Summary: The DANE domain count is now 1,877,704.
The number of domains that return DNSSEC-validated replies in response to MX queries is 10,922,412. Thus DANE TLSA is deployed on ~17.19% of domains with DNSSEC.
Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits are also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations are welcome.
As of today I count 1,877,704 domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
    1035802 one.com
     136509 transip.nl
     100753 domeneshop.no
      88719 loopia.se
      71404 infomaniak.ch
      38325 active24.com
      31059 vevida.com
      30605 antagonist.nl
      27536 webreus.nl
      26933 web4u.cz
      26278 zxcs.nl
      24969 udmedia.de
      17444 bhosted.nl
      15192 flexfilter.nl
      13854 onebit.cz
       9816 protonmail.ch
       5810 netzone.ch
       5631 previder.nl
       5477 soverin.net
       4872 zonemx.eu
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .no/.cz/.de/.eu/.be. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    6347 TOTAL
    2111 DE, Germany
    1273 US, United States
     919 NL, Netherlands
     540 FR, France
     261 GB, United Kingdom
     215 CZ, Czechia
     154 CA, Canada
      87 CH, Switzerland
      82 SG, Singapore
      79 SE, Sweden
      71 DK, Denmark
      47 IE, Ireland
      45 AU, Australia
      41 AT, Austria
      32 JP, Japan
      28 IN, India
      28 BR, Brazil
      27 PL, Poland
      25 RU, Russia
      24 FI, Finland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
    3247 TOTAL
    1324 DE, Germany
     559 US, United States
     467 NL, Netherlands
     270 FR, France
     124 CZ, Czechia
      99 GB, United Kingdom
      39 SE, Sweden
      39 CH, Switzerland
      39 CA, Canada
      35 SG, Singapore
      25 RU, Russia
      24 AT, Austria
      20 IE, Ireland
      16 ID, Indonesia
      16 DK, Denmark
      15 AU, Australia
      14 NO, Norway
      14 JP, Japan
      11 FI, Finland
      11 BR, Brazil
There are 5361 unique zones in which the underlying MX hosts are found; this counts each of the above providers as just one zone, so it is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 8115. These cover 9040 distinct MX hosts (some MX hosts share the same TLSA records through CNAMEs).
The number of domains that at some point were listed in Gmail's email transparency report is 334 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 160 are in recent (last 90 days of) reports:
    univie.ac.at gmx.at nic.br registro.br
    gmx.ch hostpoint.ch infomaniak.ch open.ch protonmail.ch
    anubisnetworks.com clubedominante.com comeseetv.com fmc-na.com
    frenchtogether.com gmx.com habr.com hotelsinduitsland.com
    infomaniak.com ingthink.com kpn.com leszexpertsfle.com
    mail.com mammoetmail.com one.com primexbt.com protonmail.com
    solvinity.com t-2.com telfort.com thalesgroup.com trashmail.com
    xfinity.com xfinityhomesecurity.com xfinitymobile.com
    active24.cz atlas.cz centrum.cz cuni.cz itesco.cz
    klubpevnehozdravi.cz krypton.cz onebit.cz optimail.cz smtp.cz
    virusfree.cz volny.cz
    bayern.de bund.de elster.de fau.de freenet.de gmx.de
    jpberlin.de kabelmail.de lrz.de mail.de mailserver4.de mensa.de
    posteo.de ruhr-uni-bochum.de tum.de uni-erlangen.de unitybox.de
    unitymedia.de web.de westlotto.de
    dk-hostmaster.dk egmontpublishing.dk netic.dk star.dk stil.dk uni-c.dk
    tilburguniversity.edu
    emta.ee lugeja.ee rmit.ee
    rediris.es uv.es
    litebit.eu web200.eu zone.eu
    ac-strasbourg.fr compagnie-des-sens.fr octopuce.fr
    web200.hu
    comcast.net dns-oarc.net gmx.net habramail.net hr-manager.net
    inexio.net mpssec.net procurios.net riseup.net t-2.net
    transip.net xs4all.net xworks.net
    belastingdienst.nl bhosted.nl bluerail.nl boozyshop.nl corpoflow.nl
    dictu.nl digid.nl ezorg.nl gerryweber.nl hierinloggen.nl
    intermax.nl kingsquare.nl mailplus.nl minbzk.nl mindef.nl mm1.nl
    ouderportaal.nl overheid.nl pathe.nl politie.nl previder.nl
    rijksoverheid.nl rotterdam.nl ru.nl rvo.nl schoudercom.nl
    schuurman-schoenen.nl ssonet.nl truetickets.nl uvt.nl xs4all.nl
    zorgmail.nl
    domeneshop.no handelsbanken.no uib.no webcruitermail.no
    atelkamera.nu goget.nu
    aegee.org debian.org freebsd.org gentoo.org ietf.org isc.org
    mailbox.org netbsd.org openssl.org ozlabs.org samba.org
    slackbuilds.org torproject.org whatpulse.org
    asf.com.pt
    boplatssyd-automail.se handelsbanken.se loopia.se
    minmyndighetspost.se personligalmanacka.se skatteverket.se theletter.se
    govtrack.us
    ru.ac.za
Of the ~1.88 million domains, 4504 have "partial" TLSA records, that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to advertise STARTTLS (even though TLSA records are published) stands today at 465. Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts.
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    http://tools.ietf.org/html/rfc7671#section-8.1
    http://tools.ietf.org/html/rfc7671#section-8.4
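As an added example (not code from this post or from the survey tooling behind it), the Python below models the checks the counts above rest on: TLSA matching for the two certificate usages SMTP DANE supports (DANE-TA(2) and DANE-EE(3), with PKIX-TA(0) and PKIX-EE(1) treated as unusable per RFC 7672), the per-domain bucketing into full, "partial" and broken coverage, and the pre-publication test a key rotation procedure should pass before a server switches keys. The certificate bytes, MX host names and RRsets are constructed stand-ins, not real DER or real zone data; a real monitor would feed DER from the TLS handshake and TLSA rdata from a DNSSEC-validating resolver.

```python
"""Model of the checks behind an SMTP DANE survey (RFC 6698, 7671, 7672).

Added example, not the survey's own code. Certificates are stand-in byte
strings (constructed), so only their digests matter here.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class TLSA:
    usage: int      # 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
    selector: int   # 0 full certificate, 1 SubjectPublicKeyInfo
    mtype: int      # 0 exact, 1 SHA2-256, 2 SHA2-512
    data: bytes     # certificate association data


@dataclass(frozen=True)
class Cert:
    der: bytes      # certificate DER (constructed stand-in here)
    spki: bytes     # its SubjectPublicKeyInfo DER (constructed stand-in here)


@dataclass
class MXHost:
    name: str
    tlsa: Optional[list]    # published TLSA RRset; None when none is published
    starttls: bool          # server advertises STARTTLS
    chain: Optional[list]   # certificate chain presented after STARTTLS


def parse_tlsa(rdata: str) -> TLSA:
    """Parse presentation format, e.g. '3 1 1 <hex>' (hex may contain spaces)."""
    usage, selector, mtype, *hexparts = rdata.split()
    return TLSA(int(usage), int(selector), int(mtype), bytes.fromhex("".join(hexparts)))


def assoc_data(cert: Cert, selector: int, mtype: int) -> bytes:
    """Certificate association data for a selector and matching type."""
    raw = cert.der if selector == 0 else cert.spki
    if mtype == 0:
        return raw
    if mtype == 1:
        return hashlib.sha256(raw).digest()
    if mtype == 2:
        return hashlib.sha512(raw).digest()
    raise ValueError(f"unknown matching type {mtype}")


def tlsa_for(cert: Cert, usage: int = 3, selector: int = 1, mtype: int = 1) -> TLSA:
    """The record a publisher would generate for `cert` (default '3 1 1')."""
    return TLSA(usage, selector, mtype, assoc_data(cert, selector, mtype))


def rr_matches(rr: TLSA, chain: list) -> bool:
    """True if `rr` authenticates `chain` under SMTP DANE rules.

    PKIX-TA(0) and PKIX-EE(1) are unusable for SMTP (RFC 7672), so they never
    match. DANE-EE(3) is compared with the end-entity certificate (chain[0]),
    DANE-TA(2) with an issuer certificate the server included (chain[1:]).
    """
    if rr.usage == 3:
        candidates = chain[:1]
    elif rr.usage == 2:
        candidates = chain[1:]
    else:
        return False
    return any(assoc_data(c, rr.selector, rr.mtype) == rr.data for c in candidates)


def host_status(h: MXHost) -> str:
    """'ok', 'broken' (TLSA published but not usable) or 'no-tlsa'."""
    if not h.tlsa:
        return "no-tlsa"
    if not h.starttls or not h.chain:
        return "broken"   # records published, but no STARTTLS to authenticate
    return "ok" if any(rr_matches(rr, h.chain) for rr in h.tlsa) else "broken"


def classify_domain(hosts: list) -> str:
    """Bucket a domain the way the post's counts do (simplified: every listed
    MX host counts, no preference ordering): 'dane' when all hosts
    authenticate, 'partial' when only some publish correct records,
    'broken' when any published RRset fails, 'none' when nobody publishes."""
    statuses = [host_status(h) for h in hosts]
    if "broken" in statuses:
        return "broken"
    if all(s == "ok" for s in statuses):
        return "dane"
    return "partial" if "ok" in statuses else "none"


def rollover_ready(rrset: list, current: list, upcoming: list) -> bool:
    """Pre-publication check for a key rollover: the live RRset must match both
    the chain served now and the one about to be deployed, so no moment of the
    switch leaves the host without a matching record."""
    return (any(rr_matches(rr, current) for rr in rrset)
            and any(rr_matches(rr, upcoming) for rr in rrset))


# Constructed sample data: stand-in certificate bytes, hypothetical host names.
ISSUER = Cert(der=b"constructed:issuer-cert", spki=b"constructed:issuer-key")
EE_CUR = Cert(der=b"constructed:mx1-cert-2024", spki=b"constructed:key-A")
EE_NEXT = Cert(der=b"constructed:mx1-cert-2025", spki=b"constructed:key-B")
CHAIN_CUR = [EE_CUR, ISSUER]
CHAIN_NEXT = [EE_NEXT, ISSUER]

if __name__ == "__main__":
    rrset = [tlsa_for(EE_CUR), tlsa_for(ISSUER, usage=2)]   # "3 1 1" plus "2 1 1"
    mx1 = MXHost("mx1.example", rrset, True, CHAIN_CUR)
    mx2 = MXHost("mx2.example", None, True, CHAIN_CUR)       # no TLSA published
    mx3 = MXHost("mx3.example", rrset, False, None)          # TLSA but no STARTTLS
    print("mx1+mx2:", classify_domain([mx1, mx2]))           # partial
    print("mx1+mx3:", classify_domain([mx1, mx3]))           # broken
    ee_only = [tlsa_for(EE_CUR)]
    print("rollover:", rollover_ready(ee_only, CHAIN_CUR, CHAIN_NEXT))                       # False
    print("rollover:", rollover_ready(ee_only + [tlsa_for(EE_NEXT)], CHAIN_CUR, CHAIN_NEXT))  # True
```

The rollover check is the part worth wiring into a cron job: publish the "3 1 1" record for the next key, wait until `rollover_ready` is true from a validating resolver's view (and the old RRset has expired from caches), and only then install the new key; remove the old record afterwards. A "2 1 1" record for the issuer survives a rollover on its own only as long as the issuer does not change and the server keeps sending the issuer certificate in its chain.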
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 2050. The top 13 name server operators with problem domains are:
     616 mijnhostingpartner.nl (fix expected any day now, but may be delayed)
     559 registrar-servers.com (a.k.a. Neustar, continuing to grow slowly)
      71 ebola.cz
      70 movenext.nl
      47 metaregistrar.nl
      44 axc.nl
      43 cdmon.net
      37 hyp.net
      34 flevohost.nl
      30 tiscomhosting.nl
      28 hostnet.nl
      22 infracom.nl
      18 is.nl
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Eleven of the domains, all of whose nameservers have broken denial of existence, appear in the last 120 days of Google transparency reports:
coren-sp.gov.br trt01.gov.br trtrio.gov.br trt1.jus.br trtrj.jus.br flytoyourheart.com topdecorationworld.com bncr.fi.cr mobily.com.sa sauditelecom.com.sa threadteaching.co.uk
Viktor Dukhovni