NOTE: When using NSEC3 to sign your domain, please make sure your iteration count is not needlessly large (above ~25). For details see:
https://mail.sys4.de/pipermail/dane-users/2021-March/000594.html https://datatracker.ietf.org/doc/html/draft-ietf-dnsop-nsec3-guidance-00
Summary: The DANE domain count is now 2,638,525 (up from 2,623,358 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 15,118,039 (up from 14,890,975 last month). Thus DANE TLSA is deployed on ~17.45% of domains with DNSSEC. See https://stats.dnssec-tools.org/ for more stats.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has taken place, and all previously issued X3-issued certificates are now expired. If you're still publishing the X3 hash in your TLSA RRSet, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
As of today I count 2,638,525 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month Last month ---------- ---------- 1228949 one.com 1227082 one.com 150486 transip.nl 150090 transip.nl 150288 argewebhosting.nl 149333 argewebhosting.nl 110793 infomaniak.ch 108672 infomaniak.ch 104816 domeneshop.no 104762 domeneshop.no 99494 webhostingserver.nl 99669 webhostingserver.nl 93948 loopia.se 93660 loopia.se 69464 forpsi.com 68752 forpsi.com 41882 active24.com 41710 active24.com 39617 webreus.nl 39907 webreus.nl 38179 pcextreme.nl 38426 pcextreme.nl 37449 antagonist.nl 37231 antagonist.nl 37023 zxcs.nl 35720 zxcs.nl 29200 vevida.com 29296 vevida.com 27706 webhosting.dk 27736 webhosting.dk 26564 web4u.cz 26588 web4u.cz 26255 udmedia.de 25968 udmedia.de 25168 hosting2go.nl 25447 hosting2go.nl 18914 bhosted.nl 18827 bhosted.nl 18594 protonmail.ch 17855 protonmail.ch
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month ---------- ---------- 8677 TOTAL 8579 TOTAL 2631 DE, Germany 2595 DE, Germany 1664 US, United States 1650 US, United States 1644 NL, Netherlands 1648 NL, Netherlands 636 FR, France 631 FR, France 328 GB, United Kingdom 313 GB, United Kingdom 224 CZ, Czechia 226 CZ, Czechia 201 CA, Canada 197 CA, Canada 167 FI, Finland 165 FI, Finland 124 DK, Denmark 125 DK, Denmark 120 SG, Singapore 116 SG, Singapore 100 SE, Sweden 95 SE, Sweden 98 CH, Switzerland 95 CH, Switzerland 79 AU, Australia 75 AU, Australia 73 AT, Austria 70 AT, Austria 44 PL, Poland 45 PL, Poland 41 IE, Ireland 39 NO, Norway 39 NO, Norway 39 BR, Brazil 37 BR, Brazil 38 JP, Japan 36 JP, Japan 37 IE, Ireland 35 RU, Russia 36 IN, India
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month Last month ---------- ---------- 6851 TOTAL 6806 TOTAL 3253 NL, Netherlands 3268 NL, Netherlands 1802 DE, Germany 1782 DE, Germany 664 US, United States 659 US, United States 296 FR, France 299 FR, France 145 CZ, Czechia 147 GB, United Kingdom 142 GB, United Kingdom 134 CZ, Czechia 76 FI, Finland 52 CA, Canada 58 CA, Canada 46 SG, Singapore 45 SG, Singapore 46 SE, Sweden 44 CH, Switzerland 46 CH, Switzerland 43 SE, Sweden 42 RU, Russia 29 AT, Austria 33 FI, Finland 28 AU, Australia 26 AU, Australia 27 RU, Russia 26 AT, Austria 26 JP, Japan 24 JP, Japan 17 NO, Norway 17 NO, Norway 17 IE, Ireland 17 DK, Denmark 17 DK, Denmark 16 IE, Ireland 14 BR, Brazil 14 BR, Brazil 12 PL, Poland 10 SI, Slovenia
There are 7,053 unique zones (6,934 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 15,479 (15,467 last month). These cover 15,711 distinct MX hosts (15,701 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 475 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 291 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.64 million domains, 12,757 (12,852 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1976 (1999 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-... https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r... https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1 http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1295 (1298 last month). The top 10 name server operators with problem domains are:
This month Last month ---------- ---------- 509 registrar-servers.com 485 registrar-servers.com 122 axc.nl 119 axc.nl 93 ebola.cz 94 ebola.cz 45 epik.com 48 yourict.net 32 mijndomein.nl 45 epik.com 29 made-easy.ch 29 mijndomein.nl 24 tiscomhosting.nl 29 made-easy.ch 22 cloudflare.com 25 tiscomhosting.nl 18 movenext.nl 18 movenext.nl 17 openprovider.nl 17 infracom.nl 17 WORLDNIC.com
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Four of the domains all whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:
frontmta.com.br bncr.fi.cr sauditelecom.com.sa kmutt.ac.th
-- Viktor.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
univie.ac.at gmx.de duo.nl gmx.at jpberlin.de expeditionfestival.nl idec.at kabelmail.de ezorg.nl triodos.be lrz.de herinneringenoplinnen.nl clubedohardware.com.br mail.de hr.nl contactflex.com.br mensa.de huizenzoeker.nl corridaeaventura.com.br mpg.de interim-netwerk.nl nic.br posteo.de mailplus.nl registro.br ruhr-uni-bochum.de mailshover.nl gmx.ch tum.de markteffectmail.nl hostpoint.ch uni-erlangen.de mijnsalon.nl infomaniak.ch uni-muenchen.de mijnuvt.nl open.ch unitymedia.de minbuza.nl protonmail.ch web.de minbzk.nl switch.ch westlotto.de mindef.nl travailler-en-suisse.ch actie.deals mkbbelangen.nl simplelogin.co bridgewalking.dk mm1.nl ansigtsyogaonline.com dfi.dk ns.nl connectsb.com dk-hostmaster.dk ongehoordnederland.nl dailyplaylists.com fibianet.dk ouderportaal.nl datev.com handelsbanken.dk overheid.nl digitalelections.com netic.dk partijvoordedieren.nl ecstase.com shapeit.dk politie.nl exegy.com stil.dk powerslim.nl flaneurhomme.com uni-c.dk pp-prd.nl gmx.com uvm.dk previder.nl habr.com tilburguniversity.edu provalue.nl horagames.com emta.ee rijksoverheid.nl hotelsinduitsland.com holt.ee rivm.nl imcnig.com just.ee rotterdam.nl infomaniak.com lugeja.ee rvo.nl ingthink.com riigikogu.ee sans-mail.nl jula.com rmit.ee schoudercom.nl kpn.com envie.email schuurman-schoenen.nl leszexpertsfle.com spike.email sportrusten.nl mail.com spotler.email ssonet.nl mammoetmail.com rediris.es telefoonglaasje.nl matilhadobemadestramento.com triodos.es triodos.nl mx-relay.com uv.es truetickets.nl nine-pine.com litebit.eu uitgeverijpica.nl one.com transadvise.eu utwente.nl orverkiezing.com zone.eu uvt.nl outsystems.com zonevs.eu uwv.nl protonmail.com handelsbanken.fi veilinghuispeerdeman.nl protonvpn.com traficom.fi voorpositiviteit.nl sankakucomplex.com ac-strasbourg.fr vu.nl schizinfo.com compagnie-des-sens.fr waternet.nl societe.com oo2.fr xs4all.nl solvinity.com srci.fr zorgmail.nl stellarequipment.com fidesz.hu annabellstefanussen.no t-2.com mszp.hu audi.no thalesgroup.com pm.me derute.no thepcw.com army.mil domeneshop.no triodos.com dla.mil handelsbanken.no ugritone.com jten.mil idrettenonline.no veganallsorts.com mail.mil nordicprint.no vitstore.com militaryonesource.mil norskgrammatikk.no webcruiter.com navy.mil uib.no xfinity.com nga.mil viphuset.no xfinityhomesecurity.com osd.mil webcruitermail.no xfinitymobile.com socom.mil atelkamera.nu active24.cz uscg.mil goget.nu akce-incomputer.cz usmc.mil aegee.org bewooden.cz comcast.net debian.org colours.cz gmx.net freebsd.org cuni.cz habramail.net gentoo.org ekokoza.cz hr-manager.net ietf.org gigalekarna.cz inexio.net irtf.org itesco.cz mijngezondheid.net isc.org klenotyaurum.cz mpssec.net mailbox.org klubpevnehozdravi.cz procurios.net mailop.org manymail.cz ripe.net mkpbelgium.org nic.cz riseup.net netbsd.org omvnovinky.cz t-2.net openssl.org onebit.cz transip.net ozlabs.org optimail.cz triodos.net samba.org poptavej.cz xs4all.net torproject.org reserved.cz xworks.net whatpulse.org scrptd.cz 123watches.nl psgaz.pl server4u.cz 50plusbeurs.nl asf.com.pt smtp.cz amsterdam.nl mobily.com.sa stoklasa.cz argeweb.nl bilprovningen.se toplist.cz awcloud.nl boplatssyd-automail.se vas-server.cz belastingdienst.nl ecster.se vcelka.cz bhosted.nl handelsbanken.se virusfree.cz bhsupport.nl loopia.se zdravestravovani.cz bibliotheekdenhaag.nl matlistan.se bayern.de bluerail.nl minmyndighetspost.se brandenburg.de boekwinkeltjes.nl personligalmanacka.se bund.de bolerolimonadewinkel.nl skatteverket.se bundesregierung.de boozyshop.nl teknikdelar.se datev.de burgernet.nl theletter.se dfn.de corpoflow.nl pneusvet.sk ekom21.de denhaag.nl triodos.co.uk elster.de derooijfotografie.nl govtrack.us fau.de dictu.nl quantum-services.us freenet.de digid.nl ru.ac.za
participants (1)
-
Viktor Dukhovni