Summary: The DANE domain count is now 2,522,820 (up from 2,351,764 last month and 1,734,012 this time last year).
The number of domains that return DNSSEC-validated replies in response to MX queries is 13,559,686 (up from 13,221,772 last month and 10,715,677 this time last year). Thus DANE TLSA is deployed on ~18.60% of domains with DNSSEC.
The Let's Encrypt issuer CA switch from X3/X4 to R3/R4 has taken place, but some X3-issued certificates have not yet expired and will soon be renewed via R3. Take proactive steps to avoid mail delivery issues:
http://dnssec-stats.ant.isi.edu/~viktor/x3hosts.html
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
As of today I count 2,522,820 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
This month                    Last Month                    Last year
----------                    ----------                    ---------
1,197,409 one.com             1,131,984 one.com             1,019,882 one.com
  146,757 transip.nl            145,526 transip.nl            132,965 transip.nl
  146,041 argewebhosting.nl     145,371 argewebhosting.nl      99,844 domeneshop.no
  103,374 domeneshop.no         103,043 domeneshop.no          88,024 loopia.se
   98,861 webhostingserver.nl    93,223 infomaniak.ch          37,425 active24.com
   96,166 infomaniak.ch          91,856 loopia.se              31,555 vevida.com
   92,051 loopia.se              66,281 forpsi.com             29,476 antagonist.nl
   66,772 forpsi.com             41,628 webreus.nl             26,738 web4u.cz
   41,264 webreus.nl             40,442 active24.com           24,646 udmedia.de
   40,642 active24.com           40,363 pcextreme.nl           18,342 zxcs.nl
   39,895 pcextreme.nl           34,985 antagonist.nl          17,227 bhosted.nl
   35,523 antagonist.nl          30,298 zxcs.nl                15,468 flexfilter.nl
   31,194 zxcs.nl                30,200 vevida.com             13,505 onebit.cz
   30,096 vevida.com             29,937 webhostingserver.nl     8,765 protonmail.ch
   27,456 webhosting.dk          26,412 web4u.cz                5,886 netzone.ch
   26,566 web4u.cz               25,722 udmedia.de              5,632 previder.nl
   25,718 udmedia.de             18,438 bhosted.nl              4,707 mailplatform.eu
   18,487 bhosted.nl             14,501 flexfilter.nl           4,116 soverin.net
   14,530 protonmail.ch          14,340 onebit.cz               3,548 ips.nl
   14,434 onebit.cz              13,807 protonmail.ch           3,239 zonemx.eu
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts gives the top 20 countries below (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
This month                Last month                Last year
----------                ----------                ---------
7,799 TOTAL               7,559 TOTAL               6,015 TOTAL
2,390 DE, Germany         2,386 DE, Germany         1,998 DE, Germany
1,497 US, United States   1,465 US, United States   1,209 US, United States
1,437 NL, Netherlands     1,261 NL, Netherlands       892 NL, Netherlands
  637 FR, France            624 FR, France            480 FR, France
  279 GB, United Kingdom    293 GB, United Kingdom    229 GB, United Kingdom
  227 CZ, Czechia           236 CZ, Czechia           194 CZ, Czechia
  170 CA, Canada            166 CA, Canada            128 CA, Canada
  123 FI, Finland           113 FI, Finland            82 CH, Switzerland
  113 DK, Denmark           111 SG, Singapore          79 SG, Singapore
  109 SG, Singapore          99 CH, Switzerland        74 SE, Sweden
   99 CH, Switzerland        90 SE, Sweden             67 DK, Denmark
   88 SE, Sweden             79 DK, Denmark            54 FI, Finland
   63 AU, Australia          60 AU, Australia          46 IE, Ireland
   62 AT, Austria            51 AT, Austria            45 AT, Austria
   42 IE, Ireland            45 IE, Ireland            38 PL, Poland
   40 BR, Brazil             39 IN, India              38 JP, Japan
   38 IN, India              39 BR, Brazil             38 AU, Australia
   34 JP, Japan              37 RU, Russia             30 RU, Russia
   33 PL, Poland             37 PL, Poland             26 BR, Brazil
   30 RU, Russia             35 JP, Japan              24 IT, Italy
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
This month                Last month                Last year
----------                ----------                ---------
6,378 TOTAL               4,384 TOTAL               3,103 TOTAL
3,183 NL, Netherlands     1,577 DE, Germany         1,275 DE, Germany
1,587 DE, Germany         1,215 NL, Netherlands       540 US, United States
  606 US, United States     598 US, United States     463 NL, Netherlands
  287 FR, France            289 FR, France            261 FR, France
  136 CZ, Czechia           133 CZ, Czechia           105 CZ, Czechia
  112 GB, United Kingdom    113 GB, United Kingdom     90 GB, United Kingdom
   48 CA, Canada             45 SE, Sweden             41 SE, Sweden
   44 CH, Switzerland        45 CH, Switzerland        33 SG, Singapore
   42 AT, Austria            45 CA, Canada             30 CH, Switzerland
   38 SG, Singapore          39 SG, Singapore          28 JP, Japan
   36 SE, Sweden             36 AT, Austria            28 CA, Canada
   27 RU, Russia             22 RU, Russia             24 AT, Austria
   22 IE, Ireland            22 IE, Ireland            18 IE, Ireland
   19 UA, Ukraine            19 JP, Japan              17 RU, Russia
   19 JP, Japan              18 FI, Finland            15 DK, Denmark
   18 AU, Australia          16 NO, Norway             14 SI, Slovenia
   17 NO, Norway             15 BR, Brazil             13 NO, Norway
   17 FI, Finland            15 AU, Australia          13 ID, Indonesia
   17 DK, Denmark            14 DK, Denmark            12 FI, Finland
   14 BR, Brazil             10 UA, Ukraine            12 BR, Brazil
There are 6,291 unique zones in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 14,130. These cover 14,328 distinct[3] MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 420 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 262 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~2.52 million domains, 13,070 (13,189 last month) have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1155 (817 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources

http://tools.ietf.org/html/rfc7671#section-8.1
http://tools.ietf.org/html/rfc7671#section-8.4
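The three failure modes above (TLSA records covering only some MX hosts, records that no longer match what the host presents, and records that stop matching after a key or issuer change such as X3 to R3) can all be checked offline from the RRset and the certificate chain an MX host presents. The Python below is an added example written for this page, not code from the survey or its author. It works on constructed byte strings standing in for DER certificates and SubjectPublicKeyInfo blobs (fetching a real chain over TLS is left out), the hostnames mx1.example and mx2.example are placeholders, and the lint rules encode the advice from the links above: prefer "3 1 1" with a pre-published next key, avoid "3 0 x" full-certificate matching, and treat usage-2 issuer pins as fragile.

```python
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact match, 1 SHA-256, 2 SHA-512
    data: bytes     # certificate association data


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation-format RDATA such as '3 1 1 2bb1...'.
    The hex field may be split by whitespace, as some zone files do."""
    fields = rdata.split(None, 3)
    if len(fields) != 4:
        raise ValueError(f"malformed TLSA RDATA: {rdata!r}")
    usage, selector, mtype = (int(f) for f in fields[:3])
    if usage not in (0, 1, 2, 3) or selector not in (0, 1) or mtype not in (0, 1, 2):
        raise ValueError(f"unsupported TLSA parameters in {rdata!r}")
    data = bytes.fromhex("".join(fields[3].split()))
    expected_len = {1: 32, 2: 64}.get(mtype)
    if expected_len is not None and len(data) != expected_len:
        raise ValueError(f"{len(data)}-byte digest does not fit matching type {mtype}")
    return TLSA(usage, selector, mtype, data)


def association_data(cert_der: bytes, spki_der: bytes, selector: int, mtype: int) -> bytes:
    """The bytes a record with this selector and matching type must carry."""
    obj = cert_der if selector == 0 else spki_der
    if mtype == 0:
        return obj
    if mtype == 1:
        return hashlib.sha256(obj).digest()
    return hashlib.sha512(obj).digest()


Cert = Tuple[bytes, bytes]  # (certificate DER, SubjectPublicKeyInfo DER)


def matching_records(rrset: Sequence[TLSA], chain: Sequence[Cert]) -> List[TLSA]:
    """Records satisfied by the chain an MX host presents (end-entity first).
    DANE-EE(3) must match the end-entity certificate; DANE-TA(2) may match any issuer
    in the chain. PKIX-TA(0)/PKIX-EE(1) are unusable for DANE SMTP (RFC 7672)."""
    matched = []
    for rr in rrset:
        if rr.usage == 3:
            candidates = chain[:1]
        elif rr.usage == 2:
            candidates = chain[1:]
        else:
            continue
        if any(association_data(c, k, rr.selector, rr.mtype) == rr.data for c, k in candidates):
            matched.append(rr)
    return matched


def lint_rrset(rrset: Sequence[TLSA]) -> List[str]:
    """Flag record shapes that break on routine certificate or issuer changes."""
    warnings = []
    for rr in rrset:
        shape = f"{rr.usage} {rr.selector} {rr.mtype}"
        if rr.usage in (0, 1):
            warnings.append(f"{shape}: PKIX usages are ignored by DANE SMTP clients")
        if rr.usage == 3 and rr.selector == 0:
            warnings.append(f"{shape}: full-certificate match breaks at every renewal")
        if rr.usage == 2:
            warnings.append(f"{shape}: issuer pinning breaks when the CA rotates intermediates")
    if not any(rr.usage == 3 and rr.selector == 1 for rr in rrset):
        warnings.append("no 3 1 1 record: publish one for the current key and one for the next")
    return warnings


def coverage(mx_tlsa: Dict[str, Sequence[TLSA]]) -> str:
    """'full' if every MX host has TLSA records, 'partial' if only some, else 'none'."""
    have = [bool(rrs) for rrs in mx_tlsa.values()]
    if have and all(have):
        return "full"
    return "partial" if any(have) else "none"


# Constructed sample material standing in for DER blobs; not real certificates or keys.
OLD_KEY = b"constructed SPKI of the previous server key"
NEW_KEY = b"constructed SPKI of the current server key"
NEW_CERT = b"constructed end-entity certificate carrying the current key"
OLD_ISSUER: Cert = (b"constructed old intermediate cert", b"constructed old intermediate key")
NEW_ISSUER: Cert = (b"constructed new intermediate cert", b"constructed new intermediate key")


def demo() -> dict:
    """Audit a constructed RRset against the chain an MX host presents after a renewal."""
    chain = [(NEW_CERT, NEW_KEY), NEW_ISSUER]
    rrset = [
        TLSA(3, 1, 1, association_data(NEW_CERT, NEW_KEY, 1, 1)),  # current key: matches
        TLSA(3, 1, 1, association_data(b"", OLD_KEY, 1, 1)),       # retired key: harmless leftover
        TLSA(2, 1, 1, association_data(*OLD_ISSUER, 1, 1)),        # old issuer pin: no longer matches
        TLSA(3, 0, 1, association_data(NEW_CERT, NEW_KEY, 0, 1)),  # full-cert hash: dies at next renewal
    ]
    return {
        "matched": [f"{r.usage} {r.selector} {r.mtype}" for r in matching_records(rrset, chain)],
        "warnings": lint_rrset(rrset),
        "coverage": coverage({"mx1.example": rrset, "mx2.example": []}),
    }
```

Run `demo()` to see the three outputs together: the RRset still validates (the "3 1 1" and "3 0 1" records match), but the lint pass reports the two records that will fail at the next renewal or issuer change, and the domain is only "partial" because mx2.example publishes nothing. A monitor built on this should alert when `matching_records` returns an empty list for any MX host, not merely when a single record goes stale.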
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 940 (1491 last month). The top 10 name server operators with problem domains are:
This Month                  Last month                  Last year
----------                  ----------                  ---------
325 registrar-servers.com   425 registrar-servers.com   347 registrar-servers.com
116 movenext.nl             406 axc.nl                  221 mijnhostingpartner.nl
 86 ebola.cz                107 movenext.nl              95 egensajt.se
 25 tiscomhosting.nl         89 ebola.cz                 62 movenext.nl
 24 epik.com                 25 tiscomhosting.nl         59 eurodns.com
 23 eatserver.nl             25 mijndomein.nl            47 metaregistrar.nl
 17 infracom.nl              24 eatserver.nl             32 tiscomhosting.nl
 14 ns01.nl                  22 epik.com                 29 nrdns.nl
 12 renault.fr               17 infracom.nl              26 hostnet.nl
 11 nrdns.nl                 15 cloudflare.com           24 ebola.cz
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Six of the domains all of whose nameservers have broken denial of existence appear in the last 120 days of Google transparency reports:
coren-sp.gov.br
trt1.jus.br
bncr.fi.cr
ofda.gov
mobily.com.sa
sauditelecom.com.sa
Viktor Dukhovni