Summary: The DANE domain count is now 4,158,589 (4,069,697 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 23,220,430 (23,199,861 last month). Thus DANE TLSA is deployed on ~17.90% of domains with DNSSEC. For more stats, see https://stats.dnssec-tools.org/.
A major fraction of the increase in DANE domains is thanks to Cloudflare publishing TLSA records for the MX hosts handling inbound email for ~70k customer domains.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records matching a Let's Encrypt issuing CA, please note important recent and upcoming changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/HESAY65...
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/GLRVY2C...
https://list.sys4.de/hyperkitty/list/dane-users@list.sys4.de/message/X4SS2EE...
[ There's still a steady trickle of domains whose DANE authentication fails because the DST X3 cross certificate for the ISRG X1 root is no longer included by default in Let's Encrypt certificate chains. ]
As of today, I count ~4.16 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                         Last month
----------                         ----------
1299886 one.com                    1305272 one.com
 311818 hostpoint.ch                310345 hostpoint.ch
 231981 infomaniak.ch               228070 infomaniak.ch
 200783 jouwweb.nl                  191647 jouwweb.nl
 173600 transip.nl                  173391 transip.nl
 170737 mijndomein.nl               171433 mijndomein.nl
 166585 simply.com                  161671 simply.com
 131424 argewebhosting.nl           133508 argewebhosting.nl
 112252 hostnet.nl                  112176 hostnet.nl
 110565 domeneshop.no               110331 domeneshop.no
 106658 loopia.se                   106740 loopia.se
  87582 webhostingserver.nl          87960 webhostingserver.nl
  84325 zxcs.nl                      83860 zxcs.nl
  83706 forpsi.com                   83010 forpsi.com
  71228 cloudflare.net               49979 protonmail.ch
  51274 protonmail.ch                41335 antagonist.nl
  41416 antagonist.nl                37883 active24.com
  36256 active24.com                 35476 webreus.nl
  35245 webreus.nl                   27833 xel.nl
  27758 xel.nl                       27552 pcextreme.nl
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                     Last month
----------                     ----------
12355 TOTAL                    12348 TOTAL
 4035 DE, Germany               3958 DE, Germany
 1960 NL, The Netherlands       1962 NL, The Netherlands
 1925 US, United States         1929 US, United States
  876 FR, France                 888 FR, France
  488 CZ, Czechia                492 CZ, Czechia
  421 GB, United Kingdom         418 GB, United Kingdom
  310 FI, Finland                309 FI, Finland
  242 CH, Switzerland            231 CH, Switzerland
  211 CA, Canada                 209 CA, Canada
  190 SE, Sweden                 204 AT, Austria
  171 DK, Denmark                175 SE, Sweden
  153 AU, Australia              168 DK, Denmark
  123 AT, Austria                150 AU, Australia
  115 SG, Singapore              119 SG, Singapore
  107 RU, Russia                 115 PL, Poland
  104 PL, Poland                 100 RU, Russia
   65 NO, Norway                  66 NO, Norway
   64 BR, Brazil                  60 BR, Brazil
   63 IT, Italy                   57 JP, Japan
   55 JP, Japan                   56 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month                     Last month
----------                     ----------
 9920 TOTAL                     9785 TOTAL
 4295 NL, The Netherlands       4215 NL, The Netherlands
 2915 DE, Germany               2907 DE, Germany
  916 US, United States          906 US, United States
  425 FR, France                 398 FR, France
  212 CZ, Czechia                213 CZ, Czechia
  189 GB, United Kingdom         185 GB, United Kingdom
  115 FI, Finland                116 FI, Finland
   92 CA, Canada                  88 CA, Canada
   88 SE, Sweden                  83 SE, Sweden
   79 CH, Switzerland             80 CH, Switzerland
   70 AU, Australia               76 AU, Australia
   61 AT, Austria                 56 AT, Austria
   45 SG, Singapore               43 SG, Singapore
   40 JP, Japan                   40 JP, Japan
   32 RO, Romania                 32 RU, Russia
   32 BR, Brazil                  31 RO, Romania
   31 NO, Norway                  31 NO, Norway
   30 RU, Russia                  30 DK, Denmark
   27 DK, Denmark                 30 BR, Brazil
   19 LT, Lithuania               17 LT, Lithuania
There are 10,936 unique zones (10,895 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 22,121 (21,863 last month). These cover 22,427 distinct MX hosts (22,163 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 1,381 (1,272 last month, this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 758 (743 last month) are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~4.16 million DANE domains, 14,232 (14,334 last month) have "partial" TLSA records that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 2,669 (2,344 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:
  545 mx2.xcellerate.nl
  169 mx2.tkservers.com
   72 mail.fiyge.com
   66 beta.itcomputers.eu
   38 master.redinta.com
   24 mx-5.magellanic.eu
   22 semark.dk
   22 hello.mailray.dk
   16 mail.nationaalarchief.nl
   14 mx.jmt.gr
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 624 (697 last month). The top 10 name server operators with problem domains are:
This month                     Last month
----------                     ----------
  446 neostrada.nl               463 neostrada.nl
   47 worldnic.com                54 worldnic.com
   21 active24.cz                 21 active24.cz
   17 openprovider.nl             17 openprovider.nl
   13 sectigoweb.com              14 sectigoweb.com
   10 register.com                12 register.com
    7 dnssrv.nl                    7 dnssrv.nl
    6 vultr.com                    6 vultr.com
    6 ispapi.net                   6 ispapi.net
    6 forpsi.net                   6 forpsi.net
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of existence appears in the last 120 days of Google transparency reports:
-- Viktor.
[0] Credits: Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and team). Wes also hosts and maintains the https://stats.dnssec-tools.org website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data support from Chris Mikkelson from domaintools.com. Credits also due to ICANN providing gTLD data via CZDS, and to the ccTLD registries for .CH, .DK, .FI, .FR, .IS, .LI, .NL, .NU and .SE. More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports:
orbiit.app landtag-mv.de ezorg.nl univie.ac.at lmu.de fitnesskoerier.nl gmx.at lrz.de fivecityspa.nl vbv.at mail.de floathouse.nl vorsorgekasse.at mail2many.de hobbygigant.nl boozyshop.be mensa.de home.nl lesbastions.be mpg.de hostnet.nl medinaexpo.be mvnet.de hr.nl ringkortrijk.be oberstdorf.de hro.nl shopping-nivelles.be osnanet.de huurexpert.nl triodos.be posteo.de huusken.nl nra.bg ruhr-uni-bochum.de ikdeburger.nl dwvmail.com.br secumail.de interim-netwerk.nl e-negociacao.com.br sifjakobs.de jointherebellion.nl e-renegocie.com.br sillysanta.de kadaster.nl zaaztelecom.com.br smartwatcharmbaender.de kiesrijk.nl aneel.gov.br sys4.de kinderkleding-tekoop.nl nic.br taures.de klassiekemuziek.nl mst.org.br th-nuernberg.de ledcustoms.nl registro.br tu-darmstadt.de liveatamsterdamsebos.nl greenpeace.ca tum.de maastrichtuniversity.nl ph.casino tutanota.de mailmore.nl activfitness-news.ch uni-augsburg.de mailon.nl blackout-bonusclub.ch uni-bielefeld.de mailplus.nl gmx.ch uni-erlangen.de managementboek.nl hostpoint.ch uni-muenchen.de markteffectmail.nl infomaniak.ch vicinityclo.de mcmta.nl msochrono.ch web.de merkmeisjeskleding.nl only-grams.ch westlotto.de mijndomein.nl open.ch sanchezadv.digital minbzk.nl protonmail.ch aeldresagen.dk mindef.nl sherlockhomes.ch allbuy.dk minvenj.nl sms-gagnant.ch anna-hjorth.dk mm1.nl switch.ch annebrauner.dk mulderretail.nl votreopinion.ch anodyne.dk nefkens.nl biolinky.co athleticstudio.dk nieuwsservice-rvo.nl formsubmit.co attode.dk nmnhevents.nl ipregistry.co avabeauty.dk notbranded.nl lumitherapy.co backpackerlife.dk ns.nl simplelogin.co bambustoej.dk nutribites.nl aim-care.com barons.dk nuudcare.nl akuislam.com bigsaver.dk nuwegexclusief.nl albourne.com bisgaardshoes.dk opnaarwonderland.nl alcanside.com blandselvfroe.dk ouderportaal.nl also.com bog.dk outlawevents.nl anonaddy.com bystinewinther.dk overheid.nl ansigtsyogaonline.com camillakroeyer.dk oxilionhosted.nl aotax.com champagnekaelderen.dk ozsw.nl autogespot.com 
champagneklubben.dk partijvoordedieren.nl azizbekkaoui.com computerworld.dk partnermail.nl barasportswear.com damask.dk pharmacom.nl beyondmedals.com danskebank.dk picacongressen.nl buroventures.com densidsteflaske.dk podiumcadeaukaart.nl byic.com dfi.dk politie.nl cainte.com dressforsuccess.dk pp-prd.nl canva-facile.com ejvinds.dk previder.nl caskcartel.com fibianet.dk proefdiervrij.nl cm.com fodboldgaver.dk prorun-mail.nl collarofsweden.com foraeldresparring.dk protislank.nl connectsb.com frisorenogbaronen.dk puurfiguur.nl danskebank.com fvst.dk pvv.nl datev.com garna.dk quicknet.nl detectiveforaday.com gastrotools.dk rdw.nl driverscloud.com globestudios.dk rebirth-festival.nl enoksenwatches.com hook-up.dk rechtspraak.nl europesnus.com hostedsepo.dk restaurant-sparkling.nl explorer-hotels.com idelig.dk rijksoverheid.nl fabfilter.com inkpro.dk rivm.nl farmergracy.com kagegrisen.dk rotterdam.nl fastware-hosting.com kk.dk rustinouderschap.nl flaneurhomme.com kodbilen.dk sans-mail.nl fromanteel-watches.com konkurspriser.dk schuurman-schoenen.nl funkysimplicity.com kystfisken.dk shampoobars.nl gearboxdigital.com lacabra.dk shoesme.nl giarite.com lederstof.dk sizzthebrand.nl gmx.com littleluux.dk smartwatchbanden.nl gohoeorgohome.com localfitness.dk spamservice.nl goodforme.com lollyslaundry.dk sportrusten.nl gosoaky.com lomax.dk ssonet.nl grimfrost.com mastri.dk stater.nl habitamat.com memery.dk supportervanschoon.nl habr.com merchhub.dk teeshoppen.nl hannahbarrettyoga.com mobilcovers.dk telefoonglaasje.nl headachecalendar.com modekompagniet.dk thealphamen.nl heartymail.com modstroem.dk thefightcompany.nl highcharts.com musclehouse.dk thehappybed.nl hwigroup.com netic.dk transip.nl imcnig.com nexsmart.dk triodos.nl infomaniak.com nfinitybeauty.dk truetickets.nl ingthink.com nimara.dk u-mailer.nl intakt.com no1shop.dk uitgeverijpica.nl jesuis1as.com nordd.dk upcmail.nl johnbeerens.com nordelegastro.dk upfront.nl joomlapolis.com nota.dk uvt.nl jula.com online-mode.dk 
uwv.nl justpadel.com opdagverden.dk vacaturesonline.nl kabayarefashion.com perfectjeans.dk valys.nl kae-cosmetici.com powercircle.dk vivonline.nl kheaa.com salinassundhed.dk vluchtelingenwerk.nl lantzcph.com sengefabrikken.dk vunzigedeuntjes.nl leszexpertsfle.com seniornews.dk vvv-venlo.nl librti.com shapeit.dk watchbandjes-shop.nl lizamariefit.com sillysanta.dk waternet.nl luxembourgartprize.com skjold-burne.dk werkzoeken.nl mail.com sneakerzone.dk ziggo.nl maileroo.com sofiamanning.dk zorgmail.nl mailzerver.com stil.dk babybanden.no marsblade.com stormfashion.dk bull-ski-kajakk.no medicaskinpro.com sygeforsikring.dk chillout.no meriamecouture.com taenk.dk domeneshop.no milamovement.com themeatclub.dk dressmykid.no mplbeauty.com thenap.dk gjormer.no mxuptime.com thesneakerstore.dk guttelus.no mydrivingacademy.com trueliving.dk hoppin.no natutube.com trustfitness.dk hypopressivtrening.no neonfilter.com uni-c.dk hyttefeber.no nine-pine.com venderbys.dk idrettenonline.no nomadeyewear.com viggo.dk kristinetghardeberg.no nordicbasketball.com vind.dk lillepr.no nordicdogtrainer.com vissevasse.dk marikrogshus.no novashops.com yuaiahaircare.dk metaburn.no oenling.com tilburguniversity.edu mystuff.no offshorecorptalk.com boostyourself.ee nordiskbylien.no one.com holt.ee norisma.no onezoz.com maarahvapood.ee norskgrammatikk.no orsys.com minuvalik.ee raskebriller.no ottobredesign.com pesapuuperekeskus.ee rushtrampoline.no ourcountryourchoice.com sirena.ee russedress.no pageloot.com surveyturtle.ee smaaungene.no pipfitk9.com turunduslabor.ee spillfabrikken.no planetnusa.com myownconference.email strikkia.no polyas.com spam-filter.email webcruitermail.no pompomlondon.com spotler.email atelkamera.nu ppcpcv.com talentech.email goget.nu protonmail.com logalty.es happydays.nu recwatches.com triodos.es lenhud.nu remy-jupille.com egu.eu aarding.org rightandfree.com zone.eu calyxinstitute.org run-motion.com zonevs.eu checkmyads.org runbox.com danskebank.fi debian.org 
sankakucomplex.com fsol.fi digital-shift.org schizinfo.com handelsbanken.fi freebsd.org scorecloud.com hersecret.fi fridaysforfuture.org secureandprosper.com metaburn.fi gentoo.org serverclienti.com swiftbanker.fi ietf.org siratperfumes.com traficom.fi isc.org sisuknitwear.com ac-strasbourg.fr mailbox.org solvinity.com braceletsmartwatch.fr mailop.org space4server.com compagnie-des-sens.fr netbsd.org spellcases.com edtm-actu.fr openssl.org stasdock.com oo2.fr ozlabs.org stater.com printique.fr postfix.org stellarequipment.com privea.fr rfc-editor.org tcs.com fvap.gov samba.org techspot.com aklub.hu torproject.org techvisiongames.com fidesz.hu turtle-wow.org teeshoppen.com italiamail.hu un-ihe.org theintercept.com pulowear.hu psgaz.pl thelabelmachine.com vidammokus.hu circusbet.rs thetranslatoracademy.com bluebiz.info loopia.rs tibush.com j360.info mobily.com.sa triodos.com onesignal.info advisamail.se tuftingshop.com eurocontrol.int arbetsformedlingen.se tutanota.com meeds.io bearbell.se uat-landgorilla.com ryde.io bearplayshop.se ugritone.com nuudcare.it bilprovningen.se up2staff.com ultima-generazione.it blandafron.se varietymode.com hoj.life dingolfshop.se vivaldi.com neolink.link ellevio.se webcruiter.com education.lu epochtimes-mejl.se win-rar.com etat.lu fotproffsen.se xfinity.com restena.lu getvibes.se xfinityhomesecurity.com anonaddy.me glowid.se xfinitymobile.com pm.me handelsbanken.se ymeuniverse.com proton.me hellomantle.se zangra.com army.mil inkrebel.se ez.community dla.mil innebandy24.se bncr.fi.cr health.mil isayshop.se airbank.cz jten.mil jaramba.se akce-incomputer.cz mail.mil kidsonestore.se balikovna.cz navy.mil koreanbeauty.se bewooden.cz nga.mil kth.se cokoladovnajanek.cz osd.mil kursledarskap.se cpost.cz socom.mil livlyclothing.se creammy.cz spaceforce.mil lnu.se csob.cz uscg.mil lomervarde.se csobhypotecni.cz usmc.mil loopia.se csobstavebni.cz onesignal.mobi merchsweden.se cuni.cz aifi.net mikaelapuranen.se dashofer.cz anarchistfederation.net 
minmyndighetspost.se dedra.cz anarcho-punk.net naprapatlandslaget.se e-kondomy.cz comcast.net naturligtsnygg.se ekokoza.cz ewetel.net northsquad.se fio.cz ficbook.net polisen.se gov.cz fivem.net redaktionen.se hangarbrno.cz forwardemail.net relode.se hobynaradi.cz gmx.net samblamail.se innogy.cz habramail.net sillysanta.se itesco.cz hr-manager.net silverdotter.se kb.cz institutocultivo.net skatteverket.se klenotyaurum.cz listelixr.net skolverket.se klubpevnehozdravi.cz mailanyone.net soleplus.se ksporting.cz masterinter.net svenskhusman.se manymail.cz mpssec.net teeshoppen.se mbank.cz pirate-punk.net teknikdelar.se mfcr.cz procurios.net teknikhallen.se mindsoft.cz ripe.net theletter.se mkluzkoviny.cz riseup.net websupport.se mojedatovaschranka.cz s-qrc.net agatinsvet.sk mrakyhracek.cz soverin.net coopka.sk mujandilek.cz space.net dublez.sk muni.cz t-2.net edirect.sk nic.cz transip.net fio.sk o2.cz alexstory.nl hecht.sk optimail.cz amsterdam.nl mamaaja.sk outlet-alpine.cz aquastorexl.nl meditec.sk p-info.cz arthouse-online.nl mklozkoviny.sk pivoteka.cz balanzs.nl mnforce-panel.sk poptavej.cz bankhoesdiscounter.nl nakupujzdravo.sk scrptd.cz bearlifestyle.nl nameserver.sk server4u.cz belastingdienst.nl nlp-akademia.sk smdledzarovky.cz bellobox.nl partner.sk smtp.cz beterspellen.nl penzionmara.sk sparkys.cz bewustpuur.nl poziadavka.sk stoklasa.cz bhosted.nl primatravel.sk tefal.cz blushfashionstore.nl rondogo.sk thinline.cz bobo.nl travelmail.sk tiscali.cz body-supplies.nl zapardrobnych.sk virusfree.cz bolerolimonadewinkel.nl exercere.store vitalpoint.cz boozyshop.nl zeit-des-wandels.tv vshosting.cz box.nl boca.gov.tw vzp.cz bruut.nl clientnews2.co.uk zafido.cz burgernet.nl clientnews3.co.uk zdravestravovani.cz carre.nl clientnews4.co.uk zonky.cz casema.nl handelsbanken.co.uk bayern.de cbr.nl harrogateorganics.co.uk bisgaardshoes.de chello.nl honeybalm.co.uk brandenburg.de citotoetsgroep4.nl millieandblake.co.uk bund.de clubplanner.nl nuudcare.co.uk datev.de 
commithappiness.nl thecalzonekitchen.co.uk dbtg.de cornemarchand.nl thewordman.co.uk denic.de debrandaris.nl triodos.co.uk dfn.de degros.nl nuudcare.us elster.de denhaag.nl quantum-services.us ewetel.de deonlinetandarts.nl ru.ac.za fau.de derooijfotografie.nl swiftbanker.co.za freenet.de desan.nl pnw.zone gmx.de digid.nl benzakdenimdevelopers.com huellen-shop.de dimehouse.nl thingsilikethingsilove.com iks-jena.de dorcas.nl agirpourlenvironnement.org jawliner.de duo.nl allevakantiehuizeninbelgie.nl jpberlin.de esuals.nl hoogenboezem-nieuwsbrieven.nl kultus-bw.de extinctionrebellion.nl
Viktor Dukhovni
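Editor's added example, not part of Viktor's post or of the linked dane-users resources: a small TLSA sanity checker in the spirit of the "monitor the validity of your own TLSA records" advice above. It flags the three situations the report counts separately: "partial" deployments where a secondary MX host has no TLSA RRset, malformed records (wrong digest length, PKIX usages that are meaningless for SMTP), and records that do not match what the server presents, including a DANE-TA(2) record pinned to a root whose certificate the server no longer sends, which is the shape of the Let's Encrypt cross-certificate failure mentioned above. Everything in it is constructed: the hostnames, the RRsets and the "certificate" byte strings are stand-ins, and DER parsing and chain signature verification are left to a real X.509 library and the MTA; only the matching-data computation (RFC 6698 selector/matching type) is real.

```python
"""TLSA sanity checker (added illustration; stdlib only, runs offline).

Per RFC 6698/7671/7672 it checks that every MX host has a TLSA RRset, that each
record is well-formed, and that usable records match the presented chain.
Chain *signature* verification is assumed to be done elsewhere (by the MTA).
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Record = Tuple[int, int, int, bytes]          # (usage, selector, mtype, data)
DIGEST_LEN = {0: None, 1: 32, 2: 64}          # mtype -> expected digest length
VALID_USAGE, VALID_SELECTOR, VALID_MTYPE = {0, 1, 2, 3}, {0, 1}, {0, 1, 2}
SMTP_USAGES = {2, 3}                          # PKIX-TA(0)/PKIX-EE(1) unusable for SMTP


@dataclass(frozen=True)
class Cert:
    """Constructed stand-in: DER of the full certificate and of its SPKI."""
    der: bytes
    spki: bytes


def fake_cert(name: str) -> Cert:
    # Placeholder bytes (constructed). A real checker parses DER and extracts
    # the SubjectPublicKeyInfo with an X.509 library.
    return Cert(der=b"CERT:" + name.encode(), spki=b"SPKI:" + name.encode())


def matching_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """RFC 6698 'certificate association data' for the given selector/mtype."""
    data = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return data
    return (hashlib.sha256 if mtype == 1 else hashlib.sha512)(data).digest()


def tlsa_record(usage: int, selector: int, mtype: int, cert: Cert) -> Record:
    """The record you would publish for `cert`, e.g. the usual '3 1 1'."""
    return (usage, selector, mtype, matching_data(cert, selector, mtype))


def check_record(rr: Record) -> Optional[str]:
    """Return a problem description, or None if the record is usable for SMTP."""
    usage, selector, mtype, data = rr
    if usage not in VALID_USAGE or selector not in VALID_SELECTOR or mtype not in VALID_MTYPE:
        return "unknown usage/selector/matching type"
    if usage not in SMTP_USAGES:
        return "PKIX usage %d is not usable for SMTP (RFC 7672)" % usage
    want = DIGEST_LEN[mtype]
    if want is not None and len(data) != want:
        return "digest length %d, expected %d" % (len(data), want)
    return None


def record_matches(rr: Record, chain: List[Cert]) -> bool:
    """DANE-EE(3) matches the leaf; DANE-TA(2) must match an issuer cert that
    the server actually sends (chain[0] is the leaf)."""
    usage, selector, mtype, data = rr
    candidates = chain[:1] if usage == 3 else chain[1:]
    return any(matching_data(c, selector, mtype) == data for c in candidates)


def check_domain(mx_hosts: List[str], tlsa: Dict[str, Optional[List[Record]]],
                 chains: Dict[str, Optional[List[Cert]]]) -> dict:
    """chains[host] is None for an MX host that never accepts connections; such a
    host only needs well-formed records (see footnote [1] above)."""
    report = {"covered": [], "partial": [], "broken": []}
    for host in mx_hosts:
        rrset = tlsa.get(host)
        if not rrset:
            report["partial"].append(host)          # secondary without TLSA
            continue
        usable = [rr for rr in rrset if check_record(rr) is None]
        if not usable:
            report["broken"].append(host)           # every record malformed
            continue
        chain = chains.get(host)
        if chain is None or any(record_matches(rr, chain) for rr in usable):
            report["covered"].append(host)
        else:
            report["broken"].append(host)           # published, but no match
    if not any(tlsa.get(h) for h in mx_hosts):
        report["status"] = "none"
    elif report["broken"]:
        report["status"] = "broken"
    elif report["partial"]:
        report["status"] = "partial"
    else:
        report["status"] = "ok"
    return report


def demo() -> dict:
    """Constructed scenarios (hostnames and certificates are not real)."""
    leaf, r3, root, dead = (fake_cert(n) for n in ("leaf", "intermediate", "root", "dead"))
    partial = check_domain(
        ["mx1", "mx2", "mx3"],
        {"mx1": [tlsa_record(3, 1, 1, leaf)], "mx2": None, "mx3": [tlsa_record(3, 1, 1, dead)]},
        {"mx1": [leaf, r3], "mx3": None})         # mx3 is a deliberately dead host
    # TA record pinned to the root, but the server sends only leaf + intermediate
    ta_missing = check_domain(["mx"], {"mx": [tlsa_record(2, 1, 1, root)]}, {"mx": [leaf, r3]})
    ta_ok = check_domain(["mx"], {"mx": [tlsa_record(2, 1, 1, r3)]}, {"mx": [leaf, r3]})
    malformed = check_domain(["mx"], {"mx": [(3, 1, 1, b"\x00" * 20)]}, {"mx": [leaf, r3]})
    return {"partial": partial, "ta_missing_from_chain": ta_missing,
            "ta_ok": ta_ok, "malformed": malformed}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, rep)
```

In production the `chains` dictionary would come from an actual STARTTLS handshake against each MX host and `tlsa` from a DNSSEC-validated lookup of `_25._tcp.<mx host>`; the checker's verdicts are what you would page on.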