Number of DANE-enabled mail domains growing exponentially

Around the world, the number of mail domains with TLSA records is on the up, with growth reaching exponential proportions in the last six months. The Netherlands has taken on a key role in this movement, both within the .nl zone itself and in terms of DANE-for-mail implementation by hosting providers.

Strong global growth

Use of DANE for mail has really taken off over the last six months. According to the latest statistics on DNSSEC-Tools, there are now nearly 1.1 million domains using this security technology. That represents 11.5 per cent of the 9.4 million top-level domains with DNSSEC-signed MX records.


For some years, the number of mail gateways has been rising on a more or less linear trajectory. That's down to major operators bulk-enabling DANE for the mail domains that they manage., whose portfolio includes a large number of .nl domains, is one of the operators whose adoption of DANE has helped to drive migration. Another is TransIP, which configured DANE for the domains under its control some time ago.


Dutch registrars

The figures given above come from Viktor Dukhovni — co-author of the DANE standard defined in RFC 7671 — who gathers a range of DANE statistics from various sources and circulates a monthly digest. Dukhovni's list of the top twenty DANE-enabled mail hosters includes numerous Dutch registrars.


Dutch mail gateways

Looking at the countries with the most DANE-enabled mail gateways, we see that the Netherlands is in third place for IPv4, and second place for IPv6 (even though the country lags behind on IPv6 adoption).

IPv4 IPv6
Total: 4977 1834
1680 DE, Germany 677 DE, Germany
1026 US, United States 309 NL, Netherlands
674 NL, Netherlands 221 FR, France
382 FR, France 170 US, United States
204 GB, United Kingdom 111 CZ, Czechia
170 CZ, Czechia 51 GB, United Kingdom
104 CA, Canada 40 SE, Sweden
80 SG, Singapore 27 RU, Russia
71 CH, Switzerland 27 CH, Switzerland
69 SE, Sweden 26 CA, Canada
48 DK, Denmark 20 AT, Austria
45 IE, Ireland 13 DK, Denmark
40 AU, Australia 12 IE, Ireland
39 AT, Austria 12 AU, Australia
38 BR, Brazil 11 NO, Norway
33 FI, Finland 10 FI, Finland
29 PL, Poland 10 BR, Brazil
25 RU, Russia 9 SI, Slovenia
21 JP, Japan 7 UA, Ukraine
18 IT, Italy 7 PL, Poland

The Netherlands' high position is undoubtedly linked to the lead taken on DNSSEC signing (a prerequisite for the use of DANE) and to the country's relatively significant role in Europe's internet infrastructure and hosting landscape, combined with the fact that, earlier this year, DANE for outgoing mail was added to the 'use-or-explain' list by the Forum for Standardisation. In contrast to the situation in Sweden, the .nl zone doesn't have an incentive scheme for DANE, although one is in the pipeline.

The .nl zone

Only a small number of registries (including SIDN) provide Dukhovni with data on the adoption of DANE for mail in their zones. And the registries in question measure adoption in different ways. Where the other TLDs are concerned, he has to rely on data from scanners (passive) and crawlers (active). As a result, it's difficult to make international comparisons.

However, we are of course able to make certain observations regarding the situation in the .nl zone. On SIDN Labs' statistics site, you'll find information about the exponential growth in the number of DANE-enabled mail domains over the last six months. By the end of February, the figure stood at 335,000. That is very much in line with the DNSSEC-Tools graph on global DANE adoption presented above, and the .nl domain's sizeable contribution to the global total.


Measurement methods

We must point out, however, that the data in the graph above was obtained using a different measurement method from that used by Dukhovni. We have counted all the domains that have at least one DANE-enabled MX gateway, whereas he counts only those domains whose primary gateways all have TLSA records. Dukhovni therefore puts the number of DANE-enabled domains in the .nl zone at 226,000. The difference between his figure and ours indicates how many domains have DANE enabled only on their fallback gateways, typically operated by their service providers.

Despite all the differences in approach and quantification method, the various figures reveal a clear trend: the number of DANE-enabled mail domains has recently been rising sharply, reminiscent of the way support for DNSSEC shot up in the Netherlands a few years ago.

Control panel security

A new name in the DANE support listing is managed services provider Prolocation. All 4,900 domain names in the Prolocation portfolio were provided with DANE security at the start of the year. According to Raymond Dijkxhoorn, the company's system and network specialist, enabling DANE was relatively straightforward. "We helped SURFnet to develop the DANE standard, so we were in on the trend from the start. Because our control panel was used in the development process, we went live with DANE provisioning before anyone else. Now we have an operational interface that lets customers enter their own DANE data."

The trigger for enabling DANE was creation of a website for the One Conference, which obviously had to get 100 per cent in the tests.

Dijkxhoorn believes that it'll be a while longer before DANE for the web takes off. "There's no one yet offering additional validation, as we now have for EV certificates."

And the free Let's Encrypt package is generally used for renewal of the simple TLS certificates. You could therefore say that the initiative is acting as a brake on introduction of the more robust DANE for the web in combination with self-signed certificates. What's more, according to Dijkxhoorn, customers often overlook the fact that automating the required/mandatory updates for the "free" Let's Encrypt certificates costs far more than occasionally buying a commercial certificate.

In the interest of security, Dijkxhoorn would rather see the emphasis placed on control panels. "It's not uncommon for registrars' control panels to be hacked by people who simply circumvent the cryptographic security. It would be good if, for example, SIDN developed guidelines for control panels."


  • Tuesday 23 July 2019

    About SIDN

    Parenting by Barbie?


    AI AI Barbie explores the relationship between parents, children and smart toys

    Read more
  • Wednesday 14 March 2018

    About SIDN

    Warning: fake invoices going around


    Don't get caught and report all incidents

    Read more
  • Monday 11 November 2019

    About SIDN

    "Being Dutch, multistakeholderism is in my blood."


    Maarten Botterman is the new Chair of the ICANN Board

    Read more


Your browser is too old to optimally experience this website. Upgrade your browser to improve your experience.