Credits: Thanks to a substantial contribution of names of signed domains by Paul Vixie of Farsight Security, and a smaller but still significant contribution by domains-index.com, the scope of the survey is substantially expanded from ~6.0 million to ~7.9 million domains. Unsurprisingly, the numbers for the major hosting providers are substantially larger than in April.
Aside from the increase in the number of tested domains a new hosting provider "active24.com" (aka active24.cz) has enabled inbound and outbound DANE for their hosted domains. Thank you "active24.com" for improving the security of Internet email infrastructure.
Summary: The DANE domain count is now 289,550.
The number of DNSSEC domains in the survey stands at 7,878,881, thus DANE TLSA is deployed on 3.67% of domains with DNSSEC.
As of today I count 289,550 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support in bulk for the domains they host. It is starting to get crowded at the top of the list, so I'm now listing the top 15 MX host providers by domain count:
100271 transip.nl
 95922 domeneshop.no
 33299 active24.com
 23389 udmedia.de
  9655 bhosted.nl
  2281 nederhost.nl
  1547 yourdomainprovider.net
  1032 hi7.de
   955 xcellerate.nl
   927 surfmailfilter.nl
   634 core-networks.de
   629 omc-mail.com
   508 mailbox.org
   495 secure-gw.de
   433 systemec.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.nl/.cz/.de. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 10 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented):
1402 DE, Germany
 870 US, United States
 508 NL, Netherlands
 344 FR, France
 166 GB, United Kingdom
 121 CZ, Czech Republic
  81 CA, Canada
  65 SE, Sweden
  59 CH, Switzerland
  51 SG, Singapore
IPv6 is still comparatively rare for MX hosts, and the top 10 countries by DANE MX host IPv6 GeoIP are (same top 6).
754 DE, Germany
431 US, United States
280 NL, Netherlands
187 FR, France
 88 GB, United Kingdom
 67 CZ, Czech Republic
 36 SE, Sweden
 24 SG, Singapore
 23 CH, Switzerland
 14 SI, Slovenia
There are 3331 unique zones in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The number of published MX host TLSA RRsets found is 4785. These cover 5103 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 152 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 82 are in recent reports:
gmx.at gmx.de overheid.nl travelbirdbelgique.be jpberlin.de pathe.nl nic.br lrz.de politie.nl registro.br mail.de truetickets.nl gmx.ch posteo.de uvt.nl open.ch ruhr-uni-bochum.de xs4all.nl anubisnetworks.com tum.de domeneshop.no gmx.com uni-erlangen.de handelsbanken.no mail.com unitybox.de webcruitermail.no solvinity.com unitymedia.de aegee.org trashmail.com web.de debian.org xfinity.com egmontpublishing.dk freebsd.org xfinityhomesecurity.com netic.dk gentoo.org xfinitymobile.com tilburguniversity.edu ietf.org active24.cz insee.fr isc.org clubcard.cz octopuce.fr netbsd.org cuni.cz comcast.net openssl.org cvc.cz dd24.net samba.org itesco.cz dns-oarc.net torproject.org klubpevnehozdravi.cz gmx.net asf.com.pt localssrcapp.cz hr-manager.net handelsbanken.se nic.cz mpssec.net iis.se smtp.cz t-2.net minmyndighetspost.se bayern.de xs4all.net skatteverket.se bund.de bhosted.nl t-2.si elster.de bit.nl govtrack.us fau.de boozyshop.nl freenet.de ouderportaal.nl
Of the ~289000 domains, 1466 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 220. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
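The survey buckets above (full coverage, "partial" TLSA records on only some MX hosts, and "incorrect" TLSA records or missing STARTTLS) and the advice to monitor your own records come down to the same check: for every MX host of a domain, look up _25._tcp.<mx host> TLSA and compare the records against what the host presents in its TLS handshake. The following is an added example that is not part of the survey or of any project's code; it runs the classification over constructed in-memory DNS data (the example.org/.example names, the "DER" byte strings and the hash values are all made up for the example) so it works offline, with the TLSA selector and matching-type semantics taken from RFC 6698 and the SMTP usage rules from RFC 7672.

```python
"""Classify a domain's SMTP DANE status the way the survey categories do.
Added example with constructed data; not the survey's own tooling."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class TLSA:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE are the usages meaningful for SMTP
    selector: int  # 0 = full certificate DER, 1 = SubjectPublicKeyInfo DER
    mtype: int     # 0 = exact data, 1 = SHA2-256, 2 = SHA2-512
    data: bytes


def parse_tlsa(presentation):
    """Parse presentation form, e.g. '3 1 1 <hex>', into a TLSA record."""
    usage, selector, mtype, hexdata = presentation.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex(hexdata))


def tlsa_matches(record, cert_der, spki_der):
    """Does one TLSA record match the certificate the MX host presented?"""
    if record.usage not in (2, 3):
        return False  # PKIX-TA/PKIX-EE (0, 1) are not used for SMTP (RFC 7672)
    selected = {0: cert_der, 1: spki_der}.get(record.selector)
    if selected is None:
        return False
    if record.mtype == 0:
        return record.data == selected
    if record.mtype == 1:
        return record.data == hashlib.sha256(selected).digest()
    if record.mtype == 2:
        return record.data == hashlib.sha512(selected).digest()
    return False  # unknown matching type: the record is unusable


# --- Constructed sample data (placeholders, not real DER or real zones) ---
SAMPLE_CERT = b"constructed-certificate-der"
SAMPLE_SPKI = b"constructed-subject-public-key-info-der"
GOOD_TLSA = "3 1 1 " + hashlib.sha256(SAMPLE_SPKI).hexdigest()
STALE_TLSA = "3 1 1 " + hashlib.sha256(b"key-before-rotation").hexdigest()

MX = {  # domain -> MX hosts (constructed)
    "full.example": ["mx1.example.org", "mx2.example.org"],
    "partial.example": ["mx1.example.org", "mx3.example.org"],
    "stale.example": ["mx1.example.org", "mx4.example.org"],
    "nostarttls.example": ["mx5.example.org"],
    "none.example": ["mx3.example.org"],
}
TLSA_ZONE = {  # owner name that SMTP clients query -> TLSA RRset (constructed)
    "_25._tcp.mx1.example.org": [GOOD_TLSA],
    "_25._tcp.mx2.example.org": [GOOD_TLSA],   # same key as mx1, as behind a CNAME
    "_25._tcp.mx4.example.org": [STALE_TLSA],  # key rotated, TLSA never updated
    "_25._tcp.mx5.example.org": [GOOD_TLSA],
}
PRESENTED = {  # what each host shows after STARTTLS; None = no STARTTLS offered
    "mx1.example.org": (SAMPLE_CERT, SAMPLE_SPKI),
    "mx2.example.org": (SAMPLE_CERT, SAMPLE_SPKI),
    "mx3.example.org": (SAMPLE_CERT, SAMPLE_SPKI),
    "mx4.example.org": (SAMPLE_CERT, SAMPLE_SPKI),
    "mx5.example.org": None,
}


def classify(domain, mx=MX, zone=TLSA_ZONE, presented=PRESENTED):
    """Return 'none', 'partial', 'broken' or 'full' for a domain.

    none    - no MX host publishes TLSA records
    broken  - some MX host publishes TLSA records but offers no STARTTLS or
              presents a certificate that matches none of them
    partial - only some MX hosts publish (matching) TLSA records; mail via the
              others is still exposed to active attacks
    full    - every MX host publishes TLSA records and presents a match
    """
    hosts = mx[domain]
    with_tlsa = [h for h in hosts if zone.get(f"_25._tcp.{h}")]
    if not with_tlsa:
        return "none"
    for host in with_tlsa:
        records = [parse_tlsa(r) for r in zone[f"_25._tcp.{host}"]]
        handshake = presented.get(host)
        if handshake is None:
            return "broken"  # TLSA published, but no STARTTLS to verify against
        cert, spki = handshake
        if not any(tlsa_matches(r, cert, spki) for r in records):
            return "broken"  # e.g. key rotated without updating the RRset
    return "full" if len(with_tlsa) == len(hosts) else "partial"


if __name__ == "__main__":
    for name in MX:
        print(f"{name:20s} {classify(name)}")
```

Turning this into a monitor for your own domain means replacing the three constructed dictionaries with live lookups (MX and TLSA via a validating resolver, the certificate via a STARTTLS connection to each MX host) and alerting whenever a host leaves the "full" bucket; the stale-key case is exactly the rotation failure the links above warn about.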
All the new blood in the survey has uncovered some previously unseen DNSSEC denial of existence breakage. After eliminating parked domains that do not accept email of any kind, the number of "real" email domains with bad DNSSEC support stands at 1171. The top 20 name server operators with problem domains are:
793 webspacecontrol.com / dotroll.com
 52 mijnhostingpartner.nl
 49 dotserv.com
 22 sylconia.net
 16 firstfind.nl
 13 psb1.org
 11 nazwa.pl
 11 blauwblaatje.nl
 10 metaregistrar.nl
  8 zeptor.nl
  8 tse.jus.br
  8 dnscluster.nl
  8 active24.cz
  7 ignum.com
  6 vultr.com
  6 tiscomhosting.nl
  6 host-redirect.com
  6 glbns.com
  6 domdom.hu
  6 1cocomo.com
The domains all of whose nameservers have broken denial of existence that also appear in historical Google reports are:
tre-ce.jus.br tre-sc.jus.br tre-rj.jus.br tre-sp.jus.br tse.jus.br
Viktor Dukhovni