dane-users
Summary: The DANE domain count is now 4,158,589 (4,069,697 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,220,430 (23,199,861 last month).
Thus DANE TLSA is deployed on ~17.90% of domains with DNSSEC.
For more stats, see <https://stats.dnssec-tools.org/>.
A major fraction of the increase in DANE domains is
thanks to Cloudflare publishing TLSA records for the MX
hosts handling inbound email for ~70k customer domains.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important recent
and upcoming changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2E…
[ There's still a steady trickle of domains whose DANE
authentication fails because the DST X3 cross certificate
for the ISRG X1 root is no longer by default included in
Let's Encrypt certificate chains. ]
As of today, I count ~4.16 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                    Last Month
  ----------                    ----------
  1299886 one.com               1305272 one.com
   311818 hostpoint.ch           310345 hostpoint.ch
   231981 infomaniak.ch          228070 infomaniak.ch
   200783 jouwweb.nl             191647 jouwweb.nl
   173600 transip.nl             173391 transip.nl
   170737 mijndomein.nl          171433 mijndomein.nl
   166585 simply.com             161671 simply.com
   131424 argewebhosting.nl      133508 argewebhosting.nl
   112252 hostnet.nl             112176 hostnet.nl
   110565 domeneshop.no          110331 domeneshop.no
   106658 loopia.se              106740 loopia.se
    87582 webhostingserver.nl     87960 webhostingserver.nl
    84325 zxcs.nl                 83860 zxcs.nl
    83706 forpsi.com              83010 forpsi.com
    71228 cloudflare.net          49979 protonmail.ch
    51274 protonmail.ch           41335 antagonist.nl
    41416 antagonist.nl           37883 active24.com
    36256 active24.com            35476 webreus.nl
    35245 webreus.nl              27833 xel.nl
    27758 xel.nl                  27552 pcextreme.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                  Last month
  -----------                 ----------
  12355 TOTAL                 12348 TOTAL
   4035 DE, Germany            3958 DE, Germany
   1960 NL, The Netherlands    1962 NL, The Netherlands
   1925 US, United States      1929 US, United States
    876 FR, France              888 FR, France
    488 CZ, Czechia             492 CZ, Czechia
    421 GB, United Kingdom      418 GB, United Kingdom
    310 FI, Finland             309 FI, Finland
    242 CH, Switzerland         231 CH, Switzerland
    211 CA, Canada              209 CA, Canada
    190 SE, Sweden              204 AT, Austria
    171 DK, Denmark             175 SE, Sweden
    153 AU, Australia           168 DK, Denmark
    123 AT, Austria             150 AU, Australia
    115 SG, Singapore           119 SG, Singapore
    107 RU, Russia              115 PL, Poland
    104 PL, Poland              100 RU, Russia
     65 NO, Norway               66 NO, Norway
     64 BR, Brazil               60 BR, Brazil
     63 IT, Italy                57 JP, Japan
     55 JP, Japan                56 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                  Last month
  ----------                  ----------
   9920 TOTAL                  9785 TOTAL
   4295 NL, The Netherlands    4215 NL, The Netherlands
   2915 DE, Germany            2907 DE, Germany
    916 US, United States       906 US, United States
    425 FR, France              398 FR, France
    212 CZ, Czechia             213 CZ, Czechia
    189 GB, United Kingdom      185 GB, United Kingdom
    115 FI, Finland             116 FI, Finland
     92 CA, Canada               88 CA, Canada
     88 SE, Sweden               83 SE, Sweden
     79 CH, Switzerland          80 CH, Switzerland
     70 AU, Australia            76 AU, Australia
     61 AT, Austria              56 AT, Austria
     45 SG, Singapore            43 SG, Singapore
     40 JP, Japan                40 JP, Japan
     32 RO, Romania              32 RU, Russia
     32 BR, Brazil               31 RO, Romania
     31 NO, Norway               31 NO, Norway
     30 RU, Russia               30 DK, Denmark
     27 DK, Denmark              30 BR, Brazil
     19 LT, Lithuania            17 LT, Lithuania
There are 10,936 unique zones (10,895 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of organizations
deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 22,121 (21,863 last
month). These cover 22,427 distinct MX hosts (22,163 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,381 (1,272 last month, this is my ad-hoc
criterion for a domain being a large-enough actively used email domain).
Of these, 758 (743 last month) are in recent (last 90 days of) reports
(see [2] below my signature).
Of the ~4.16 million DANE domains, 14,232 (14,334 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2,669
(2,344 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
545 mx2.xcellerate.nl
169 mx2.tkservers.com
72 mail.fiyge.com
66 beta.itcomputers.eu
38 master.redinta.com
24 mx-5.magellanic.eu
22 semark.dk
22 hello.mailray.dk
16 mail.nationaalarchief.nl
14 mx.jmt.gr
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 624 (697 last
month). The top 10 name server operators with problem domains are:
  This Month            Last month
  ----------            ----------
  446 neostrada.nl      463 neostrada.nl
   47 worldnic.com       54 worldnic.com
   21 active24.cz        21 active24.cz
   17 openprovider.nl    17 openprovider.nl
   13 sectigoweb.com     14 sectigoweb.com
   10 register.com       12 register.com
    7 dnssrv.nl           7 dnssrv.nl
    6 vultr.com           6 vultr.com
    6 ispapi.net          6 ispapi.net
    6 forpsi.net          6 forpsi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits:
Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and
team). Wes also hosts and maintains the https://stats.dnssec-tools.org
website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data
support from Chris Mikkelson from domaintools.com. Credits also due to
ICANN providing gTLD data via CZDS, and to the ccTLD registries for .CH,
.DK, .FI, .FR, .IS, .LI, .NL, .NU and .SE. More data sources of ccTLD
signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
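An added example (not part of the report above, nor the survey's own code) of the digest-matching step a TLSA monitor performs: it shows a DANE-TA(2) record ceasing to match once the certificate it pins is no longer in the chain the server sends, and how a domain ends up with only "partial" coverage. The toy certificates, host names, function names and status labels are constructed for illustration; signature, name and expiry checks are omitted.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV with a definite length."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + content

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER TLV starting at buf[off]."""
    first = buf[off + 1]
    if first < 0x80:
        start, n = off + 2, first
    else:
        start = off + 2 + (first & 0x7F)
        n = int.from_bytes(buf[off + 2:start], "big")
    return buf[off], start, start + n

def spki_of(cert):
    """Slice the SubjectPublicKeyInfo TLV out of a DER certificate (RFC 5280 field order)."""
    _, body, _ = read_tlv(cert, 0)        # Certificate
    _, off, _ = read_tlv(cert, body)      # TBSCertificate
    tag, _, end = read_tlv(cert, off)
    if tag == 0xA0:                       # optional explicit [0] version
        off = end
    for _ in range(5):                    # serial, signature alg, issuer, validity, subject
        _, _, off = read_tlv(cert, off)
    _, _, end = read_tlv(cert, off)
    return cert[off:end]

def toy_cert(subject, issuer, key):
    """Constructed stand-in with the X.509 field layout; it carries no real signature."""
    name = lambda cn: der(0x30, der(0x0C, cn.encode()))
    spki = der(0x30, der(0x30, b"") + der(0x03, b"\x00" + key))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"")
              + name(issuer) + der(0x30, b"") + name(subject) + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))

def tlsa_data(cert, selector, mtype):
    """Association data for a cert: selector 0=full cert, 1=SPKI; mtype 0=raw, 1=SHA-256, 2=SHA-512."""
    blob = cert if selector == 0 else spki_of(cert)
    return {0: blob, 1: hashlib.sha256(blob).digest(), 2: hashlib.sha512(blob).digest()}[mtype]

def dane_match(chain, rrset):
    """Return the first TLSA record (usage, selector, mtype, data) that matches the
    presented chain [leaf, issuer, ...], or None. Only the digest comparison is done."""
    for rr in rrset:
        usage, selector, mtype, data = rr
        if usage == 3:
            candidates = chain[:1]        # DANE-EE(3): the leaf certificate only
        elif usage == 2:
            candidates = chain[1:]        # DANE-TA(2): a CA certificate the server actually sent
        else:
            continue                      # PKIX-TA(0)/PKIX-EE(1) are not used for SMTP (RFC 7672)
        if any(tlsa_data(c, selector, mtype) == data for c in candidates):
            return rr
    return None

def audit_domain(mx):
    """mx: {host: (chain, rrset)}; rrset is [] when the host publishes no TLSA records.
    Returns (per-host status, domain status); the labels are this example's own."""
    hosts = {}
    for host, (chain, rrset) in mx.items():
        if not rrset:
            hosts[host] = "no-tlsa"
        else:
            hosts[host] = "ok" if dane_match(chain, rrset) else "mismatch"
    states = set(hosts.values())
    if "mismatch" in states:
        domain = "broken"
    elif "no-tlsa" in states:
        domain = "partial" if "ok" in states else "none"
    else:
        domain = "full"
    return hosts, domain

# Constructed sample data: a toy CA hierarchy and example host names.
CROSS = toy_cert("Toy Root", "Toy Older Root", b"root-key")   # cross certificate for the root key
ISSUING = toy_cert("Toy Issuing CA", "Toy Root", b"issuing-key")
LEAF = toy_cert("mx1.example.net", "Toy Issuing CA", b"leaf-key")
TA_ROOT = (2, 1, 1, tlsa_data(CROSS, 1, 1))      # pins the root key
TA_ISSUING = (2, 1, 1, tlsa_data(ISSUING, 1, 1))
EE_LEAF = (3, 1, 1, tlsa_data(LEAF, 1, 1))
OLD_CHAIN = [LEAF, ISSUING, CROSS]   # server used to send the cross certificate
NEW_CHAIN = [LEAF, ISSUING]          # cross certificate no longer in the default chain

if __name__ == "__main__":
    for label, chain in (("old chain", OLD_CHAIN), ("new chain", NEW_CHAIN)):
        print(label, "matches root pin:", dane_match(chain, [TA_ROOT]) is not None)
    print(audit_domain({"mx1.example.net": (NEW_CHAIN, [EE_LEAF]),
                        "mx2.example.net": (NEW_CHAIN, [])}))
```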
Summary: The DANE domain count is now 4,069,697 (4,022,036 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,199,861 (23,122,328 last month).
Thus DANE TLSA is deployed on ~17.54% of domains with DNSSEC.
For more stats, see <https://stats.dnssec-tools.org/>.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important recent
and upcoming changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2E…
[ This month there's a steady trickle of domains whose DANE authentication
fails because the DST cross certificate for the ISRG X1 root is no longer
included in Let's Encrypt certificate chains. ]
As of today, I count ~4.07 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                    Last Month
  ----------                    ----------
  1305272 one.com               1305552 one.com
   310345 hostpoint.ch           308177 hostpoint.ch
   228070 infomaniak.ch          223679 infomaniak.ch
   191647 jouwweb.nl             181030 jouwweb.nl
   173391 transip.nl             173116 transip.nl
   171433 mijndomein.nl          170668 mijndomein.nl
   161671 simply.com             135204 argewebhosting.nl
   133508 argewebhosting.nl      129324 simply.com
   112176 hostnet.nl             111973 hostnet.nl
   110331 domeneshop.no          110214 domeneshop.no
   106740 loopia.se              106668 loopia.se
    87960 webhostingserver.nl     88592 webhostingserver.nl
    83860 zxcs.nl                 83114 zxcs.nl
    83010 forpsi.com              82996 forpsi.com
    49979 protonmail.ch           48550 protonmail.ch
    41335 antagonist.nl           41346 antagonist.nl
    37883 active24.com            37932 active24.com
    35476 webreus.nl              35799 webreus.nl
    27833 xel.nl                  28089 pcextreme.nl
    27552 pcextreme.nl            27964 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                  Last month
  -----------                 ----------
  12348 TOTAL                 12241 TOTAL
   3958 DE, Germany            3906 DE, Germany
   1962 NL, The Netherlands    1972 NL, The Netherlands
   1929 US, United States      1912 US, United States
    888 FR, France              871 FR, France
    492 CZ, Czechia             486 CZ, Czechia
    418 GB, United Kingdom      414 GB, United Kingdom
    309 FI, Finland             290 FI, Finland
    231 CH, Switzerland         245 CA, Canada
    209 CA, Canada              221 CH, Switzerland
    204 AT, Austria             193 AT, Austria
    175 SE, Sweden              166 SE, Sweden
    168 DK, Denmark             156 DK, Denmark
    150 AU, Australia           152 AU, Australia
    119 SG, Singapore           121 SG, Singapore
    115 PL, Poland              121 PL, Poland
    100 RU, Russia              103 RU, Russia
     66 NO, Norway               66 NO, Norway
     60 BR, Brazil               57 JP, Japan
     57 JP, Japan                56 BR, Brazil
     56 IT, Italy                53 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                  Last month
  ----------                  ----------
   9785 TOTAL                  9761 TOTAL
   4215 NL, The Netherlands    4263 NL, The Netherlands
   2907 DE, Germany            2849 DE, Germany
    906 US, United States       905 US, United States
    398 FR, France              417 FR, France
    213 CZ, Czechia             210 CZ, Czechia
    185 GB, United Kingdom      180 GB, United Kingdom
    116 FI, Finland             109 FI, Finland
     88 CA, Canada               87 CA, Canada
     83 SE, Sweden               80 CH, Switzerland
     80 CH, Switzerland          78 SE, Sweden
     76 AU, Australia            75 AU, Australia
     56 AT, Austria              52 AT, Austria
     43 SG, Singapore            46 SG, Singapore
     40 JP, Japan                36 JP, Japan
     32 RU, Russia               32 RO, Romania
     31 RO, Romania              30 BR, Brazil
     31 NO, Norway               29 RU, Russia
     30 DK, Denmark              29 NO, Norway
     30 BR, Brazil               28 DK, Denmark
     17 LT, Lithuania            18 LT, Lithuania
There are 10,895 unique zones (10,719 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of organizations
deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 21,863 (24,636 last
month). These cover 22,163 distinct MX hosts (24,945 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,272 (1,199 last month, this is my ad-hoc
criterion for a domain being a large-enough actively used email domain).
Of these, 743 (683 last month) are in recent (last 90 days of) reports
(see [2] below my signature).
Of the ~4.07 million DANE domains, 14,334 (14,204 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2,344
(2,424 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
547 mx2.xcellerate.nl
171 mx2.tkservers.com
25 mail.orionpanel.nl
23 semark.dk
22 web1.sys.ccs-baumann.de
22 smtp2.kruik-it.nl
15 mail.nationaalarchief.nl
15 mail.mostertman.com
15 artemis.strebsjig.net
14 mail.liebner-server.de
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 697 (838 last
month). The top 10 name server operators with problem domains are:
  This Month            Last month
  ----------            ----------
  463 neostrada.nl      490 neostrada.nl
   54 worldnic.com       58 worldnic.com
   21 active24.cz        21 openprovider.nl
   17 openprovider.nl    21 active24.cz
   14 sectigoweb.com     14 sectigoweb.com
   12 register.com       13 register.com
    7 dnssrv.nl           7 dnssrv.nl
    6 vultr.com           6 vultr.com
    6 ispapi.net          6 ispapi.net
    6 forpsi.net          6 forpsi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits:
Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and
team). Wes also hosts and maintains the https://stats.dnssec-tools.org
website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data
support from Chris Mikkelson from domaintools.com. Credits also due to
ICANN providing gTLD data via CZDS, and to the ccTLD registries for .CH,
.DK, .FI, .FR, .IS, .LI, .NL, .NU and .SE. More data sources of ccTLD
signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
pompomlondon.com metaburn.fi smaaungene.no
ppcpcv.com raumanteatteri.fi spillfabrikken.no
protonmail.com sillysanta.fi stilshoppen.no
recwatches.com swiftbanker.fi strikkia.no
remy-jupille.com traficom.fi tickettothemoon.no
run-motion.com ac-strasbourg.fr veronicalill.no
runbox.com boozyshop.fr atelkamera.nu
sankakucomplex.com braceletsmartwatch.fr goget.nu
schizinfo.com compagnie-des-sens.fr happydays.nu
scienceshepherd.com edtm-actu.fr lenhud.nu
scorecloud.com oo2.fr skjutsgruppen.nu
serverclienti.com passefranceallemagne.fr calyxinstitute.org
sisuknitwear.com printique.fr debian.org
solvinity.com privea.fr freebsd.org
stasdock.com fvap.gov fridaysforfuture.org
stater.com aklub.hu gentoo.org
stellarequipment.com fidesz.hu ietf.org
tcs.com italiamail.hu mailbox.org
techvisiongames.com marathonlife.hu mailop.org
theintercept.com nyirbatorvaroskartya.hu netbsd.org
thelabelmachine.com pulowear.hu openssl.org
thepcw.com zsibvasar.hu ozlabs.org
thepcwholesale.com bluebiz.info postfix.org
tibush.com j360.info rfc-editor.org
trainwithlov.com eurocontrol.int samba.org
triodos.com simplelogin.io torproject.org
tuftingshop.com nuudcare.it un-ihe.org
tutanota.com hoj.life loopia.rs
ugritone.com neolink.link pinnbet.rs
up2staff.com education.lu mobily.com.sa
vivaldi.com etat.lu advisamail.se
webcruiter.com restena.lu arbetsformedlingen.se
xfinity.com anonaddy.me bearbell.se
xfinityhomesecurity.com pm.me bearplayshop.se
xfinitymobile.com proton.me bilprovningen.se
ymeuniverse.com army.mil dingolfshop.se
zangra.com dla.mil ellevio.se
bncr.fi.cr health.mil epochtimes-mejl.se
airbank.cz jten.mil fotproffsen.se
akce-incomputer.cz mail.mil getthegallop.se
amenit.cz navy.mil getvibes.se
balikovna.cz nga.mil glowid.se
bewooden.cz osd.mil handelsbanken.se
cinemax.cz socom.mil hellomantle.se
cokoladovnajanek.cz spaceforce.mil inkrebel.se
cpost.cz uscg.mil innebandy24.se
creammy.cz usmc.mil jaramba.se
csob.cz aifi.net jul-troja.se
csobstavebni.cz comcast.net koreanbeauty.se
cuni.cz ewetel.net kth.se
dashofer.cz ficbook.net kulturaktiebolaget.se
dedra.cz fivem.net livlyclothing.se
e-kondomy.cz forwardemail.net lnu.se
ekokoza.cz gmx.net lomervarde.se
fio.cz graphistepro.net loopia.se
gov.cz habramail.net merchsweden.se
hobynaradi.cz hr-manager.net metaburn.se
hypotecnibanka.cz institutocultivo.net mikaelapuranen.se
innogy.cz intares.net minmyndighetspost.se
itesco.cz mailanyone.net naprapatlandslaget.se
kb.cz masterinter.net naturligtsnygg.se
klenotyaurum.cz mijngezondheid.net nordd.se
klubpevnehozdravi.cz mpssec.net nordicsheep.se
ksporting.cz procurios.net polisen.se
manymail.cz ripe.net redaktionen.se
mbank.cz riseup.net samblamail.se
mfcr.cz s-qrc.net sillysanta.se
mindsoft.cz soverin.net silverdotter.se
mkluzkoviny.cz space.net skatteverket.se
mojedatovaschranka.cz t-2.net skolverket.se
mojemincovna.cz transip.net snbostader.se
mrakyhracek.cz alexstory.nl soleplus.se
muni.cz amsterdam.nl spelfabrik.se
nic.cz aquastorexl.nl svenskhusman.se
o2.cz arthouse-online.nl teeshoppen.se
opravdovezlociny.cz balanzs.nl teknikdelar.se
optimail.cz bankhoesdiscounter.nl teknikhallen.se
outlet-alpine.cz belastingdienst.nl theletter.se
p-info.cz bellobox.nl websupport.se
pivoteka.cz beterspellen.nl agatinsvet.sk
poptavej.cz bewustpuur.nl coopka.sk
scrptd.cz bhosted.nl edirect.sk
server4u.cz blushfashionstore.nl fio.sk
shopex.cz bobo.nl gravirovane.sk
smtp.cz body-supplies.nl hecht.sk
sparkys.cz bolerolimonadewinkel.nl mamaaja.sk
stoklasa.cz boozyshop.nl meditec.sk
tefal.cz box.nl mklozkoviny.sk
thinline.cz bruut.nl mnforce-panel.sk
vas-server.cz carre.nl nakupujzdravo.sk
vitalpoint.cz casema.nl nameserver.sk
vshosting.cz cateringdekorenbloem.nl nlp-akademia.sk
zafido.cz cbr.nl partner.sk
zdravestravovani.cz chello.nl penzionmara.sk
zonky.cz citotoetsgroep4.nl poziadavka.sk
bayern.de clubplanner.nl primatravel.sk
bisgaardshoes.de commithappiness.nl rondogo.sk
brandenburg.de cornemarchand.nl travelmail.sk
bund.de debrandaris.nl zapardrobnych.sk
datev.de degros.nl exercere.store
dbtg.de deonlinetandarts.nl zeit-des-wandels.tv
denic.de derooijfotografie.nl afinepairofshoes.co.uk
dfn.de desan.nl clientnews3.co.uk
elster.de dictu.nl handelsbanken.co.uk
ewetel.de digid.nl honeybalm.co.uk
fau.de dimehouse.nl millieandblake.co.uk
freenet.de dorcas.nl nuudcare.co.uk
gmx.de duo.nl teeshoppen.co.uk
huellen-shop.de esuals.nl thecalzonekitchen.co.uk
iks-jena.de extinctionrebellion.nl thewordman.co.uk
jawliner.de ezorg.nl triodos.co.uk
jpberlin.de fitnesskoerier.nl nuudcare.us
knauermann.de fivecityspa.nl quantum-services.us
lmu.de floathouse.nl ru.ac.za
lrz.de glamouryourhair.nl swiftbanker.co.za
mail.de hobbygigant.nl benzakdenimdevelopers.com
mail2many.de home.nl conscience-et-realites.com
mensa.de hostnet.nl thingsilikethingsilove.com
mpg.de huurexpert.nl agirpourlenvironnement.org
oberstdorf.de ikdeburger.nl allevakantiehuizeninbelgie.nl
posteo.de interim-netwerk.nl hoogenboezem-nieuwsbrieven.nl
ruhr-uni-bochum.de jointherebellion.nl deutsch-franzoesischer-freundschaftspass.de
secumail.de josephinajewelry.nl
1
0
DANE: ATTENTION: Let's Encrypt drops DST X3 from default chain, breaking "depth 2" ISRG "2 1 1" TLSA records...
by Viktor Dukhovni 13 Feb '24
As of roughly the start of this month, the DANE survey at
<https://stats.dnssec-tools.org> is seeing a steady stream
of validation failures for MX hosts that rely only on:
_25._tcp.mail.domain.example. IN TLSA 2 1 1 0b9fa5a59eed715c26c1020c711b4f6ec42d58b0015e14337a39dad301c5afc3
[ Some also list a no-longer valid "3 1 1" record that broke
when the underlying EE key was rotated, because they failed to ensure
that certificate renewals do not automatically rotate the key. ]
As promised by Let's Encrypt some months back, Let's Encrypt have
dropped the expired DST X3 cross-certificate from the default generated
"fullchain.pem" file, which now contains just the leaf (EE) certificate
(depth 0) and the intermediate CA (depth 1) issuer (R3, R4, E1 or E2),
the parent ISRG root CA is implicit and there's no longer a legacy
cross certificate from DST for outdated Android devices.
Domains whose MX hosts relied only on the "2 1 1" record for the
ISRG root CA (present in the cross certificate, but absent from
the new chain) are no longer passing DANE TLSA validity checks.
My notices to these domains include the below advice:
[ Perhaps consider: <https://github.com/tlsaware/danebot>?
Your TLSA record designates a root CA key, but, as is common, the root
CA certificate is not included in your certificate chain. It would need
to be included to work with DANE-TA(2), but simpler to use an intermediate
CA hash instead. See:
https://github.com/Mailu/Mailu/issues/2138
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
https://dane.sys4.de/common_mistakes#4
https://datatracker.ietf.org/doc/html/rfc7671#section-5.2.3
Important information about certificate issuance changes at Let's Encrypt
discussed at the links below:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2E… ]
The issues can be resolved by removing or updating the associated DNS
DANE TLSA records.
- "3 0 [12]" vs. Let's Encrypt:
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
- Best practice "3 1 1" rollover methodology:
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
- Monitoring code snippet:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/thread/NKDBQAB…
--
Viktor.
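The failure described in the message above, as an added example (not code from the post or from any tool it links to): Python that extracts the SubjectPublicKeyInfo from each certificate a server presents and reports at which chain depth a TLSA record matches. The certificates are constructed, unsigned stand-ins built inline, all function names are hypothetical, and only the digest-matching step is modelled (no signature, validity or name checks).

```python
import hashlib

def der(tag, body):
    """Encode one DER TLV with a definite length."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Return (tag, value_start, end) of the DER TLV that starts at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    start, n = pos + 2, first
    if first >= 0x80:                        # long-form length
        k = first & 0x7F
        if k == 0 or start + k > len(buf):
            raise ValueError("bad DER length")
        n = int.from_bytes(buf[start:start + k], "big")
        start += k
    if start + n > len(buf):
        raise ValueError("truncated DER")
    return tag, start, start + n

def spki_of(cert):
    """Return the DER SubjectPublicKeyInfo of an X.509 certificate."""
    _, cert_start, _ = read_tlv(cert, 0)     # Certificate SEQUENCE
    _, pos, _ = read_tlv(cert, cert_start)   # TBSCertificate SEQUENCE
    tag, _, end = read_tlv(cert, pos)
    if tag == 0xA0:                          # optional [0] version
        pos = end
    for _ in range(5):   # serial, signature alg, issuer, validity, subject
        _, _, pos = read_tlv(cert, pos)
    _, _, end = read_tlv(cert, pos)
    return cert[pos:end]

def tlsa_match_depths(chain, usage, selector, mtype, data_hex):
    """Depths (0 = leaf) of the presented chain that one TLSA record matches."""
    if usage == 3:       # DANE-EE: the leaf certificate only
        depths = [0]
    elif usage == 2:     # DANE-TA: an issuer certificate the server actually sent
        depths = range(1, len(chain))   # assumption: depth 0 is not considered
    else:                # RFC 7672 treats usages 0 and 1 as unusable for SMTP
        raise ValueError("unsupported certificate usage")
    want = bytes.fromhex(data_hex)
    hits = []
    for d in depths:
        data = chain[d] if selector == 0 else spki_of(chain[d])
        if mtype in (1, 2):
            data = hashlib.new("sha256" if mtype == 1 else "sha512", data).digest()
        if data == want:
            hits.append(d)
    return hits

def fake_cert(subject, issuer, key):
    """Constructed, unsigned stand-in that follows the X.509 field layout."""
    def name(cn):
        attr = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))
        return der(0x30, der(0x31, attr))
    alg = der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))
    spki = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
               + der(0x03, b"\x00" + key))
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + alg
              + name(issuer) + validity + name(subject) + spki)
    return der(0x30, tbs + alg + der(0x03, b"\x00" * 9))

def spki_sha256(cert):
    return hashlib.sha256(spki_of(cert)).hexdigest()

# Constructed sample data: leaf, intermediate CA and root CA.
LEAF = fake_cert("mail.domain.example", "Intermediate (constructed)", b"leaf-key" * 8)
ROTATED_LEAF = fake_cert("mail.domain.example", "Intermediate (constructed)", b"new-key!" * 8)
INTERMEDIATE = fake_cert("Intermediate (constructed)", "Root (constructed)", b"int-key!" * 8)
ROOT = fake_cert("Root (constructed)", "Root (constructed)", b"root-key" * 8)

ROOT_211 = (2, 1, 1, spki_sha256(ROOT))          # "2 1 1" pinning the root key
INTERMEDIATE_211 = (2, 1, 1, spki_sha256(INTERMEDIATE))
LEAF_311 = (3, 1, 1, spki_sha256(LEAF))

DEFAULT_CHAIN = [LEAF, INTERMEDIATE]             # root is implicit, not sent
CHAIN_WITH_ROOT = [LEAF, INTERMEDIATE, ROOT]     # root (or cross cert) included

if __name__ == "__main__":
    cases = [("root 2 1 1, default chain", DEFAULT_CHAIN, ROOT_211),
             ("root 2 1 1, root in chain", CHAIN_WITH_ROOT, ROOT_211),
             ("intermediate 2 1 1, default chain", DEFAULT_CHAIN, INTERMEDIATE_211),
             ("stale 3 1 1, rotated leaf key", [ROTATED_LEAF, INTERMEDIATE], LEAF_311)]
    for label, chain, rr in cases:
        print(f"{label}: matching depths {tlsa_match_depths(chain, *rr)}")
```

An empty list of depths for every record in the RRset is the condition that makes a DANE-validating sender refuse delivery to that MX host.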
Summary: The DANE domain count is now 4,022,036 (3,988,988 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,122,328 (23,098,096 last month).
Thus DANE TLSA is deployed on ~17.39% of domains with DNSSEC.
For more stats, see <https://stats.dnssec-tools.org/>.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important upcoming
changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2E…
As of today, I count ~4.02 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                    Last Month
  ----------                    ----------
  1305552 one.com               1306568 one.com
   308177 hostpoint.ch           306621 hostpoint.ch
   223679 infomaniak.ch          219246 infomaniak.ch
   181030 jouwweb.nl             172777 transip.nl
   173116 transip.nl             172069 jouwweb.nl
   170668 mijndomein.nl          170317 mijndomein.nl
   135204 argewebhosting.nl      137375 argewebhosting.nl
   129324 simply.com             130652 simply.com
   111973 hostnet.nl             111485 hostnet.nl
   110214 domeneshop.no          109779 domeneshop.no
   106668 loopia.se              106544 loopia.se
    88592 webhostingserver.nl     89264 webhostingserver.nl
    83114 zxcs.nl                 82634 forpsi.com
    82996 forpsi.com              81475 zxcs.nl
    48550 protonmail.ch           47296 protonmail.ch
    41346 antagonist.nl           41179 antagonist.nl
    37932 active24.com            38161 active24.com
    35799 webreus.nl              36259 webreus.nl
    28089 pcextreme.nl            28643 pcextreme.nl
    27964 xel.nl                  28102 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                  Last month
  -----------                 ----------
  12241 TOTAL                 12019 TOTAL
   3906 DE, Germany            3819 DE, Germany
   1972 NL, The Netherlands    1948 NL, The Netherlands
   1912 US, United States      1929 US, United States
    871 FR, France              905 FR, France
    486 CZ, Czechia             481 CZ, Czechia
    414 GB, United Kingdom      380 GB, United Kingdom
    290 FI, Finland             287 FI, Finland
    245 CA, Canada              212 CA, Canada
    221 CH, Switzerland         199 CH, Switzerland
    193 AT, Austria             186 AT, Austria
    166 SE, Sweden              176 SE, Sweden
    156 DK, Denmark             160 DK, Denmark
    152 AU, Australia           148 AU, Australia
    121 SG, Singapore           117 SG, Singapore
    121 PL, Poland              103 RU, Russia
    103 RU, Russia               93 PL, Poland
     66 NO, Norway               67 NO, Norway
     57 JP, Japan                57 JP, Japan
     56 BR, Brazil               49 IT, Italy
     53 IT, Italy                49 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                  Last month
  ----------                  ----------
   9761 TOTAL                  9592 TOTAL
   4263 NL, The Netherlands    4210 NL, The Netherlands
   2849 DE, Germany            2791 DE, Germany
    905 US, United States       888 US, United States
    417 FR, France              390 FR, France
    210 CZ, Czechia             202 CZ, Czechia
    180 GB, United Kingdom      185 GB, United Kingdom
    109 FI, Finland             113 FI, Finland
     87 CA, Canada               86 CA, Canada
     80 CH, Switzerland          80 SE, Sweden
     78 SE, Sweden               75 AU, Australia
     75 AU, Australia            72 CH, Switzerland
     52 AT, Austria              50 AT, Austria
     46 SG, Singapore            44 SG, Singapore
     36 JP, Japan                39 JP, Japan
     32 RO, Romania              31 RU, Russia
     30 BR, Brazil               31 NO, Norway
     29 RU, Russia               29 RO, Romania
     29 NO, Norway               29 BR, Brazil
     28 DK, Denmark              26 DK, Denmark
     18 LT, Lithuania            16 IE, Ireland
There are 10,719 unique zones (10,449 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of organizations
deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 24,636 (21,169 last
month). These cover 24,945 distinct MX hosts (21,466 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,199 (1,173 last month, this is my ad-hoc
criterion for a domain being a large-enough actively used email domain).
Of these, 683 (674 last month) are in recent (last 90 days of) reports
(see [2] below my signature).
Of the ~4.02 million DANE domains, 14,204 (14,456 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 2,424
(1,862 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
550 mx2.xcellerate.nl
172 mx2.tkservers.com
123 mx2.dotxs.net
106 mx.xobit.nl
35 mx1.mdbraber.com
26 mail.orionpanel.nl
23 semark.dk
22 smtp2.kruik-it.nl
15 mail.nationaalarchief.nl
15 artemis.strebsjig.net
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 697 (838 last
month). The top 10 name server operators with problem domains are:
  This Month                  Last month
  ----------                  ----------
    490 neostrada.nl            528 neostrada.nl
     58 worldnic.com             60 worldnic.com
     21 openprovider.nl          22 openprovider.nl
     21 active24.cz              21 active24.cz
     14 sectigoweb.com           14 sectigoweb.com
     13 register.com             13 register.com
      7 dnssrv.nl                 7 vultr.com
      6 vultr.com                 7 dnssrv.nl
      6 ispapi.net                6 resolver.domains
      6 forpsi.net                6 ispapi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits:
Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and
team). Wes also hosts and maintains the https://stats.dnssec-tools.org
website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data
support from Chris Mikkelson from domaintools.com. Credits also due to
ICANN providing gTLD data via CZDS, and to the ccTLD registries for .CH,
.DK, .FI, .FR, .IS, .LI, .NL, .NU and .SE. More data sources of ccTLD
signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 3,988,988 (3,987,641 last month,
3,733,547 a year ago).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,098,096 (23,197,449 last month,
20,675,170 a year ago). Thus DANE TLSA is deployed on ~17.26%
of domains with DNSSEC. For more stats, see
<https://stats.dnssec-tools.org/>.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important upcoming
changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2E…
As of today, I count ~3.99 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.
  This month                    Last Month                    Last year
  ----------                    ----------                    ---------
  1306568 one.com               1314010 one.com               1214177 one.com
   306621 hostpoint.ch           305329 hostpoint.ch           286784 hostpoint.ch
   219246 infomaniak.ch          216411 infomaniak.ch          195060 infomaniak.ch
   172777 transip.nl             172489 transip.nl             182438 mijndomein.nl
   172069 jouwweb.nl             170058 mijndomein.nl          166314 transip.nl
   170317 mijndomein.nl          166814 jouwweb.nl             154096 argewebhosting.nl
   137375 argewebhosting.nl      138337 argewebhosting.nl      134199 simply.com
   130652 simply.com             132653 simply.com             118030 jouwweb.nl
   111485 hostnet.nl             111533 hostnet.nl             111945 hostnet.nl
   109779 domeneshop.no          109976 domeneshop.no          108682 domeneshop.no
   106544 loopia.se              106479 loopia.se              104887 loopia.se
    89264 webhostingserver.nl     89713 webhostingserver.nl     94600 webhostingserver.nl
    82634 forpsi.com              83026 forpsi.com              79127 forpsi.com
    81475 zxcs.nl                 81215 zxcs.nl                 67139 zxcs.nl
    47296 protonmail.ch           46191 protonmail.ch           46886 active24.com
    41179 antagonist.nl           41111 antagonist.nl           39610 webreus.nl
    38161 active24.com            38611 active24.com            39483 antagonist.nl
    36259 webreus.nl              36576 webreus.nl              34977 protonmail.ch
    28643 pcextreme.nl            29196 pcextreme.nl            32983 pcextreme.nl
    28102 xel.nl                  28283 xel.nl                  29297 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
  This month                  Last month                  Last year
  -----------                 ----------                  ---------
  12019 TOTAL                 11870 TOTAL                 10595 TOTAL
   3819 DE, Germany            3785 DE, Germany            3209 DE, Germany
   1948 NL, The Netherlands    1942 NL, The Netherlands    1891 NL, Netherlands
   1929 US, United States      1883 US, United States      1833 US, United States
    905 FR, France              921 FR, France              799 FR, France
    481 CZ, Czechia             479 CZ, Czechia             388 CZ, Czechia
    380 GB, United Kingdom      366 GB, United Kingdom      362 GB, United Kingdom
    287 FI, Finland             272 FI, Finland             235 FI, Finland
    212 CA, Canada              214 CA, Canada              221 CA, Canada
    199 CH, Switzerland         187 CH, Switzerland         153 AT, Austria
    186 AT, Austria             183 AT, Austria             135 SE, Sweden
    176 SE, Sweden              169 SE, Sweden              134 CH, Switzerland
    160 DK, Denmark             152 DK, Denmark             132 DK, Denmark
    148 AU, Australia           145 AU, Australia           122 SG, Singapore
    117 SG, Singapore           119 SG, Singapore           120 AU, Australia
    103 RU, Russia              102 RU, Russia               72 PL, Poland
     93 PL, Poland               89 PL, Poland               58 JP, Japan
     67 NO, Norway               63 NO, Norway               57 RU, Russia
     57 JP, Japan                61 JP, Japan                47 NO, Norway
     49 IT, Italy                50 BR, Brazil               42 BR, Brazil
     49 BR, Brazil               43 IT, Italy                38 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
  This month                  Last month                  Last year
  ----------                  ----------                  ---------
   9592 TOTAL                  9515 TOTAL                  8339 TOTAL
   4210 NL, The Netherlands    4229 NL, The Netherlands    3666 NL, Netherlands
   2791 DE, Germany            2724 DE, Germany            2330 DE, Germany
    888 US, United States       868 US, United States       860 US, United States
    390 FR, France              401 FR, France              406 FR, France
    202 CZ, Czechia             198 CZ, Czechia             175 CZ, Czechia
    185 GB, United Kingdom      183 GB, United Kingdom      162 GB, United Kingdom
    113 FI, Finland             112 FI, Finland              77 CA, Canada
     86 CA, Canada               83 CA, Canada               74 FI, Finland
     80 SE, Sweden               78 SE, Sweden               67 AU, Australia
     75 AU, Australia            76 AU, Australia            64 CH, Switzerland
     72 CH, Switzerland          74 CH, Switzerland          56 SE, Sweden
     50 AT, Austria              52 AT, Austria              54 AT, Austria
     44 SG, Singapore            46 SG, Singapore            44 SG, Singapore
     39 JP, Japan                39 JP, Japan                36 JP, Japan
     31 RU, Russia               32 RU, Russia               23 EE, Estonia
     31 NO, Norway               29 RO, Romania              21 NO, Norway
     29 RO, Romania              28 NO, Norway               21 IE, Ireland
     29 BR, Brazil               28 BR, Brazil               21 DK, Denmark
     26 DK, Denmark              22 DK, Denmark              17 BR, Brazil
     16 IE, Ireland              17 IE, Ireland              15 LT, Lithuania
There are 10,449 unique zones (10,192 last month, 9,144 last year) in
which the underlying MX hosts are found. This counts each of the above
providers as just one zone, so is a measure of the breadth of adoption
in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 21,169 (20,854 last
month, 19,380 last year). These cover 21,466 distinct MX hosts (21,158
last month, 19,380 last year, some MX hosts share the same TLSA records
through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,173 (841 last year, this is my ad-hoc
criterion for a domain being a large-enough actively used email domain).
Of these, 674 (525 last year) are in recent (last 90 days of) reports
(see [2] below my signature).
Of the ~3.99 million DANE domains, 14,456 (14,431 last month, 13,107
last year) have "partial" TLSA records, that cover only a subset of the
(secondary) MX hosts. While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via
the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,862
(1,655 last month, 1,320 last year). Some of these have additional MX
hosts that don't have broken TLSA records, so mail can still arrive via
the remaining MX hosts. The affected domain counts for the top 10
problem MX hosts are:
172 mx2.tkservers.com
48 mail.caop.nl
35 mx1.mdbraber.com
32 mx01.speicher-werk.de
31 mail-03.eu-central-1.aorta.space
26 mail.orionpanel.nl
23 smtp2.kruik-it.nl
23 mail.spreadity.com
22 mail.exot.cz
15 mail.nationaalarchief.nl
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 838 (901 last
month, 1,076 last year). The top 10 name server operators with problem
domains are:
This Month              Last month              Last year
----------              ----------              ----------
  528 neostrada.nl        608 neostrada.nl        148 swizzonic.ch
   60 worldnic.com         61 worldnic.com        134 worldnic.com
   22 openprovider.nl      22 openprovider.nl     106 epik.com
   21 active24.cz          14 sectigoweb.com       95 axc.nl
   14 sectigoweb.com       13 register.com         73 ebola.cz
   13 register.com          8 ispapi.net           61 openprovider.nl
    7 vultr.com             8 dnssrv.nl            29 made-easy.ch
    7 dnssrv.nl             7 vultr.com            20 register.com
    6 resolver.domains      6 resolver.domains     18 sectigoweb.com
    6 ispapi.net            6 forpsi.net           12 ispapi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits:
Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and
team). Wes also hosts and maintains the https://stats.dnssec-tools.org
website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data
support from Chris Mikkelson from domaintools.com. Credits also due to
ICANN providing gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
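The conditions the report above counts (MX hosts with no TLSA records, malformed or stale records, and "partial" coverage across a domain's MX hosts) can be monitored with a check along these lines. This is an added example, not part of the original post or the survey's own code: the host names, certificate blobs and function names are constructed for illustration, DANE-TA(2) matching is simplified to the certificates above the leaf, and only digests are compared (no signature, name or expiry validation).

```python
import hashlib

# TLSA matching types 1 (SHA2-256) and 2 (SHA2-512); type 0 is the full data.
DIGEST = {1: hashlib.sha256, 2: hashlib.sha512}


def parse_tlsa(rdata):
    """Parse 'usage selector mtype hexdata'; raise ValueError if malformed."""
    fields = rdata.split()
    if len(fields) < 4:
        raise ValueError("expected: usage selector mtype data")
    usage, selector, mtype = (int(f) for f in fields[:3])
    data = bytes.fromhex("".join(fields[3:]))
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("field value out of range")
    if not data or (mtype in DIGEST and len(data) != DIGEST[mtype]().digest_size):
        raise ValueError("association data length does not fit matching type")
    return usage, selector, mtype, data


def record_matches(record, chain):
    """chain: list of (cert_der, spki_der) pairs as presented, leaf first."""
    usage, selector, mtype, data = record
    if usage == 3:        # DANE-EE: compare with the leaf certificate
        candidates = chain[:1]
    elif usage == 2:      # DANE-TA: simplified here to the certs above the leaf
        candidates = chain[1:]
    else:                 # PKIX-TA(0) / PKIX-EE(1) are not evaluated in this example
        return False
    for pair in candidates:
        blob = pair[selector]          # selector 0 = full cert, 1 = SPKI
        if (DIGEST[mtype](blob).digest() if mtype else blob) == data:
            return True
    return False


def host_status(rrset, chain):
    """rrset: list of TLSA RDATA strings; chain: presented chain, or None if down."""
    if not rrset:
        return "no-tlsa"
    records = []
    for rdata in rrset:
        try:
            records.append(parse_tlsa(rdata))
        except ValueError:
            pass                       # ignore unparsable records
    if not records:
        return "malformed"
    if chain is None:                  # footnote [1]: dead host, well-formed TLSA
        return "down"
    return "ok" if any(record_matches(r, chain) for r in records) else "mismatch"


def domain_status(mx_hosts):
    """mx_hosts: {mx_name: (rrset, chain)} -> (verdict, per-host statuses)."""
    statuses = {mx: host_status(rrset, chain) for mx, (rrset, chain) in mx_hosts.items()}
    seen = set(statuses.values())
    if seen & {"mismatch", "malformed"}:
        verdict = "broken"             # delivery to these hosts fails for DANE senders
    elif seen == {"no-tlsa"}:
        verdict = "not-dane"
    elif "no-tlsa" in seen:
        verdict = "partial"            # uncovered MX hosts remain open to downgrade
    else:
        verdict = "dane"
    return verdict, statuses


# Constructed stand-ins for DER blobs (not real certificates or keys).
OLD_LEAF = (b"old-leaf-cert", b"old-leaf-spki")
NEW_LEAF = (b"new-leaf-cert", b"new-leaf-spki")
ISSUER = (b"issuer-cert", b"issuer-spki")
CHAIN = [NEW_LEAF, ISSUER]             # what the MX host presents today


def tlsa(usage, spki):
    """Build a '<usage> 1 1' record (SPKI selector, SHA2-256) for sample data."""
    return f"{usage} 1 1 {hashlib.sha256(spki).hexdigest()}"


SAMPLES = {
    "full.example": {"mx1.full.example": ([tlsa(3, NEW_LEAF[1])], CHAIN),
                     "mx2.full.example": ([tlsa(3, NEW_LEAF[1])], None)},
    "partial.example": {"mx1.partial.example": ([tlsa(3, NEW_LEAF[1])], CHAIN),
                        "mx2.partial.example": ([], CHAIN)},
    # Key was rotated on the server but the old digest is still published.
    "stale.example": {"mx1.stale.example": ([tlsa(3, OLD_LEAF[1])], CHAIN)},
    "ta.example": {"mx1.ta.example": ([tlsa(2, ISSUER[1])], CHAIN)},
    "garbled.example": {"mx1.garbled.example": (["3 1 1 abcd"], CHAIN)},
}

if __name__ == "__main__":
    for domain, hosts in SAMPLES.items():
        print(domain, *domain_status(hosts))
```

In a real monitor the RRsets would come from a DNSSEC-validating resolver and the chain from a STARTTLS handshake with each MX host.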
Summary: The DANE domain count is now 3,987,641 (3,949,527 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,197,449 (up slightly from 23,173,417
last month). Thus DANE TLSA is deployed on ~17.18% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>. [
See the Credits[0] list below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important upcoming
changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY6…
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2…
As of today, I count ~3.99 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                    Last Month
----------                    ----------
1314010 one.com               1314953 one.com
 305329 hostpoint.ch           303663 hostpoint.ch
 216411 infomaniak.ch          212629 infomaniak.ch
 172489 transip.nl             172311 transip.nl
 170058 mijndomein.nl          169592 mijndomein.nl
 166814 jouwweb.nl             161972 jouwweb.nl
 138337 argewebhosting.nl      139685 argewebhosting.nl
 132653 simply.com             131004 simply.com
 111533 hostnet.nl             111235 hostnet.nl
 109976 domeneshop.no          109839 domeneshop.no
 106479 loopia.se              106090 loopia.se
  89713 webhostingserver.nl     90348 webhostingserver.nl
  83026 forpsi.com              83074 forpsi.com
  81215 zxcs.nl                 81323 zxcs.nl
  46191 protonmail.ch           44928 protonmail.ch
  41111 antagonist.nl           40974 antagonist.nl
  38611 active24.com            39102 active24.com
  36576 webreus.nl              36892 webreus.nl
  29196 pcextreme.nl            29674 pcextreme.nl
  28283 xel.nl                  28404 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                 Last month
-----------                ----------
11870 TOTAL                11663 TOTAL
 3785 DE, Germany           3687 DE, Germany
 1942 NL, The Netherlands   1932 NL, Netherlands
 1883 US, United States     1888 US, United States
  921 FR, France             883 FR, France
  479 CZ, Czechia            458 CZ, Czechia
  366 GB, United Kingdom     364 GB, United Kingdom
  272 FI, Finland            267 FI, Finland
  214 CA, Canada             213 CA, Canada
  187 CH, Switzerland        176 AT, Austria
  183 AT, Austria            171 CH, Switzerland
  169 SE, Sweden             161 SE, Sweden
  152 DK, Denmark            147 DK, Denmark
  145 AU, Australia          141 AU, Australia
  119 SG, Singapore          123 SG, Singapore
  102 RU, Russia             107 RU, Russia
   89 PL, Poland              88 PL, Poland
   63 NO, Norway              64 JP, Japan
   61 JP, Japan               60 NO, Norway
   50 BR, Brazil              51 BR, Brazil
   43 IT, Italy               47 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                 Last month
----------                 ----------
 9515 TOTAL                 9445 TOTAL
 4229 NL, The Netherlands   4224 NL, Netherlands
 2724 DE, Germany           2659 DE, Germany
  868 US, United States      881 US, United States
  401 FR, France             389 FR, France
  198 CZ, Czechia            189 CZ, Czechia
  183 GB, United Kingdom     177 GB, United Kingdom
  112 FI, Finland            110 FI, Finland
   83 CA, Canada              87 CA, Canada
   78 SE, Sweden              81 SE, Sweden
   76 AU, Australia           72 AU, Australia
   74 CH, Switzerland         68 CH, Switzerland
   52 AT, Austria             49 SG, Singapore
   46 SG, Singapore           47 AT, Austria
   39 JP, Japan               43 RU, Russia
   32 RU, Russia              39 JP, Japan
   29 RO, Romania             30 BR, Brazil
   28 NO, Norway              28 RO, Romania
   28 BR, Brazil              26 NO, Norway
   22 DK, Denmark             23 DK, Denmark
   17 IE, Ireland             18 LT, Lithuania
There are 10,192 unique zones (9,773 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,854 (20,781 last
month). These cover 21,158 distinct MX hosts (21,077 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,135 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 614
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.99 million DANE domains, 14,431 (14,236 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,655
(1,873 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
172 mx2.tkservers.com
40 svr3.it-df.net
35 mx1.mdbraber.com
27 mail.orionpanel.nl
23 smtp2.kruik-it.nl
19 web1.sys.ccs-baumann.de
19 fsn1-c04.xemo-net.de
15 mail.nationaalarchief.nl
15 artemis.strebsjig.net
13 smtp.philinnon.net
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 838 (901 last
month). The top 10 name server operators with problem domains are:
This Month              Last month
----------              ----------
  608 neostrada.nl        665 neostrada.nl
   61 worldnic.com         62 worldnic.com
   22 openprovider.nl      24 openprovider.nl
   14 sectigoweb.com       14 sectigoweb.com
   13 register.com         13 register.com
    8 ispapi.net            9 dnssrv.nl
    8 dnssrv.nl             8 ispapi.net
    7 vultr.com             7 vultr.com
    6 resolver.domains      6 resolver.domains
    6 forpsi.net            6 forpsi.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: The DANE domain count is now 3,949,527 (3,923,543 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,173,417 (up slightly from 23,180,180
last month). Thus DANE TLSA is deployed on ~17.04% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
As of today, I count ~3.95 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                    Last Month
----------                    ----------
1314953 one.com               1322240 one.com
 303663 hostpoint.ch           302353 hostpoint.ch
 212629 infomaniak.ch          209052 infomaniak.ch
 172311 transip.nl             171630 transip.nl
 169592 mijndomein.nl          168815 mijndomein.nl
 161972 jouwweb.nl             156229 jouwweb.nl
 139685 argewebhosting.nl      141433 argewebhosting.nl
 131004 simply.com             129838 simply.com
 111235 hostnet.nl             111275 hostnet.nl
 109839 domeneshop.no          109926 domeneshop.no
 106090 loopia.se              105948 loopia.se
  90348 webhostingserver.nl     91048 webhostingserver.nl
  83074 forpsi.com              83031 forpsi.com
  81323 zxcs.nl                 81293 zxcs.nl
  44928 protonmail.ch           44103 protonmail.ch
  40974 antagonist.nl           40754 antagonist.nl
  39102 active24.com            39341 active24.com
  36892 webreus.nl              37235 webreus.nl
  29674 pcextreme.nl            30037 pcextreme.nl
  28404 xel.nl                  28501 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                Last month
-----------               ----------
11663 TOTAL               11403 TOTAL
 3687 DE, Germany          3586 DE, Germany
 1932 NL, Netherlands      1887 NL, Netherlands
 1888 US, United States    1885 US, United States
  883 FR, France            864 FR, France
  458 CZ, Czechia           452 CZ, Czechia
  364 GB, United Kingdom    360 GB, United Kingdom
  267 FI, Finland           264 FI, Finland
  213 CA, Canada            203 CA, Canada
  176 AT, Austria           179 AT, Austria
  171 CH, Switzerland       165 SE, Sweden
  161 SE, Sweden            148 CH, Switzerland
  147 DK, Denmark           146 DK, Denmark
  141 AU, Australia         144 AU, Australia
  123 SG, Singapore         125 SG, Singapore
  107 RU, Russia             90 PL, Poland
   88 PL, Poland             85 RU, Russia
   64 JP, Japan              65 JP, Japan
   60 NO, Norway             55 BR, Brazil
   51 BR, Brazil             52 NO, Norway
   47 IT, Italy              42 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                Last month
----------                ----------
 9445 TOTAL                9295 TOTAL
 4224 NL, Netherlands      4201 NL, Netherlands
 2659 DE, Germany          2602 DE, Germany
  881 US, United States     866 US, United States
  389 FR, France            375 FR, France
  189 CZ, Czechia           178 GB, United Kingdom
  177 GB, United Kingdom    178 CZ, Czechia
  110 FI, Finland           110 FI, Finland
   87 CA, Canada             82 CA, Canada
   81 SE, Sweden             80 SE, Sweden
   72 AU, Australia          72 AU, Australia
   68 CH, Switzerland        65 CH, Switzerland
   49 SG, Singapore          50 SG, Singapore
   47 AT, Austria            49 AT, Austria
   43 RU, Russia             41 JP, Japan
   39 JP, Japan              30 RU, Russia
   30 BR, Brazil             28 RO, Romania
   28 RO, Romania            27 NO, Norway
   26 NO, Norway             26 BR, Brazil
   23 DK, Denmark            24 DK, Denmark
   18 LT, Lithuania          18 IE, Ireland
There are 9,773 unique zones (9,391 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,781 (20,808 last
month). These cover 21,077 distinct MX hosts (21,102 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,090 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 569
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.95 million DANE domains, 14,236 (14,262 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,873
(2,180 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
177 mx2.tkservers.com
132 mx2.dotxs.net
44 mx.neutraldomains.net
41 svr3.it-df.net
35 mx1.mdbraber.com
23 smtp2.kruik-it.nl
22 mail.mxx.dk
20 fsn1-c04.xemo-net.de
19 web2.sys.ccs-baumann.de
15 mx1.zeromeaning.com
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 901 (1,057 last
month). The top 10 name server operators with problem domains are:
This Month            Last month
----------            ----------
665 neostrada.nl      715 neostrada.nl
 62 worldnic.com       70 worldnic.com
 24 openprovider.nl    60 ebola.cz
 14 sectigoweb.com     32 openprovider.nl
 13 register.com       14 sectigoweb.com
  9 dnssrv.nl          13 register.com
  8 ispapi.net         10 dnssrv.nl
  7 vultr.com           8 ispapi.net
  6 resolver.domains    7 vultr.com
  6 forpsi.net          7 cloudns.net
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Summary: A slow month. The DANE domain count is now 3,923,543
(c.f. 3,924,107 last month).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,180,180 (up slightly from 23,141,061
last month). Thus DANE TLSA is deployed on ~16.92% of domains with
DNSSEC. For more stats, see <https://stats.dnssec-tools.org/>.
[ See the Credits[0] list below my signature. ]
A light at the end of the tunnel is that Microsoft are moving
forward with enabling inbound DANE. Though the official
start date is in Q1 2024, the first domain is already live,
with its primary and secondary MX hosts DANE-enabled:
https://twitter.com/VDukhovni/status/1707817430125322421
https://stats.dnssec-tools.org/explore/?digitalcosmos.net
The 3rd and 4th MX hosts aren't yet on the new "mx.microsoft"
platform.
As of today, I count ~3.92 million domains with correct SMTP DANE TLSA records
at every primary MX host that accepts connections[1]. As expected, the bulk of
the DANE domains are hosted by the DNS/email hosting providers who've enabled
DANE support for the customer domains they host. The top 20 MX host providers
by domain count are below.
This month                   Last Month
----------                   ----------
1322240 one.com              1330342 one.com
 302353 hostpoint.ch          300967 hostpoint.ch
 209052 infomaniak.ch         205928 infomaniak.ch
 171630 transip.nl            171750 transip.nl
 168815 mijndomein.nl         168545 mijndomein.nl
 156229 jouwweb.nl            151627 jouwweb.nl
 141433 argewebhosting.nl     144160 argewebhosting.nl
 129838 simply.com            132421 simply.com
 111275 hostnet.nl            111071 hostnet.nl
 109926 domeneshop.no         109902 domeneshop.no
 105948 loopia.se             106030 loopia.se
  91048 webhostingserver.nl    91275 webhostingserver.nl
  83031 forpsi.com             83195 forpsi.com
  81293 zxcs.nl                77300 zxcs.nl
  44103 protonmail.ch          43426 protonmail.ch
  40754 antagonist.nl          40528 antagonist.nl
  39341 active24.com           39981 active24.com
  37235 webreus.nl             37575 webreus.nl
  30037 pcextreme.nl           30373 pcextreme.nl
  28501 xel.nl                 28672 xel.nl
The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).
This month                Last month
-----------               ----------
11403 TOTAL               11375 TOTAL
 3586 DE, Germany          3553 DE, Germany
 1887 NL, Netherlands      1894 US, United States
 1885 US, United States    1886 NL, Netherlands
  864 FR, France            822 FR, France
  452 CZ, Czechia           443 CZ, Czechia
  360 GB, United Kingdom    369 GB, United Kingdom
  264 FI, Finland           268 FI, Finland
  203 CA, Canada            204 CA, Canada
  179 AT, Austria           202 AT, Austria
  165 SE, Sweden            167 SE, Sweden
  148 CH, Switzerland       148 CH, Switzerland
  146 DK, Denmark           144 DK, Denmark
  144 AU, Australia         140 AU, Australia
  125 SG, Singapore         123 SG, Singapore
   90 PL, Poland             92 RU, Russia
   85 RU, Russia             90 PL, Poland
   65 JP, Japan              65 JP, Japan
   55 BR, Brazil             50 BR, Brazil
   52 NO, Norway             49 NO, Norway
   42 IT, Italy              44 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:
This month                Last month
----------                ----------
 9295 TOTAL                8949 TOTAL
 4201 NL, Netherlands      3857 NL, Netherlands
 2602 DE, Germany          2596 DE, Germany
  866 US, United States     883 US, United States
  375 FR, France            363 FR, France
  178 GB, United Kingdom    190 GB, United Kingdom
  178 CZ, Czechia           176 CZ, Czechia
  110 FI, Finland           111 FI, Finland
   82 CA, Canada             85 CA, Canada
   80 SE, Sweden             72 AU, Australia
   72 AU, Australia          69 SE, Sweden
   65 CH, Switzerland        62 CH, Switzerland
   50 SG, Singapore          50 SG, Singapore
   49 AT, Austria            48 AT, Austria
   41 JP, Japan              41 JP, Japan
   30 RU, Russia             30 RU, Russia
   28 RO, Romania            30 RO, Romania
   27 NO, Norway             27 DK, Denmark
   26 BR, Brazil             25 BR, Brazil
   24 DK, Denmark            23 NO, Norway
   18 IE, Ireland            18 UA, Ukraine
There are 9,391 unique zones (9,398 last month) in which the underlying
MX hosts are found. This counts each of the above providers as just one
zone, so is a measure of the breadth of adoption in terms of
organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 20,808 (20,884 last
month). These cover 21,102 distinct MX hosts (21,182 last month, some
MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,062 (this is my ad-hoc criterion for a
domain being a large-enough actively used email domain). Of these, 548
are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.92 million DANE domains, 14,262 (14,274 last month) have
"partial" TLSA records, that cover only a subset of the (secondary) MX
hosts. While this protects traffic to some of the MX hosts, such
domains are still vulnerable to the usual active attacks via the
remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,873
(2,180 last month). Some of these have additional MX hosts that don't
have broken TLSA records, so mail can still arrive via the remaining MX
hosts. The affected domain counts for the top 10 problem MX hosts are:
178 mx2.tkservers.com
133 mx2.solutive.nl
42 mail.itcomputers.net
37 mx04.speicher-werk.de
35 mx1.mdbraber.com
32 relay.csngroep.nl
24 semark.dk
23 smtp2.kruik-it.nl
20 fsn1-c04.xemo-net.de
19 web1.sys.ccs-baumann.de
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP…
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-…
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 1,057 (1,357 last
month). The top 10 name server operators with problem domains are:
This Month            Last month
----------            ----------
715 neostrada.nl      963 neostrada.nl
 70 worldnic.com       93 worldnic.com
 60 ebola.cz           65 ebola.cz
 32 openprovider.nl    39 openprovider.nl
 14 sectigoweb.com     14 sectigoweb.com
 13 register.com       13 register.com
 10 dnssrv.nl          12 dnssrv.nl
  8 ispapi.net          9 ispapi.net
  7 vultr.com           7 vultr.com
  7 cloudns.net         7 resolver.domains
If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with
ongoing data support from Paul Vixie of Farsight Security. Credits also
due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records, (which don't need to match anything, just
need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports:
Hi together,
one of my s/qmail users has problems with the TLSA/DANE record for the
following domain:
* excalibur.iks-jena.de
Here, I get the settings:
$ dnstlsa excalibur.iks-jena.de
Usage: [2], Selector: [1], Type: [1]
10f34e8f08e446cc26d7d591184b51cb83791c869cef388be5d5cb58e2927f7a
Usage: [2], Selector: [1], Type: [1]
3c9762932ec8e6e52d4b37504f15d90a3fac9930e1058170372b3a4b0e068a43
where the root FP is ok, the MTA's not.
Given the remarks in RFC 7672 section 3.1.2, I feel a bit uncomfortable
about it.
Any opinions? Advice?
Regards.
--eh.
--
Dr. Erwin Hoffmann | www.fehcom.de
PGP key-id: 20FD6E671A94DC1E
PGP key-fingerprint: 8C6B 155B 0FDA 64F1 BCCE A6B9 20FD 6E67 1A94 DC1E
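An added illustration (not code from the list or from any poster): it parses the dnstlsa output quoted in the post above, checks that each record is well-formed, shows which chain positions a usage 2 or usage 3 record is compared against, and applies the full / partial / broken distinction from the survey posts to a set of MX hosts. The chain bytes, the example.net host names, the verdict labels and all function names are constructed for this example, and only the digest comparison is modelled, not signature, expiry or name checks.

```python
import hashlib
import re
from dataclasses import dataclass

DIGESTS = {1: hashlib.sha256, 2: hashlib.sha512}  # TLSA matching types 1 and 2

@dataclass(frozen=True)
class TLSA:
    usage: int
    selector: int
    mtype: int
    data: bytes

# Record layout of the dnstlsa output quoted in the post above.
_DNSTLSA = re.compile(
    r"Usage: \[(\d+)\], Selector: \[(\d+)\], Type: \[(\d+)\]\s+([0-9A-Fa-f]+)")

def parse_dnstlsa(text):
    """Parse dnstlsa-style output; odd-length hex becomes empty data."""
    records = []
    for usage, sel, mtype, hexdata in _DNSTLSA.findall(text):
        data = bytes.fromhex(hexdata) if len(hexdata) % 2 == 0 else b""
        records.append(TLSA(int(usage), int(sel), int(mtype), data))
    return records

def well_formed(rr):
    """Field values are in range and the data length fits the matching type."""
    if rr.usage not in (0, 1, 2, 3) or rr.selector not in (0, 1):
        return False
    if rr.mtype == 0:
        return len(rr.data) > 0
    return rr.mtype in DIGESTS and len(rr.data) == DIGESTS[rr.mtype]().digest_size

def usable_for_smtp(rr):
    # Assumption of this example: only DANE-TA(2) and DANE-EE(3) count for SMTP.
    return well_formed(rr) and rr.usage in (2, 3)

def match_chain(rrset, chain):
    """chain is [(cert_der, spki_der), ...], leaf first; returns (usage, depth) or None.
    Only the digest comparison is shown: no signature, expiry or name checks."""
    for rr in filter(usable_for_smtp, rrset):
        # In this example DANE-EE(3) pins the leaf only; DANE-TA(2) may match
        # any element of the presented chain.
        depths = range(min(1, len(chain))) if rr.usage == 3 else range(len(chain))
        for depth in depths:
            blob = chain[depth][rr.selector]  # index 0 = full cert, 1 = SPKI
            want = blob if rr.mtype == 0 else DIGESTS[rr.mtype](blob).digest()
            if want == rr.data:
                return rr.usage, depth
    return None

def host_status(rrset, chain):
    """chain=None means the host accepts no connections."""
    if not rrset:
        return "no-tlsa"
    if chain is None:  # dead MX: records only have to exist and be well-formed
        return "down" if all(well_formed(rr) for rr in rrset) else "broken"
    return "ok" if match_chain(rrset, chain) else "broken"

def classify_domain(mx):
    """mx maps host -> (rrset, chain); returns (verdict, per-host status)."""
    status = {host: host_status(*pair) for host, pair in mx.items()}
    live = {s for s in status.values() if s != "down"}
    if "broken" in live:
        return "broken", status
    if live == {"ok"}:
        return "dane", status
    return ("partial" if "ok" in live else "none"), status

# Constructed stand-ins for (certificate DER, SPKI DER); not real certificates.
LEAF = (b"leaf cert", b"leaf spki")
ISSUER = (b"issuer cert", b"issuer spki")
ROOT = (b"root cert", b"root spki")
CHAIN = [LEAF, ISSUER, ROOT]

def tlsa_for(usage, selector, mtype, cert):
    """Build the record a publisher would derive from one chain element."""
    blob = cert[selector]
    data = blob if mtype == 0 else DIGESTS[mtype](blob).digest()
    return TLSA(usage, selector, mtype, data)

# The two records shown in the post's dnstlsa output.
POSTED = parse_dnstlsa("""
Usage: [2], Selector: [1], Type: [1]
10f34e8f08e446cc26d7d591184b51cb83791c869cef388be5d5cb58e2927f7a
Usage: [2], Selector: [1], Type: [1]
3c9762932ec8e6e52d4b37504f15d90a3fac9930e1058170372b3a4b0e068a43
""")

# Constructed domain: primary MX pinned to its root CA, secondary MX without TLSA.
SAMPLE_MX = {
    "mx1.example.net": ([tlsa_for(2, 1, 1, ROOT)], CHAIN),
    "mx2.example.net": ([], CHAIN),
}
```

`classify_domain(SAMPLE_MX)` reports the constructed domain as partial, because only one of its two MX hosts publishes TLSA records.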
Breaking news, Microsoft is pulling the trigger on DANE next year: Implementing Inbound SMTP DANE with DNSSEC for Exchange Online Mail Flow - Microsoft Community Hub<https://techcommunity.microsoft.com/t5/exchange-team-blog/implementing-inbo…>
Mike