ----------
   9230 TOTAL                      9206 TOTAL
   2691 DE, Germany                2692 DE, Germany
   1781 NL, Netherlands            1768 NL, Netherlands
   1710 US, United States          1731 US, United States
    697 FR, France                  699 FR, France
    325 GB, United Kingdom          334 GB, United Kingdom
    264 CZ, Czechia                 245 CZ, Czechia
    206 CA, Canada                  208 CA, Canada
    204 FI, Finland                 203 FI, Finland
    131 AT, Austria                 127 DK, Denmark
    129 DK, Denmark                 121 AT, Austria
    118 SG, Singapore               120 SG, Singapore
    108 CH, Switzerland             107 CH, Switzerland
     98 SE, Sweden                  100 AU, Australia
     93 AU, Australia                98 SE, Sweden
     56 PL, Poland                   54 PL, Poland
     44 NO, Norway                   44 RU, Russia
     43 RU, Russia                   44 NO, Norway
     43 IE, Ireland                  42 IE, Ireland
     38 JP, Japan                    41 BR, Brazil
     38 BR, Brazil                   36 JP, Japan
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                      Last month
----------                      ----------
   7274 TOTAL                      7202 TOTAL
   3431 NL, Netherlands            3389 NL, Netherlands
   1903 DE, Germany                1889 DE, Germany
    757 US, United States           767 US, United States
    300 FR, France                  290 FR, France
    156 CZ, Czechia                 153 CZ, Czechia
    133 GB, United Kingdom          136 GB, United Kingdom
     80 FI, Finland                  78 FI, Finland
     60 CA, Canada                   61 CA, Canada
     45 CH, Switzerland              42 SG, Singapore
     42 SG, Singapore                42 CH, Switzerland
     42 SE, Sweden                   41 SE, Sweden
     38 AU, Australia                40 AU, Australia
     31 AT, Austria                  37 AT, Austria
     28 JP, Japan                    24 JP, Japan
     26 RU, Russia                   22 IE, Ireland
     23 IE, Ireland                  20 NO, Norway
     19 NO, Norway                   17 DK, Denmark
     18 DK, Denmark                  15 BR, Brazil
     15 BR, Brazil                   14 RU, Russia
     13 IN, India                    11 SI, Slovenia
There are 7,451 unique zones (7,410 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 16,295 (16,101 last
month). These cover 16,562 distinct MX hosts (16,358 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 557 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 331
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.0 million DANE domains, 12,750 (12,735 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1086
(1802 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
90 beta.itcomputers.eu
44 fsn1-c04.xemo-net.de
19 mx1.mdbraber.com
16 mail.odissee.net
16 e-vps.hacktheplanet.nl
15 web1.ams.dcg.t-host.net
15 artemis.strebsjig.net
13 entrante.svnt.com
12 mail.bi9.de
8 postmark.flame.org
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1181 (1148 last
month). The top 10 name server operators with problem domains are:
This month                      Last month
----------                      ----------
    564 registrar-servers.com       553 registrar-servers.com
    124 axc.nl                      122 axc.nl
     88 ebola.cz                     87 ebola.cz
     33 worldnic.com                 33 made-easy.ch
     30 mijndomein.nl                32 mijndomein.nl
     30 made-easy.ch                 30 worldnic.com
     16 cloudflare.com               17 cloudflare.com
     11 vtx.ch                       11 openprovider.nl
     11 openprovider.nl              10 vtx.ch
     10 register.com                  8 register.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Six of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
tdnewissues.com
urbtix.hk
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at fau.de herinneringenoplinnen.nl
gmx.at freenet.de hetamsterdamsverbond.nl
tip.net.au gmx.de huizenzoeker.nl
pcug.org.au jpberlin.de interconnect.nl
pictolezen.be lrz.de interim-netwerk.nl
triodos.be mail.de justis.nl
tbibank.bg mpg.de luxiez.nl
cetelemnegocie.com.br mvnet.de mailplus.nl
e-renegocie.com.br neutraler-versand.de mailshover.nl
nic.br posteo.de markteffectmail.nl
registro.br ruhr-uni-bochum.de mijnuvt.nl
ehefueralle.ch tum.de minbuza.nl
gmx.ch tutanota.de minbzk.nl
hostpoint.ch uni-erlangen.de mindef.nl
infomaniak.ch uni-muenchen.de minvenj.nl
linsenkontakt.ch unitymedia.de mm1.nl
open.ch web.de mulderretail.nl
protonmail.ch westlotto.de nieuwsservice-rvo.nl
switch.ch actie.deals ns.nl
travailler-en-suisse.ch dk-hostmaster.dk orangebag.nl
simplelogin.co fibianet.dk ouderenfonds.nl
altospam.com handelsbanken.dk overheid.nl
ansigtsyogaonline.com netic.dk parlement.nl
boekenwereld.com nota.dk partijvoordedieren.nl
bornomail.com nst.dk paypro.nl
cm.com powerhosting.dk podiumcadeaukaart.nl
connectsb.com shapeit.dk politie.nl
dailyplaylists.com shellcard.dk pp-prd.nl
datev.com uvm.dk previder.nl
exegy.com wavell.dk purdey.nl
flaneurhomme.com webhosting.dk rdw.nl
gmx.com tilburguniversity.edu rijksoverheid.nl
habr.com just.ee rivm.nl
hotelsinduitsland.com envie.email rotterdam.nl
imcnig.com spike.email sans-mail.nl
infomaniak.com spotler.email schoudercom.nl
ingthink.com talentech.email schuurman-schoenen.nl
intakt.com rediris.es smartwatchbanden.nl
joomlapolis.com triodos.es sportrusten.nl
jula.com uv.es ssonet.nl
kpn.com egu.eu telefoonglaasje.nl
leszexpertsfle.com glowliving.eu triodos.nl
mail.com zone.eu truetickets.nl
mailfence.com zonevs.eu tweedekamer.nl
mammoetmail.com handelsbanken.fi uitgeverijpica.nl
mantapsurvey.com tarjousrinki.fi utwente.nl
matilhadobemadestramento.com traficom.fi uvt.nl
mx-relay.com ac-strasbourg.fr uwv.nl
nanolearning.com compagnie-des-sens.fr veilinghuispeerdeman.nl
nine-pine.com edtm-actu.fr voorpositiviteit.nl
one.com oo2.fr vu.nl
outsystems.com srci.fr waternet.nl
protonmail.com excelsior.hu werkenbijaldautomotive.nl
protonvpn.com fidesz.hu zorgmail.nl
renworkshops.com gardrobom.hu annabellstefanussen.no
sankakucomplex.com mszp.hu audi.no
schizinfo.com obiserver.hu derute.no
serverclienti.com otthonplus.hu domeneshop.no
societe.com bluebiz.info forbrukslaan.no
solvinity.com interestexplorer.io handelsbanken.no
spareklubbnorge.com neolink.link idrettenonline.no
stellarequipment.com pm.me kapitalkontroll.no
t-2.com army.mil leadmail.no
thalesgroup.com dla.mil mystuff.no
thepcw.com jten.mil norskgrammatikk.no
thepcwholesale.com mail.mil plukkselv.no
triodos.com militaryonesource.mil uib.no
tutanota.com navy.mil viphuset.no
veganallsorts.com osd.mil atelkamera.nu
vitstore.com socom.mil goget.nu
vivaldi.com uscg.mil debian.org
webcruiter.com usmc.mil exim.org
webmailph.com comcast.net freebsd.org
xfinity.com fivem.net gentoo.org
xfinityhomesecurity.com gmx.net ietf.org
xfinitymobile.com habramail.net isc.org
30tidennivyzva.cz hr-manager.net mailbox.org
akce-incomputer.cz inexio.net mailop.org
cesnet.cz mijngezondheid.net netbsd.org
csob.cz mpssec.net openssl.org
cuni.cz procurios.net ozlabs.org
cvut.cz prolocation.net samba.org
ekokoza.cz ripe.net torproject.org
gigalekarna.cz riseup.net whatpulse.org
itesco.cz t-2.net psgaz.pl
klenotyaurum.cz transip.net asf.com.pt
klubpevnehozdravi.cz xs4all.net mobily.com.sa
manymail.cz 123watches.nl alterskjaer.se
mkluzkoviny.cz amsterdam.nl axmarin.se
muni.cz argeweb.nl bilprovningen.se
nic.cz artsenzorg.nl boplatssyd-automail.se
omvnovinky.cz awcloud.nl ecster.se
onebit.cz belastingdienst.nl handelsbanken.se
optimail.cz bhosted.nl loopia.se
poptavej.cz bhsupport.nl loopiahosting.se
scrptd.cz bluerail.nl minmyndighetspost.se
server4u.cz boekwinkeltjes.nl racketspecialisten.se
smtp.cz bolerolimonadewinkel.nl skatteverket.se
sparkys.cz boozyshop.nl teknikdelar.se
stoklasa.cz burgernet.nl theletter.se
vas-server.cz cbr.nl websupport.se
virusfree.cz cbs.nl kadernickyservis.sk
zdravestravovani.cz corpoflow.nl mklozkoviny.sk
bayern.de derooijfotografie.nl najlacnejsisport.sk
brandenburg.de digid.nl rondogo.sk
bund.de duo.nl toptop.sk
bundesregierung.de edenhotels.nl triodos.co.uk
datev.de ezorg.nl govtrack.us
dfn.de healthcheckcenter.nl quantum-services.us
dvz-mv.de heilbron.nl ru.ac.za
elster.de
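The survey above classifies a domain as "correct" only when every MX host that accepts connections has TLSA records that match what it presents, as "partial" when some MX hosts have no records at all, and as broken when records exist but do not match (or STARTTLS is not offered). The following is an added example, not code from Viktor's survey or from any of the linked tools, that performs the same classification on one domain offline. The DER certificates are hand-built stand-ins with real X.509 nesting but placeholder contents, the host names are fictitious, and the `mx2` case reproduces the "3 0 1" failure the Let's Encrypt thread warns about: the record was generated from the old certificate, the host now presents a renewed certificate with the same key, and only the "3 1 1" record on `mx1` survives.

```python
"""Audit a mail domain's TLSA records against the certificates its MX hosts present.

Added example, not code from the dane-users survey. Every MX host needs a
well-formed TLSA RRset whose data matches the leaf certificate (selector 0) or
its SubjectPublicKeyInfo (selector 1) under the record's matching type. The
certificates below are constructed DER stand-ins so the script runs offline;
only DANE-EE(3) is matched, the path validation DANE-TA(2) needs is out of scope.
"""
import hashlib
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, int, int, str]      # usage, selector, matching type, hex data


def der(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV with a minimal-length encoding."""
    n = len(body)
    k = (n.bit_length() + 7) // 8
    length = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + length + body


def der_children(blob: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a constructed DER body into (tag, whole TLV, inner body) triples."""
    out, i = [], 0
    while i < len(blob):
        tag, n, hdr = blob[i], blob[i + 1], 2
        if n & 0x80:                               # long-form length
            k = n & 0x7F
            n, hdr = int.from_bytes(blob[i + 2:i + 2 + k], "big"), 2 + k
        out.append((tag, blob[i:i + hdr + n], blob[i + hdr:i + hdr + n]))
        i += hdr + n
    return out


def spki_from_cert(cert_der: bytes) -> bytes:
    """SubjectPublicKeyInfo TLV: Certificate > tbsCertificate > field after the
    optional [0] version, serialNumber, signature, issuer, validity, subject."""
    tbs_body = der_children(der_children(cert_der)[0][2])[0][2]
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[5][1]


def tlsa_data(cert_der: bytes, selector: int, mtype: int) -> bytes:
    """Association data a record must carry for this certificate."""
    selected = cert_der if selector == 0 else spki_from_cert(cert_der)
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}
    return digest[mtype](selected)


def record_problem(rec: Record) -> Optional[str]:
    """Syntax check. RFC 7672 SMTP clients only use DANE-TA(2) and DANE-EE(3)."""
    usage, selector, mtype, data = rec
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        return "usage/selector/matching type not usable for SMTP"
    try:
        raw = bytes.fromhex(data)
    except ValueError:
        return "association data is not hex"
    if {1: 32, 2: 64}.get(mtype, len(raw)) != len(raw):
        return "digest length does not fit the matching type"
    return None


def audit_domain(mx_hosts: Dict[str, Tuple[List[Record], Optional[bytes]]]) -> Dict[str, str]:
    """Per host: ok | no-tlsa | malformed | no-starttls | mismatch.
    Values are (TLSA RRset, DER leaf certificate or None if STARTTLS was not offered)."""
    out = {}
    for host, (rrset, leaf) in mx_hosts.items():
        if not rrset:
            out[host] = "no-tlsa"
        elif any(record_problem(r) for r in rrset):
            out[host] = "malformed"
        elif leaf is None:
            out[host] = "no-starttls"
        elif any(r[0] == 3 and bytes.fromhex(r[3]) == tlsa_data(leaf, r[1], r[2])
                 for r in rrset):
            out[host] = "ok"
        else:
            out[host] = "mismatch"
    return out


def domain_status(per_host: Dict[str, str]) -> str:
    """Survey categories: correct (all hosts ok), partial (some lack TLSA), broken."""
    seen = set(per_host.values())
    if seen == {"ok"}:
        return "correct"
    return "partial" if seen <= {"ok", "no-tlsa"} else "broken"


def fake_cert(key_bytes: bytes, serial: int) -> bytes:
    """Constructed certificate: correct nesting, placeholder fields, not verifiable."""
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"))
                     + der(0x03, b"\x00" + key_bytes))
    fields = [der(0xA0, der(0x02, b"\x02")), der(0x02, bytes([serial]))] + [der(0x30, b"")] * 4
    return der(0x30, der(0x30, b"".join(fields) + spki) + der(0x30, b"") + der(0x03, b"\x00"))


def rec(cert: bytes, selector: int, mtype: int) -> Record:
    """Usage-3 TLSA record generated from a certificate, as a publisher would."""
    return (3, selector, mtype, tlsa_data(cert, selector, mtype).hex())


KEY_A = b"constructed-public-key-A"
CERT_A1, CERT_A2 = fake_cert(KEY_A, 1), fake_cert(KEY_A, 2)   # renewal: new cert, same key
CERT_B = fake_cert(b"constructed-public-key-B", 3)
SAMPLE = {                                                    # constructed domain snapshot
    "mx1.example.test": ([rec(CERT_A1, 1, 1)], CERT_A2),      # 3 1 1 survives the renewal
    "mx2.example.test": ([rec(CERT_A1, 0, 1)], CERT_A2),      # 3 0 1 breaks on renewal
    "mx3.example.test": ([], CERT_B),                         # secondary MX without TLSA
}
```

Against real hosts, `SAMPLE` would be filled from the leaf certificate obtained with `openssl s_client -starttls smtp -connect <mx>:25` and the RRset from `dig +dnssec TLSA _25._tcp.<mx>` (with the AD bit checked, since unsigned or bogus TLSA answers must be ignored, not trusted). `audit_domain(SAMPLE)` yields `ok`, `mismatch` and `no-tlsa` for the three hosts, so `domain_status` reports the domain as broken; dropping `mx2` would leave it merely partial, which is the downgrade-via-the-uncovered-host case the survey text describes.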
Hi Moritz
First of all - thanks (to all the article authors) for providing research into DANE deployments - it is very much appreciated.
I would, however, really wish that you compared the amount (in %) of mismanaged SMTP servers doing DANE to the general amount (in %) of mismanaged SMTP servers, in order to provide some sort of "baseline".
My gut feeling is that the amount of mismanaged SMTP servers handling DANE is very, very low compared to mismanaged SMTP servers in general.
I also hope that you have read and taken Viktor's remarks (regarding the initial paper from 2020) into account in the new version:
http://dnssec-stats.ant.isi.edu/~viktor/usenix-security-dane-response.html
Since you mention Antagonist.nl in the report:
Antagonist has been bought by Group.ONE: https://group.one/group-one-acquires-antagonist/
I had hoped that I had a chance to pull some statistics out of our one.com outbound mailservers, with some real % on errors that we see, and share them, but unfortunately I simply haven't had time. :-(
It looks like USENIX Security '22 is in August - so that gives me some possibilities to look into that next year before the conference. :-)
Kind Regards,
Sidsel Jensen
Team manager Mail & Abuse, Systems Engineer @ One.com
> On 29 Nov 2021, at 10.55, Moritz Müller via mailop <mailop(a)mailop.org> wrote:
>
> Hi all,
>
> A while ago we’ve asked the members of this mailing list to fill in a survey about DANE management.
> First of all: Thanks to everyone who filled in the survey!
>
> We've processed the results which are now part of our paper "Under the Hood of DANE Mismanagement in SMTP", which is going to be published at USENIX Security [1].
>
> Overall, we see that the vast majority of domain names that outsource their SMTP server (which is the majority of all domain names) configure DANE correctly.
> Self hosted SMTP servers, however, are misconfigured frequently.
> Especially keeping the TLSA records from a name server and certificates from an SMTP server synchronized is not straightforward.
>
> You can read the full abstract and paper here [1].
>
> —
> Moritz
>
> [1] https://www.usenix.org/conference/usenixsecurity22/presentation/lee
>
>
Hi all,
A while ago we’ve asked the members of this mailing list to fill in a survey about DANE management.
First of all: Thanks to everyone who filled in the survey!
We've processed the results which are now part of our paper "Under the Hood of DANE Mismanagement in SMTP", which is going to be published at USENIX Security [1].
Overall, we see that the vast majority of domain names that outsource their SMTP server (which is the majority of all domain names) configure DANE correctly.
Self hosted SMTP servers, however, are misconfigured frequently.
Especially keeping the TLSA records from a name server and certificates from an SMTP server synchronized is not straightforward.
You can read the full abstract and paper here [1].
—
Moritz
[1] https://www.usenix.org/conference/usenixsecurity22/presentation/lee
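Moritz's finding that self-hosted operators struggle to keep TLSA records and certificates synchronized, and Viktor's standing advice to "implement a reliable key rotation procedure" (RFC 7671 sections 8.1 and 8.4), both come down to one invariant: at every instant, every TLSA RRset a resolver might still have cached must match the key the MX host is presenting. The example below is added here and is not code from either post or from RFC 7671. It replays a rollover plan against the worst case of resolver caching and reports the instants at which that invariant fails. The keys are placeholder bytes standing in for DER SubjectPublicKeyInfo, the TTL and timings are constructed, and the 2x TTL wait in `safe_plan` is this example's safety margin rather than anything the RFC prescribes.

```python
"""Check a TLSA key-rollover plan against resolver caching.

Added example, not code from the dane-users posts or from RFC 7671. It models
the rollover for fixed "3 1 1" parameters: publish the new key's record beside
the old one, wait for caches to expire, switch the key, then retire the old
record. Keys, TTLs and timings are constructed sample data.
"""
import hashlib
from typing import List, Tuple

Record = Tuple[int, int, int, str]      # usage, selector, matching type, hex data
Event = Tuple[int, str, object]         # (time in s, "publish" RRset | "deploy" key)

# A key is represented by its DER SubjectPublicKeyInfo, which selector 1 hashes.
OLD_SPKI = b"constructed-old-spki"
NEW_SPKI = b"constructed-new-spki"


def tlsa_3_1_1(spki: bytes) -> Record:
    """DANE-EE(3) SPKI(1) SHA2-256(1) record for a key."""
    return (3, 1, 1, hashlib.sha256(spki).hexdigest())


def rrset_matches(rrset: List[Record], spki: bytes) -> bool:
    """True if any 3 1 1 record in the RRset matches the presented key."""
    want = hashlib.sha256(spki).hexdigest()
    return any((u, s, m) == (3, 1, 1) and d.lower() == want for u, s, m, d in rrset)


def safe_plan(old: bytes, new: bytes, ttl: int) -> List[Event]:
    """Pre-publish, wait 2x TTL, switch keys, then retire the old record."""
    return [
        (0,       "publish", [tlsa_3_1_1(old), tlsa_3_1_1(new)]),
        (2 * ttl, "deploy",  new),
        (3 * ttl, "publish", [tlsa_3_1_1(new)]),
    ]


def unsafe_plan(old: bytes, new: bytes, ttl: int) -> List[Event]:
    """The common mistake: replace the record and the key in one step."""
    return [(0, "publish", [tlsa_3_1_1(new)]), (0, "deploy", new)]


def rollover_violations(plan: List[Event], initial_rrset: List[Record],
                        initial_spki: bytes, ttl: int) -> List[Tuple[int, str]]:
    """(time, reason) for every instant at which a cached RRset rejects the live key.

    The zone serves RRset i on [s_i, s_i+1); a resolver that fetched at time f
    keeps its copy until f + ttl, so at time t any RRset served at some f in
    (t - ttl, t] may still be cached somewhere. The live key is the latest
    deploy at or before t. State changes only at event times and ttl after
    them, so those instants are an exhaustive set of checkpoints.
    """
    events = sorted(plan, key=lambda e: e[0])
    before = -10 * ttl                      # the initial state was stable for a long time
    zone = [(before, initial_rrset)] + [(t, p) for t, a, p in events if a == "publish"]
    keys = [(before, initial_spki)] + [(t, p) for t, a, p in events if a == "deploy"]

    def cached_rrsets(t: int) -> List[List[Record]]:
        out = []
        for i, (start, rrset) in enumerate(zone):
            end = zone[i + 1][0] if i + 1 < len(zone) else float("inf")
            if start <= t and end > t - ttl and end > start:
                out.append(rrset)
        return out

    def live_key(t: int) -> bytes:
        return [k for s, k in keys if s <= t][-1]

    checkpoints = sorted({t for t, _, _ in events} | {t + ttl for t, _, _ in events})
    violations = []
    for t in checkpoints:
        key = live_key(t)
        for rrset in cached_rrsets(t):
            if not rrset_matches(rrset, key):
                digests = ", ".join(d[:8] for *_, d in rrset)
                violations.append((t, f"cached RRset [{digests}] rejects live key"))
    return violations


if __name__ == "__main__":
    ttl = 3600
    start = [tlsa_3_1_1(OLD_SPKI)]
    for name, plan in (("safe", safe_plan(OLD_SPKI, NEW_SPKI, ttl)),
                       ("unsafe", unsafe_plan(OLD_SPKI, NEW_SPKI, ttl))):
        print(name, rollover_violations(plan, start, OLD_SPKI, ttl) or "no violations")
```

The unsafe plan fails at t=0: a resolver that fetched the old RRset moments earlier will keep rejecting the new key for a full TTL. A plan that deploys at any point before one TTL after pre-publishing fails the same way. Note what the checker does not cover: a certificate renewal that keeps the same key needs no rollover at all under "3 1 1", which is the practical reason the survey's links steer operators away from "3 0 1".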
Summary: The DANE domain count is now 2,974,861 (up from 2,912,048 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,638,332 (up from 16,310,355 last
month). Thus DANE TLSA is deployed on ~17.87% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ See the Credits[0] list below my signature. ]
As of today I count ~2.97 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                      Last month
----------                      ----------
1219713 one.com                 1225237 one.com
 270842 hostpoint.ch             211135 hostpoint.ch
 154249 transip.nl               153581 transip.nl
 152372 infomaniak.ch            151214 argewebhosting.nl
 150807 argewebhosting.nl        150461 infomaniak.ch
 105814 domeneshop.no            105846 domeneshop.no
  98302 webhostingserver.nl       98581 webhostingserver.nl
  94851 loopia.se                 94743 loopia.se
  71517 forpsi.com                71205 forpsi.com
  46431 active24.com              46199 active24.com
  45675 zxcs.nl                   43026 zxcs.nl
  42325 webreus.nl                40150 webreus.nl
  38150 antagonist.nl             37893 antagonist.nl
  36614 pcextreme.nl              36906 pcextreme.nl
  27758 vevida.com                28102 vevida.com
  27035 webhosting.dk             27607 webhosting.dk
  26937 udmedia.de                26882 udmedia.de
  26456 web4u.cz                  26468 web4u.cz
  23884 hosting2go.nl             24184 hosting2go.nl
  21623 protonmail.ch             20972 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                      Last month
----------                      ----------
   9206 TOTAL                      9030 TOTAL
   2692 DE, Germany                2649 DE, Germany
   1768 NL, Netherlands            1723 US, United States
   1731 US, United States          1720 NL, Netherlands
    699 FR, France                  690 FR, France
    334 GB, United Kingdom          330 GB, United Kingdom
    245 CZ, Czechia                 231 CZ, Czechia
    208 CA, Canada                  205 CA, Canada
    203 FI, Finland                 196 FI, Finland
    127 DK, Denmark                 125 DK, Denmark
    121 AT, Austria                 119 SG, Singapore
    120 SG, Singapore               117 AT, Austria
    107 CH, Switzerland             109 CH, Switzerland
    100 AU, Australia                98 SE, Sweden
     98 SE, Sweden                   95 AU, Australia
     54 PL, Poland                   50 PL, Poland
     44 RU, Russia                   45 RU, Russia
     44 NO, Norway                   42 NO, Norway
     42 IE, Ireland                  40 IE, Ireland
     41 BR, Brazil                   37 IT, Italy
     36 JP, Japan                    35 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                      Last month
----------                      ----------
   7202 TOTAL                      7116 TOTAL
   3389 NL, Netherlands            3368 NL, Netherlands
   1889 DE, Germany                1862 DE, Germany
    767 US, United States           728 US, United States
    290 FR, France                  294 FR, France
    153 CZ, Czechia                 141 CZ, Czechia
    136 GB, United Kingdom          136 GB, United Kingdom
     78 FI, Finland                  76 FI, Finland
     61 CA, Canada                   63 CA, Canada
     42 SG, Singapore                50 CH, Switzerland
     42 CH, Switzerland              44 SE, Sweden
     41 SE, Sweden                   43 SG, Singapore
     40 AU, Australia                39 AU, Australia
     37 AT, Austria                  30 RU, Russia
     24 JP, Japan                    30 AT, Austria
     22 IE, Ireland                  23 JP, Japan
     20 NO, Norway                   21 IE, Ireland
     17 DK, Denmark                  17 NO, Norway
     15 BR, Brazil                   17 DK, Denmark
     14 RU, Russia                   14 BR, Brazil
     11 SI, Slovenia                 11 PL, Poland
There are 7,410 unique zones (7,308 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 16,101 (15,915 last
month). These cover 16,358 distinct MX hosts (16,170 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 543 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 309
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.97 million DANE domains, 12,735 (12,805 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1802
(1110 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
780 mta1.vaiadigital.net (explains this month's "bump")
71 vps01.marcus.services
41 mx1.redpill.servernetz.biz
16 mail.odissee.net
16 e-vps.hacktheplanet.nl
15 web1.ams.dcg.t-host.net
15 artemis.strebsjig.net
13 entrante.svnt.com
11 smtp.hoggins.fr
9 mail.syngenuity.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1148 (1148 last
month). The top 10 name server operators with problem domains are:
This month                      Last month
----------                      ----------
    553 registrar-servers.com       546 registrar-servers.com
    122 axc.nl                      119 axc.nl
     87 ebola.cz                     85 ebola.cz
     33 made-easy.ch                 35 made-easy.ch
     32 mijndomein.nl                29 mijndomein.nl
     30 worldnic.com                 19 cloudflare.com
     17 cloudflare.com               16 worldnic.com
     11 openprovider.nl              13 renault.fr
     10 vtx.ch                       11 openprovider.nl
      8 register.com                  9 vtx.ch
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Four of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at fau.de digid.nl
gmx.at followerpilot.de duo.nl
pictolezen.be freenet.de edenhotels.nl
triodos.be gmx.de ezorg.nl
tbibank.bg jpberlin.de healthcheckcenter.nl
cetelemnegocie.com.br lrz.de herinneringenoplinnen.nl
e-negociacao.com.br mail.de hetamsterdamsverbond.nl
e-renegocie.com.br mensa.de huizenzoeker.nl
nic.br mpg.de interconnect.nl
registro.br mvnet.de interim-netwerk.nl
ehefueralle.ch neutraler-versand.de luxiez.nl
gmx.ch posteo.de mailplus.nl
hostpoint.ch ruhr-uni-bochum.de mailshover.nl
infomaniak.ch tum.de markteffectmail.nl
linsenkontakt.ch tutanota.de mijnuvt.nl
open.ch uni-erlangen.de minbuza.nl
protonmail.ch uni-muenchen.de minbzk.nl
switch.ch unitymedia.de mindef.nl
travailler-en-suisse.ch web.de mm1.nl
wog.ch westlotto.de mulderretail.nl
simplelogin.co actie.deals nieuwsservice-rvo.nl
altospam.com dk-hostmaster.dk ns.nl
bornomail.com fibianet.dk orangebag.nl
cm.com handelsbanken.dk overheid.nl
connectsb.com netic.dk partijvoordedieren.nl
dailyplaylists.com nota.dk paypro.nl
datev.com peterhald.dk podiumcadeaukaart.nl
flaneurhomme.com powerhosting.dk politie.nl
gmx.com shapeit.dk pp-prd.nl
habr.com shellcard.dk previder.nl
hotelsinduitsland.com webhosting.dk purdey.nl
imcnig.com tilburguniversity.edu rijksoverheid.nl
infomaniak.com just.ee rotterdam.nl
ingthink.com envie.email sans-mail.nl
intakt.com spike.email schoudercom.nl
joomlapolis.com spotler.email schuurman-schoenen.nl
jula.com rediris.es sportrusten.nl
kpn.com triodos.es ssonet.nl
leszexpertsfle.com uv.es telefoonglaasje.nl
mail.com egu.eu triodos.nl
mailfence.com qard.eu truetickets.nl
mammoetmail.com zone.eu uitgeverijpica.nl
matilhadobemadestramento.com zonevs.eu utwente.nl
mx-relay.com handelsbanken.fi uvt.nl
nanolearning.com tarjousrinki.fi uwv.nl
nine-pine.com ac-strasbourg.fr veilinghuispeerdeman.nl
one.com compagnie-des-sens.fr voorpositiviteit.nl
outsystems.com edtm-actu.fr vu.nl
protonmail.com oo2.fr waternet.nl
protonvpn.com srci.fr werkenbijaldautomotive.nl
renworkshops.com excelsior.hu xs4all.nl
sankakucomplex.com fidesz.hu zorgmail.nl
schizinfo.com gardrobom.hu annabellstefanussen.no
societe.com obiserver.hu audi.no
solvinity.com otthonplus.hu derute.no
spareklubbnorge.com popfilm.hu domeneshop.no
stellarequipment.com pandi.id handelsbanken.no
t-2.com bluebiz.info idrettenonline.no
thalesgroup.com interestexplorer.io leadmail.no
thepcw.com neolink.link norskgrammatikk.no
thepcwholesale.com pm.me uib.no
triodos.com army.mil viphuset.no
tutanota.com dla.mil atelkamera.nu
veganallsorts.com jten.mil goget.nu
vitstore.com mail.mil debian.org
vivaldi.com militaryonesource.mil exim.org
webcruiter.com navy.mil freebsd.org
webmailph.com nga.mil gentoo.org
xfinity.com osd.mil ietf.org
xfinityhomesecurity.com socom.mil isc.org
xfinitymobile.com uscg.mil mailbox.org
30tidennivyzva.cz usmc.mil mailop.org
akce-incomputer.cz comcast.net netbsd.org
cuni.cz fivem.net openssl.org
ekokoza.cz gmx.net ozlabs.org
gigalekarna.cz habramail.net samba.org
itesco.cz hr-manager.net torproject.org
klenotyaurum.cz inexio.net whatpulse.org
klubpevnehozdravi.cz mijngezondheid.net psgaz.pl
manymail.cz mpssec.net asf.com.pt
mkluzkoviny.cz procurios.net mobily.com.sa
nic.cz prolocation.net alterskjaer.se
omvnovinky.cz ripe.net bilprovningen.se
onebit.cz riseup.net boplatssyd-automail.se
optimail.cz s-qrc.net ecster.se
poptavej.cz t-2.net handelsbanken.se
scrptd.cz transip.net loopia.se
server4u.cz xs4all.net loopiahosting.se
smtp.cz 123watches.nl minmyndighetspost.se
sparkys.cz amsterdam.nl parkerat.se
stoklasa.cz argeweb.nl skatteverket.se
vas-server.cz artsenzorg.nl teknikdelar.se
virusfree.cz awcloud.nl theletter.se
zdravestravovani.cz belastingdienst.nl websupport.se
bayern.de bhosted.nl flagranti.sk
brandenburg.de bluerail.nl mklozkoviny.sk
bund.de boekwinkeltjes.nl najlacnejsisport.sk
bundesregierung.de boozyshop.nl rondogo.sk
datev.de burgernet.nl toptop.sk
dfn.de cbr.nl triodos.co.uk
dvz-mv.de cbs.nl govtrack.us
ekom21.de corpoflow.nl quantum-services.us
elster.de derooijfotografie.nl ru.ac.za
Summary: The DANE domain count is now 2,912,048 (up from 2,779,500 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,310,355 (up from 16,107,719 last
month). Thus DANE TLSA is deployed on ~17.85% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ See the Credits[0] list below my signature. ]
As of today I count ~2.91 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month                      Last month
----------                      ----------
1225237 one.com                 1225124 one.com
 211135 hostpoint.ch             152779 transip.nl
 153581 transip.nl               150719 argewebhosting.nl
 151214 argewebhosting.nl        148426 infomaniak.ch
 150461 infomaniak.ch            105493 domeneshop.no
 105846 domeneshop.no             98765 webhostingserver.nl
  98581 webhostingserver.nl       94403 loopia.se
  94743 loopia.se                 86961 hostpoint.ch
  71205 forpsi.com                70606 forpsi.com
  46199 active24.com              46019 active24.com
  43026 zxcs.nl                   40474 zxcs.nl
  40150 webreus.nl                40396 webreus.nl
  37893 antagonist.nl             37911 antagonist.nl
  36906 pcextreme.nl              37226 pcextreme.nl
  28102 vevida.com                28411 vevida.com
  27607 webhosting.dk             27416 webhosting.dk
  26882 udmedia.de                26691 udmedia.de
  26468 web4u.cz                  26509 web4u.cz
  24184 hosting2go.nl             24443 hosting2go.nl
  20972 protonmail.ch             20574 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                      Last month
----------                      ----------
   9030 TOTAL                      8890 TOTAL
   2649 DE, Germany                2655 DE, Germany
   1723 US, United States          1715 US, United States
   1720 NL, Netherlands            1686 NL, Netherlands
    690 FR, France                  654 FR, France
    330 GB, United Kingdom          330 GB, United Kingdom
    231 CZ, Czechia                 226 CZ, Czechia
    205 CA, Canada                  202 CA, Canada
    196 FI, Finland                 185 FI, Finland
    125 DK, Denmark                 125 DK, Denmark
    119 SG, Singapore               114 SG, Singapore
    117 AT, Austria                 107 CH, Switzerland
    109 CH, Switzerland              99 SE, Sweden
     98 SE, Sweden                   88 AU, Australia
     95 AU, Australia                84 AT, Austria
     50 PL, Poland                   44 PL, Poland
     45 RU, Russia                   43 IE, Ireland
     42 NO, Norway                   40 RU, Russia
     40 IE, Ireland                  40 BR, Brazil
     37 IT, Italy                    39 NO, Norway
     35 BR, Brazil                   35 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                      Last month
----------                      ----------
   7116 TOTAL                      7009 TOTAL
   3368 NL, Netherlands            3336 NL, Netherlands
   1862 DE, Germany                1826 DE, Germany
    728 US, United States           714 US, United States
    294 FR, France                  290 FR, France
    141 CZ, Czechia                 145 CZ, Czechia
    136 GB, United Kingdom          136 GB, United Kingdom
     76 FI, Finland                  74 FI, Finland
     63 CA, Canada                   59 CA, Canada
     50 CH, Switzerland              47 CH, Switzerland
     44 SE, Sweden                   44 SE, Sweden
     43 SG, Singapore                42 SG, Singapore
     39 AU, Australia                30 AU, Australia
     30 RU, Russia                   29 AT, Austria
     30 AT, Austria                  26 RU, Russia
     23 JP, Japan                    23 JP, Japan
     21 IE, Ireland                  21 IE, Ireland
     17 NO, Norway                   17 DK, Denmark
     17 DK, Denmark                  16 NO, Norway
     14 BR, Brazil                   14 BR, Brazil
     11 PL, Poland                   11 SI, Slovenia
There are 7,308 unique zones (7,242 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,915 (15,791 last
month). These cover 16,170 distinct MX hosts (16,039 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 538 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 314
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.91 million DANE domains, 12,805 (12,794 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1110
(1298 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1148 (1298 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
546 registrar-servers.com 542 registrar-servers.com
119 axc.nl 119 axc.nl
85 ebola.cz 89 ebola.cz
35 made-easy.ch 59 westgatehosting.com
29 mijndomein.nl 49 netcup.net
19 cloudflare.com 46 epik.com
16 worldnic.com 30 made-easy.ch
13 renault.fr 27 mijndomein.nl
11 openprovider.nl 19 cloudflare.com
9 vtx.ch 15 worldnic.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
bncr.fi.cr
kprm.gov.pl
novathreads.us
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
30 Sep '21
The DANE survey continues to observe a "long tail" of MX hosts with TLSA
records that match the retired "X3" and/or "X4" Let's Encrypt issuer CAs.
If you're publishing TLSA records with Let's Encrypt issuer CA hashes,
the "X3" and "X4" CAs should no longer appear in your TLSA RRset. Also
be sure to use "2 1 1" and not "2 0 1" or "2 0 2" TLSA parameters.
For details see:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
The MX host counts for the various LE CAs are:
# | CA
------+----
538 | X3
248 | X4
1133 | R3
436 | R4
483 | E1
396 | E2
* The counts for X3 and X4 should by now be 0.
* Every MX host that publishes R3 should also publish R4.
* Every MX host publishing E1 should also publish E2.
* The simplest strategy is to publish all four of R3, R4, E1 and E2.
--
Viktor.
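Added here as an editor's example, not code from the survey or the list: a small Python linter that applies the rules in the post above to one MX host's TLSA RRset, parsing presentation-format rdata, flagging "2 0 x" / "3 0 x" parameters and malformed digests, and checking the Let's Encrypt issuer pairs (X3/X4 retired, R3 with R4, E1 with E2). The digests in LE_ISSUER_DIGESTS are constructed placeholders, not the real SPKI hashes of the Let's Encrypt CAs.

```python
import re
from dataclasses import dataclass

# Expected hex length of the certificate association data per matching type
# (RFC 6698): 1 = SHA-256, 2 = SHA-512.  Matching type 0 carries full DER
# data of variable length, so it is not length-checked here.
DIGEST_HEX_LEN = {1: 64, 2: 128}

# Constructed placeholder digests for the Let's Encrypt issuer CAs named in
# the post.  They are NOT the real "2 1 1" SPKI digests; an operator would
# fill this table from the actual issuer certificates.
LE_ISSUER_DIGESTS = {
    "X3": "a3" * 32,
    "X4": "a4" * 32,
    "R3": "b3" * 32,
    "R4": "b4" * 32,
    "E1": "c1" * 32,
    "E2": "c2" * 32,
}
ISSUER_BY_DIGEST = {digest: name for name, digest in LE_ISSUER_DIGESTS.items()}
RETIRED_ISSUERS = {"X3", "X4"}
# Each active issuer should be published together with its backup partner,
# so that a switch between them does not break DANE verification.
ISSUER_PARTNER = {"R3": "R4", "R4": "R3", "E1": "E2", "E2": "E1"}


@dataclass(frozen=True)
class TLSARecord:
    usage: int
    selector: int
    mtype: int
    data: str  # lowercase hex, whitespace removed


_TLSA_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+([0-9A-Fa-f\s]+)$")


def parse_tlsa(rdata: str) -> TLSARecord:
    """Parse presentation-format rdata such as '2 1 1 <hex>'.

    Whitespace inside the hex field is tolerated, as in zone files.
    """
    match = _TLSA_RE.match(rdata)
    if not match:
        raise ValueError(f"malformed TLSA rdata: {rdata!r}")
    usage, selector, mtype = (int(match.group(i)) for i in (1, 2, 3))
    if usage > 3 or selector > 1 or mtype > 2:
        raise ValueError(f"unknown TLSA parameters in: {rdata!r}")
    data = re.sub(r"\s+", "", match.group(4)).lower()
    return TLSARecord(usage, selector, mtype, data)


def lint_tlsa_rrset(rdatas):
    """Return a list of human-readable findings for one MX host's TLSA RRset.

    An empty list means the RRset follows the advice in the post.
    """
    findings, records = [], []
    for rdata in rdatas:
        try:
            records.append(parse_tlsa(rdata))
        except ValueError as exc:
            findings.append(str(exc))
    if not records:
        findings.append("no usable TLSA records: publish at least one "
                        "'2 1 1' or '3 1 1' record")
        return findings

    issuers_seen = set()
    for rec in records:
        params = f"{rec.usage} {rec.selector} {rec.mtype}"
        want = DIGEST_HEX_LEN.get(rec.mtype)
        if want is not None and len(rec.data) != want:
            findings.append(f"{params}: digest has {len(rec.data)} hex chars, "
                            f"expected {want}")
        if rec.usage in (0, 1):
            findings.append(f"{params}: PKIX usages 0 and 1 are not used for "
                            "SMTP DANE (RFC 7672); use usage 2 or 3")
        elif rec.selector == 0:
            findings.append(f"{params}: selector 0 ties the record to one exact "
                            f"certificate; publish '{rec.usage} 1 1' (SPKI) instead")
        if (rec.usage, rec.selector, rec.mtype) == (2, 1, 1):
            name = ISSUER_BY_DIGEST.get(rec.data)
            if name:
                issuers_seen.add(name)

    for name in sorted(issuers_seen & RETIRED_ISSUERS):
        findings.append(f"issuer {name} is retired: remove its TLSA record")
    for name in sorted(issuers_seen):
        partner = ISSUER_PARTNER.get(name)
        if partner and partner not in issuers_seen:
            findings.append(f"issuer {name} is published without its partner {partner}")
    return findings


if __name__ == "__main__":
    # Constructed RRset mixing a retired X3, an unpaired R3, a "2 0 1" record,
    # a truncated digest and one unparseable line.
    sample = [
        "2 1 1 " + LE_ISSUER_DIGESTS["X3"],
        "2 1 1 " + LE_ISSUER_DIGESTS["R3"],
        "2 0 1 " + "ff" * 32,
        "3 1 1 deadbeef",
        "bogus",
    ]
    for finding in lint_tlsa_rrset(sample):
        print(finding)
```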
Summary: The DANE domain count is now 2,779,500 (up from 2,653,718 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 16,107,719 (up from 15,663,538 last
month). Thus DANE TLSA is deployed on ~17.26% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ A major part of the increase in both DNSSEC and DANE domains is
a result of a significant expansion of use of DNSSEC among .CH
domains, particularly at hostpoint.ch and infomaniak.ch.
Congratulations and thanks to both and also switch.ch.
The .CH TLD is now the 9th largest by count of signed
delegations in the survey dataset, just behind .NO, perhaps
not for long, if the present growth rate holds up. ]
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,779,500 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1225124 one.com 1227184 one.com
152779 transip.nl 151493 transip.nl
150719 argewebhosting.nl 150376 argewebhosting.nl
148426 infomaniak.ch 114457 infomaniak.ch
105493 domeneshop.no 105236 domeneshop.no
98765 webhostingserver.nl 98871 webhostingserver.nl
94403 loopia.se 94187 loopia.se
86961 hostpoint.ch 70345 forpsi.com
70606 forpsi.com 42190 active24.com
46019 active24.com 39057 zxcs.nl
40474 zxcs.nl 38973 webreus.nl
40396 webreus.nl 37753 antagonist.nl
37911 antagonist.nl 37509 pcextreme.nl
37226 pcextreme.nl 28712 vevida.com
28411 vevida.com 27550 webhosting.dk
27416 webhosting.dk 26580 web4u.cz
26691 udmedia.de 26555 udmedia.de
26509 web4u.cz 24671 hosting2go.nl
24443 hosting2go.nl 19910 protonmail.ch
20574 protonmail.ch 18975 bhosted.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8890 TOTAL 8815 TOTAL
2655 DE, Germany 2631 DE, Germany
1715 US, United States 1693 US, United States
1686 NL, Netherlands 1676 NL, Netherlands
654 FR, France 662 FR, France
330 GB, United Kingdom 313 GB, United Kingdom
226 CZ, Czechia 226 CZ, Czechia
202 CA, Canada 206 CA, Canada
185 FI, Finland 174 FI, Finland
125 DK, Denmark 124 DK, Denmark
114 SG, Singapore 122 SG, Singapore
107 CH, Switzerland 106 CH, Switzerland
99 SE, Sweden 102 SE, Sweden
88 AU, Australia 84 AU, Australia
84 AT, Austria 76 AT, Austria
44 PL, Poland 41 RU, Russia
43 IE, Ireland 41 PL, Poland
40 RU, Russia 41 IE, Ireland
40 BR, Brazil 40 NO, Norway
39 NO, Norway 40 BR, Brazil
35 IT, Italy 38 JP, Japan
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
7009 TOTAL 6948 TOTAL
3336 NL, Netherlands 3301 NL, Netherlands
1826 DE, Germany 1810 DE, Germany
714 US, United States 710 US, United States
290 FR, France 297 FR, France
145 CZ, Czechia 154 CZ, Czechia
136 GB, United Kingdom 137 GB, United Kingdom
74 FI, Finland 71 FI, Finland
59 CA, Canada 61 CA, Canada
47 CH, Switzerland 44 SG, Singapore
44 SE, Sweden 43 SE, Sweden
42 SG, Singapore 42 CH, Switzerland
30 AU, Australia 32 AU, Australia
29 AT, Austria 29 AT, Austria
26 RU, Russia 27 JP, Japan
23 JP, Japan 20 IE, Ireland
21 IE, Ireland 17 RU, Russia
17 DK, Denmark 17 DK, Denmark
16 NO, Norway 16 NO, Norway
14 BR, Brazil 14 BR, Brazil
11 SI, Slovenia 12 IN, India
There are 7,242 unique zones (7,168 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,791 (15,673 last
month). These cover 16,039 distinct MX hosts (15,908 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 517 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 301
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.78 million DANE domains, 12,794 (12,719 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1298
(1187 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1298 (1329 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
542 registrar-servers.com 548 registrar-servers.com
119 axc.nl 119 axc.nl
89 ebola.cz 88 ebola.cz
59 westgatehosting.com 48 epik.com
49 netcup.net 28 made-easy.ch
46 epik.com 27 mijndomein.nl
30 made-easy.ch 26 3zy.de
27 mijndomein.nl 24 tiscomhosting.nl
19 cloudflare.com 22 netcup.net
15 worldnic.com 20 cloudflare.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Five of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
bncr.fi.cr
pedulilindungi.id
novathreads.us
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
NOTE: When using NSEC3 to sign your domain, please make sure your extra
iteration count is not needlessly large (i.e. above ~25, 0 is best).
For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
Summary: The DANE domain count is now 2,653,718 (down from 2,671,696 last month).
[ One Dutch hosting provider with ~25k DANE domains last month, no
longer has MX TLSA records this month, perhaps temporarily? ]
The number of domains that return DNSSEC-validated replies in
response to MX queries is 15,663,538 (up from 15,370,647 last
month). Thus DANE TLSA is deployed on ~16.94% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,653,718 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1227184 one.com 1229596 one.com
151493 transip.nl 150659 transip.nl
150376 argewebhosting.nl 150607 argewebhosting.nl
114457 infomaniak.ch 112821 infomaniak.ch
105236 domeneshop.no 105401 domeneshop.no
98871 webhostingserver.nl 99195 webhostingserver.nl
94187 loopia.se 94181 loopia.se
70345 forpsi.com 70039 forpsi.com
42190 active24.com 42040 active24.com
39057 zxcs.nl 39239 webreus.nl
38973 webreus.nl 38021 zxcs.nl
37753 antagonist.nl 37715 pcextreme.nl
37509 pcextreme.nl 37563 antagonist.nl
28712 vevida.com 28958 vevida.com
27550 webhosting.dk 27525 webhosting.dk
26580 web4u.cz 26607 web4u.cz
26555 udmedia.de 26407 udmedia.de
24671 hosting2go.nl 24915 hosting2go.nl
19910 protonmail.ch 24728 spamservice.nl
18975 bhosted.nl 19280 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8815 TOTAL 8751 TOTAL
2631 DE, Germany 2635 DE, Germany
1693 US, United States 1677 US, United States
1676 NL, Netherlands 1668 NL, Netherlands
662 FR, France 653 FR, France
313 GB, United Kingdom 317 GB, United Kingdom
226 CZ, Czechia 227 CZ, Czechia
206 CA, Canada 202 CA, Canada
174 FI, Finland 169 FI, Finland
124 DK, Denmark 124 DK, Denmark
122 SG, Singapore 121 SG, Singapore
106 CH, Switzerland 106 CH, Switzerland
102 SE, Sweden 97 SE, Sweden
84 AU, Australia 81 AU, Australia
76 AT, Austria 72 AT, Austria
41 RU, Russia 45 PL, Poland
41 PL, Poland 39 NO, Norway
41 IE, Ireland 39 IE, Ireland
40 NO, Norway 38 RU, Russia
40 BR, Brazil 37 JP, Japan
38 JP, Japan 37 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6948 TOTAL 6912 TOTAL
3301 NL, Netherlands 3291 NL, Netherlands
1810 DE, Germany 1807 DE, Germany
710 US, United States 699 US, United States
297 FR, France 292 FR, France
154 CZ, Czechia 143 GB, United Kingdom
137 GB, United Kingdom 138 CZ, Czechia
71 FI, Finland 75 FI, Finland
61 CA, Canada 59 CA, Canada
44 SG, Singapore 45 CH, Switzerland
43 SE, Sweden 44 SG, Singapore
42 CH, Switzerland 41 SE, Sweden
32 AU, Australia 30 AU, Australia
29 AT, Austria 28 AT, Austria
27 JP, Japan 25 JP, Japan
20 IE, Ireland 18 DK, Denmark
17 RU, Russia 17 RU, Russia
17 DK, Denmark 16 NO, Norway
16 NO, Norway 16 IE, Ireland
14 BR, Brazil 14 BR, Brazil
12 IN, India 11 PL, Poland
There are 7,168 unique zones (7,132 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,673 (15,568 last
month). These cover 15,908 distinct MX hosts (15,805 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 496 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 301
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.65 million domains, 12,719 (12,786 last month) have "partial"
TLSA records that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1187
(also 1187 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1329 (1661 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
548 registrar-servers.com 526 registrar-servers.com
119 axc.nl 393 serverion.nl
88 ebola.cz 118 axc.nl
48 epik.com 89 ebola.cz
28 made-easy.ch 50 epik.com
27 mijndomein.nl 29 made-easy.ch
26 3zy.de 28 mijndomein.nl
24 tiscomhosting.nl 24 tiscomhosting.nl
22 netcup.net 22 cloudflare.com
20 cloudflare.com 16 movenext.nl
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Three of the domains, all of whose nameservers have broken denial of
existence, appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
bncr.fi.cr
peacecorps.gov
ssa.gov
sauditelecom.com.sa
kmutt.ac.th
novathreads.us
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
NOTE: When using NSEC3 to sign your domain, please make sure your extra
iteration count is not needlessly large (i.e. above ~25, 0 is best).
For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html
https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
Summary: The DANE domain count is now 2,671,696 (up from 2,638,525 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 15,370,647 (up from 15,118,039 last
month). Thus DANE TLSA is deployed on ~17.38% of domains with
DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has
taken place, and all previously issued X3-issued certificates
are now expired. If you're still publishing the X3 hash in
your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security.
Credits also due to ICANN for gTLD data via CZDS, and to
the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI,
.NL, .NU, .ORG and .SE. More data sources of ccTLD
signed delegations welcome.
As of today I count 2,671,696 domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
This month Last month
---------- ----------
1229596 one.com 1228949 one.com
150659 transip.nl 150486 transip.nl
150607 argewebhosting.nl 150288 argewebhosting.nl
112821 infomaniak.ch 110793 infomaniak.ch
105401 domeneshop.no 104816 domeneshop.no
99195 webhostingserver.nl 99494 webhostingserver.nl
94181 loopia.se 93948 loopia.se
70039 forpsi.com 69464 forpsi.com
42040 active24.com 41882 active24.com
39239 webreus.nl 39617 webreus.nl
38021 zxcs.nl 38179 pcextreme.nl
37715 pcextreme.nl 37449 antagonist.nl
37563 antagonist.nl 37023 zxcs.nl
28958 vevida.com 29200 vevida.com
27525 webhosting.dk 27706 webhosting.dk
26607 web4u.cz 26564 web4u.cz
26407 udmedia.de 26255 udmedia.de
24915 hosting2go.nl 25168 hosting2go.nl
24728 spamservice.nl 18914 bhosted.nl
19280 protonmail.ch 18594 protonmail.ch
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be.
Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX
hosts shows the below top 20 countries (each unique IP address is
counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month
---------- ----------
8751 TOTAL 8677 TOTAL
2635 DE, Germany 2631 DE, Germany
1677 US, United States 1664 US, United States
1668 NL, Netherlands 1644 NL, Netherlands
653 FR, France 636 FR, France
317 GB, United Kingdom 328 GB, United Kingdom
227 CZ, Czechia 224 CZ, Czechia
202 CA, Canada 201 CA, Canada
169 FI, Finland 167 FI, Finland
124 DK, Denmark 124 DK, Denmark
121 SG, Singapore 120 SG, Singapore
106 CH, Switzerland 100 SE, Sweden
97 SE, Sweden 98 CH, Switzerland
81 AU, Australia 79 AU, Australia
72 AT, Austria 73 AT, Austria
45 PL, Poland 44 PL, Poland
39 NO, Norway 41 IE, Ireland
39 IE, Ireland 39 NO, Norway
38 RU, Russia 37 BR, Brazil
37 JP, Japan 36 JP, Japan
37 BR, Brazil 35 RU, Russia
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month Last month
---------- ----------
6912 TOTAL 6851 TOTAL
3291 NL, Netherlands 3253 NL, Netherlands
1807 DE, Germany 1802 DE, Germany
699 US, United States 664 US, United States
292 FR, France 296 FR, France
143 GB, United Kingdom 145 CZ, Czechia
138 CZ, Czechia 142 GB, United Kingdom
75 FI, Finland 76 FI, Finland
59 CA, Canada 58 CA, Canada
45 CH, Switzerland 45 SG, Singapore
44 SG, Singapore 44 CH, Switzerland
41 SE, Sweden 43 SE, Sweden
30 AU, Australia 29 AT, Austria
28 AT, Austria 28 AU, Australia
25 JP, Japan 27 RU, Russia
18 DK, Denmark 26 JP, Japan
17 RU, Russia 17 NO, Norway
16 NO, Norway 17 IE, Ireland
16 IE, Ireland 17 DK, Denmark
14 BR, Brazil 14 BR, Brazil
11 PL, Poland 12 PL, Poland
There are 7,132 unique zones (7,053 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,568 (15,479 last
month). These cover 15,805 distinct MX hosts (15,711 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 489 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 294
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.67 million domains, 12,786 (12,757 last month) have "partial"
TLSA records, that cover only a subset of the (secondary) MX hosts.
While this protects traffic to some of the MX hosts, such domains are
still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1187
(1976 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts.
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1661 (1295 last
month). The top 10 name server operators with problem domains are:
This month Last month
---------- ----------
526 registrar-servers.com 509 registrar-servers.com
393 serverion.nl 122 axc.nl
118 axc.nl 93 ebola.cz
89 ebola.cz 45 epik.com
50 epik.com 32 mijndomein.nl
29 made-easy.ch 29 made-easy.ch
28 mijndomein.nl 24 tiscomhosting.nl
24 tiscomhosting.nl 22 cloudflare.com
22 cloudflare.com 18 movenext.nl
16 movenext.nl 17 openprovider.nl
17 worldnic.com
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Three of the domains all of whose nameservers have broken denial of
existence appear in the last 120 days of Google transparency reports:
bncr.fi.cr
kmutt.ac.th
sauditelecom.com.sa
--
Viktor.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
univie.ac.at jpberlin.de duo.nl
gmx.at kabelmail.de expeditionfestival.nl
triodos.be lrz.de ezorg.nl
cetelemnegocie.com.br mail.de herinneringenoplinnen.nl
clubedohardware.com.br mensa.de hr.nl
contactflex.com.br mpg.de huizenzoeker.nl
corridaeaventura.com.br neutraler-versand.de interim-netwerk.nl
nic.br posteo.de luxiez.nl
registro.br ruhr-uni-bochum.de mail-studio.nl
pdac.ca tum.de mailplus.nl
gmx.ch tutanota.de markteffectmail.nl
hostpoint.ch uni-erlangen.de mijnuvt.nl
infomaniak.ch uni-muenchen.de minbuza.nl
open.ch unitymedia.de minbzk.nl
protonmail.ch web.de mindef.nl
switch.ch westlotto.de mkbbelangen.nl
travailler-en-suisse.ch actie.deals mm1.nl
simplelogin.co dfi.dk nieuwsservice-rvo.nl
ansigtsyogaonline.com dk-hostmaster.dk ns.nl
connectsb.com fibianet.dk ouderportaal.nl
coremultichain.com fvst.dk overheid.nl
dailyplaylists.com handelsbanken.dk partijvoordedieren.nl
datev.com netic.dk politie.nl
ecstase.com shapeit.dk powerslim.nl
exegy.com shellcard.dk pp-prd.nl
flaneurhomme.com stil.dk previder.nl
gmx.com tilburguniversity.edu pvv.nl
habr.com holt.ee rijksoverheid.nl
hotelsinduitsland.com just.ee rivm.nl
imcnig.com riigikogu.ee rotterdam.nl
infomaniak.com envie.email rvo.nl
ingthink.com spam-filter.email sans-mail.nl
intakt.com spike.email schoudercom.nl
jula.com spotler.email schuurman-schoenen.nl
kpn.com rediris.es sportrusten.nl
leszexpertsfle.com triodos.es ssonet.nl
mail.com uv.es telefoonglaasje.nl
mammoetmail.com litebit.eu triodos.nl
matilhadobemadestramento.com transadvise.eu truetickets.nl
mx-relay.com zone.eu uitgeverijpica.nl
nine-pine.com zonevs.eu utwente.nl
one.com handelsbanken.fi uvt.nl
orverkiezing.com traficom.fi uwv.nl
outsystems.com ac-strasbourg.fr veilinghuispeerdeman.nl
protonmail.com compagnie-des-sens.fr voorpositiviteit.nl
protonvpn.com edtm-actu.fr vu.nl
sanderrossel.com oo2.fr waternet.nl
sankakucomplex.com srci.fr xs4all.nl
societe.com fidesz.hu zorgmail.nl
solvinity.com mszp.hu annabellstefanussen.no
stellarequipment.com tuta.io audi.no
t-2.com pm.me bergengokart.no
thalesgroup.com army.mil derute.no
triodos.com dla.mil domeneshop.no
tutanota.com jten.mil handelsbanken.no
veganallsorts.com mail.mil idrettenonline.no
vitstore.com militaryonesource.mil norskgrammatikk.no
webcruiter.com navy.mil rushtrampoline.no
xfinity.com nga.mil uib.no
xfinityhomesecurity.com osd.mil viphuset.no
xfinitymobile.com socom.mil webcruitermail.no
active24.cz uscg.mil atelkamera.nu
akce-incomputer.cz usmc.mil goget.nu
bewooden.cz comcast.net aegee.org
colours.cz gmx.net debian.org
cuni.cz habramail.net freebsd.org
ekokoza.cz hr-manager.net gentoo.org
gigalekarna.cz inexio.net ietf.org
itesco.cz mijngezondheid.net irtf.org
klenotyaurum.cz mpssec.net isc.org
klubpevnehozdravi.cz procurios.net mailbox.org
manymail.cz ripe.net mailop.org
nic.cz riseup.net mkpbelgium.org
omvnovinky.cz t-2.net netbsd.org
onebit.cz transip.net openssl.org
optimail.cz xs4all.net ozlabs.org
poptavej.cz xworks.net samba.org
reserved.cz 123watches.nl torproject.org
scrptd.cz amsterdam.nl whatpulse.org
server4u.cz awcloud.nl asf.com.pt
smtp.cz belastingdienst.nl mobily.com.sa
stoklasa.cz beterspellen.nl bilprovningen.se
toplist.cz bhosted.nl boplatssyd-automail.se
vas-server.cz bhsupport.nl ecster.se
vcelka.cz bibliotheekdenhaag.nl handelsbanken.se
virusfree.cz bluerail.nl loopia.se
zdravestravovani.cz boekwinkeltjes.nl matlistan.se
bayern.de bolerolimonadewinkel.nl minmyndighetspost.se
brandenburg.de boozyshop.nl personligalmanacka.se
bund.de bratpack-charly.nl skatteverket.se
bundesregierung.de bratsites-grs.nl teknikdelar.se
datev.de burgernet.nl theletter.se
dfn.de cbr.nl websupport.se
ekom21.de corpoflow.nl triodos.co.uk
elster.de denhaag.nl xepay.co.uk
fau.de derooijfotografie.nl govtrack.us
freenet.de dictu.nl quantum-services.us
gmx.de digid.nl ru.ac.za
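The monitoring and key-rotation advice in the report above (check the TLSA records you publish against the certificate chain the MX host actually serves, prefer "3 1 1" over "3 0 x", drop the hash of a retired issuer such as the old X3, and pre-publish the next key's record before rotating) as an added, stand-alone example. This is not Viktor's code nor any project's; it uses only the Python standard library. A minimal DER walker pulls the SubjectPublicKeyInfo out of a certificate, the TLSA rdata is computed from it, and a published RRset is audited record by record. The certificates and the published RRset are constructed inside the block (an unsigned, synthetic stand-in for an X.509 certificate built with the same small DER encoder), so none of it is a real host's data; in production you would feed it the DER chain captured from the MX host's STARTTLS session and the RRset fetched through a DNSSEC-validating resolver.

```python
import hashlib


def der_tlv(data, offset=0):
    """Decode one DER TLV at offset; return (tag, content, end_offset)."""
    tag = data[offset]
    length = data[offset + 1]
    offset += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        nbytes = length & 0x7F
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    return tag, data[offset:offset + length], offset + length


def der_children(content):
    """Split the content of a constructed element into (tag, content, raw_tlv) triples."""
    children, off = [], 0
    while off < len(content):
        tag, val, end = der_tlv(content, off)
        children.append((tag, val, content[off:end]))
        off = end
    return children


def der_encode(tag, content):
    """Encode one DER TLV with definite length (used only to build the test certificate)."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def spki_from_cert_der(cert_der):
    """Return the raw SubjectPublicKeyInfo TLV of an X.509 certificate (what selector 1 hashes)."""
    _, cert_body, _ = der_tlv(cert_der)             # Certificate ::= SEQUENCE { tbs, alg, sig }
    _, tbs_body, _ = der_tlv(cert_body)             # TBSCertificate
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:                        # optional EXPLICIT [0] version
        fields = fields[1:]
    # serial(0), signature(1), issuer(2), validity(3), subject(4), subjectPublicKeyInfo(5)
    return fields[5][2]


def tlsa_rdata(cert_der, usage, selector, mtype):
    """Presentation-format TLSA rdata for one certificate, e.g. '3 1 1 <sha256 hex>'."""
    data = cert_der if selector == 0 else spki_from_cert_der(cert_der)
    digest = {0: lambda d: d, 1: lambda d: hashlib.sha256(d).digest(),
              2: lambda d: hashlib.sha512(d).digest()}[mtype](data)
    return f"{usage} {selector} {mtype} {digest.hex()}"


def audit_tlsa(chain_der, published):
    """Check each published TLSA RR against the served chain (leaf first); flag fragile choices."""
    report = []
    for rr in published:
        u, s, m, digest = rr.split()
        usage, selector, mtype = int(u), int(s), int(m)
        # EE usages (1, 3) match the leaf only; TA usages (0, 2) match an issuer in the chain.
        candidates = chain_der[:1] if usage in (1, 3) else chain_der[1:]
        matches = any(tlsa_rdata(c, usage, selector, mtype).split()[3] == digest.lower()
                      for c in candidates)
        notes = []
        if not matches:
            notes.append("no match against the current chain: stale (e.g. retired issuer) or mistyped")
        if usage in (0, 1):
            notes.append("PKIX-TA(0)/PKIX-EE(1) are not supported for SMTP DANE (RFC 7672 section 3.1.3)")
        if selector == 0:
            notes.append("selector 0 hashes the whole certificate and breaks at every renewal; use 1 (SPKI)")
        report.append({"rr": rr, "matches": matches, "notes": notes})
    return report


def rollover_rrset(current_der, next_der):
    """RFC 7671 section 8.1: publish the next key's record alongside the current one, wait at
    least the TLSA TTL, then switch keys; drop the old record only after the old key is gone."""
    return sorted({tlsa_rdata(current_der, 3, 1, 1), tlsa_rdata(next_der, 3, 1, 1)})


def build_test_cert(point, issuer_cn=b"Test CA", subject_cn=b"mx.example.invalid"):
    """Constructed, unsigned stand-in for an X.509 v3 certificate with a P-256 SPKI.
    Only the structure matters to the parser above; the signature bytes are junk."""
    def seq(*items):
        return der_encode(0x30, b"".join(items))

    def name(cn):                                   # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        return seq(der_encode(0x31, seq(der_encode(0x06, b"\x55\x04\x03"), der_encode(0x0C, cn))))

    sig_alg = seq(der_encode(0x06, bytes.fromhex("2a8648ce3d040302")))          # ecdsa-with-SHA256
    spki = seq(seq(der_encode(0x06, bytes.fromhex("2a8648ce3d0201")),           # id-ecPublicKey
                   der_encode(0x06, bytes.fromhex("2a8648ce3d030107"))),        # prime256v1
               der_encode(0x03, b"\x00" + point))
    tbs = seq(der_encode(0xA0, der_encode(0x02, b"\x02")), der_encode(0x02, b"\x01"), sig_alg,
              name(issuer_cn), seq(der_encode(0x17, b"240101000000Z"), der_encode(0x17, b"250101000000Z")),
              name(subject_cn), spki)
    return seq(tbs, sig_alg, der_encode(0x03, b"\x00" + bytes(64)))


if __name__ == "__main__":
    leaf = build_test_cert(b"\x04" + b"\x11" * 64)          # constructed leaf
    issuer = build_test_cert(b"\x04" + b"\x22" * 64)        # constructed intermediate
    published = [tlsa_rdata(leaf, 3, 1, 1), tlsa_rdata(issuer, 2, 1, 1),
                 tlsa_rdata(leaf, 3, 0, 1), "2 1 1 " + "ab" * 32]  # last one: a retired issuer's hash
    for entry in audit_tlsa([leaf, issuer], published):
        print("OK  " if entry["matches"] else "BAD ", entry["rr"][:12], "; ".join(entry["notes"]))
    print("\n".join(rollover_rrset(leaf, issuer)))
```

Run it against your own MX hosts on a schedule and alert when any record reports no match, or when the whole RRset matches nothing the host serves; that is the failure mode behind the "incorrect TLSA records" count in the report.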
Hi,
Some of you might have seen our invitation to fill out our survey on DANE and SMTP usage before.
In case you've already taken the time to fill in the survey: thanks a lot!
For the others that wonder what this is all about:
Together with researchers from Seoul National University, Virginia Tech and the University of Twente, we would like to understand which challenges operators face when deploying DANE for SMTP.
Also, we would like to understand how operators deploy DANE successfully.
Finally, we want to develop solutions to simplify DANE deployment for SMTP.
Filling out the survey should take between 10 and 20 minutes.
We would highly appreciate your participation.
https://forms.gle/AAEsdAGRQNjrqpNY7
Don’t hesitate to drop me a mail if you have questions or remarks.
We’ll share the results with the list after evaluation.
— Moritz
—
Moritz Müller | Research Engineer
SIDN | Meander 501 | 6825 MD | Postbus 5022 | 6802 EA | ARNHEM
T +31 (0)26 352 55 00
moritz.muller(a)sidn.nl | www.sidn.nl