Summary: The DANE domain count is now 1,842,179.
The number of domains that return DNSSEC-validated replies in response to MX queries is 10,837,476. Thus DANE TLSA is deployed on ~17.00% of domains with DNSSEC.
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
As of today I count 1,842,179 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
1039151 one.com
 135237 transip.nl
 100341 domeneshop.no
  88535 loopia.se
  68917 infomaniak.ch
  37835 active24.com
  31227 vevida.com
  30345 antagonist.nl
  26692 web4u.cz
  24813 udmedia.de
  22509 zxcs.nl
  17374 bhosted.nl
  15308 flexfilter.nl
  13690 onebit.cz
   9518 protonmail.ch
   5814 netzone.ch
   5575 previder.nl
   5163 soverin.net
   4756 mailplatform.eu
   4321 zonemx.eu
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
6251 TOTAL
2084 DE, Germany
1246 US, United States
 896 NL, Netherlands
 549 FR, France
 256 GB, United Kingdom
 201 CZ, Czechia
 153 CA, Canada
  85 CH, Switzerland
  83 SG, Singapore
  78 SE, Sweden
  69 DK, Denmark
  46 AT, Austria
  44 IE, Ireland
  43 JP, Japan
  39 AU, Australia
  31 BR, Brazil
  27 RU, Russia
  26 PL, Poland
  25 IT, Italy
  23 IN, India
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
3176 TOTAL
1311 DE, Germany
 531 US, United States
 453 NL, Netherlands
 263 FR, France
 112 CZ, Czechia
  98 GB, United Kingdom
  41 SE, Sweden
  35 SG, Singapore
  34 AT, Austria
  33 CH, Switzerland
  32 JP, Japan
  32 CA, Canada
  31 RU, Russia
  17 IE, Ireland
  16 DK, Denmark
  14 SI, Slovenia
  13 NO, Norway
  13 AU, Australia
  12 ID, Indonesia
  12 BR, Brazil
There are 5296 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 8054. These cover 8964 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 322 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 155 are in recent (last 90 days of) reports:
univie.ac.at jpberlin.de minbzk.nl gmx.at kabelmail.de mindef.nl register.bg lrz.de mm1.nl nic.br mail.de ouderportaal.nl registro.br mailserver4.de overheid.nl buymyweedonline.ca posteo.de pathe.nl gmx.ch ruhr-uni-bochum.de photofacts.nl infomaniak.ch tum.de politie.nl open.ch uni-erlangen.de previder.nl protonmail.ch uni-muenchen.de rijksoverheid.nl anubisnetworks.com unitybox.de ru.nl clubedominante.com unitymedia.de rvo.nl fmc-na.com web.de schoudercom.nl gmx.com egmontpublishing.dk schuurman-schoenen.nl habr.com netic.dk ssonet.nl hotelsinduitsland.com star.dk truetickets.nl infomaniak.com tilburguniversity.edu uvt.nl ingthink.com emta.ee xs4all.nl kpn.com lugeja.ee zorgmail.nl leszexpertsfle.com rmit.ee domeneshop.no mail.com rediris.es handelsbanken.no mammoetmail.com uv.es uib.no one.com web200.eu webcruitermail.no primexbt.com zone.eu atelkamera.nu protonmail.com ac-strasbourg.fr goget.nu solvinity.com compagnie-des-sens.fr aegee.org t-2.com octopuce.fr debian.org telfort.com web200.hu freebsd.org trashmail.com comcast.net gentoo.org vitstore.com dns-oarc.net ietf.org xfinity.com gmx.net isc.org xfinityhomesecurity.com habramail.net lazarus-ide.org xfinitymobile.com hr-manager.net mailbox.org active24.cz inexio.net netbsd.org atlas.cz mpssec.net openssl.org centrum.cz procurios.net ozlabs.org cuni.cz riseup.net samba.org itesco.cz t-2.net slackbuilds.org klubpevnehozdravi.cz transip.net torproject.org krypton.cz vevida.net whatpulse.org onebit.cz xs4all.net asf.com.pt optimail.cz xworks.net moikrug.ru smtp.cz belastingdienst.nl boplatssyd-automail.se virusfree.cz bhosted.nl handelsbanken.se volny.cz bluerail.nl loopia.se web4u.cz boozyshop.nl minmyndighetspost.se bayern.de corpoflow.nl personligalmanacka.se bund.de dictu.nl skatteverket.se elster.de digid.nl theletter.se fau.de intermax.nl govtrack.us freenet.de jasperalblas.nl ru.ac.za gmx.de mailplus.nl
Of the ~1.84 million domains, 4424 have "partial" TLSA records that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 466. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1846. The top 13 name server operators with problem domains are:
482 registrar-servers.com (count still growing slowly)
348 mijnhostingpartner.nl (operator expects a fix "before long")
275 axc.nl (new this month :-( )
 82 egensajt.se
 64 movenext.nl
 56 ebola.cz
 46 metaregistrar.nl
 30 tiscomhosting.nl
 27 hostnet.nl
 23 infracom.nl
 22 cdmon.net
 20 sylconia.net
 17 is.nl
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Nine (same as last month) of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:
trt01.gov.br trtrio.gov.br trt1.jus.br trtrj.jus.br flytoyourheart.com topdecorationworld.com mobily.com.sa sauditelecom.com.sa threadteaching.co.uk
Viktor Dukhovni
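The per-host check behind the counts above ("correct" TLSA records at every MX host, "incorrect" records after a key rotation, and the advice to monitor your own records) can be done offline once you have the DNSSEC-validated TLSA RRset and the certificate chain the MX host presented after STARTTLS. The script below is an added example, not code from this post or from the survey tooling; it performs only the record-to-certificate matching step. The DNS lookup, the STARTTLS handshake and the PKIX path validation that DANE-TA(2) additionally requires are out of scope, and the certificate, keys and RRset it works on are constructed inline (fake key bits, empty names) so that it runs without network access.

```python
"""Check an SMTP DANE TLSA RRset against the certificate chain an MX host presented.
Added example, not code from the list post; every input below is constructed."""
import hashlib

# -- minimal DER helpers: build the sample cert, and find the SubjectPublicKeyInfo
#    inside any DER certificate (the parser works on real certificates too) --

def der_tlv(tag: int, body: bytes) -> bytes:
    """One DER element with a definite short- or long-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_seq(*items: bytes) -> bytes:
    return der_tlv(0x30, b"".join(items))

def der_span(buf: bytes, i: int) -> tuple[int, int]:
    """(body_start, end) of the element at buf[i]; raises on truncated or bad input."""
    if i + 2 > len(buf):
        raise ValueError("truncated DER")
    length, hdr = buf[i + 1], 2
    if length >= 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or i + 2 + n > len(buf):
            raise ValueError("bad DER length")
        length, hdr = int.from_bytes(buf[i + 2:i + 2 + n], "big"), 2 + n
    if i + hdr + length > len(buf):
        raise ValueError("truncated DER")
    return i + hdr, i + hdr + length

def der_children(tlv: bytes) -> list[bytes]:
    """Child elements (raw TLVs) of a constructed element."""
    i, end = der_span(tlv, 0)
    out = []
    while i < end:
        _, child_end = der_span(tlv, i)
        if child_end > end:
            raise ValueError("child overruns parent")
        out.append(tlv[i:child_end])
        i = child_end
    return out

def spki_from_cert(cert_der: bytes) -> bytes:
    """DER SubjectPublicKeyInfo (RFC 5280 4.1): Certificate ::= SEQ {tbs, sigAlg, sig};
    TBSCertificate ::= SEQ {[0] version OPTIONAL, serial, sigAlg, issuer, validity,
    subject, subjectPublicKeyInfo, ...}; an explicit version shifts the SPKI by one."""
    fields = der_children(der_children(cert_der)[0])
    return fields[6] if fields[0][0] == 0xA0 else fields[5]

# -- TLSA matching: RFC 6698 2.1 fields, RFC 7671 usages, RFC 7672 3.1.3 for SMTP --

def parse_tlsa(rdata: str) -> tuple[int, int, int, bytes]:
    """Presentation format '<usage> <selector> <mtype> <hex...>' -> fields."""
    usage, selector, mtype, *hexparts = rdata.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))

def association_data(selector: int, mtype: int, cert_der: bytes) -> bytes:
    """Selector Cert(0)/SPKI(1); matching type Full(0)/SHA2-256(1)/SHA2-512(2)."""
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return {0: data, 1: hashlib.sha256(data).digest(), 2: hashlib.sha512(data).digest()}[mtype]

def check_tlsa(rrset: list[str], chain: list[bytes]) -> dict:
    """Classify each record as match / mismatch / unusable against the presented chain.
    DANE-EE(3) is matched against the leaf only; DANE-TA(2) against the issuer certs
    (a match is necessary, but the PKIX path validation to that anchor is not done
    here). PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP. The host authenticates iff
    some usable record matches; usable records that all mismatch mean deferred mail,
    and no usable records at all means fallback to unauthenticated TLS."""
    result = {"match": [], "mismatch": [], "unusable": []}
    for rdata in rrset:
        usage, selector, mtype, assoc = parse_tlsa(rdata)
        if usage not in (2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
            result["unusable"].append(rdata)
            continue
        candidates = chain[:1] if usage == 3 else chain[1:]
        hit = any(association_data(selector, mtype, c) == assoc for c in candidates)
        result["match" if hit else "mismatch"].append(rdata)
    result["usable"] = len(result["match"]) + len(result["mismatch"])
    result["authenticated"] = bool(result["match"])
    return result

# -- constructed sample input (fake key bits, empty names, junk signature) --
RSA_OID = bytes.fromhex("06092a864886f70d010101")         # 1.2.840.113549.1.1.1 rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092a864886f70d01010b")  # sha256WithRSAEncryption

def sample_cert(key_bits: bytes) -> tuple[bytes, bytes]:
    """Structurally valid v3 certificate -> (cert_der, spki_der)."""
    spki = der_seq(der_seq(RSA_OID, b"\x05\x00"), der_tlv(0x03, b"\x00" + key_bits))
    sig_alg = der_seq(SHA256_RSA_OID, b"\x05\x00")
    tbs = der_seq(der_tlv(0xA0, der_tlv(0x02, b"\x02")),      # [0] EXPLICIT version v3
                  der_tlv(0x02, b"\x01"), sig_alg, der_seq(),  # serial, sigAlg, issuer
                  der_seq(der_tlv(0x17, b"240101000000Z"), der_tlv(0x17, b"250101000000Z")),
                  der_seq(), spki)                             # subject, SPKI
    return der_seq(tbs, sig_alg, der_tlv(0x03, b"\x00" + b"\xff" * 8)), spki

CURRENT_CERT, CURRENT_SPKI = sample_cert(b"\x01" * 256)   # key the MX host serves now
OLD_CERT, OLD_SPKI = sample_cert(b"\x02" * 256)           # key rotated out earlier
CURRENT_CHAIN = [CURRENT_CERT]
RRSET_OK = [
    "3 1 1 " + hashlib.sha256(CURRENT_SPKI).hexdigest(),  # matches the deployed key
    "3 1 1 " + hashlib.sha256(OLD_SPKI).hexdigest(),      # stale pre-rotation record, harmless
    "1 0 1 " + hashlib.sha256(CURRENT_CERT).hexdigest(),  # PKIX-EE: unusable for SMTP
]
RRSET_STALE = RRSET_OK[1:2]   # only the old key published: the rotation-outage case
```

Calling `check_tlsa(RRSET_OK, CURRENT_CHAIN)` reports one match, one mismatch and one unusable record, so the host authenticates; `check_tlsa(RRSET_STALE, CURRENT_CHAIN)` has a usable record that nobody matches, which is exactly the "incorrect TLSA record" state counted above and what a sending MTA will defer on. Publishing the new "3 1 1" record alongside the old one before swapping the key, and removing the old one only afterwards, keeps the RRset in the first state throughout a rotation; a monitor that runs this check against what each MX host actually serves catches the second state before mail starts bouncing.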