As of today I count 137620 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted by the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
  60764 domeneshop.no
  43961 transip.nl
  15734 udmedia.de
   3040 bhosted.nl
   1493 nederhost.net
    904 ec-elements.com
    431 core-networks.de
    307 uvt.nl
    301 bit.nl
    287 omc-mail.com
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, in particular .de, .nl and .no.
There are 2449 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2613) of distinct MX host server certificates that support the same ~137000 domains.
A related number is 4172 TLSA RRsets found for MX host TCP port 25. This includes secondary MX hosts and domains none of whose primary MX hosts have TLSA records.
The number of domains that at some point were listed in Gmail's email transparency report is now 105 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 56 are in recent reports (March 2017):
gmx.at jpberlin.de overheid.nl nic.br lrz.de pathe.nl registro.br mail.de wooniezie.nl gmx.ch posteo.de xs4all.nl open.ch ruhr-uni-bochum.de domeneshop.no anubisnetworks.com tum.de webcruitermail.no gmx.com uni-erlangen.de debian.org mail.com unitymedia.de domainmail.org piratenexus.com web.de freebsd.org pirateperfection.com enron.email gentoo.org pre-sustainability.com octopuce.fr ietf.org t-2.com comcast.net netbsd.org trashmail.com dd24.net netcoolusers.org xfinity.com gmx.net openssl.org bayern.de hr-manager.net samba.org bund.de t-2.net torproject.org elster.de xs4all.net minmyndighetspost.se fau.de asp4all.nl skatteverket.se gmx.de ouderportaal.nl
A different metric is how many of the DANE-enabled domains received email from at least 10 Gmail senders in a recent 8 day interval. Back in Dec/2016 I reported that ~2200 out of ~105k domains met that criterion. This month, the number was ~3900 out of ~137k domains. So it seems that a non-negligible fraction of the increase is from real domains that receive email, and not just parked domains.
Of the ~137000 domains, 655 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 96 (~30 are recent additions that may be resolved soon; the remaining ~60 are, for now, the stable population of broken domains). This month I'm posting the list of the 44 underlying MX hosts that serve these domains and whose TLSA records don't match reality.
Hall of Shame:
mail.dipietro.id.au www.mtg.de mail.inu.nl clubeararaquarense.org.br mx1.spamsponge.de mail.jekuiken.nl mail.antiphishing.ch mail.nonoserver.info mail.myzt.nl mail.digitalwebpros.com mx.datenknoten.me bounder.steelyard.nl mail.dnsmadefree.com mx.giesen.me mx.wm.net.nz demo.liveconfig.com mail.castleturing.net baobrien.org ny-do.pieterpottie.com datawebb.dafcorp.net smtp.copi.org diablo.sgt.com anubis.delphij.net eumembers.datacentrix.org tusk.sgt.com dorothy.goldenhairdafo.net smtp2.amadigi.ovh mx.bels.cz hs.kuzenkov.net webmail.headsite.se johniez.cz oostergo.net protector.rajmax.si mail.pksvice.cz ren.warunek.net arch-server.hlfh.space srv01.101host.de mail.e-rave.nl mail.blackcherry-management.co.uk mail.cdbm.de mail.hhsk.nl email.themcintyres.us mail.manima.de box.inpoint-mailt.nl
The number of domains with bad DNSSEC support is 322. The top 10 DNS providers (by broken domain count) are:
  52 axc.nl - Slated to be resolved
  38 infracom.nl - Slated to be resolved
  18 loopia.se
  18 active24.cz
  14 jsr-it.nl
  12 rdw.nl
   9 cas-com.net
   8 metaregistrar.nl
   6 tiscomhosting.nl
   6 thednscompany.com
Around 60 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries.
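The two failure classes in the report above, "partial" TLSA coverage (only some MX hosts have records) and TLSA records that don't match what the MX host actually presents (or no STARTTLS at all), can be audited per domain. The following is an added example, not code from the original post: it assumes the TLSA owner name `_25._tcp.<mx host>` and RFC 6698 selector/matching-type semantics, and uses constructed host names, certificates and keys rather than live DNS or SMTP probes.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int      # 0 = exact match, 1 = SHA2-256, 2 = SHA2-512
    data: bytes     # certificate association data

def tlsa_owner(mx_host: str, port: int = 25) -> str:
    """Owner name of the TLSA RRset for an MX host's SMTP port."""
    return f"_{port}._tcp.{mx_host.rstrip('.')}."

def tlsa_matches(rr: TLSA, cert_der: bytes, spki_der: bytes) -> bool:
    """RFC 6698 matching: apply the selector, then compare raw data or its digest."""
    selected = cert_der if rr.selector == 0 else spki_der
    if rr.mtype == 0:
        return rr.data == selected
    if rr.mtype == 1:
        return rr.data == hashlib.sha256(selected).digest()
    if rr.mtype == 2:
        return rr.data == hashlib.sha512(selected).digest()
    return False  # unknown matching type: record is unusable, never a match

def coverage(mx_hosts, tlsa_rrsets) -> str:
    """'full' if every MX host has a TLSA RRset, 'partial' if only some, else 'none'."""
    covered = [h for h in mx_hosts if tlsa_rrsets.get(tlsa_owner(h))]
    if not covered:
        return "none"
    return "full" if len(covered) == len(mx_hosts) else "partial"

def broken_hosts(mx_hosts, tlsa_rrsets, observed):
    """MX hosts whose TLSA records don't match reality: no STARTTLS, or no record matches.
    observed maps host -> (starttls_offered, cert_der, spki_der) as seen by a probe."""
    bad = []
    for host in mx_hosts:
        rrset = tlsa_rrsets.get(tlsa_owner(host))
        if not rrset:
            continue  # uncovered host: a coverage gap, not a mismatch
        starttls, cert, spki = observed[host]
        if not starttls or not any(tlsa_matches(rr, cert, spki) for rr in rrset):
            bad.append(host)
    return bad

# Constructed sample data (not real hosts or keys): two MX hosts, only one with TLSA.
MX = ["mx1.example.test", "mx2.example.test"]
CERT1, SPKI1 = b"constructed-cert-1", b"constructed-spki-1"
TLSA_RRSETS = {tlsa_owner("mx1.example.test"): [TLSA(3, 1, 1, hashlib.sha256(SPKI1).digest())]}
OBSERVED = {"mx1.example.test": (True, CERT1, SPKI1), "mx2.example.test": (True, b"c2", b"s2")}
STALE = {tlsa_owner("mx1.example.test"): [TLSA(3, 1, 1, hashlib.sha256(b"old-key").digest())]}

if __name__ == "__main__":
    print(coverage(MX, TLSA_RRSETS), broken_hosts(MX, TLSA_RRSETS, OBSERVED))
```

A domain reported as "partial" here is exactly the case the post describes: traffic to mx1 is protected, but a sender can still be downgraded on mx2.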
Back in March I wrote:
A different metric is how many of the DANE-enabled domains received email from at least 10 Gmail senders in a recent 8 day interval. Back in Dec/2016 I reported that ~2200 out of ~105k domains met that criterion. This month, the number was ~3900 out of ~137k domains. So it seems that a non-negligible fraction of the increase is from real domains that receive email, and not just parked domains.
This "metric" is made available to me informally, so I avoid asking too frequently. The latest update shows:
+---------------+---------------------+------------+
| total_domains | mail_from_5_senders | gt_50_msgs |
+---------------+---------------------+------------+
|        173181 |               13393 |       2076 |
+---------------+---------------------+------------+
which uses a slightly different "cut-off" of 5 senders rather than 10, so we don't have a direct comparison, but this should be the metric going forward. We have > 13k domains that get traffic from multiple senders, and > 2k domains with evidence of sustained traffic (over the 8 day sample size).
Just in case this is not clear, Gmail is not presently using DANE outbound, rather I send them a list of DANE domains from time to time, and get back the above numbers.
Viktor Dukhovni