Summary: The DANE domain count is now 2,544,101 (up from 2,522,820 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 13,923,656 (up from 13,559,686 last month). Thus DANE TLSA is deployed on ~18.27% of domains with DNSSEC.
The Let's Encrypt Issuer CA switch from X3/X4 to R3/R4 has taken place, but some X3-issued certificates are not yet expired, and will soon renewed via R3. Take proactive steps to avoid mail delivery issues:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
As of today I count 2,544,101 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month Last month ---------- ---------- 1205788 one.com 1,197,409 one.com 147619 transip.nl 146,757 transip.nl 146775 argewebhosting.nl 146,041 argewebhosting.nl 103761 domeneshop.no 103,374 domeneshop.no 99912 infomaniak.ch 98,861 webhostingserver.nl 99338 webhostingserver.nl 96,166 infomaniak.ch 92519 loopia.se 92,051 loopia.se 67146 forpsi.com 66,772 forpsi.com 40970 webreus.nl 41,264 webreus.nl 40962 active24.com 40,642 active24.com 39427 pcextreme.nl 39,895 pcextreme.nl 35906 antagonist.nl 35,523 antagonist.nl 32396 zxcs.nl 31,194 zxcs.nl 30001 vevida.com 30,096 vevida.com 27989 webhosting.dk 27,456 webhosting.dk 26427 web4u.cz 26,566 web4u.cz 25822 udmedia.de 25,718 udmedia.de 18607 bhosted.nl 18,487 bhosted.nl 15356 protonmail.ch 14,530 protonmail.ch 14474 onebit.cz 14,434 onebit.cz
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month ---------- ---------- 8033 TOTAL 7,799 TOTAL 2432 DE, Germany 2,390 DE, Germany 1542 US, United States 1,497 US, United States 1524 NL, Netherlands 1,437 NL, Netherlands 635 FR, France 637 FR, France 294 GB, United Kingdom 279 GB, United Kingdom 221 CZ, Czechia 227 CZ, Czechia 175 CA, Canada 170 CA, Canada 142 FI, Finland 123 FI, Finland 120 DK, Denmark 113 DK, Denmark 113 SG, Singapore 109 SG, Singapore 96 CH, Switzerland 99 CH, Switzerland 87 SE, Sweden 88 SE, Sweden 69 AU, Australia 63 AU, Australia 66 AT, Austria 62 AT, Austria 37 IN, India 42 IE, Ireland 36 PL, Poland 40 BR, Brazil 35 IE, Ireland 38 IN, India 35 BR, Brazil 34 JP, Japan 34 JP, Japan 33 PL, Poland 31 NO, Norway 30 RU, Russia
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month Last month ---------- ---------- 6444 TOTAL 6,378 TOTAL 3179 NL, Netherlands 3,183 NL, Netherlands 1639 DE, Germany 1,587 DE, Germany 618 US, United States 606 US, United States 283 FR, France 287 FR, France 131 CZ, Czechia 136 CZ, Czechia 122 GB, United Kingdom 112 GB, United Kingdom 52 CA, Canada 48 CA, Canada 43 CH, Switzerland 44 CH, Switzerland 43 AT, Austria 42 AT, Austria 40 SG, Singapore 38 SG, Singapore 38 SE, Sweden 36 SE, Sweden 26 AU, Australia 27 RU, Russia 22 RU, Russia 22 IE, Ireland 20 IE, Ireland 19 UA, Ukraine 18 JP, Japan 19 JP, Japan 18 FI, Finland 18 AU, Australia 18 DK, Denmark 17 NO, Norway 17 UA, Ukraine 17 FI, Finland 16 NO, Norway 17 DK, Denmark 12 BR, Brazil 14 BR, Brazil
There are 6,428 unique zones (6,291 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 14,448 (14,130 last month). These cover 14,652 distinct[3] MX hosts (14,328 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 423 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 260 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.54 million domains, 12,995 (13,070 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1229 (1155 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-... https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r... https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1 http://tools.ietf.org/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 940 (1491 last month). The top 10 name server operators with problem domains are:
This month Last month ---------- ---------- 405 registrar-servers.com 325 registrar-servers.com 119 movenext.nl 116 movenext.nl 86 ebola.cz 86 ebola.cz 35 criscompinformatika.hu 25 tiscomhosting.nl 33 epik.com 24 epik.com 31 mijndomein.nl 23 eatserver.nl 25 tiscomhosting.nl 17 infracom.nl 24 eatserver.nl 14 ns01.nl 18 cloudflare.com 12 renault.fr 17 infracom.nl 11 nrdns.nl
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Five of the domains all whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br trt1.jus.br trtrj.jus.br bncr.fi.cr ofda.gov
-- Viktor.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
univie.ac.at dfn.de markteffectmail.nl gmx.at elster.de mijnsalon.nl boozyshop.be fau.de mijnuvt.nl tjek.be freenet.de minbuza.nl triodos.be gmx.de minbzk.nl register.bg jpberlin.de mindef.nl clubedohardware.com.br lrz.de mkbbelangen.nl outeletro.com.br mail.de mm1.nl nic.br mailserver4.de ns.nl registro.br mensa.de ouderportaal.nl gmx.ch mpg.de overheid.nl hostpoint.ch posteo.de parlement.nl infomaniak.ch ruhr-uni-bochum.de partijvoordedieren.nl open.ch stwm.de pathe.nl protonmail.ch tum.de politie.nl switch.ch uni-erlangen.de powerslim.nl travailler-en-suisse.ch uni-muenchen.de pp-prd.nl connectsb.com unitybox.de previder.nl dailyplaylists.com unitymedia.de rijksoverheid.nl datev.com web.de rotterdam.nl ecstase.com westlotto.de ru.nl fmc-na.com dfi.dk rvo.nl gmx.com dk-hostmaster.dk sans-mail.nl habr.com egmontpublishing.dk schoudercom.nl horagames.com netic.dk schuurman-schoenen.nl hotelsinduitsland.com nota.dk sportrusten.nl imcnig.com nst.dk ssonet.nl infomaniak.com peterhald.dk stater.nl ingthink.com powerhosting.dk telefoonglaasje.nl intakt.com star.dk ticketapp.nl jula.com uvm.dk triodos.nl kpn.com tilburguniversity.edu truetickets.nl leszexpertsfle.com lugeja.ee tweedekamer.nl mail.com spam-filter.email uitgeverijpica.nl mammoetmail.com spike.email uvt.nl matilhadobemadestramento.com rediris.es uwv.nl one.com triodos.es vu.nl protonmail.com uv.es webcentral.nl protonvpn.com zone.eu wehkampfinance.nl sankakucomplex.com zonevs.eu xs4all.nl societe.com ac-strasbourg.fr zorgmail.nl solvinity.com compagnie-des-sens.fr annabellstefanussen.no stater.com srci.fr audi.no stellarequipment.com fidesz.hu derute.no t-2.com interestexplorer.io domeneshop.no thalesgroup.com pm.me handelsbanken.no thepcw.com comcast.net idrettenonline.no triodos.com gmx.net nordicprint.no ugritone.com habramail.net norskgrammatikk.no veganallsorts.com hr-manager.net rushtrampoline.no vitstore.com inexio.net uib.no xfinity.com mijngezondheid.net viphuset.no xfinityhomesecurity.com mpssec.net atelkamera.nu xfinitymobile.com procurios.net goget.nu active24.cz prolocation.net lenhud.nu akce-incomputer.cz ripe.net debian.org amenit.cz riseup.net freebsd.org atlas.cz t-2.net gentoo.org bewooden.cz transip.net ietf.org centrum.cz triodos.net isc.org cuni.cz xs4all.net mailbox.org flagranti.cz amsterdam.nl mailop.org gigalekarna.cz argewebhosting.nl netbsd.org hellspy.cz arrangementenparade.nl openssl.org isportsystem.cz awcloud.nl ozlabs.org itesco.cz belastingdienst.nl samba.org klenotyaurum.cz bhosted.nl torproject.org klubpevnehozdravi.cz bhsupport.nl whatpulse.org nic.cz bluerail.nl asf.com.pt omvnovinky.cz boeketcadeau.nl boplatssyd-automail.se onebit.cz boekwinkeltjes.nl digitaltolk.se optimail.cz boozyshop.nl ecster.se poptavej.cz burgernet.nl handelsbanken.se reserved.cz cbr.nl loopia.se smtp.cz chipbizz.nl minmyndighetspost.se stoklasa.cz corpoflow.nl nordicprint.se toplist.cz derooijfotografie.nl personligalmanacka.se vas-server.cz dictu.nl polisen.se vcelka.cz digid.nl skatteverket.se virusfree.cz duo.nl teknikdelar.se volny.cz efactuurdirect.nl theletter.se zdravestravovani.cz ezorg.nl websupport.se bayern.de gerryweber.nl pneusvet.sk brandenburg.de hostingpeople.nl triodos.co.uk bund.de hr.nl govtrack.us bundesregierung.de interim-netwerk.nl ru.ac.za datev.de introweb.nl
[3] Some significant de-duplication of MX hosts has become necessary recently, as a result of providers using the same IP address and TLSA RRset under multiple per-customer names. Ideally, they'd reduce the complexity of the deployment by migrating to a common MX hostname, but for now this makes the numbers no longer directly comparable to values prior to 2020-12.
participants (1)
-
Viktor Dukhovni