Summary: The DANE domain count is now 1,734,012.

The number of domains that return DNSSEC-validated replies in response to MX queries is 10,715,677. This is another large increase over last month when the total was 10,448,578. Thus DANE TLSA is deployed on ~16.18% of domains with DNSSEC.

Also adoption of ECDSA P-256 (algorithm 13) continues to grow, and the number of domains using P-256 KSKs has now surpassed RSA-SHA256 (algorithm 8) to become the most widely used DNSSEC algorithm. See: https://stats.dnssec-tools.org/#parameter

Happy New Year! Great progress over the past twelve months, Last year's December totals were 774,820 DANE SMTP domains and 8,878,369 DNSSEC-signed domains.]

Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.

As of today I count 1,734,012 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are:

1019882 one.com 132965 transip.nl 99844 domeneshop.no 88024 loopia.se 37425 active24.com 31555 vevida.com 29476 antagonist.nl 26738 web4u.cz 24646 udmedia.de 18342 zxcs.nl 17227 bhosted.nl 15468 flexfilter.nl 13505 onebit.cz 8765 protonmail.ch 5886 netzone.ch 5632 previder.nl 4707 mailplatform.eu 4116 soverin.net 3548 ips.nl 3239 zonemx.eu

The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).

6015 TOTAL 1998 DE, Germany 1209 US, United States 892 NL, Netherlands 480 FR, France 229 GB, United Kingdom 194 CZ, Czechia 128 CA, Canada 82 CH, Switzerland 79 SG, Singapore 74 SE, Sweden 67 DK, Denmark 54 FI, Finland 46 IE, Ireland 45 AT, Austria 38 PL, Poland 38 JP, Japan 38 AU, Australia 30 RU, Russia 26 BR, Brazil 24 IT, Italy

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:

3103 TOTAL 1275 DE, Germany 540 US, United States 463 NL, Netherlands 261 FR, France 105 CZ, Czechia 90 GB, United Kingdom 41 SE, Sweden 33 SG, Singapore 30 CH, Switzerland 28 JP, Japan 28 CA, Canada 24 AT, Austria 18 IE, Ireland 17 RU, Russia 15 DK, Denmark 14 SI, Slovenia 13 NO, Norway 13 ID, Indonesia 12 FI, Finland 12 BR, Brazil

There are 5053 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed.

The number of published MX host TLSA RRsets found is 7743. These cover 8629 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).

The number of domains that at some point were listed in Gmail's email transparency report is 297 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 147 are in recent (last 90 days of) reports:

univie.ac.at jpberlin.de jasperalblas.nl gmx.at lrz.de mailplus.nl register.bg mail.de minbzk.nl nic.br posteo.de mindef.nl registro.br ruhr-uni-bochum.de mm1.nl buymyweedonline.ca tum.de ouderportaal.nl gmx.ch uni-erlangen.de overheid.nl open.ch uni-muenchen.de pathe.nl protonmail.ch unitybox.de photofacts.nl anubisnetworks.com unitymedia.de photofactsacademy.nl clubedominante.com web.de politie.nl gmx.com egmontpublishing.dk previder.nl habr.com netic.dk rijksoverheid.nl hotelsinduitsland.com star.dk ru.nl ingthink.com tilburguniversity.edu rvo.nl kpn.com rediris.es schoudercom.nl mail.com uv.es schuurman-schoenen.nl mammoetmail.com komfortkasse.eu ssonet.nl one.com web200.eu truetickets.nl primexbt.com zone.eu uvt.nl protonmail.com ac-strasbourg.fr xs4all.nl societe.com kangouroukids.fr domeneshop.no solvinity.com octopuce.fr handelsbanken.no t-2.com web200.hu uib.no telfort.com comcast.net webcruitermail.no trashmail.com dns-oarc.net atelkamera.nu xfinity.com gmx.net debian.org xfinityhomesecurity.com habramail.net freebsd.org xfinitymobile.com hr-manager.net gentoo.org active24.cz inexio.net ietf.org atlas.cz mpssec.net isc.org centrum.cz procurios.net lazarus-ide.org cuni.cz riseup.net mailbox.org itesco.cz t-2.net netbsd.org klubpevnehozdravi.cz transip.net openssl.org krypton.cz vevida.net ozlabs.org onebit.cz xs4all.net samba.org optimail.cz belastingdienst.nl torproject.org server4u.cz bhosted.nl whatpulse.org smtp.cz billybird.nl moikrug.ru virusfree.cz bluerail.nl boplatssyd-automail.se volny.cz boozyshop.nl handelsbanken.se web4u.cz corpoflow.nl loopia.se bayern.de denhaag.nl minmyndighetspost.se bund.de dictu.nl personligalmanacka.se elster.de digid.nl skatteverket.se fau.de ezorg.nl theletter.se freenet.de fontys.nl govtrack.us gmx.de intermax.nl ru.ac.za

Of the ~1.73 million domains, 3382 have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.

The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 426. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:

https://github.com/danefail/list

To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:

https://dane.sys4.de/common_mistakes https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

http://tools.ietf.org/html/rfc7671#section-8.1 http://tools.ietf.org/html/rfc7671#section-8.4

After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1372. The top 11 name server operators with problem domains are:

347 registrar-servers.com (new this month, fix expected in days) 221 mijnhostingpartner.nl (varies between 200 and 500+) 95 egensajt.se 62 movenext.nl 59 eurodns.com 47 metaregistrar.nl 32 tiscomhosting.nl 29 nrdns.nl 26 hostnet.nl 24 ebola.cz 20 sylconia.net

If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.

Nine of the domains all whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

coren-sp.gov.br trt01.gov.br trtrio.gov.br trt1.jus.br trtrj.jus.br flytoyourheart.com topdecorationworld.com mobily.com.sa sauditelecom.com.sa