Summary: The DANE domain count is now 1,149,012
The number of domains that return DNSSEC-validated replies in response to MX queries is 9,874,472. Thus DANE TLSA is deployed on 11.63% of domains with DNSSEC.
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits are also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
Appeal: The handful of providers with long-term broken DNSSEC denial of existence are sadly making little progress to update their buggy DNS implementations. It would be really great if (at least):
  mijnhostingpartner.nl  (Many broken NSEC3 RRSIGs)
  epik.com               (Wildcards missing from NSEC chain)
  metaregistrar.nl       (Wrong empty non-terminal handling)
  tiscomhosting.nl       (Missing wildcard NSEC for NODATA response)
  dotserv.com            (invalid NSEC chain order)
  movenext.nl            (NSEC replies don't cover wildcard)
  nrdns.nl               (Malformed NSEC3 or ServFail)
  binero.se              (NSEC3 chain names returned as NSEC!)
fixed their nameserver and/or zone provisioning code. While the O(10^3) affected domains are a small fraction of the O(10^7) signed domains, they are a much larger fraction of the signed domains for those particular providers.
Appeal: The number of domains with neglected outdated TLSA records has grown to ~500. PLEASE *monitor* your deployment, and implement a cert/key rollover process that does not (even temporarily) disrupt the validity of your certificate chain as compared to the published (cached) TLSA records:
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
If you're willing and able to help reach out to the operators of MX hosts with misconfigured TLSA RRsets, please get in touch.
As of today I count 1,149,012 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are:
  705488 one.com
  125798 transip.nl
   97267 domeneshop.no
   36238 active24.com
   32475 vevida.com
   24131 udmedia.de
   15856 flexfilter.nl
   12993 onebit.cz
   12327 zxcs.nl
   10961 bhosted.nl
    5999 netzone.ch
    5644 previder.nl
    3795 ips.nl
    3401 interconnect.nl
    2481 provalue.nl
    2287 nederhost.nl
    1628 nmugroup.com
    1574 yourdomainprovider.net
    1320 hi7.de
    1293 prolocation.net
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
  5221 TOTAL
  1758 DE, Germany
  1065 US, United States
   718 NL, Netherlands
   383 FR, France
   216 GB, United Kingdom
   175 CZ, Czechia
   116 CA, Canada
    88 SG, Singapore
    75 CH, Switzerland
    71 SE, Sweden
    54 DK, Denmark
    43 IE, Ireland
    43 AT, Austria
    41 FI, Finland
    36 AU, Australia
    34 PL, Poland
    34 BR, Brazil
    26 RU, Russia
    26 JP, Japan
    23 IN, India
IPv6 is still comparatively rare for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
  1914 TOTAL
   732 DE, Germany
   304 NL, Netherlands
   238 FR, France
   155 US, United States
   114 CZ, Czechia
    74 GB, United Kingdom
    39 SE, Sweden
    33 CH, Switzerland
    28 RU, Russia
    28 CA, Canada
    22 AT, Austria
    18 IE, Ireland
    14 NO, Norway
    13 DK, Denmark
    12 FI, Finland
    10 AU, Australia
     9 SI, Slovenia
     9 IN, India
     7 IT, Italy
     6 SK, Slovakia
There are 4392 unique zones in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The number of published MX host TLSA RRsets found is 6639. These cover 7077 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 245 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 129 are in recent (last 90 days of) reports:
Of the ~1.15 million domains, 2514 have "partial" TLSA records, which cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 560. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1318. The top 10 name server operators with problem domains are:
  537 mijnhostingpartner.nl
  109 epik.com
   40 metaregistrar.nl
   34 tiscomhosting.nl
   34 dotserv.com
   33 movenext.nl
   31 nrdns.nl
   30 binero.se
   29 domaincontrol.com
   27 sylconia.net
[ Sadly epik.com is back after resolving all issues last month; it seems that while the reported domains were resolved, the underlying systemic issue was not. ]
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Eleven of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:
  coren-sp.gov.br
  trt01.gov.br
  trtrio.gov.br
  trt1.jus.br
  trtrj.jus.br
  key.com
  keybank.com
  bluehosting.host
  rackeo.host
  sauditelecom.com.sa
Viktor Dukhovni
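As an added illustration of the monitoring and pre-publish key rollover check the post asks operators to implement (this is not code from the post, nor from any project it links): a pure-Python checker that recomputes the TLSA association data for the certificate actually served and confirms that the published RRset covers both the current key and the next key before the server switches. The DER bytes are constructed placeholders, and only DANE-EE (usage 3) records are handled.

```python
import hashlib
from dataclasses import dataclass

# Constructed placeholder bytes standing in for DER data. In practice these are
# read from the certificate actually served on port 25 (selector 0 = whole
# certificate, selector 1 = its SubjectPublicKeyInfo).
CURRENT_SPKI = b"constructed-current-spki-der"
NEXT_SPKI = b"constructed-next-spki-der"

@dataclass(frozen=True)
class TLSA:
    """One TLSA record as published in DNS: usage selector mtype hexdata."""
    usage: int     # 3 = DANE-EE; usage 2 (DANE-TA) is not handled here
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact bytes, 1 = SHA-256, 2 = SHA-512
    data: str      # certificate association data, hex encoded

def assoc_data(selector, mtype, cert_der, spki_der):
    """Association data a record with this selector/mtype would carry."""
    raw = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return raw.hex()
    return hashlib.new({1: "sha256", 2: "sha512"}[mtype], raw).hexdigest()

def matching_records(rrset, cert_der, spki_der):
    """Published DANE-EE records that match the certificate being served.
    An empty result is exactly the 'outdated TLSA record' failure mode."""
    return [r for r in rrset if r.usage == 3
            and r.data.lower() == assoc_data(r.selector, r.mtype, cert_der, spki_der)]

def published_rrset(*spkis):
    """Constructed '3 1 1' RRset covering the given SPKIs."""
    return [TLSA(3, 1, 1, assoc_data(1, 1, b"", s)) for s in spkis]

def rollover_ok(rrset, old_cert, old_spki, new_cert, new_spki):
    """Pre-publish check before switching keys (RFC 7671 section 8.1): the
    RRset must match both the key in service now and the key about to be
    deployed, so a client holding a cached copy still validates. The wait of
    at least one RRset TTL after publishing is not modelled here."""
    return bool(matching_records(rrset, old_cert, old_spki)) and \
        bool(matching_records(rrset, new_cert, new_spki))

if __name__ == "__main__":
    staged = published_rrset(CURRENT_SPKI, NEXT_SPKI)
    print("staged RRset, safe to switch:",
          rollover_ok(staged, b"", CURRENT_SPKI, b"", NEXT_SPKI))
    print("old-only RRset, safe to switch:",
          rollover_ok(published_rrset(CURRENT_SPKI), b"", CURRENT_SPKI, b"", NEXT_SPKI))
```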