Summary: The DANE domain count is now 3,603,343 (cf. 3,598,975 last month).
The number of domains that return DNSSEC-validated replies in response to MX queries is 19,588,402 (up from 19,332,285 last month). Thus DANE TLSA is deployed on ~18.39% of domains with DNSSEC. For more stats, see https://stats.dnssec-tools.org/. [ See the Credits[0] list below my signature. ]
As of today I count ~3.60 million domains with correct SMTP DANE TLSA records at every primary MX host that accepts connections[1]. As expected, the bulk of the DANE domains are hosted by the DNS/email hosting providers who've enabled DANE support for the customer domains they host. The top 20 MX host providers by domain count are below.
    This month                         Last Month
    ----------                         ----------
    1229109 one.com                    1236565 one.com
     282877 hostpoint.ch                281674 hostpoint.ch
     193040 infomaniak.ch               190849 infomaniak.ch
     185568 mijndomein.nl               185033 mijndomein.nl
     164423 transip.nl                  163544 transip.nl
     155782 argewebhosting.nl           159122 argewebhosting.nl
     112118 hostnet.nl                  112282 hostnet.nl
     109897 jouwweb.nl                  108076 domeneshop.no
     108431 domeneshop.no               107087 jouwweb.nl
      96992 loopia.se                    97044 loopia.se
      94049 webhostingserver.nl          94545 webhostingserver.nl
      78282 forpsi.com                   77900 forpsi.com
      64627 zxcs.nl                      63883 zxcs.nl
      47352 active24.com                 47339 active24.com
      40473 webreus.nl                   40371 webreus.nl
      39617 antagonist.nl                39576 antagonist.nl
      33978 pcextreme.nl                 34177 pcextreme.nl
      31219 protonmail.ch                30328 protonmail.ch
      29050 xel.nl                       28469 xel.nl
      27608 udmedia.de                   27636 udmedia.de
The real numbers are surely larger, because I don't have access to the full zone data for most ccTLDs, especially .br, .cz, .fr, .eu, .no, .be, .pl, .de and .uk. Speaking of countries, the IPv4 GeoIP distribution of DANE-enabled MX hosts shows the below top 20 countries (each unique IP address is counted, so multi-homed MX hosts are perhaps somewhat over-represented).
    This month                         Last month
    -----------                        -----------
    10211 TOTAL                        10154 TOTAL
     3066 DE, Germany                   3062 DE, Germany
     1878 NL, Netherlands               1845 NL, Netherlands
     1797 US, United States             1780 US, United States
      755 FR, France                     766 FR, France
      369 GB, United Kingdom             355 GB, United Kingdom
      351 CZ, Czechia                    340 CZ, Czechia
      224 FI, Finland                    239 FI, Finland
      215 CA, Canada                     220 CA, Canada
      152 AT, Austria                    151 AT, Austria
      130 CH, Switzerland                128 DK, Denmark
      129 DK, Denmark                    127 CH, Switzerland
      126 SG, Singapore                  124 SG, Singapore
      121 SE, Sweden                     120 SE, Sweden
      114 AU, Australia                  110 AU, Australia
       58 RU, Russia                      57 PL, Poland
       56 PL, Poland                      55 RU, Russia
       56 JP, Japan                       54 JP, Japan
       45 NO, Norway                      49 NO, Norway
       40 IE, Ireland                     38 BR, Brazil
       39 BR, Brazil                      35 IE, Ireland
IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by DANE MX host IPv6 GeoIP are:
    This month                         Last month
    ----------                         ----------
    8063 TOTAL                         7992 TOTAL
    3580 NL, Netherlands               3557 NL, Netherlands
    2280 DE, Germany                   2264 DE, Germany
     825 US, United States              849 US, United States
     358 FR, France                     341 FR, France
     177 CZ, Czechia                    180 CZ, Czechia
     162 GB, United Kingdom             152 GB, United Kingdom
      73 CA, Canada                      74 FI, Finland
      71 FI, Finland                     67 CA, Canada
      65 CH, Switzerland                 61 CH, Switzerland
      58 AU, Australia                   50 AU, Australia
      47 AT, Austria                     47 AT, Austria
      46 SE, Sweden                      44 SE, Sweden
      44 SG, Singapore                   38 SG, Singapore
      36 JP, Japan                       34 JP, Japan
      21 NO, Norway                      23 NO, Norway
      21 IE, Ireland                     20 DK, Denmark
      20 DK, Denmark                     19 IE, Ireland
      16 BR, Brazil                      17 BR, Brazil
      12 RU, Russia                      12 LT, Lithuania
      12 RO, Romania                     11 RO, Romania
There are 8,574 unique zones (8,468 last month) in which the underlying MX hosts are found. This counts each of the above providers as just one zone, so is a measure of the breadth of adoption in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 18,205 (17,855 last month). These cover 18,498 distinct MX hosts (18,152 last month, some MX hosts share the same TLSA records through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's email transparency report is 725 (this is my ad-hoc criterion for a domain being a large-enough actively used email domain). Of these, 405 are in recent (last 90 days of) reports (see [2] below my signature).
Of the ~3.60 million DANE domains, 13,693 (13,723 last month) have "partial" TLSA records that cover only a subset of the (secondary) MX hosts. While this protects traffic to some of the MX hosts, such domains are still vulnerable to the usual active attacks via the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer STARTTLS (even though TLSA records are published) stands today at 1,386 (1,349 last month). Some of these have additional MX hosts that don't have broken TLSA records, so mail can still arrive via the remaining MX hosts. The affected domain counts for the top 10 problem MX hosts are:
    107 mx.xobit.nl
    105 mail.blueconsulting.cz
     34 mx2.synetcon.net
     26 mail.sig-io.nl
     26 fsn1-c04.xemo-net.de
     20 mx1.mdbraber.com
     17 mx1.traxion.com
     15 artemis.strebsjig.net
     14 mx2.traxion.com
     14 mta9.pointner.at
To avoid email outages, please make sure to monitor the validity of your own TLSA records, and implement a reliable key rotation procedure. See:
    https://dane.sys4.de/common_mistakes
    https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-...
    https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
    https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-r...
    https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
    https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
    https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
After eliminating parked domains that do not accept email, the number of "real" email domains with bad DNSSEC support stands at 1,076 (2,068 last month). The top 10 name server operators with problem domains are:
    This Month                         Last month
    ----------                         ----------
    363 worldnic.com                   357 worldnic.com
    123 axc.nl                         134 axc.nl
     74 ebola.cz                        75 ebola.cz
     57 openprovider.nl                 60 openprovider.nl
     38 epik.com                        41 psi-japan.net
     32 psi-japan.net                   34 active24.cz
     32 active24.cz                     28 made-easy.ch
     28 made-easy.ch                    25 ns01.nl
     21 register.com                    22 register.com
     17 sectigoweb.com                  18 epik.com
If anyone has good contacts at some of these providers, please encourage them to remediate not only the broken domains (I can send them a list), but also the root cause that makes the breakage possible.
Just one of the domains all of whose nameservers have broken denial of existence appears in the last 120 days of Google transparency reports:
mailazy.net
-- Viktor.
[0] Credits: The coverage of DNSSEC domains continues to improve with ongoing data support from Paul Vixie of Farsight Security. Credits also due to ICANN for gTLD data via CZDS, and to the TLD registries for .CH, .COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down, presumably as a hurdle to botnet SMTP code that gives up where real MTAs might persist. I am not a fan of this type of defence (it can also impose undue latency on legitimate email). However, provided the dead hosts still have TLSA records (which don't need to match anything, just need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency reports: