Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .LI, .NAME, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
Summary: The DANE domain count is now 316,920
The number of DNSSEC domains in the survey stands at 8,986,410. Thus DANE TLSA is deployed on 3.52% of domains with DNSSEC.
This month DNSSEC denial of existence issues were resolved at KPN Internedservices (internedservices.nl or is.nl) and dotroll.com (also known as webspacecontrol.com). My thanks to both for taking action to significantly reduce the residual barriers to DANE adoption.
As of today I count 316,920 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 15 MX host providers by domain count are:
  114384 transip.nl
   96340 domeneshop.no
   34676 active24.com
   23670 udmedia.de
   10761 bhosted.nl
    3721 interconnect.nl
    2533 provalue.nl
    2451 nederhost.nl
    1521 yourdomainprovider.net
    1299 xcellerate.nl
    1189 hi7.de
    1062 surfmailfilter.nl
     753 omc-mail.com
     622 core-networks.de
     591 mailbox.org
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the top 10 countries below (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented):
  4251 TOTAL
  1449 DE, Germany
   910 US, United States
   549 NL, Netherlands
   330 FR, France
   158 GB, United Kingdom
   128 CZ, Czech Republic
   110 CA, Canada
    57 SE, Sweden
    56 SG, Singapore
    55 CH, Switzerland
IPv6 is still comparatively rare for MX hosts, and the top 10 countries by DANE MX host IPv6 GeoIP are (same top 6).
  2126 TOTAL
   816 DE, Germany
   426 US, United States
   317 NL, Netherlands
   191 FR, France
    70 GB, United Kingdom
    70 CZ, Czech Republic
    37 SE, Sweden
    27 SG, Singapore
    19 CH, Switzerland
    17 AT, Austria
There are 3571 unique zones in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The number of published MX host TLSA RRsets found is 5087. These cover 5449 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 168 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 86 are in recent (last 90 days of) reports:
gmx.at lrz.de ouderportaal.nl transip.be mail.de overheid.nl nic.br posteo.de pathe.nl registro.br ruhr-uni-bochum.de politie.nl gmx.ch tum.de transip.nl open.ch uni-erlangen.de truetickets.nl anubisnetworks.com unitybox.de uvt.nl gmx.com unitymedia.de xs4all.nl mail.com web.de domeneshop.no societe.com dk-hostmaster.dk handelsbanken.no solvinity.com egmontpublishing.dk rushtrondheim.no t-2.com netic.dk webcruitermail.no trashmail.com tilburguniversity.edu aegee.org xfinity.com insee.fr debian.org xfinityhomesecurity.com octopuce.fr freebsd.org xfinitymobile.com comcast.net gentoo.org active24.cz gmx.net ietf.org cuni.cz hr-manager.net isc.org destroystores.cz inexio.net netbsd.org klubpevnehozdravi.cz mpssec.net openssl.org optimail.cz t-2.net samba.org smtp.cz transip.net torproject.org bayern.de xs4all.net asf.com.pt bund.de bhosted.nl handelsbanken.se elster.de boozyshop.nl minmyndighetspost.se fau.de deltion.nl skatteverket.se freenet.de hierinloggen.nl t-2.si gmx.de interconnect.nl govtrack.us jpberlin.de intermax.nl
Of the ~317000 domains, 1390 have "partial" TLSA records, which cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 258. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
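To make the survey's "correct", "partial" and broken categories concrete, here is an added Python example (not the survey's own tooling) that classifies a domain from constructed MX, TLSA and TLS handshake data. All hostnames, key bytes and record contents are made up, only DANE-EE(3) matching against the leaf certificate is modelled, and the "stale" host shows the key-rotation mistake (digest of a key no longer deployed) that the monitoring advice above is meant to catch.

```python
import hashlib

# Constructed sample data, not real certificates: these bytes stand in for the
# DER leaf certificate and its SubjectPublicKeyInfo seen in the TLS handshake.
SPKI = {"mx1.example.net": b"spki-current-key-mx1", "mx2.example.net": b"spki-key-mx2"}
CERT = {h: b"cert-wrapping-" + k for h, k in SPKI.items()}
NEXT_SPKI_MX1 = b"spki-next-key-mx1"  # key for the upcoming rotation, not yet deployed

def digest(mtype, data):
    """Matching type 0 = exact data, 1 = SHA-256, 2 = SHA-512 (RFC 6698)."""
    return data if mtype == 0 else {1: hashlib.sha256, 2: hashlib.sha512}[mtype](data).digest()
def tlsa(usage, selector, mtype, data):
    """TLSA record in presentation format, used here to build the sample zone."""
    return f"{usage} {selector} {mtype} {digest(mtype, data).hex()}"

# Constructed TLSA RRsets per MX host. mx1 pre-publishes the next key's digest next to
# the current one (the rotation discipline the text asks for); stale kept only an old
# key's digest, the failure mode that lands a domain on the danefail list.
TLSA_RRSETS = {
    "mx1.example.net": [tlsa(3, 1, 1, SPKI["mx1.example.net"]), tlsa(3, 1, 1, NEXT_SPKI_MX1)],
    "mx2.example.net": [tlsa(3, 0, 1, CERT["mx2.example.net"])],
    "stale.example.net": [tlsa(3, 1, 1, b"spki-of-key-rotated-out-long-ago")],
}
HANDSHAKE = {h: (CERT[h], SPKI[h]) for h in SPKI}  # host -> (cert_der, spki_der)
HANDSHAKE["stale.example.net"] = (b"cert-stale", b"spki-current-key-stale")

def record_matches(record, cert_der, spki_der):
    """Match one DANE-EE(3) record against the presented leaf certificate. DANE-TA(2)
    needs the issuer chain (not modelled); PKIX usages 0/1 never match for SMTP."""
    usage, selector, mtype, data = record.split()
    if int(usage) != 3:
        return False
    subject = spki_der if int(selector) == 1 else cert_der
    return digest(int(mtype), subject) == bytes.fromhex(data)

def classify(mx_hosts, rrsets, handshake):
    """Survey-style verdict: 'dane' (every MX host covered), 'partial', 'broken' (an
    RRset nothing matches, or TLSA published but STARTTLS not offered: None) or 'none'."""
    covered = broken = 0
    for host in mx_hosts:
        if not rrsets.get(host):
            continue
        tls = handshake.get(host)
        if tls is None or not any(record_matches(r, *tls) for r in rrsets[host]):
            broken += 1
        else:
            covered += 1
    if broken:
        return "broken"
    if covered == len(mx_hosts):
        return "dane"
    return "partial" if covered else "none"
```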
The DNSSEC denial of existence breakage is lower this month, as a result of a complete resolution of all issues at is.nl and dotroll.com. After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 531. The top 20 name server operators with problem domains are:
  51 dotserv.com
  39 tiscomhosting.nl
  35 metaregistrar.nl
  33 sylconia.net
  31 nrdns.nl
  25 active24.cz (some broken wildcard cnames)
  20 host-redirect.com
  19 nazwa.pl (some broken wildcard NS RRs)
  12 psb1.org
  11 blauwblaatje.nl
  10 eth-services.de
  10 army.mil
   9 vultr.com
   9 dnscluster.nl
   8 pcextreme.nl
   8 forpsi.net
   7 ovh.net
   6 loopia.se
   6 domdom.hu
   5 1cocomo.com
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
None of the domains all of whose nameservers have broken denial of existence appear in historical Google reports. So it is likely that the DNSSEC denial of existence problems are not felt by most email senders.