NOTE: When using NSEC3 to sign your domain, please make sure your extra iteration count is not needlessly large (i.e. above ~25, 0 is best). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
Summary: The DANE domain count is now 2,653,718 (down from 2,671,696 last month).
[ One Dutch hosting provider with ~25k DANE domains last month, no longer has MX TLSA records this month, perhaps temporarily? ]
The number of domains that return DNSSEC-validated replies in response to MX queries is 15,663,538 (up from 15,370,647 last month). Thus DANE TLSA is deployed on ~16.94% of domains with DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
As of today I count 2,653,718 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month Last month ---------- ---------- 1227184 one.com 1229596 one.com 151493 transip.nl 150659 transip.nl 150376 argewebhosting.nl 150607 argewebhosting.nl 114457 infomaniak.ch 112821 infomaniak.ch 105236 domeneshop.no 105401 domeneshop.no 98871 webhostingserver.nl 99195 webhostingserver.nl 94187 loopia.se 94181 loopia.se 70345 forpsi.com 70039 forpsi.com 42190 active24.com 42040 active24.com 39057 zxcs.nl 39239 webreus.nl 38973 webreus.nl 38021 zxcs.nl 37753 antagonist.nl 37715 pcextreme.nl 37509 pcextreme.nl 37563 antagonist.nl 28712 vevida.com 28958 vevida.com 27550 webhosting.dk 27525 webhosting.dk 26580 web4u.cz 26607 web4u.cz 26555 udmedia.de 26407 udmedia.de 24671 hosting2go.nl 24915 hosting2go.nl 19910 protonmail.ch 24728 spamservice.nl 18975 bhosted.nl 19280 protonmail.ch
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month ---------- ---------- 8815 TOTAL 8751 TOTAL 2631 DE, Germany 2635 DE, Germany 1693 US, United States 1677 US, United States 1676 NL, Netherlands 1668 NL, Netherlands 662 FR, France 653 FR, France 313 GB, United Kingdom 317 GB, United Kingdom 226 CZ, Czechia 227 CZ, Czechia 206 CA, Canada 202 CA, Canada 174 FI, Finland 169 FI, Finland 124 DK, Denmark 124 DK, Denmark 122 SG, Singapore 121 SG, Singapore 106 CH, Switzerland 106 CH, Switzerland 102 SE, Sweden 97 SE, Sweden 84 AU, Australia 81 AU, Australia 76 AT, Austria 72 AT, Austria 41 RU, Russia 45 PL, Poland 41 PL, Poland 39 NO, Norway 41 IE, Ireland 39 IE, Ireland 40 NO, Norway 38 RU, Russia 40 BR, Brazil 37 JP, Japan 38 JP, Japan 37 BR, Brazil
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month Last month ---------- ---------- 6948 TOTAL 6912 TOTAL 3301 NL, Netherlands 3291 NL, Netherlands 1810 DE, Germany 1807 DE, Germany 710 US, United States 699 US, United States 297 FR, France 292 FR, France 154 CZ, Czechia 143 GB, United Kingdom 137 GB, United Kingdom 138 CZ, Czechia 71 FI, Finland 75 FI, Finland 61 CA, Canada 59 CA, Canada 44 SG, Singapore 45 CH, Switzerland 43 SE, Sweden 44 SG, Singapore 42 CH, Switzerland 41 SE, Sweden 32 AU, Australia 30 AU, Australia 29 AT, Austria 28 AT, Austria 27 JP, Japan 25 JP, Japan 20 IE, Ireland 18 DK, Denmark 17 RU, Russia 17 RU, Russia 17 DK, Denmark 16 NO, Norway 16 NO, Norway 16 IE, Ireland 14 BR, Brazil 14 BR, Brazil 12 IN, India 11 PL, Poland
There are 7,168 unique zones (7,132 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,673 (15,568 last month). These cover 15,908 distinct MX hosts (15,805 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 496 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 301 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.65 million domains, 12,719 (12,786 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1187 (also 1187 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-... https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r... https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1 http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1329 (1661 last month). The top 10 name server operators with problem domains are:
This month Last month ---------- ---------- 548 registrar-servers.com 526 registrar-servers.com 119 axc.nl 393 serverion.nl 88 ebola.cz 118 axc.nl 48 epik.com 89 ebola.cz 28 made-easy.ch 50 epik.com 27 mijndomein.nl 29 made-easy.ch 26 3zy.de 28 mijndomein.nl 24 tiscomhosting.nl 24 tiscomhosting.nl 22 netcup.net 22 cloudflare.com 20 cloudflare.com 16 movenext.nl
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Three of the domains all whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br icv-crew.com bncr.fi.cr peacecorps.gov ssa.gov sauditelecom.com.sa kmutt.ac.th novathreads.us
-- Viktor.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
univie.ac.at gmx.de ezorg.nl gmx.at jpberlin.de healthcheckcenter.nl triodos.be kabelmail.de herinneringenoplinnen.nl cetelemnegocie.com.br lmu.de hetamsterdamsverbond.nl clubedohardware.com.br lrz.de hostingpeople.nl contactflex.com.br mail.de hr.nl corridaeaventura.com.br mpg.de interconnect.nl nic.br neutraler-versand.de interim-netwerk.nl registro.br posteo.de luxiez.nl pdac.ca ruhr-uni-bochum.de mailplus.nl gmx.ch tum.de markteffectmail.nl hostpoint.ch tutanota.de mijnuvt.nl infomaniak.ch uni-erlangen.de minbuza.nl open.ch uni-muenchen.de minbzk.nl protonmail.ch unitymedia.de mindef.nl switch.ch web.de mkbbelangen.nl travailler-en-suisse.ch westlotto.de mm1.nl simplelogin.co actie.deals mulderretail.nl ansigtsyogaonline.com fibianet.dk nieuwsservice-rvo.nl beaconx.com fvst.dk ns.nl connectsb.com handelsbanken.dk ouderportaal.nl coremultichain.com netic.dk overheid.nl dailyplaylists.com shapeit.dk parlement.nl datev.com shellcard.dk partijvoordedieren.nl exegy.com stil.dk politie.nl flaneurhomme.com tilburguniversity.edu powerslim.nl gmx.com holt.ee pp-prd.nl habr.com just.ee previder.nl hotelsinduitsland.com rik.ee purdey.nl imcnig.com envie.email rijksoverheid.nl infomaniak.com spam-filter.email rivm.nl ingthink.com spike.email rotterdam.nl intakt.com spotler.email sans-mail.nl joomlapolis.com rediris.es schoudercom.nl jula.com triodos.es schuurman-schoenen.nl kpn.com uv.es sportrusten.nl leszexpertsfle.com litebit.eu ssonet.nl mail.com transadvise.eu telefoonglaasje.nl mammoetmail.com zone.eu triodos.nl matilhadobemadestramento.com zonevs.eu truetickets.nl mx-relay.com handelsbanken.fi tweedekamer.nl mychildlebensborn.com tarjousrinki.fi uitgeverijpica.nl nine-pine.com traficom.fi utwente.nl one.com ac-strasbourg.fr uvt.nl outsystems.com compagnie-des-sens.fr uwv.nl protonmail.com edtm-actu.fr veilinghuispeerdeman.nl protonvpn.com oo2.fr vogeldagboek.nl sanderrossel.com fidesz.hu voorpositiviteit.nl sankakucomplex.com mindigbutor.hu vu.nl societe.com mszp.hu waternet.nl solvinity.com interestexplorer.io xs4all.nl spareklubbnorge.com pm.me zorgmail.nl stellarequipment.com army.mil annabellstefanussen.no t-2.com dla.mil audi.no thalesgroup.com jten.mil bergengokart.no triodos.com mail.mil derute.no tutanota.com militaryonesource.mil domeneshop.no veganallsorts.com navy.mil handelsbanken.no veoliasophos.com nga.mil idrettenonline.no vitstore.com osd.mil norskgrammatikk.no webcruiter.com socom.mil rushtrampoline.no xfinity.com uscg.mil uib.no xfinityhomesecurity.com usmc.mil viphuset.no xfinitymobile.com comcast.net atelkamera.nu active24.cz fivem.net goget.nu akce-incomputer.cz gmx.net debian.org bewooden.cz habramail.net freebsd.org cuni.cz hr-manager.net gentoo.org ekokoza.cz inexio.net ietf.org gigalekarna.cz mijngezondheid.net irtf.org itesco.cz mpssec.net isc.org klenotyaurum.cz procurios.net mailbox.org klubpevnehozdravi.cz ripe.net mailop.org manymail.cz riseup.net netbsd.org nic.cz t-2.net openssl.org omvnovinky.cz transip.net ozlabs.org onebit.cz xs4all.net samba.org optimail.cz xworks.net torproject.org poptavej.cz 123watches.nl whatpulse.org reserved.cz amsterdam.nl psgaz.pl scrptd.cz awcloud.nl asf.com.pt server4u.cz belastingdienst.nl mobily.com.sa smtp.cz bhosted.nl bilprovningen.se stoklasa.cz bhsupport.nl boplatssyd-automail.se toplist.cz bibliotheekdenhaag.nl ecster.se vas-server.cz bluerail.nl handelsbanken.se vcelka.cz boekwinkeltjes.nl loopia.se virusfree.cz bolerolimonadewinkel.nl loopiahosting.se zdravestravovani.cz boozyshop.nl matlistan.se 123watches.de burgernet.nl minmyndighetspost.se bayern.de cbr.nl personligalmanacka.se brandenburg.de cbs.nl skatteverket.se bund.de citrusveiling.nl teknikdelar.se bundesregierung.de corpoflow.nl theletter.se datev.de denhaag.nl websupport.se dfn.de derooijfotografie.nl triodos.co.uk ekom21.de digid.nl xepay.co.uk elster.de duo.nl govtrack.us fau.de edenhotels.nl quantum-services.us followerpilot.de efactuurdirect.nl ru.ac.za freenet.de