Summary: The DANE domain count is now 2,568,169 (up from 2,544,101 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 14,288,417 (up from 13,923,656 last month). Thus DANE TLSA is deployed on ~17.97% of domains with DNSSEC.
https://stats.dnssec-tools.org/
The Let's Encrypt issuer CA switch from X3/X4 to R3/R4 has taken place, and all certificates issued by X3 have now expired. If you're still publishing the X3 hash in your TLSA RRset, it is best removed:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
As of today I count 2,568,169 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections [1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                      Last month
----------                      ----------
1219827 one.com                 1205788 one.com
 148553 transip.nl               147619 transip.nl
 147435 argewebhosting.nl        146775 argewebhosting.nl
 104178 domeneshop.no            103761 domeneshop.no
 102904 infomaniak.ch             99912 infomaniak.ch
  99738 webhostingserver.nl       99338 webhostingserver.nl
  92884 loopia.se                 92519 loopia.se
  67647 forpsi.com                67146 forpsi.com
  41221 active24.com              40970 webreus.nl
  40647 webreus.nl                40962 active24.com
  39035 pcextreme.nl              39427 pcextreme.nl
  36298 antagonist.nl             35906 antagonist.nl
  33417 zxcs.nl                   32396 zxcs.nl
  29790 vevida.com                30001 vevida.com
  27967 webhosting.dk             27989 webhosting.dk
  26531 web4u.cz                  26427 web4u.cz
  25882 udmedia.de                25822 udmedia.de
  18695 bhosted.nl                18607 bhosted.nl
  16210 protonmail.ch             15356 protonmail.ch
  14555 onebit.cz                 14474 onebit.cz
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                      Last month
----------                      ----------
8200 TOTAL                      8033 TOTAL
2467 DE, Germany                2432 DE, Germany
1591 US, United States          1542 US, United States
1567 NL, Netherlands            1524 NL, Netherlands
 632 FR, France                  635 FR, France
 302 GB, United Kingdom          294 GB, United Kingdom
 225 CZ, Czechia                 221 CZ, Czechia
 190 CA, Canada                  175 CA, Canada
 144 FI, Finland                 142 FI, Finland
 119 DK, Denmark                 120 DK, Denmark
 114 SG, Singapore               113 SG, Singapore
  94 CH, Switzerland              96 CH, Switzerland
  92 SE, Sweden                   87 SE, Sweden
  71 AU, Australia                69 AU, Australia
  63 AT, Austria                  66 AT, Austria
  38 PL, Poland                   37 IN, India
  37 JP, Japan                    36 PL, Poland
  36 RU, Russia                   35 IE, Ireland
  36 IE, Ireland                  35 BR, Brazil
  36 BR, Brazil                   34 JP, Japan
  33 NO, Norway                   31 NO, Norway
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month                      Last month
----------                      ----------
6537 TOTAL                      6444 TOTAL
3203 NL, Netherlands            3179 NL, Netherlands
1682 DE, Germany                1639 DE, Germany
 641 US, United States           618 US, United States
 280 FR, France                  283 FR, France
 145 CZ, Czechia                 131 CZ, Czechia
 123 GB, United Kingdom          122 GB, United Kingdom
  49 CA, Canada                   52 CA, Canada
  44 CH, Switzerland              43 CH, Switzerland
  42 SE, Sweden                   43 AT, Austria
  42 AT, Austria                  40 SG, Singapore
  39 SG, Singapore                38 SE, Sweden
  26 FI, Finland                  26 AU, Australia
  23 AU, Australia                22 RU, Russia
  21 JP, Japan                    20 IE, Ireland
  17 IE, Ireland                  18 JP, Japan
  17 DK, Denmark                  18 FI, Finland
  15 NO, Norway                   18 DK, Denmark
  14 BR, Brazil                   17 UA, Ukraine
  13 RU, Russia                   16 NO, Norway
  10 PL, Poland                   12 BR, Brazil
There are 6,612 unique zones (6,428 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 14,671 (14,448 last month). These cover 14,882 distinct MX hosts (14,652 last month); there are more hosts than RRsets because some MX hosts share the same TLSA records through CNAMEs.
The number of DANE domains that at some point were listed in Gmail's email transparency report is 449 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 283 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.57 million domains, 12,871 (12,995 last month) have "partial" TLSA records, which cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1028 (1229 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
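The monitoring and key-rotation advice above, together with the note at the top about dropping the retired X3 issuer hash, is the kind of check that can be automated. The Python below is an added example, not code from this post: it compares a TLSA RRset against the MX host's current certificate chain and the chain that will replace it, so that a rotation proceeds only once the next key is already published, and it flags records (such as an X3 issuer hash) that match neither. The certificates are stand-ins of constructed bytes; a real monitor would supply DER certificates and SPKIs taken from the host's TLS handshake, and DANE-TA(2) checks assume the server sends its issuer chain.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class TLSARecord:
    usage: int     # 2 = DANE-TA, 3 = DANE-EE; PKIX-TA(0)/PKIX-EE(1) are unusable for SMTP
    selector: int  # 0 = full certificate, 1 = SubjectPublicKeyInfo
    mtype: int     # 0 = exact data, 1 = SHA-256, 2 = SHA-512
    data: bytes
    @classmethod
    def parse(cls, rdata):
        """Parse zone presentation form, e.g. '3 1 1 <hex>'."""
        u, s, m, hexdata = rdata.split(None, 3)
        return cls(int(u), int(s), int(m), bytes.fromhex(hexdata.replace(" ", "")))

@dataclass(frozen=True)
class Cert:
    der: bytes   # DER-encoded certificate
    spki: bytes  # DER-encoded SubjectPublicKeyInfo extracted from it

# Matching types: 0 carries the raw data, 1 its SHA-256, 2 its SHA-512.
DIGEST = {0: lambda b: b, 1: lambda b: hashlib.sha256(b).digest(), 2: lambda b: hashlib.sha512(b).digest()}

def tlsa_data(cert, selector, mtype):
    return DIGEST[mtype](cert.der if selector == 0 else cert.spki)

def record_matches(rec, chain):
    """chain is leaf first; DANE-EE must match the leaf, DANE-TA an issuer the server sends."""
    candidates = {3: chain[:1], 2: chain[1:]}.get(rec.usage, [])
    return any(tlsa_data(c, rec.selector, rec.mtype) == rec.data for c in candidates)

def audit_rrset(rrset, current_chain, next_chain):
    """Return (matches current chain, matches next chain, records matching neither)."""
    ok_now = any(record_matches(r, current_chain) for r in rrset)
    ok_next = any(record_matches(r, next_chain) for r in rrset)
    stale = [r for r in rrset
             if not record_matches(r, current_chain) and not record_matches(r, next_chain)]
    return ok_now, ok_next, stale

# Constructed placeholder certificates (not real DER); a monitor would load the MX host's real chain.
CURRENT_LEAF = Cert(b"constructed-current-leaf", b"constructed-current-spki")
NEXT_LEAF = Cert(b"constructed-next-leaf", b"constructed-next-spki")
R3_ISSUER = Cert(b"constructed-R3", b"constructed-R3-spki")
X3_ISSUER = Cert(b"constructed-X3", b"constructed-X3-spki")  # retired issuer

def example_rrset():
    return [TLSARecord(3, 1, 1, hashlib.sha256(CURRENT_LEAF.spki).digest()),  # current key
            TLSARecord(3, 1, 1, hashlib.sha256(NEXT_LEAF.spki).digest()),     # pre-published next key
            TLSARecord(2, 1, 1, hashlib.sha256(X3_ISSUER.spki).digest())]     # stale X3 issuer hash

def example_audit():
    return audit_rrset(example_rrset(), [CURRENT_LEAF, R3_ISSUER], [NEXT_LEAF, R3_ISSUER])
```

A rotation is safe to perform only when the second value is true, and any record reported in the third element is dead weight in the RRset.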
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1298 (940 last month). The top 10 name server operators with problem domains are:
This month                      Last month
----------                      ----------
439 registrar-servers.com       405 registrar-servers.com
119 movenext.nl                 119 movenext.nl
 93 ebola.cz                     86 ebola.cz
 46 axc.nl                       35 criscompinformatika.hu
 45 made-easy.ch                 33 epik.com
 39 epik.com                     31 mijndomein.nl
 34 mijndomein.nl                25 tiscomhosting.nl
 26 tiscomhosting.nl             24 eatserver.nl
 22 eatserver.nl                 18 cloudflare.com
 19 infracom.nl                  17 infracom.nl
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Six of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:

coren-sp.gov.br
trt1.jus.br
bncr.fi.cr
ofda.gov
ticketspy.nl
sauditelecom.com.sa
-- Viktor.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports: