As of today I count 110505 domains with correct DANE TLSA records for SMTP. As expected the bulk of the DANE domains are hosted the handful of DNS/hosting providers who've enabled DANE support in bulk for the domains they host. The top 10 MX host providers by domain count are:
43813 domeneshop.no 35704 transip.nl 15495 udmedia.de 2022 bhosted.nl 1332 nederhost.net 896 ec-elements.com 409 core-networks.de 307 uvt.nl 282 bit.nl 275 omc-mail.com
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, and in particular .de and .nl.
There are 2401 unique zones in which the underlying MX hosts are found, this counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of servers deployed. Alternatively, a similar number is seen in the count (2522) of distinct MX host server certificates that support the same ~110000 domains.
Of the ~110000 domains, 565 have "partial" TLSA records, that cover only a subset of the MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 64 (~4 are recent additions that will likely be resolved soon, the remaining ~60 are the for now stable population of broken domains). This month I'm posting the top 50 entries, these are domains that have been on that list for the longest time.
Hall of Shame:
castleturing.net goldenhairdafo.net dexalo.de nonoserver.info inu.nl dexalo.eu wm.net.nz dnsmadefree.com digitalwebpros.com apachedemo.de z0z0.me jeremyness.com oostergo.net pksvice.cz maximilian-greger.com thothnet.org ttygap.net copi.org wipedivision.cz bels.cz delphij.net rajmax.si baobrien.org poderdoalimento.com.br acsemb.org baobrien.guru rnrfunco.net dhautefeuille.eu pieterpottie.com sgt.com dinepont.fr sylvieandpieter.com rnrfunco.com hlfh.space sylviesfollies.com puz.de 12xu.info flatcap.org zencrypt.de warunek.net russon.org freeservices.net giesen.me amadigi.ovh kuzenkov.net kamikazekippetjes.nl duffau.net obninsk.biz myzt.nl daallexx.eu
The number of domains with bad DNSSEC support is 434. The top 10 DNS providers (by broken domain count) are:
62 axc.nl - Slated to be resolved 37 infracom.nl - Slated to be resolved 18 loopia.se 18 active24.cz 16 domaincontrol.com - notified 14 jsr-it.nl 12 rdw.nl 12 cas-com.net 11 dootall.com - notified 10 ignum.com
Around 100 of the broken domains have at least one working nameserver, and so are email-reachable, given enough retries.
The number of domains that at some point were listed in Gmail's transparency report is 99 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these 44 are in recent reports (February 2017):
Hall of Fame:
gmx.at mail.de asp4all.nl nic.br posteo.de ouderportaal.nl registro.br ruhr-uni-bochum.de overheid.nl gmx.ch tum.de xs4all.nl open.ch uni-erlangen.de domeneshop.no gmx.com unitymedia.de webcruitermail.no mail.com web.de debian.org trashmail.com enron.email freebsd.org xfinity.com octopuce.fr gentoo.org bayern.de comcast.net ietf.org bund.de dd24.net isc.org fau.de gmx.net netbsd.org gmx.de hr-manager.net samba.org jpberlin.de t-2.net torproject.org lrz.de xs4all.net
A recent addition that is not listed above is "exim.org". It seems that "exim.org" mailing lists don't process enough email to land on Google transparency reports. Similarly, "openssl.org" used to be on this list, and still has working TLSA records, but it seems no longer generates enough email traffic to be on Google's reports.
I don't have any way to measure how many domains enable DANE outbound but aren't using DNSSEC for their own domain or are not publishing TLSA records. It is easy to do, just fire up a local validating resolver, adjust /etc/resolv.conf to list only 127.0.0.1 and/or ::1, and add a couple of lines to main.cf. So the stats I am reporting reflects only DANE adoption for inbound email.
participants (1)
-
Viktor Dukhovni