Summary: The DANE domain count is now 3,988,988 (3,987,641 last month,
3,733,547 a year ago).
The number of domains that return DNSSEC-validated replies in
response to MX queries is 23,098,096 (23,197,449 last month,
20,675,170 a year ago). Thus DANE TLSA is deployed on ~17.26%
of domains with DNSSEC. For more stats, see
<https://stats.dnssec-tools.org/>.
[ The credits[0] list is below my signature. ]
Reminder: If you're relying on trust-anchor (usage DANE-TA(2)) TLSA records
matching a Let's Encrypt issuing CA, please note important upcoming
changes in Let's Encrypt certificate issuance:
https://list.sys4.de/hyperkitty/list/[email protected]/message/HESAY65XEKEW52UXYFELODTD44P25VIW/
https://list.sys4.de/hyperkitty/list/[email protected]/message/GLRVY2CRHYLTBNXOBRKPG7LFZKYWF7BS/
https://list.sys4.de/hyperkitty/list/[email protected]/message/X4SS2EEDGIYVQOHI2ZX65PIBYR652DPR/
As of today, I count ~3.99 million domains with correct SMTP DANE TLSA
records at every primary MX host that accepts connections[1]. As
expected, the bulk of the DANE domains are hosted by the DNS/email
hosting providers who've enabled DANE support for the customer domains
they host. The top 20 MX host providers by domain count are below.

This month                   Last Month                   Last year
----------                   ----------                   ---------
1306568 one.com              1314010 one.com              1214177 one.com
 306621 hostpoint.ch          305329 hostpoint.ch          286784 hostpoint.ch
 219246 infomaniak.ch         216411 infomaniak.ch         195060 infomaniak.ch
 172777 transip.nl            172489 transip.nl            182438 mijndomein.nl
 172069 jouwweb.nl            170058 mijndomein.nl         166314 transip.nl
 170317 mijndomein.nl         166814 jouwweb.nl            154096 argewebhosting.nl
 137375 argewebhosting.nl     138337 argewebhosting.nl     134199 simply.com
 130652 simply.com            132653 simply.com            118030 jouwweb.nl
 111485 hostnet.nl            111533 hostnet.nl            111945 hostnet.nl
 109779 domeneshop.no         109976 domeneshop.no         108682 domeneshop.no
 106544 loopia.se             106479 loopia.se             104887 loopia.se
  89264 webhostingserver.nl    89713 webhostingserver.nl    94600 webhostingserver.nl
  82634 forpsi.com             83026 forpsi.com             79127 forpsi.com
  81475 zxcs.nl                81215 zxcs.nl                67139 zxcs.nl
  47296 protonmail.ch          46191 protonmail.ch          46886 active24.com
  41179 antagonist.nl          41111 antagonist.nl          39610 webreus.nl
  38161 active24.com           38611 active24.com           39483 antagonist.nl
  36259 webreus.nl             36576 webreus.nl             34977 protonmail.ch
  28643 pcextreme.nl           29196 pcextreme.nl           32983 pcextreme.nl
  28102 xel.nl                 28283 xel.nl                 29297 xel.nl

The real numbers are surely larger, because I don't have access to the
full zone data for most ccTLDs, especially .br, .cz, .eu, .no, .be, .pl,
.de and .uk. Speaking of countries, the IPv4 GeoIP distribution of
DANE-enabled MX hosts shows the below top 20 countries (each unique IP
address is counted, so multi-homed MX hosts are perhaps somewhat
over-represented).

This month                 Last month                 Last year
----------                 ----------                 ---------
12019 TOTAL                11870 TOTAL                10595 TOTAL
 3819 DE, Germany           3785 DE, Germany           3209 DE, Germany
 1948 NL, The Netherlands   1942 NL, The Netherlands   1891 NL, Netherlands
 1929 US, United States     1883 US, United States     1833 US, United States
  905 FR, France             921 FR, France             799 FR, France
  481 CZ, Czechia            479 CZ, Czechia            388 CZ, Czechia
  380 GB, United Kingdom     366 GB, United Kingdom     362 GB, United Kingdom
  287 FI, Finland            272 FI, Finland            235 FI, Finland
  212 CA, Canada             214 CA, Canada             221 CA, Canada
  199 CH, Switzerland        187 CH, Switzerland        153 AT, Austria
  186 AT, Austria            183 AT, Austria            135 SE, Sweden
  176 SE, Sweden             169 SE, Sweden             134 CH, Switzerland
  160 DK, Denmark            152 DK, Denmark            132 DK, Denmark
  148 AU, Australia          145 AU, Australia          122 SG, Singapore
  117 SG, Singapore          119 SG, Singapore          120 AU, Australia
  103 RU, Russia             102 RU, Russia              72 PL, Poland
   93 PL, Poland              89 PL, Poland              58 JP, Japan
   67 NO, Norway              63 NO, Norway              57 RU, Russia
   57 JP, Japan               61 JP, Japan               47 NO, Norway
   49 IT, Italy               50 BR, Brazil              42 BR, Brazil
   49 BR, Brazil              43 IT, Italy               38 IE, Ireland

IPv6 is less common than IPv4 for MX hosts, and the top 20 countries by
DANE MX host IPv6 GeoIP are:

This month                Last month                Last year
----------                ----------                ---------
9592 TOTAL                9515 TOTAL                8339 TOTAL
4210 NL, The Netherlands  4229 NL, The Netherlands  3666 NL, Netherlands
2791 DE, Germany          2724 DE, Germany          2330 DE, Germany
 888 US, United States     868 US, United States     860 US, United States
 390 FR, France            401 FR, France            406 FR, France
 202 CZ, Czechia           198 CZ, Czechia           175 CZ, Czechia
 185 GB, United Kingdom    183 GB, United Kingdom    162 GB, United Kingdom
 113 FI, Finland           112 FI, Finland            77 CA, Canada
  86 CA, Canada             83 CA, Canada             74 FI, Finland
  80 SE, Sweden             78 SE, Sweden             67 AU, Australia
  75 AU, Australia          76 AU, Australia          64 CH, Switzerland
  72 CH, Switzerland        74 CH, Switzerland        56 SE, Sweden
  50 AT, Austria            52 AT, Austria            54 AT, Austria
  44 SG, Singapore          46 SG, Singapore          44 SG, Singapore
  39 JP, Japan              39 JP, Japan              36 JP, Japan
  31 RU, Russia             32 RU, Russia             23 EE, Estonia
  31 NO, Norway             29 RO, Romania            21 NO, Norway
  29 RO, Romania            28 NO, Norway             21 IE, Ireland
  29 BR, Brazil             28 BR, Brazil             21 DK, Denmark
  26 DK, Denmark            22 DK, Denmark            17 BR, Brazil
  16 IE, Ireland            17 IE, Ireland            15 LT, Lithuania

There are 10,449 unique zones (10,192 last month, 9,144 last year) in
which the underlying MX hosts are found. This counts each of the above
providers as just one zone, so is a measure of the breadth of adoption
in terms of organizations deploying DANE SMTP.
The number of published MX host TLSA RRsets found is 21,169 (20,854 last
month, 19,380 last year). These cover 21,466 distinct MX hosts (21,158
last month, 19,380 last year, some MX hosts share the same TLSA records
through CNAMEs).
The number of DANE domains that at some point were listed in Gmail's
email transparency report is 1,173 (841 last year, this is my ad-hoc
criterion for a domain being a large-enough actively used email domain).
Of these, 674 (525 last year) are in recent (last 90 days of) reports
(see [2] below my signature).
Of the ~3.99 million DANE domains, 14,456 (14,431 last month, 13,107
last year) have "partial" TLSA records, that cover only a subset of the
(secondary) MX hosts. While this protects traffic to some of the MX
hosts, such domains are still vulnerable to the usual active attacks via
the remaining MX hosts.
The number of domains with incorrect TLSA records or failure to offer
STARTTLS (even though TLSA records are published) stands today at 1,862
(1,655 last month, 1,320 last year). Some of these have additional MX
hosts that don't have broken TLSA records, so mail can still arrive via
the remaining MX hosts. The affected domain counts for the top 10
problem MX hosts are:
172 mx2.tkservers.com
48 mail.caop.nl
35 mx1.mdbraber.com
32 mx01.speicher-werk.de
31 mail-03.eu-central-1.aorta.space
26 mail.orionpanel.nl
23 smtp2.kruik-it.nl
23 mail.spreadity.com
22 mail.exot.cz
15 mail.nationaalarchief.nl
To avoid email outages, please make sure to monitor the validity of your
own TLSA records, and implement a reliable key rotation procedure. See:
https://dane.sys4.de/common_mistakes
https://github.com/internetstandards/toolbox-wiki/blob/master/DANE-for-SMTP-how-to.md
https://mail.sys4.de/pipermail/dane-users/2018-February/000440.html
https://community.letsencrypt.org/t/please-avoid-3-0-1-and-3-0-2-dane-tlsa-records-with-le-certificates/7022/17
https://mail.sys4.de/pipermail/dane-users/2017-August/000417.html
https://github.com/baknu/DANE-for-SMTP/wiki/2.-Implementation-resources
https://datatracker.ietf.org/doc/html/rfc7671#section-8.1
https://datatracker.ietf.org/doc/html/rfc7671#section-8.4
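
One way to automate the TLSA monitoring recommended above, as an added example (not code from this survey or from any MTA): it matches published TLSA RDATA against the chain an MX host presents and flags a next key that has no record yet. The function names and the byte strings standing in for DER data are constructed for illustration.

```python
import hashlib

# TLSA matching type -> transform applied before comparison (0 = raw DER).
DIGEST = {0: lambda b: b,
          1: lambda b: hashlib.sha256(b).digest(),
          2: lambda b: hashlib.sha512(b).digest()}

def parse_tlsa(rdata):
    """Parse presentation-format RDATA: 'usage selector mtype hexdata'."""
    usage, selector, mtype, *hexdata = rdata.split()
    usage, selector, mtype = int(usage), int(selector), int(mtype)
    if usage not in (2, 3) or selector not in (0, 1) or mtype not in DIGEST:
        # SMTP clients treat PKIX-TA(0)/PKIX-EE(1) and unknown values as unusable.
        raise ValueError("unusable TLSA record: " + rdata)
    return usage, selector, mtype, bytes.fromhex("".join(hexdata))

def tlsa_matches(rdata, chain):
    """chain is [(cert_der, spki_der), ...] as sent by the server, leaf first.
    DANE-EE(3) is compared with the leaf, DANE-TA(2) with the issuer certs.
    Signature, name and expiry checks are not performed here."""
    usage, selector, mtype, data = parse_tlsa(rdata)
    candidates = chain[:1] if usage == 3 else chain[1:]
    return any(DIGEST[mtype](entry[selector]) == data for entry in candidates)

def check_mx(rrset, chain, next_spki=None):
    """Return a list of problems for one MX host; an empty list means healthy."""
    problems, usable = [], []
    for rdata in rrset:
        try:
            parse_tlsa(rdata)
            usable.append(rdata)
        except ValueError as err:
            problems.append(str(err))
    if not any(tlsa_matches(r, chain) for r in usable):
        problems.append("no TLSA record matches the live chain")
    # Rollover readiness: the next key should already be pinned as 3 1 x.
    if next_spki is not None and not any(
            parse_tlsa(r)[:2] == (3, 1) and tlsa_matches(r, [(b"", next_spki)])
            for r in usable):
        problems.append("next key is not yet covered by a 3 1 x record")
    return problems

# Constructed stand-ins for DER blobs; a real monitor would take these from
# the chain the MX host presents after STARTTLS.
LEAF = (b"constructed leaf cert", b"constructed leaf SPKI")
ISSUER = (b"constructed issuer cert", b"constructed issuer SPKI")
NEXT_SPKI = b"constructed next SPKI"

def rr(usage, blob):
    """Build a '<usage> 1 1' record (SPKI, SHA2-256) for a constructed blob."""
    return f"{usage} 1 1 " + hashlib.sha256(blob).hexdigest()
```

A DANE-TA(2) record only matches when the server actually sends the issuer certificate in its chain, which is why `tlsa_matches` looks at `chain[1:]` for that usage.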
After eliminating parked domains that do not accept email, the number of
"real" email domains with bad DNSSEC support stands at 838 (901 last
month, 1,076 last year). The top 10 name server operators with problem
domains are:

This Month            Last month            Last year
----------            ----------            ----------
528 neostrada.nl      608 neostrada.nl      148 swizzonic.ch
 60 worldnic.com       61 worldnic.com      134 worldnic.com
 22 openprovider.nl    22 openprovider.nl   106 epik.com
 21 active24.cz        14 sectigoweb.com     95 axc.nl
 14 sectigoweb.com     13 register.com       73 ebola.cz
 13 register.com        8 ispapi.net         61 openprovider.nl
  7 vultr.com           8 dnssrv.nl          29 made-easy.ch
  7 dnssrv.nl           7 vultr.com          20 register.com
  6 resolver.domains    6 resolver.domains   18 sectigoweb.com
  6 ispapi.net          6 forpsi.net         12 ispapi.net

If anyone has good contacts at some of these providers, please encourage
them to remediate not only the broken domains (I can send them a list),
but also the root cause that makes the breakage possible.
Just one of the domains whose nameservers have broken denial of
existence appears in the last 120 days of Google transparency reports:
mailazy.net
--
Viktor.
[0] Credits:
Hosting for the DANE/DNSSEC project is donated by isi.edu (Wes Hardaker and
team). Wes also hosts and maintains the https://stats.dnssec-tools.org
website. Thanks go to ICANN for sponsoring acquisition of the server hardware.
Coverage of DNSSEC domains continues to improve with ongoing data
support from Chris Mikkelson from domaintools.com. Credits also due to
ICANN providing gTLD data via CZDS, and to the TLD registries for .CH,
.COM, .DK, .FI, .FR, .INFO, .IS, .LI, .NL, .NU, .ORG and .SE. More data
sources of ccTLD signed delegations welcome.
[1] Some domains deliberately include MX hosts that are always down,
presumably as a hurdle to botnet SMTP code that gives up where real MTAs
might persist. I am not a fan of this type of defence (it can also
impose undue latency on legitimate email). However, provided the dead
hosts still have TLSA records (which don't need to match anything, just
need to exist and be well-formed), there's no loss of security.
[2] DANE domains appearing in last 90 days of Google Email transparency
reports: