Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for the gTLD data via CZDS, Afilias for access to .INFO zone data, data contributions from the TLD registries for .CH, .DK, .INFO, .LI, .NL and .ORG and open access for .FR, .NU and .SE. More data sources of ccTLD signed delegations welcome.
Summary: The DANE domain count is now 314,472
The number of DNSSEC domains in the survey stands at 8,908,099. Thus DANE TLSA is deployed on 3.52% of domains with DNSSEC.
All DNSSEC denial of existence issues are resolved at mijnhostingpartner.nl and tse.jus.br.
As of today I count 314,472 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 15 MX host providers by domain count are:
  112848 transip.nl
   96132 domeneshop.no
   34452 active24.com
   23638 udmedia.de
   10651 bhosted.nl
    3720 interconnect.nl
    2491 provalue.nl
    2456 nederhost.nl
    1666 yourdomainprovider.net
    1297 xcellerate.nl
    1177 hi7.de
    1093 surfmailfilter.nl
     724 omc-mail.com
     608 core-networks.de
     567 mailbox.org
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 10 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented):
    4263 TOTAL
    1453 DE, Germany
     922 US, United States
     541 NL, Netherlands
     346 FR, France
     161 GB, United Kingdom
     124 CZ, Czech Republic
     100 CA, Canada
      58 SE, Sweden
      57 SG, Singapore
      56 CH, Switzerland
IPv6 is still comparatively rare for MX hosts, and the top 10 countries by DANE MX host IPv6 GeoIP are (with the same top 6 as for IPv4):
    2066 TOTAL
     813 DE, Germany
     435 US, United States
     309 NL, Netherlands
     194 FR, France
      66 GB, United Kingdom
      66 CZ, Czech Republic
      37 SE, Sweden
      28 SG, Singapore
      21 CH, Switzerland
      18 AT, Austria
There are 3563 unique zones in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The number of published MX host TLSA RRsets found is 5015. These cover 5376 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 165 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 91 are in recent reports:
gmx.at jpberlin.de ouderportaal.nl transip.be lrz.de overheid.nl nic.br mail.de pathe.nl registro.br posteo.de politie.nl gmx.ch ruhr-uni-bochum.de transip.nl open.ch tum.de truetickets.nl anubisnetworks.com uni-erlangen.de utwente.nl fmc-na.com unitybox.de uvt.nl gmx.com unitymedia.de xs4all.nl mail.com web.de domeneshop.no societe.com dk-hostmaster.dk rushtrondheim.no solvinity.com egmontpublishing.dk webcruitermail.no t-2.com netic.dk aegee.org trashmail.com tilburguniversity.edu debian.org xfinity.com insee.fr freebsd.org xfinityhomesecurity.com octopuce.fr gentoo.org xfinitymobile.com comcast.net ietf.org active24.cz dd24.net isc.org cuni.cz gmx.net netbsd.org destroystores.cz hr-manager.net openssl.org klubpevnehozdravi.cz inexio.net samba.org knizni-magazin.cz mpssec.net torproject.org nic.cz t-2.net asf.com.pt optimail.cz transip.net handelsbanken.se smtp.cz xs4all.net iis.se bayern.de bhosted.nl minmyndighetspost.se bund.de boozyshop.nl skatteverket.se elster.de deltion.nl t-2.si fau.de hierinloggen.nl govtrack.us freenet.de interconnect.nl gmx.de intermax.nl
Of the ~314000 domains, 1193 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 287. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
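As an added example (not code from this survey or from the linked resources), the following Python sketch performs the per-MX-host check described above: it distinguishes hosts with no TLSA records (the "partial" case) from hosts whose published "3 1 1" record no longer matches the key they present (the "incorrect TLSA" case that gets a domain listed). The `lookup` callback, the host names and the key bytes are constructed stand-ins for a real DNS query and TLS handshake.

```python
import hashlib

def parse_tlsa(text):
    """Parse presentation form '3 1 1 <hex>' (RFC 6698) into (usage, selector, mtype, data)."""
    usage, selector, mtype, data = text.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))

def tlsa_matches(rec, cert_der, spki_der):
    """True if rec matches the presented certificate. For DANE-TA(2) the caller
    passes the chain's CA certificate instead of the end-entity certificate."""
    usage, selector, mtype, data = rec
    if usage not in (2, 3):          # PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP (RFC 7672)
        return False
    selected = cert_der if selector == 0 else spki_der   # selector 1 = SubjectPublicKeyInfo
    digest = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(),
              2: lambda b: hashlib.sha512(b).digest()}.get(mtype)
    return digest is not None and digest(selected) == data

def audit_domain(mx_hosts, lookup, presented):
    """Per MX host: 'no-tlsa' (unprotected), 'mismatch' (the failure mode that gets a
    domain listed) or 'ok'. lookup(owner) returns TLSA RRs in presentation form;
    presented[host] is the (cert DER, SPKI DER) pair seen in a TLS handshake."""
    status = {}
    for host in mx_hosts:
        rrs = [parse_tlsa(r) for r in lookup(f"_25._tcp.{host}")]
        if not rrs:
            status[host] = "no-tlsa"
        elif any(tlsa_matches(r, *presented[host]) for r in rrs):
            status[host] = "ok"
        else:
            status[host] = "mismatch"
    return status

def coverage(status):
    """'full' if every MX host verified, 'partial' if only some did, else 'none'."""
    n_ok = sum(1 for s in status.values() if s == "ok")
    return "full" if n_ok == len(status) else "partial" if n_ok else "none"

# Constructed sample data (no real hosts or keys): mx1 is correct, mx2 publishes
# no TLSA records, mx3 rotated its key without first updating its "3 1 1" record.
OLD_SPKI, NEW_SPKI = b"constructed-spki-v1", b"constructed-spki-v2"
OLD_RR = "3 1 1 " + hashlib.sha256(OLD_SPKI).hexdigest()
ZONE = {"_25._tcp.mx1.example.net": [OLD_RR], "_25._tcp.mx3.example.net": [OLD_RR]}
PRESENTED = {"mx1.example.net": (b"", OLD_SPKI), "mx2.example.net": (b"", OLD_SPKI),
             "mx3.example.net": (b"", NEW_SPKI)}
MX_HOSTS = ["mx1.example.net", "mx2.example.net", "mx3.example.net"]

if __name__ == "__main__":
    st = audit_domain(MX_HOSTS, lambda n: ZONE.get(n, []), PRESENTED)
    print(st, coverage(st))   # mx1 ok, mx2 no-tlsa, mx3 mismatch -> partial
```

In a real monitor the `lookup` callback would be a DNSSEC-validating TLSA query and `presented` would come from a STARTTLS handshake with each MX host; the mx3 case is exactly the key-rotation mistake the links above warn about.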
The DNSSEC denial of existence breakage is lower this month, as a result of a complete resolution of all issues at mijnhostingpartner.nl and tse.jus.br. After eliminating parked domains that do not accept email of any kind, the number of "real" email domains with bad DNSSEC support stands at 708. The top 20 name server operators with problem domains are:
     112 webspacecontrol.com (reportedly working on a solution)
      64 is.nl
      51 dotserv.com
      39 tiscomhosting.nl
      33 sylconia.net
      33 metaregistrar.nl
      29 nrdns.nl
      25 active24.cz (some broken wildcard cnames)
      21 host-redirect.com
      15 nazwa.pl (some broken wildcard NS RRs)
      13 psb1.org
      12 ultratek.com
      11 blauwblaatje.nl
      11 army.mil
       9 dnscluster.nl
       8 vultr.com
       8 pcextreme.nl
       8 glbns.com
       7 forpsi.net
       6 domdom.hu
If anyone has good contacts at one of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
None of the domains all of whose nameservers have broken denial of existence appear in the historical Google reports.