Summary: The DANE domain count is now 3,988,988 (3,987,641 last month, 3,733,547 a year ago).
The number of domains that return DNSSEC-validated replies in response to MX queries is 23,098,096 (23,197,449 last month, 20,675,170 a year ago). Thus DANE TLSA is deployed on ~17.26% of domains with DNSSEC. For more stats, see https://stats.dnssec-tools.org/.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records matching a Let's Encrypt issuing CA, please note important upcoming changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY65... https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2C... https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2EE...
As of today, I count ~3.99 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month Last Month Last year ---------- ---------- --------- 1306568 one.com 1314010 one.com 1214177 one.com 306621 hostpoint.ch 305329 hostpoint.ch 286784 hostpoint.ch 219246 infomaniak.ch 216411 infomaniak.ch 195060 infomaniak.ch 172777 transip.nl 172489 transip.nl 182438 mijndomein.nl 172069 jouwweb.nl 170058 mijndomein.nl 166314 transip.nl 170317 mijndomein.nl 166814 jouwweb.nl 154096 argewebhosting.nl 137375 argewebhosting.nl 138337 argewebhosting.nl 134199 simply.com 130652 simply.com 132653 simply.com 118030 jouwweb.nl 111485 hostnet.nl 111533 hostnet.nl 111945 hostnet.nl 109779 domeneshop.no 109976 domeneshop.no 108682 domeneshop.no 106544 loopia.se 106479 loopia.se 104887 loopia.se 89264 webhostingserver.nl 89713 webhostingserver.nl 94600 webhostingserver.nl 82634 forpsi.com 83026 forpsi.com 79127 forpsi.com 81475 zxcs.nl 81215 zxcs.nl 67139 zxcs.nl 47296 protonmail.ch 46191 protonmail.ch 46886 active24.com 41179 antagonist.nl 41111 antagonist.nl 39610 webreus.nl 38161 active24.com 38611 active24.com 39483 antagonist.nl 36259 webreus.nl 36576 webreus.nl 34977 protonmail.ch 28643 pcextreme.nl 29196 pcextreme.nl 32983 pcextreme.nl 28102 xel.nl 28283 xel.nl 29297 xel.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month Last month Last year ----------- ---------- --------- 12019 TOTAL 11870 TOTAL 10595 TOTAL 3819 DE, Germany 3785 DE, Germany 3209 DE, Germany 1948 NL, The Netherlands 1942 NL, The Netherlands 1891 NL, Netherlands 1929 US, United States 1883 US, United States 1833 US, United States 905 FR, France 921 FR, France 799 FR, France 481 CZ, Czechia 479 CZ, Czechia 388 CZ, Czechia 380 GB, United Kingdom 366 GB, United Kingdom 362 GB, United Kingdom 287 FI, Finland 272 FI, Finland 235 FI, Finland 212 CA, Canada 214 CA, Canada 221 CA, Canada 199 CH, Switzerland 187 CH, Switzerland 153 AT, Austria 186 AT, Austria 183 AT, Austria 135 SE, Sweden 176 SE, Sweden 169 SE, Sweden 134 CH, Switzerland 160 DK, Denmark 152 DK, Denmark 132 DK, Denmark 148 AU, Australia 145 AU, Australia 122 SG, Singapore 117 SG, Singapore 119 SG, Singapore 120 AU, Australia 103 RU, Russia 102 RU, Russia 72 PL, Poland 93 PL, Poland 89 PL, Poland 58 JP, Japan 67 NO, Norway 63 NO, Norway 57 RU, Russia 57 JP, Japan 61 JP, Japan 47 NO, Norway 49 IT, Italy 50 BR, Brazil 42 BR, Brazil 49 BR, Brazil 43 IT, Italy 38 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month Last month Last year ---------- ---------- --------- 9592 TOTAL 9515 TOTAL 8339 TOTAL 4210 NL, The Netherlands 4229 NL, The Netherlands 3666 NL, Netherlands 2791 DE, Germany 2724 DE, Germany 2330 DE, Germany 888 US, United States 868 US, United States 860 US, United States 390 FR, France 401 FR, France 406 FR, France 202 CZ, Czechia 198 CZ, Czechia 175 CZ, Czechia 185 GB, United Kingdom 183 GB, United Kingdom 162 GB, United Kingdom 113 FI, Finland 112 FI, Finland 77 CA, Canada 86 CA, Canada 83 CA, Canada 74 FI, Finland 80 SE, Sweden 78 SE, Sweden 67 AU, Australia 75 AU, Australia 76 AU, Australia 64 CH, Switzerland 72 CH, Switzerland 74 CH, Switzerland 56 SE, Sweden 50 AT, Austria 52 AT, Austria 54 AT, Austria 44 SG, Singapore 46 SG, Singapore 44 SG, Singapore 39 JP, Japan 39 JP, Japan 36 JP, Japan 31 RU, Russia 32 RU, Russia 23 EE, Estonia 31 NO, Norway 29 RO, Romania 21 NO, Norway 29 RO, Romania 28 NO, Norway 21 IE, Ireland 29 BR, Brazil 28 BR, Brazil 21 DK, Denmark 26 DK, Denmark 22 DK, Denmark 17 BR, Brazil 16 IE, Ireland 17 IE, Ireland 15 LT, Lithuania
There are 10,449 unique zones (10,192 last month, 9,144 last year) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 21,169 (20,854 last month, 19,380 last year). These cover 21,466 distinct MX hosts (21,158 last month, 19,380 last year, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 1,173 (841 last year, this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 674 (525 last year) are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.99 million DANE domains, 14,456 (14,431 last month, 13,107 last year) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1,862 (1,655 last month, 1,320 last year). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:
172 mx2.tkservers.com 48 mail.caop.nl 35 mx1.mdbraber.com 32 mx01.speicher-werk.de 31 mail-03.eu-central-1.aorta.space 26 mail.orionpanel.nl 23 smtp2.kruik-it.nl 23 mail.spreadity.com 22 mail.exot.cz 15 mail.nationaalarchief.nl
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-... https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r... https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1 https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 838 (901 last month, 1,076 last year). The top 10 name server operators with problem domains are:
This Month Last month Last year ---------- ---------- ---------- 528 neostrada.nl 608 neostrada.nl 148 swizzonic.ch 60 worldnic.com 61 worldnic.com 134 worldnic.com 22 openprovider.nl 22 openprovider.nl 106 epik.com 21 active24.cz 14 sectigoweb.com 95 axc.nl 14 sectigoweb.com 13 register.com 73 ebola.cz 13 register.com 8 ispapi.net 61 openprovider.nl 7 vultr.com 8 dnssrv.nl 29 made-easy.ch 7 dnssrv.nl 7 vultr.com 20 register.com 6 resolver.domains 6 resolver.domains 18 sectigoweb.com 6 ispapi.net 6 forpsi.net 12 ispapi.net
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of existence appears in the last 120 days of Google transparency reports:
mailazy.net
-- Viktor.
[0] Credits: Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and team). Wes also hosts and maintains the https://stats.dnssec-tools.org website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data support from Chris Mikkelson from domaintools.com. Credits also due to ICANN providing gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records, (which don't need to match anything, just need to exist and be well-formed) there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
vbv.ag uni-augsburg.de kiesrijk.nl univie.ac.at uni-bielefeld.de liveatamsterdamsebos.nl gmx.at uni-erlangen.de maastrichtuniversity.nl vbv.at uni-muenchen.de mailmore.nl boozyshop.be vicinityclo.de mailon.nl eos-contentia.be web.de mailplus.nl triodos.be westlotto.de managementboek.nl nra.bg aeldresagen.dk markteffectmail.nl register.bg allbuy.dk mcmta.nl dwvmail.com.br anna-hjorth.dk mijndomein.nl e-negociacao.com.br annebrauner.dk mijnmagazines.nl e-renegocie.com.br anodyne.dk minbzk.nl pn1.com.br australian-bodycare.dk mindef.nl zaaztelecom.com.br avabeauty.dk mm1.nl defesa.gov.br bambustoej.dk mulderretail.nl nic.br barons.dk nefkens.nl registro.br bigsaver.dk netpoint.nl activfitness-news.ch bisgaardshoes.dk netpointfactoring.nl blackout-bonusclub.ch boblberg.dk nieuwsservice-rvo.nl creditum.ch bog.dk notbranded.nl escalade.ch borgerforslag.dk noties.nl gmx.ch bymelanie.dk ns.nl handy-abovergleich.ch camillakroeyer.dk nuudcare.nl hostpoint.ch casanova.dk nuwegexclusief.nl infomaniak.ch champagneklubben.dk okki.nl kalender-win.ch cillouettes.dk oomverzekeringen.nl msochrono.ch computerworld.dk opnaarwonderland.nl open.ch damask.dk otys.nl protonmail.ch danielspengetips.dk ouderenfonds.nl sherlockhomes.ch danskebank.dk ouderportaal.nl sms-gagnant.ch densidsteflaske.dk outlawevents.nl wog.ch dfi.dk overheid.nl bionoble.co dressforsuccess.dk oxilionhosted.nl simplelogin.co ejvinds.dk partijvoordedieren.nl aim-care.com fibianet.dk partnermail.nl albourne.com fletkurven.dk podiumcadeaukaart.nl also.com foraeldresparring.dk politie.nl anonaddy.com frisorenogbaronen.dk pp-prd.nl ansigtsyogaonline.com gasolinegrill.dk previder.nl boozyshop.com gastrotools.dk proefdiervrij.nl buroventures.com globestudios.dk prorun-mail.nl canva-facile.com hook-up.dk pvv.nl cm.com hostedsepo.dk quicknet.nl collarofsweden.com idelig.dk ranzijn.nl connectsb.com inkpro.dk rdw.nl conscience-et-realites.com iphoneopladere.dk rijksoverheid.nl cornerstoneplatform.com ixstudioscph.dk rivm.nl danskebank.com kagegrisen.dk rotterdam.nl datev.com kisserpaludan.dk rvig.nl denhaag.com kk.dk rvo.nl detectiveforaday.com kodbilen.dk sans-mail.nl eliteincomesociety.com konkurspriser.dk schuurman-schoenen.nl explorer-hotels.com kystfisken.dk scorion.nl fabfilter.com lacabra.dk shampoobars.nl farmergracy.com lammeskindet.dk shapeit.nl fastware-hosting.com lederstof.dk shoesme.nl flaneurhomme.com legekammeraten.dk sietskescholten.nl fromanteel-watches.com mobilcovers.dk sizzthebrand.nl getpaidopportunities.com modstroem.dk smartwatchbanden.nl gmx.com musclehouse.dk snowbass.nl goodforme.com naturhandel.dk spamservice.nl habitamat.com netic.dk sportrusten.nl habr.com nexsmart.dk ssonet.nl hannahbarrettyoga.com nfinitybeauty.dk stage-app.nl headachecalendar.com nimara.dk stater.nl hedon.com nordd.dk steunactie.nl highcharts.com nordicsheep.dk svb.nl imcnig.com nota.dk svr.nl infomaniak.com online-mode.dk technicus.nl ingthink.com pengeogfrihed.dk telefoonglaasje.nl intakt.com perfectjeans.dk thealphamen.nl itskaos.com qookware.dk thefightcompany.nl johnbeerens.com sengefabrikken.dk transip.nl joomlapolis.com seniornews.dk triodos.nl jula.com shapeit.dk truetickets.nl justpadel.com sillysanta.dk tudelft.nl kabayarefashion.com skjold-burne.dk uitgeverijpica.nl kheaa.com smoon.dk upcmail.nl leszexpertsfle.com sneakerzone.dk uvt.nl librti.com stil.dk uwv.nl luvrefranco.com sygeforsikring.dk vacaturesonline.nl mail.com thenap.dk valys.nl maileroo.com thesneakerstore.dk vandale.nl mailzerver.com trueliving.dk vimexx.nl marsblade.com viggo.dk vluchtelingenwerk.nl meriamecouture.com vin-huset.dk vpo.nl mplbeauty.com vind.dk vunzigedeuntjes.nl nanolearning.com yuaiahaircare.dk vvv-venlo.nl nautisme-pratique.com tilburguniversity.edu watchbandjes-shop.nl nine-pine.com biotheka.ee waternet.nl novashops.com holt.ee werkzoeken.nl offshorecorptalk.com maarahvapood.ee woongarantvolmacht.nl one.com minuvalik.ee ziggo.nl orsys.com surveyturtle.ee zorgmail.nl ottobredesign.com turunduslabor.ee ankerstjerne.no pieter-pot.com myownconference.email annabellstefanussen.no pompomlondon.com spam-filter.email babybanden.no ppcpcv.com spotler.email bergengokart.no protonmail.com talentech.email bull-ski-kajakk.no run-motion.com nuudcare.es chillout.no runbox.com triodos.es day-et.no sankakucomplex.com egu.eu dinholdning.no scienceshepherd.com finesoftware.eu domeneshop.no scorecloud.com mailplatform.eu dressmykid.no serverclienti.com qard.eu godvar.no sisuknitwear.com rybarik.eu guttelus.no sneakerjeans.com zerolime.eu handelsbanken.no solvinity.com zone.eu hoppin.no speciale-offre.com zonevs.eu hyttefeber.no sportnotch.com danskebank.fi idrettenonline.no stasdock.com f-solutions.fi kashmina.no stater.com fsol.fi lagerpriser.no stellarequipment.com handelsbanken.fi marikrogshus.no tcs.com io-tech.fi modostore.no the-vfl.com metaburn.fi mystuff.no theintercept.com raumanteatteri.fi nordiskbylien.no thelabelmachine.com sillysanta.fi norskgrammatikk.no thepcw.com ac-strasbourg.fr raskebriller.no thepcwholesale.com boozyshop.fr rushtrampoline.no thingsilikethingsilove.com braceletsmartwatch.fr smaaungene.no trainwithlov.com compagnie-des-sens.fr spillfabrikken.no triodos.com nuudcare.fr stilshoppen.no tutanota.com oo2.fr strikkia.no up2staff.com passefranceallemagne.fr suksessmednetthandel.no vivaldi.com privea.fr svippr.no webcruiter.com fvap.gov tickettothemoon.no win-rar.com nsa.gov veronicalill.no xfinity.com tid.gov.hk analysedanmark.nu xfinityhomesecurity.com fidesz.hu atelkamera.nu xfinitymobile.com italiamail.hu goget.nu bncr.fi.cr marathonlife.hu hallbarhalsa.nu airbank.cz nyirbatorvaroskartya.hu lenhud.nu akce-incomputer.cz zsibvasar.hu skjutsgruppen.nu amenit.cz bluebiz.info agirpourlenvironnement.org balikovna.cz eurocontrol.int calyxinstitute.org bewooden.cz infinex.io debian.org cd.cz simplelogin.io freebsd.org cinemax.cz nuudcare.it fridaysforfuture.org cokoladovnajanek.cz neolink.link gentoo.org cpost.cz etat.lu ietf.org creammy.cz anonaddy.me isc.org csob.cz pm.me mailbox.org csobstavebni.cz proton.me mailop.org cuni.cz army.mil netbsd.org dashofer.cz dla.mil ozlabs.org dedra.cz dma.mil postfix.org e-kondomy.cz health.mil samba.org ecps.cz jten.mil torproject.org ekokoza.cz mail.mil biotechnologia.com.pl fio.cz navy.mil asf.com.pt gov.cz nga.mil pinnbet.rs hobynaradi.cz osd.mil mobily.com.sa hypotecnibanka.cz socom.mil arbetsformedlingen.se innogy.cz spaceforce.mil australian-bodycare.se itesco.cz uscg.mil bearplay.se jumpfamily.cz usmc.mil bearplayshop.se kb.cz comcast.net bidflow.se klenotyaurum.cz ewetel.net bilprovningen.se klubpevnehozdravi.cz ficbook.net crtzoo.se ksporting.cz fivem.net egensajt.se manymail.cz gmx.net ellevio.se mbank.cz graphistepro.net epochtimes-mejl.se mfcr.cz habramail.net fotproffsen.se mindsoft.cz hr-manager.net handelsbanken.se mkluzkoviny.cz intares.net hellomantle.se mojedatovaschranka.cz mailanyone.net innebandy24.se mojemincovna.cz masterinter.net jaramba.se mrakyhracek.cz mijngezondheid.net jul-troja.se muni.cz mpssec.net klasspengar.se nic.cz octopoos.net koreanbeauty.se nilia.cz procurios.net kth.se o2.cz ripe.net kulturaktiebolaget.se opravdovezlociny.cz riseup.net livlyclothing.se optimail.cz s-qrc.net lnu.se outlet-alpine.cz soverin.net lomervarde.se p-info.cz space.net loopia.se pivoteka.cz t-2.net malarfabriken.se poptavej.cz amsterdam.nl merchsweden.se scrptd.cz aquastorexl.nl metaburn.se server4u.cz bankhoesdiscounter.nl minmyndighetspost.se shopex.cz belastingdienst.nl nordd.se smtp.cz beterinbeleggen.nl nordicsheep.se sparkys.cz beterspellen.nl polisen.se stoklasa.cz bewustpuur.nl samblamail.se tefal.cz bhosted.nl sillysanta.se thinline.cz blushfashionstore.nl silverdotter.se vas-server.cz bobo.nl skatteverket.se vitalpoint.cz body-supplies.nl skolverket.se vshosting.cz bolerolimonadewinkel.nl snbostader.se zafido.cz boozyshop.nl soleplus.se zdravestravovani.cz box.nl spelfabrik.se zlocinozrouti.cz bruut.nl svenskhusman.se zonky.cz burgernet.nl teeshoppen.se bayern.de carre.nl teknikdelar.se brandenburg.de casema.nl theletter.se bund.de cbr.nl websupport.se datev.de chello.nl agatinsvet.sk deutsch-franzoesischer-freundschaftspass.de clubplanner.nl bewooden.sk dfn.de csvjongholland.nl coopka.sk elster.de degros.nl edirect.sk ewetel.de derooijfotografie.nl fio.sk fau.de desan.nl gravirovane.sk freenet.de dewebmakers.nl hecht.sk gmx.de dictu.nl mamaaja.sk hi7.de digid.nl mklozkoviny.sk huellen-shop.de dimehouse.nl mnforce-panel.sk jpberlin.de domain-registry.nl nakupujzdravo.sk knauermann.de dorcas.nl nlp-akademia.sk lmu.de duo.nl partner.sk lrz.de efactuurdirect.nl penzionmara.sk mail.de esuals.nl poziadavka.sk mail2many.de extinctionrebellion.nl rondogo.sk mensa.de ezorg.nl travelmail.sk mindline-analytics.de fivecityspa.nl zapardrobnych.sk mpg.de frfc1908.nl zeit-des-wandels.tv posteo.de glamouryourhair.nl afinepairofshoes.co.uk ruhr-uni-bochum.de hobbygigant.nl clientnews3.co.uk sifjakobs.de home.nl millieandblake.co.uk sillysanta.de hostingpeople.nl nuudcare.co.uk smartwatcharmbaender.de hostnet.nl thewordman.co.uk sys4.de huurexpert.nl triodos.co.uk taures.de ikdeburger.nl nuudcare.us tu-darmstadt.de inspirerendleven.nl quantum-services.us tum.de interim-netwerk.nl ru.ac.za tutanota.de josephinajewelry.nl
participants (1)
-
Viktor Dukhovni