Update on stats 2018-11
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
Summary: The DANE domain count is now 740,856
The substantial increase is primarily a result of newly enabled DNSSEC and DANE TLSA records for the MX hosts operated by one.com. Congratulations and thanks to one.com, and to iis.se for providing some of the incentive to make this happen.
The number of domains with DNSSEC-signed MX records is 9,035,030. Thus DANE TLSA is deployed on 8.19% of domains with DNSSEC.
As of today I count 740,856 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are:
  400996  one.com
  117219  transip.nl
   97040  domeneshop.no
   35065  active24.com
   23768  udmedia.de
   10923  bhosted.nl
   10592  wido.info
    5689  previder.nl
    3593  interconnect.nl
    2525  provalue.nl
    2437  nederhost.nl
    1477  yourdomainprovider.net
    1290  xcellerate.nl
    1249  hi7.de
    1077  surfmailfilter.nl
    1013  soverin.net
     777  omc-mail.com
     689  sciver.net
     646  mailbox.org
     646  core-networks.de
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts gives the top 12 countries below (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented):
  4463  TOTAL
  1506  DE, Germany
   940  US, United States
   569  NL, Netherlands
   359  FR, France
   159  GB, United Kingdom
   136  CZ, Czech Republic
   111  CA, Canada
    60  CH, Switzerland
    58  SE, Sweden
    55  SG, Singapore
    49  BR, Brazil
    40  DK, Denmark
IPv6 is still comparatively rare for MX hosts. The top 12 countries by DANE MX host IPv6 GeoIP are (the same six countries lead as for IPv4):
  2229  TOTAL
   877  DE, Germany
   429  US, United States
   328  NL, Netherlands
   199  FR, France
    73  CZ, Czech Republic
    68  GB, United Kingdom
    36  SE, Sweden
    29  SG, Singapore
    23  CH, Switzerland
    19  AT, Austria
    15  IE, Ireland
    14  FI, Finland
There are 3701 unique zones in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of servers deployed.
The number of published MX host TLSA RRsets found is 5375. These cover 5759 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 190 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 106 are in recent (last 90 days of) reports:
  gmx.at  mail.de  markteffectmail.nl  nic.br  posteo.de  ouderportaal.nl
  registro.br  ruhr-uni-bochum.de  overheid.nl  gmx.ch  tum.de  pathe.nl
  open.ch  uni-erlangen.de  politie.nl  anubisnetworks.com  unitybox.de  rotterdam.nl
  gmx.com  unitymedia.de  saxion.nl  habr.com  web.de  transip.nl
  kpn.com  egmontpublishing.dk  truetickets.nl  mail.com  netic.dk  uvt.nl
  one.com  tilburguniversity.edu  xs4all.nl  societe.com  eupvsec.eu  domeneshop.no
  solvinity.com  octopuce.fr  handelsbanken.no  t-2.com  web200.hu  webcruitermail.no
  trashmail.com  comcast.net  atelkamera.nu  xfinity.com  dd24.net  aegee.org
  xfinityhomesecurity.com  dns-oarc.net  debian.org  xfinitymobile.com  gmx.net  freebsd.org
  active24.cz  habramail.net  gentoo.org  cuni.cz  hr-manager.net  ietf.org
  destroystores.cz  inexio.net  isc.org  itesco.cz  mpssec.net  lazarus-ide.org
  klubpevnehozdravi.cz  procurios.net  mailbox.org  nic.cz  r4p3.net  netbsd.org
  optimail.cz  t-2.net  openssl.org  smtp.cz  transip.net  samba.org
  allsecur.de  xs4all.net  torproject.org  bayern.de  xworks.net  asf.com.pt
  bund.de  ardanta.nl  handelsbanken.se  elster.de  bhosted.nl  minmyndighetspost.se
  fau.de  boozyshop.nl  personligalmanacka.se  freenet.de  hierinloggen.nl  skatteverket.se
  gmx.de  hr.nl  t-2.si  jpberlin.de  hro.nl  govtrack.us
  kabelmail.de  lrz.de  interconnect.nl  intermax.nl
Of the ~740000 domains, 1911 have "partial" TLSA records that cover only a subset of their MX hosts. While this protects traffic to the covered MX hosts, such domains are still vulnerable to the usual active attacks (downgrade or MITM) via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 246. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. A partial list is available at:
https://github.com/danefail/list
To avoid getting listed, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
http://imrryr.org/~viktor/ICANN61-viktor.pdf
http://imrryr.org/~viktor/icann61-viktor.mp3
http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
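Two of the checks the advice above asks for, written here as an added Python example (not code from this post or from the dane-users project): compute the TLSA matching data for a certificate (the "3 1 1" DANE-EE/SPKI/SHA2-256 form that RFC 7672 recommends for SMTP), compare it with a published record, and test the RFC 7671 section 8.1 rotation rule that the published RRset must already match both the current and the next certificate before the MX host switches keys. To run offline, the certificate is a constructed DER skeleton with dummy key bits; make_fake_cert, rrset_matches_cert and rotation_safe are names chosen for this example. On a real host you would feed in the DER certificate the MX presents and the TLSA RRset from a DNSSEC-validated lookup.

```python
"""Check SMTP DANE TLSA records against an MX host certificate and verify that a key
rotation has been pre-published. Standard library only; the "certificate" built below is
a constructed DER skeleton with dummy key material, not a real certificate."""
import hashlib

RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 (rsaEncryption)


def _der(tag, body):
    """Encode one DER TLV; used only to build the constructed sample certificate."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def make_fake_cert(key_bytes):
    """Certificate-shaped blob: SEQUENCE { tbsCertificate, sigAlg, signature }.
    Returns (cert_der, spki_der). Names, validity and signature are placeholders."""
    alg = _der(0x30, RSA_OID + b"\x05\x00")
    spki = _der(0x30, alg + _der(0x03, b"\x00" + key_bytes))              # dummy key bits
    tbs = _der(0x30, _der(0xA0, b"\x02\x01\x02")                            # [0] version v3
                     + b"\x02\x01\x01" + alg                                # serial, sig alg
                     + _der(0x30, b"") + _der(0x30, b"") + _der(0x30, b"")  # issuer/validity/subject
                     + spki)
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" + b"\xaa" * 24)), spki


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER TLV at pos; handles long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        return tag, pos + n, pos + n + int.from_bytes(buf[pos:pos + n], "big")
    return tag, pos, pos + first


def _children(buf, start, end):
    """Slice the value [start:end) of a constructed TLV into whole child TLVs."""
    out, pos = [], start
    while pos < end:
        _, _, vend = _read_tlv(buf, pos)
        out.append(buf[pos:vend])
        pos = vend
    return out


def spki_from_cert(cert_der):
    """Extract the DER SubjectPublicKeyInfo, which is what TLSA selector 1 is computed over."""
    tag, vs, ve = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tbs = _children(cert_der, vs, ve)[0]
    _, tvs, tve = _read_tlv(tbs, 0)
    fields = _children(tbs, tvs, tve)
    if fields[0][0] == 0xA0:          # optional [0] version; absent means v1
        fields = fields[1:]
    spki = fields[5]                  # serial, sigAlg, issuer, validity, subject, SPKI
    if spki[0] != 0x30:
        raise ValueError("unexpected tag where SubjectPublicKeyInfo should be")
    return spki


def tlsa_matching_data(cert_der, selector, mtype):
    """Association data per RFC 6698: selector 0 = full cert, 1 = SPKI; mtype 0 = raw, 1 = SHA-256, 2 = SHA-512."""
    if selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError("unsupported selector/matching type")
    data = cert_der if selector == 0 else spki_from_cert(cert_der)
    return data if mtype == 0 else hashlib.new(("sha256", "sha512")[mtype - 1], data).digest()


def parse_tlsa(text):
    """Parse presentation form 'usage selector mtype hex...' (the hex may contain spaces)."""
    usage, selector, mtype, *hexparts = text.split()
    return int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts))


def tlsa_for_cert(cert_der, usage=3, selector=1, mtype=1):
    """Record to publish for cert_der; default is '3 1 1', the RFC 7672 recommendation."""
    return "%d %d %d %s" % (usage, selector, mtype, tlsa_matching_data(cert_der, selector, mtype).hex())


def rrset_matches_cert(rrset, cert_der):
    """True if some DANE-EE(3) record in rrset matches the end-entity certificate.
    DANE-TA(2) records are skipped: they name an issuer and need the whole chain to check."""
    for rr in rrset:
        usage, selector, mtype, data = parse_tlsa(rr)
        if usage == 3 and tlsa_matching_data(cert_der, selector, mtype) == data:
            return True
    return False


def rotation_safe(rrset, current_cert, next_cert):
    """RFC 7671 sec. 8.1: the RRset must match the current AND the next cert before the
    MX switches keys, so every resolver sees a matching record whichever cert it gets."""
    return rrset_matches_cert(rrset, current_cert) and rrset_matches_cert(rrset, next_cert)


CURRENT_CERT, CURRENT_SPKI = make_fake_cert(b"\x01" * 64)   # constructed, not real keys
NEXT_CERT, NEXT_SPKI = make_fake_cert(b"\x02" * 64)

if __name__ == "__main__":
    published = [tlsa_for_cert(CURRENT_CERT)]
    print("current key only :", rotation_safe(published, CURRENT_CERT, NEXT_CERT))
    published.append(tlsa_for_cert(NEXT_CERT))
    print("both pre-published:", rotation_safe(published, CURRENT_CERT, NEXT_CERT))
```

The checker deliberately ignores usage 2 records: a "2 1 1" record matches an issuer certificate, so judging it needs the full chain the MX sends, and a monitor that silently treated it as DANE-EE would report false matches. Run rotation_safe from your deployment pipeline before the new key goes live, and keep the old record published until the old TLSA TTL has expired.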
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 509. The top 10 name server operators with problem domains are:
  50  dotserv.com
  38  tiscomhosting.nl
  32  sylconia.net
  30  nrdns.nl
  28  metaregistrar.nl
  24  active24.cz (customer zones with broken wildcard CNAMEs)
  21  nazwa.pl (customer zones with broken wildcard NS RRs)
  18  host-redirect.com
  13  movenext.nl
  11  is.nl
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Three of the domains, all of whose nameservers have broken denial of existence, appear in historical Google reports:
  trtrj.jus.br
  trt01.gov.br
  trtrio.gov.br
Viktor Dukhovni