Summary: The DANE domain count is now 2,779,500 (up from 2,653,718 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 16,107,719 (up from 15,663,538 last month). Thus DANE TLSA is deployed on ~17.26% of domains with DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
[ A major part of the increase in both DNSSEC and DANE domains is a result of a significant expansion of use of DNSSEC among .CH domains, particularly at hostpoint.ch and infomaniak.ch.
Congratulations and thanks to both and also switch.ch.
The .CH TLD is now the 9th largest by count of signed delegations in the survey dataset, just behind .NO, though perhaps not for long if the present growth rate holds up. ]
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
As of today I count 2,779,500 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                        Last month
----------                        ----------
1225124 one.com                   1227184 one.com
 152779 transip.nl                 151493 transip.nl
 150719 argewebhosting.nl          150376 argewebhosting.nl
 148426 infomaniak.ch              114457 infomaniak.ch
 105493 domeneshop.no              105236 domeneshop.no
  98765 webhostingserver.nl         98871 webhostingserver.nl
  94403 loopia.se                   94187 loopia.se
  86961 hostpoint.ch                70345 forpsi.com
  70606 forpsi.com                  42190 active24.com
  46019 active24.com                39057 zxcs.nl
  40474 zxcs.nl                     38973 webreus.nl
  40396 webreus.nl                  37753 antagonist.nl
  37911 antagonist.nl               37509 pcextreme.nl
  37226 pcextreme.nl                28712 vevida.com
  28411 vevida.com                  27550 webhosting.dk
  27416 webhosting.dk               26580 web4u.cz
  26691 udmedia.de                  26555 udmedia.de
  26509 web4u.cz                    24671 hosting2go.nl
  24443 hosting2go.nl               19910 protonmail.ch
  20574 protonmail.ch               18975 bhosted.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                  Last month
----------                  ----------
8890 TOTAL                  8815 TOTAL
2655 DE, Germany            2631 DE, Germany
1715 US, United States      1693 US, United States
1686 NL, Netherlands        1676 NL, Netherlands
 654 FR, France              662 FR, France
 330 GB, United Kingdom      313 GB, United Kingdom
 226 CZ, Czechia             226 CZ, Czechia
 202 CA, Canada              206 CA, Canada
 185 FI, Finland             174 FI, Finland
 125 DK, Denmark             124 DK, Denmark
 114 SG, Singapore           122 SG, Singapore
 107 CH, Switzerland         106 CH, Switzerland
  99 SE, Sweden              102 SE, Sweden
  88 AU, Australia            84 AU, Australia
  84 AT, Austria              76 AT, Austria
  44 PL, Poland               41 RU, Russia
  43 IE, Ireland              41 PL, Poland
  40 RU, Russia               41 IE, Ireland
  40 BR, Brazil               40 NO, Norway
  39 NO, Norway               40 BR, Brazil
  35 IT, Italy                38 JP, Japan
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month                  Last month
----------                  ----------
7009 TOTAL                  6948 TOTAL
3336 NL, Netherlands        3301 NL, Netherlands
1826 DE, Germany            1810 DE, Germany
 714 US, United States       710 US, United States
 290 FR, France              297 FR, France
 145 CZ, Czechia             154 CZ, Czechia
 136 GB, United Kingdom      137 GB, United Kingdom
  74 FI, Finland              71 FI, Finland
  59 CA, Canada               61 CA, Canada
  47 CH, Switzerland          44 SG, Singapore
  44 SE, Sweden               43 SE, Sweden
  42 SG, Singapore            42 CH, Switzerland
  30 AU, Australia            32 AU, Australia
  29 AT, Austria              29 AT, Austria
  26 RU, Russia               27 JP, Japan
  23 JP, Japan                20 IE, Ireland
  21 IE, Ireland              17 RU, Russia
  17 DK, Denmark              17 DK, Denmark
  16 NO, Norway               16 NO, Norway
  14 BR, Brazil               14 BR, Brazil
  11 SI, Slovenia             12 IN, India
There are 7,242 unique zones (7,168 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,791 (15,673 last month). These cover 16,039 distinct MX hosts (15,908 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 517 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 301 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.78 million DANE domains, 12,794 (12,719 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1298 (1187 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1298 (1329 last month). The top 10 name server operators with problem domains are:
This month                    Last month
----------                    ----------
542 registrar-servers.com     548 registrar-servers.com
119 axc.nl                    119 axc.nl
 89 ebola.cz                   88 ebola.cz
 59 westgatehosting.com        48 epik.com
 49 netcup.net                 28 made-easy.ch
 46 epik.com                   27 mijndomein.nl
 30 made-easy.ch               26 3zy.de
 27 mijndomein.nl              24 tiscomhosting.nl
 19 cloudflare.com             22 netcup.net
 15 worldnic.com               20 cloudflare.com
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Five of the domains all whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
icv-crew.com
bncr.fi.cr
pedulilindungi.id
novathreads.us
-- Viktor.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
univie.ac.at
gmx.at
triodos.be
cetelemnegocie.com.br
clubedohardware.com.br
corridaeaventura.com.br
nic.br
registro.br
pdac.ca
gmx.ch
hostpoint.ch
infomaniak.ch
linsenkontakt.ch
open.ch
protonmail.ch
switch.ch
travailler-en-suisse.ch
wog.ch
simplelogin.co
beaconx.com
connectsb.com
coremultichain.com
dailyplaylists.com
datev.com
flaneurhomme.com
gmx.com
habr.com
hotelsinduitsland.com
imcnig.com
infomaniak.com
ingthink.com
intakt.com
joomlapolis.com
jula.com
kpn.com
leszexpertsfle.com
mail.com
mammoetmail.com
matilhadobemadestramento.com
mx-relay.com
mychildlebensborn.com
nine-pine.com
one.com
outsystems.com
protonmail.com
protonvpn.com
sanderrossel.com
sankakucomplex.com
societe.com
solvinity.com
spareklubbnorge.com
stellarequipment.com
t-2.com
thalesgroup.com
thepcw.com
thepcwholesale.com
triodos.com
tutanota.com
veganallsorts.com
veoliasophos.com
vitstore.com
webcruiter.com
xfinity.com
xfinityhomesecurity.com
xfinitymobile.com
30tidennivyzva.cz
active24.cz
akce-incomputer.cz
cuni.cz
ekokoza.cz
gigalekarna.cz
itesco.cz
klenotyaurum.cz
klubpevnehozdravi.cz
manymail.cz
mkluzkoviny.cz
nic.cz
omvnovinky.cz
onebit.cz
optimail.cz
poptavej.cz
reserved.cz
scrptd.cz
server4u.cz
smtp.cz
stoklasa.cz
toplist.cz
vas-server.cz
vcelka.cz
virusfree.cz
zdravestravovani.cz
123watches.de
bayern.de
brandenburg.de
bund.de
bundesregierung.de
datev.de
dfn.de
ekom21.de
elster.de
fau.de
followerpilot.de
freenet.de
gmx.de
jpberlin.de
lmu.de
lrz.de
mail.de
mensa.de
mpg.de
neutraler-versand.de
posteo.de
ruhr-uni-bochum.de
tum.de
tutanota.de
uni-erlangen.de
uni-muenchen.de
unitymedia.de
web.de
westlotto.de
actie.deals
fibianet.dk
fvst.dk
handelsbanken.dk
netic.dk
peterhald.dk
shapeit.dk
shellcard.dk
stil.dk
tilburguniversity.edu
just.ee
rik.ee
spam-filter.email
spike.email
spotler.email
rediris.es
triodos.es
uv.es
egu.eu
qard.eu
transadvise.eu
zone.eu
zonevs.eu
handelsbanken.fi
tarjousrinki.fi
ac-strasbourg.fr
compagnie-des-sens.fr
edtm-actu.fr
oo2.fr
fidesz.hu
gardrobom.hu
mindigbutor.hu
mszp.hu
popfilm.hu
pandi.id
interestexplorer.io
pm.me
army.mil
dla.mil
jten.mil
mail.mil
militaryonesource.mil
navy.mil
nga.mil
osd.mil
socom.mil
uscg.mil
comcast.net
fivem.net
gmx.net
habramail.net
hr-manager.net
inexio.net
mijngezondheid.net
mpssec.net
procurios.net
riseup.net
s-qrc.net
t-2.net
transip.net
xs4all.net
123watches.nl
amsterdam.nl
awcloud.nl
belastingdienst.nl
bhosted.nl
bluerail.nl
boekwinkeltjes.nl
bolerolimonadewinkel.nl
boozyshop.nl
burgernet.nl
cbr.nl
cbs.nl
citrusveiling.nl
corpoflow.nl
derooijfotografie.nl
digid.nl
duo.nl
edenhotels.nl
efactuurdirect.nl
ezorg.nl
healthcheckcenter.nl
herinneringenoplinnen.nl
hetamsterdamsverbond.nl
hostingpeople.nl
interconnect.nl
interim-netwerk.nl
luxiez.nl
mailplus.nl
markteffectmail.nl
mijnuvt.nl
minbuza.nl
minbzk.nl
mindef.nl
mkbbelangen.nl
mm1.nl
mulderretail.nl
nieuwsservice-rvo.nl
ns.nl
ouderportaal.nl
overheid.nl
parlement.nl
partijvoordedieren.nl
paypro.nl
politie.nl
powerslim.nl
pp-prd.nl
previder.nl
purdey.nl
rijksoverheid.nl
rotterdam.nl
sans-mail.nl
schoudercom.nl
schuurman-schoenen.nl
sportrusten.nl
ssonet.nl
telefoonglaasje.nl
triodos.nl
truetickets.nl
tweedekamer.nl
uitgeverijpica.nl
utwente.nl
uvt.nl
uwv.nl
veilinghuispeerdeman.nl
vogeldagboek.nl
voorpositiviteit.nl
vu.nl
waternet.nl
xs4all.nl
zorgmail.nl
annabellstefanussen.no
audi.no
bergengokart.no
derute.no
domeneshop.no
handelsbanken.no
idrettenonline.no
norskgrammatikk.no
rushtrampoline.no
uib.no
viphuset.no
atelkamera.nu
goget.nu
debian.org
freebsd.org
gentoo.org
ietf.org
isc.org
mailbox.org
mailop.org
netbsd.org
openssl.org
ozlabs.org
samba.org
torproject.org
whatpulse.org
psgaz.pl
asf.com.pt
mobily.com.sa
bilprovningen.se
boplatssyd-automail.se
ecster.se
handelsbanken.se
loopia.se
loopiahosting.se
minmyndighetspost.se
personligalmanacka.se
skatteverket.se
teknikdelar.se
theletter.se
websupport.se
flagranti.sk
najlacnejsisport.sk
rondogo.sk
toptop.sk
triodos.co.uk
xepay.co.uk
govtrack.us
quantum-services.us
ru.ac.za
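The survey above counts a domain as a DANE domain when every reachable MX host presents a certificate that matches one of its TLSA records, as "partial" when only some MX hosts have records, and as broken when a host with records offers no STARTTLS or presents a certificate no record matches. The Python below is an added example written for this page; it is not Viktor's survey code and not from any of the projects linked above. It builds a constructed X.509 certificate with a tiny DER encoder (hypothetical key bytes, zero signature), derives the "3 1 1" matching data the way a DANE-EE verifier does (RFC 6698 selector/matching-type semantics, RFC 7672 usage rules), and classifies a constructed domain with the hypothetical hosts mx1/mx2/mx3.example.net into the survey's categories. No DNS or SMTP traffic is involved; all inputs are constructed inline.

```python
import hashlib

# ---- minimal DER encode/decode: just enough to build and walk the constructed certificate ----
def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body

def der_seq(*items):
    return der(0x30, b"".join(items))

def der_read(buf, pos=0):
    """Return (tag, body, end) for the TLV that starts at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

# ---- constructed X.509 certificate (hypothetical key bytes, zero signature; not a real cert) ----
_RSA = der(0x06, bytes.fromhex("2a864886f70d010101"))         # rsaEncryption OID
_SHA256_RSA = der(0x06, bytes.fromhex("2a864886f70d01010b"))  # sha256WithRSAEncryption OID

def toy_spki(key_bytes):
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }"""
    return der_seq(der_seq(_RSA, der(0x05, b"")), der(0x03, b"\x00" + key_bytes))

def toy_cert(spki, cn=b"mx1.example.net"):
    """Real v3 field order; the signature is zeros, which DANE-EE matching never checks anyway."""
    alg = der_seq(_SHA256_RSA, der(0x05, b""))
    name = der_seq(der(0x31, der_seq(der(0x06, b"\x55\x04\x03"), der(0x0c, cn))))  # CN=<cn>
    validity = der_seq(der(0x17, b"240101000000Z"), der(0x17, b"250101000000Z"))
    tbs = der_seq(der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"),  # [0] version v3, serial 1
                  alg, name, validity, name, spki)
    return der_seq(tbs, alg, der(0x03, b"\x00" * 33))

def extract_spki(cert_der):
    """Walk Certificate -> tbsCertificate and return the SPKI TLV: what selector 1 hashes."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs, _ = der_read(cert_body)
    fields, pos = [], 0
    while pos < len(tbs):
        _, _, end = der_read(tbs, pos)
        fields.append(tbs[pos:end])
        pos = end
    # version (optional), serial, signature, issuer, validity, subject, subjectPublicKeyInfo
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

# ---- TLSA records (RFC 6698 fields, RFC 7672 rules for SMTP) ----
_DIGEST_LEN = {0: None, 1: 32, 2: 64}

def parse_tlsa(rr):
    usage, selector, mtype, data = rr.split(None, 3)
    return int(usage), int(selector), int(mtype), bytes.fromhex(data.replace(" ", ""))

def tlsa_well_formed(rr):
    """Parses and is usable for SMTP (usage 2 or 3; PKIX usages 0/1 are unusable per RFC 7672).
    This is all a permanently dead MX host needs (footnote [1] above)."""
    try:
        u, s, m, data = parse_tlsa(rr)
    except ValueError:
        return False
    return (u in (2, 3) and s in (0, 1) and m in (0, 1, 2)
            and (_DIGEST_LEN[m] is None or len(data) == _DIGEST_LEN[m]))

def matching_data(cert_der, selector, mtype):
    data = cert_der if selector == 0 else extract_spki(cert_der)
    return {0: data, 1: hashlib.sha256(data).digest(), 2: hashlib.sha512(data).digest()}[mtype]

def tlsa_rr(cert_der, usage=3, selector=1, mtype=1):
    """Presentation-format record for a certificate; "3 1 1" (SPKI, SHA-256) is the usual choice."""
    return f"{usage} {selector} {mtype} {matching_data(cert_der, selector, mtype).hex()}"

def tlsa_matches(rr, cert_der):
    """DANE-EE (usage 3) check of the end-entity cert the MX host presents. Usage 2 (DANE-TA)
    is matched against an issuer certificate in the chain instead and is not handled here."""
    if not tlsa_well_formed(rr):
        return False
    u, s, m, data = parse_tlsa(rr)
    return u == 3 and matching_data(cert_der, s, m) == data

def classify_domain(mx_hosts, tlsa, presented):
    """tlsa: host -> list of RR strings (absent = no TLSA RRset). presented: host -> cert DER,
    b"" if the host connects but offers no STARTTLS, None if it is down. Survey categories."""
    covered = [h for h in mx_hosts if tlsa.get(h)]
    if not covered:
        return "no DANE"
    for host in covered:
        rrs, cert = tlsa[host], presented.get(host)
        if not all(tlsa_well_formed(r) for r in rrs):
            return "broken"   # malformed/unusable records protect nothing, even on a dead host
        if cert is None:
            continue          # dead host: existing, well-formed records are enough
        if cert == b"" or not any(tlsa_matches(r, cert) for r in rrs):
            return "broken"   # no STARTTLS, or no record matches the certificate offered
    return "partial" if len(covered) < len(mx_hosts) else "DANE"

def demo():
    """Constructed scenario: one domain, three hypothetical MX hosts, mx3 permanently down."""
    c1 = toy_cert(toy_spki(b"\x01" * 16))
    c2 = toy_cert(toy_spki(b"\x02" * 16), b"mx2.example.net")  # mx2 rotated to a new key
    old, new = tlsa_rr(c1), tlsa_rr(c2)
    mx = ["mx1.example.net", "mx2.example.net", "mx3.example.net"]
    up = {mx[0]: c1, mx[1]: c2, mx[2]: None}
    return {
        "rotation done right": classify_domain(mx, {mx[0]: [old], mx[1]: [old, new], mx[2]: [old]}, up),
        "only primary covered": classify_domain(mx, {mx[0]: [old]}, up),
        "key rotated, TLSA stale": classify_domain(mx, {mx[0]: [old], mx[1]: [old], mx[2]: [old]}, up),
        "no STARTTLS on mx1": classify_domain(mx, {mx[0]: [old]}, {mx[0]: b""}),
    }

if __name__ == "__main__":
    print(demo())
```

The "rotation done right" case is the pre-publish step the key-rotation advice above is about: the new "3 1 1" record sits beside the old one before the key changes, so the host matches throughout. The "key rotated, TLSA stale" case is what the survey counts as broken, and it happens silently unless the records are monitored against what the MX hosts actually present.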